Operational Resilience and Business Continuity – Guidance for Legal and Financial Services Firms
At times like this, our business continuity planning is really tested in ways we hadn’t contemplated, and with so many variables it is unlikely we will have covered all possible scenarios; it will be our ability to be nimble on our feet and adapt to fast-moving situations that will get us through these tough times.
For financial services firms, the infrastructure of the market and all financial services resources, systems and controls are tested at a much deeper level. This is due to the challenges that are presented not just globally, where firms operate internationally or rely on services provided from other countries, but also any outsource partner.
Your partners, especially those in other countries, may not have resilience plans as robust as ours here in the UK, but are nevertheless facing the same challenges. This adds further stress to your firm’s impact tolerances where matters are outside your and the UK’s control.
Legal firms will likely be facing increased technological challenges with regards to client matters via their case management systems and ability to update client account records, not to mention carrying out transactions via client and business bank accounts.
All firms are also needing to consider situations where a large proportion, if not all staff, may need to work from home for extended periods. During this time, all firms will still need to ensure that compliance obligations are met, and that client/customer complaints are dealt with in the appropriate time frames.
Technology can and will play a huge part in enabling us to continue operating during the next few weeks/months but this brings with it some key risks.
Considerations for all legal and financial services firms
Where firms need to make proportionate decisions on the most important business services and processes that must continue, considerations should include:
- Communication with all staff on working from home policies (including working from home safely, and the cyber and information security protection of personal data in accordance with data protection laws such as GDPR, when using shared WIFI and company VPNs).
- Allocate appropriately protected business-owned IT equipment to anyone working from home on client matters.
- The challenges of managing remote teams and the wellbeing of staff working in isolation. More regular updates between teams and management via conference calls can help ensure staff are both clear on their operational objectives and supported properly remotely. Members of the management team should ensure that appropriate levels of supervision are maintained, and staff should be able to easily contact their supervisors and key teams (IT, accounts, etc.) when required.
- Increased risk of cyber-attacks during out-of-hours periods when IT support or other key staff may be ill or not working. Unencrypted IT equipment leaves staff more exposed to cyber-attacks and, in turn, to data protection/GDPR issues from storing confidential client files unsafely.
- Review of internal policies, procedures and controls to ensure that there are no increased risks that would otherwise be mitigated or controlled in normal circumstances. Staff should still be able to get easy access to the business’s policies and procedures, including use of email, internet, social media and points of key contact should any reports need to be made.
- Staff working on hard copy files or taking confidential client calls at home. Remind staff not to work on client/customer matters in public places or over free, unsecured WIFI connections; ensure hard copy files are stored securely when not in use and are not accessible to others (spouse, partner, children, visitors, etc.) while being worked on.
- If an online risk and compliance system is used by the business, ensure it continues to be updated as required.
- In addition to IT risks, recognise that staff required to work from home are covered by the same health and safety legislation as in their normal workplace. You therefore need to ensure that appropriate, proportionate and pragmatic assessments are carried out and that any identified risks are mitigated.
- Provide training as and where appropriate on working from home safely, managing virtual teams and specifically best practice advice from the NHS and the WHO.
It is imperative that the high standards we apply to our work do not waver in more stressful times. Criminals will be ready to pounce on any vulnerability in your systems, and taking your eye off the ball on everyday tasks will immediately increase the likelihood, and therefore the impact, of further risks.
Please see https://www.gov.uk/government/topical-events/coronavirus-covid-19-uk-government-response for advice from the UK Government on COVID-19. If you would like to find out more about the support that we at Access can provide for your firm’s Governance, Risk and Compliance challenges through our extensive eLearning catalogues, please contact us at firstname.lastname@example.org or call us on 0800 055 6586.