As the country moves towards the Brexit deadline, uncertainty abides. The recurring message to UK businesses is to prepare for a no deal. In short, while there is uncertainty, financial institutions should prepare for the worst.
Unsurprisingly, institutions do not welcome the costs associated with speculative planning (and subsequent re-planning). Indeed, as internal and external costs continue to grow, the focus on wasted effort and spend has increased. In this article we take a look at the juxtaposition of Brexit planning and operational resilience, to highlight one upside to the ongoing uncertainty
Preparing for operational disruption
Continuing political deliberations are frustrating executives who are already exasperated by the unavoidable cost associated with the majority of Brexit outcomes. Most notably, the common perception is that Brexit contingency planning is a short-term, tactical exercise lacking in long-term value. Executives view the activity as distracting - whether undertaking supplier classification and analysis, checking the resilience of both products and platforms should investors decide to withdraw or transfer investments, or understanding the viability of various jurisdictional transfers and divestments. Not only this, but it uses resources they would prefer to see deployed in growing the business or building a better control environment.
It is difficult not to sympathise with this view. Nonetheless, in adopting a broader, long-term perspective, we believe the Brexit scenario presents institutions with an opportunity to test and refine approaches to operational resilience in what is ultimately an ‘operational disruption’. At the very least, lessons from Brexit planning can be rolled into operational resilience assessment and preparedness.
In our previous article, Building resilience for competitive advantage, we spoke of the need to look beyond survival where resilience is concerned. To that end, in responding to the disruptions arising from Brexit, firms can prevent harm to customers and the wider market, while addressing their strategic resilience obligations. Brexit is the perfect test scenario to evolve and optimise operational capabilities.
In combining operational resilience and Brexit activities, we have identified three common categories in which firms can realise synergies between tactical Brexit obligations and strategic Resilience aspirations:
1 Operational Transparency
Establishing a clear understanding of the firm’s operations universe, including:
Operational service catalogue: establish which services underpin the key operations and products, and any inter-reliance where these are owned.
Systems and process maps: understanding how key services (both client-facing and support) are provided within the organisation and beyond, with a particular emphasis on cross-border provision as impacted by Brexit.
Governance oversight and accountability: assess where oversight responsibility rests and how it is carried out, particularly in times of stress. With the advent of SMCR, mapping clear accountability is not simply limited to intra-organisational accountabilities but may extend to external third parties, such as legal counsel, PR and service providers, some of which may derive from outside the UK entities.
Client and product portfolios: products and services are the public face of resilience; form a view of the stresses on each client or customer type through understanding impacts on the product portfolio and any resulting demand on the systems.
Supplier network classification: establish a shared understanding (internally and externally) of those business-critical suppliers, which will affect the running of the operation – or its rapid recovery – under the stress scenarios. Once the criteria have been established, these should be considered when engaging new suppliers.
2 Risk Appetite
Articulating and establishing the firm’s operational risk appetite and impact tolerances, including:
Impact tolerances: a key feature of regulatory commentary, and closely tied to classification of services and suppliers, these must be framed from an internal (e.g. cashflow) or external (e.g. financial system or customer impact) perspective. They could include overt (e.g. inability to service clients in the EU) or hidden (continuing 'passported' business with expired passporting arrangements).
Disruption tolerance: boards will need to determine for how long they will permit an impact beyond tolerance to continue. Firms entering the Brexit period will need to consider mitigants, such as alternative service providers and whether senior members of staff are covered by their firm insurance should they approve action outside established parameters in clients’ best interest. In any case, early regulatory engagement is key.
Key business services: untangling the processes and activities which, if interrupted (in this case by Brexit-related shocks), will truly cause a business to sustain a severe economic loss or adverse customer impact or jeopardise its continued existence. Firms will likely benefit from developing a more agile contingency plan in terms of resources, locations and systems.
Critical functions: familiar to those dealing with operational continuity in resolution OCIR, these are a distinct subset of vital services, the failure of which may lead to disruption of essential services to the real economy, or of financial stability. Many of these are critical because of their linkages to the global financial system and vulnerable because of their reliance on service providers outside the UK.
3 Response Planning
Developing and testing actionable plans in response to various event-driven scenarios, including:
Resilience testing: stress-testing against a range of Brexit scenarios – not only technical (such as losing access to EU-based platforms) but behavioural (withdrawal or sell-off of funds). Examining both resistance to stress and ability to bounce back from a stressed failure.
Impact analysis: war-games run against Brexit scenarios and follow-on developments to understand impact and root cause, along with enhancing prevention, identifying mitigation and improving recovery times. The development of playbooks could be an invaluable tool for all members of staff.
Incident and disruption management: building event-driven incident and continuity plans, including a clear decision-making hierarchy, invocation protocol and playbook of actions.
Communications: internal and external communications prioritisation and readiness for high likelihood events. Stakeholders include customers, regulators, suppliers and internal stakeholders. Firms are encouraged to hold an actively maintained repository of pre-drafted communications.
Regulatory liaison: opening a clear line-of-sight to the regulator to allow proactive updates by professional regulatory liaison teams, backed by accountable executives.
While Brexit has been an identified threat for the last two years, the true consequences of leaving the EU on 29 March without a deal are unknown. It therefore presents an excellent opportunity to increase the robustness of emerging resilience plans. The potential challenges of identifying, preventing, and eventually responding to, and recovering from, threats can be tested before regulatory scrutiny on firms’ resilience increases.