“Never Waste A Good Crisis” : Reviewing business continuity under Covid-19
ESMA expects that firms will maintain regulatory compliance throughout the Covid-19 crisis, and any deviations will be strictly temporary. It has issued a series of recommendations for action for firms to address the operational challenges presented by Covid-19, including business continuity planning. We discuss the notion that post the pandemic, firms should take the opportunity to review the effectiveness of their business continuity plans, especially for remote working, pending a review by ESMA.
It may seem somewhat callous to write a Blog like this on business continuity given the human cost of the Covid-19 pandemic,but then ESMA has made it very clear that it is expecting firms to hunker down and maintain regulatory compliance throughout the crisis. Indeed, on the 11th March ESMA issued a series of recommendations for action by financial market participants regarding the impact of Covid-19 (1). These are :
- Business Continuity Planning – All firms, including those involved with infrastructures, should be ready to apply their contingency plans, which include deployment of business continuity measures, to ensure operational continuity in line with their regulatory obligations;
- Market Disclosure – issuers should disclose as soon as possible any relevant significant information concerning the impacts of COVID-19 on their fundamentals, prospects or financial situation in accordance with their transparency obligations under the Market Abuse Regulation;
- Financial Reporting – issuers should provide transparency on the actual and potential impacts of COVID-19, to the extent possible based on both a qualitative and quantitative assessment on their business activities, financial situation and economic performance in their 2019 year-end financial report if these have not yet been finalised or otherwise in their interim financial reporting disclosures; and
- Fund Management – asset managers should continue to apply the requirements on risk management, and react accordingly.
The brutal truth is that whatever measures firms implement to deal with the Covid-19 disruption, any consequential deviation from full compliance must be regarded as temporary, and firms must get back to full compliance as soon as possible (2).
In this Blog we’ll focus on Business Continuity Planning, although regarding Market Disclosure and Financial Reporting, we do have to mention in passing that the UK FCA has imposed a two-week moratorium on listed companies publishing their preliminary financial statements. This is to prevent investors making knee-jerk responses to information that may change rapidly with every twist and turn of the Covid-19 pandemic. We think it highly likely that NCAs and even ESMA itself will follow suit.
In times of crisis that trigger the implementation of business continuity plans, two phrases spring to mind : “Never waste a good crisis” (3), and, “No battle plan ever survives first contact with the enemy” (4).
Our recommendation is that as soon as normality returns, firms should not ‘waste the crisis’, but immediately review the effectiveness of their business continuity plans and look for areas of improvement in anticipation of a review by ESMA.
The first question for a firm to ask is that once the trigger was pulled to implement its plan, did the implementation itself go smoothly, i.e. how well did it ‘survive first contact with the enemy’? No matter how well-prepared firms are, it’s human nature that once a crisis becomes real, there is an element of paralysis or ‘rabbit-in-the-headlights’ syndrome introducing a delay while people recover from the initial shock. Firms will want to determine if there was any undue delay in their responses, but may want to tread carefully given the human sensitivities at stake.
Business continuity is a big area, but for firms located in countries that experienced lock-down (which looks likely to include all of Europe, North America, Australasia, and the Far East), we think firms should determine how well their plans coped with wholesale remote working. This may have been a very unexpected scenario – most disaster scenarios we have worked with involve the loss of one or more key buildings, staff, or systems, subsequently addressed through migration to a back-up. We’re not aware of many scenarios that contain :
- A disaster that hits all market participants simultaneously and equally;
- Forced fragmentation of all staff teams into remote-working individuals;
- The need
to equip remote workers with devices that :
- Enable them to work as effectively as they would have done in the office;
- Meet financial regulatory compliance requirements immediately, or very quickly
- The imposition of increasingly tight restrictions as the authorities implement their own continuity plans.
- Creates other unquantifiable risks, in the sense each firm has no idea how many staff will be incapacitated, when and in what areas of the business, and where different initial assumptions can lead to very different outcomes.
Step one of the review should be to determine if there is a wide-enough range of risk scenarios, including the provision for a repeat of a viral pandemic (5) or other natural disaster that hits everyone equally badly.
The second step would be to review how quickly remote working was enabled after government directives :
- Was it established beforehand if it was feasible for all staff (key or otherwise) to work remotely?
- Did staff get equipped promptly with the necessary devices to work remotely (we heard stories of shortages of laptops, mobile phones, and tablets as firms rushed to re-equip large numbers of remote workers)?
- Were the devices fully or partially compliant with the firm’s regulatory obligations?
- What effort was required to make the devices compliant, given ESMA’s expectations that any deviation from full compliance would be rapidly eliminated?
- Assuming staff working from home were using the public internet, were there bandwidth issues with their (or your) provider that reduced staff effectiveness?
A third step would be to determine if infection affected a disproportionate number of staff in areas critical to the implementation and ongoing operation of the continuity plan itself, such as IT support. It may sound trite, but the range of business disaster scenarios should include one that threatens the viability of the continuity plan.
In conclusion, when the Covid-19 pandemic ends, we do expect ESMA to launch one or more reviews of the crisis commensurate with its brief. Furthermore, in view of the tone of various ESMA Covid-19 related statements, we would also expect ESMA to focus on the performance of the market participants themselves, commenting on how well (or not) firms managed their compliance. A common theme running through ESMA’s statements is its expectation that firms will return to compliance normality as quickly as possible, with the implication that ESMA believes firms can.
Firms will need to respond to any ESMA criticisms, specific to themselves or general to the financial services industry. We recommend firms prepare for an ESMA consultation along the lines of, “How could we have done this better?”, and be prepared for some major revisions to their continuity plans. Our guess is that firms were better prepared for the most likely disaster, but ESMA was expecting firms to be equally prepared for any disaster. If firms believe ESMA’s expectations were unrealistic, this needs to be highlighted with the appropriate evidence.
- ESMA 11th March 2020 https://www.esma.europa.eu/press-news/esma-news/esma-recommends-action-financial-market-participants-covid-19-impact
- See for example ESMA’s views on call-recording : ESMA 20th March 2020 https://www.esma.europa.eu/press-news/esma-news/esma-clarifies-position-call-taping-under-mifid-ii
- Attributed to Winston Churchill.
- Attributed to Helmuth von Moltke (the Younger), although we prefer the Mike Tyson variant, “Everybody has a plan until they get punched in the mouth”, which is clearly what Covid-19 has delivered to market participants.
- We’re no panic-mongering here, but people need to be aware that increasing globalisation makes transmission of disease easier, and who knows what else is lurking out in the natural world. Extreme weather events are too localised and short-lived, and climate change too gradual relative to pandemics to use as risk templates.