- restaurants offered take-away when their dining areas were closed down
- stores offered online ordering and curbside pickup
- teachers of all levels and subjects learned how to set up video lessons and online classes
- exercise studios ran Zoom and YouTube fitness classes
- distilleries made hand sanitizers
They demonstrated resilience–a quality all organizations, whether shutdown or not, value.
The new ‘competitive advantage’
Resilence, says Forrester VP and group director Stephanie Balaouras, “will become a competitive advantage” post-COVID-19 and throughout the 2020s. Balaouras defines business resilience as “the ability to deliver on your mission and vision regardless of any kind of crisis or disruption, be it extreme weather, political upheaval, cyberattack, or the next disease outbreak.”
As companies plot how to re-open from the lockdown caused by the coronavirus pandemic, they might want to take some time to evaluate their resilience. And part of that could include taking the time to analyze and reflect on their business continuity plan.
Scrutinizing a business continuity plan
“What the pandemic has done is laid bare the immaturity of our enterprise risk management programs and our business continuity planning and preparedness,” says Balaouras.
You don’t have to look far to see the results of the pressure of the pandemic and its economic off-switch. You might already even know the answers to the following questions. But they’re still important to ask:
- How did the business function? How did the business continuity plan function? Was it specific to a natural disaster such as hurricanes or was it adaptable to a pandemic?
- Was it pandemic-specific?
- Were employees whose jobs could be done remotely able to pivot seamlessly to remote work? Or were there technology challenges? Was IT able to adapt and find tools to help managers reinforce team connections through video meetings and communications apps?
- Were employees emotionally and intellectually able to transition to remote work, having answers at hand to typical questions they might ask?
- Were they psychologically able to transition to being alone at home or working remotely with children and spouses in close quarters? Was management able to communicate and ease employee fears?
- Was the C-suite able to evaluate and assess actions to cut costs, without harming the business or its employees unduly?
As many in business are starting to realize, if they didn’t already, “it takes a village” to ensure the health of a business. And the questions above confirm that: From the C-level to IT to middle management to HR to front-line employees, the success of the business during COVID-19 depended on many people in an organization, with the CEO setting the tone. And the fate of each function or role should be thought about before the continuity of the business is threatened.
No strangers to BCPs
In the financial industry, of course, advisors and broker-dealers are no strangers to business continuity plans (BCPs). In fact, FINRA requires them: “Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires a member firm to create, maintain, review at least annually and update upon any material change, a BCP identifying procedures relating to an emergency or significant business disruption.”
And FINRA has had its own pandemic-related business continuity plan for several years. It offers a list of the minimum things a BCP should account for, appropriate to the size and needs of the firm:
- Data backup and recovery (hard copy and electronic);
- All mission critical systems;
- Financial and operational assessments;
- Alternate communications between customers and the firm, and between the firm and employees;
- Alternate physical location of employees;
- Critical business constituent, bank, and counterparty impact;
- Regulatory reporting;
- Communications with regulators; and
- How the firm will assure customers’ prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business.
If the firm doesn’t include one of these elements, it must document why. And if the firm uses another entity to handle any of the above elements or systems, it must explain the relationship.
Looking at BCP weaknesses in the past
The SEC is not as detailed in its list of requirements. In fact, on its COVID-19 page, you might not find what you’re looking for in that respect. The publication Financial Planning suggests looking at the SEC’s August 2013 OCIE risk alert page.
On that page, OCIE Director Andrew Bowden is quoted: “Our staff examined approximately 40 advisers in the aftermath of Hurricane Sandy to assess their preparedness for and reaction to the storm,” said OCIE Director Andrew Bowden. “We hope our observations in this Risk Alert and those in the earlier joint advisory will help industry participants better prepare for future events that threaten to disrupt market operations.”
The Risk Alert (Vol II, Issue 3) offers observations and lessons learned from BCP review after Hurricane Sandy. Let’s look at the weaknesses they found. Not because we’re negative thinkers, but because during a crisis or disaster, what you might do wrong is more important than patting yourself on the back for what you did right.
Granted, these observations in the Risk Alert relate to a hurricane, but better to face a pandemic prepared for a hurricane than face a pandemic with no preparation at all. Here are a few:
1. The “oh that will never happen” weakness. “Some advisers adopted BCPs that did not adequately address and anticipate widespread events. These advisers generally experienced more interruptions in their key business operations and inconsistent communications with clients and employees. For example, some advisers did not have adequate plans addressing situations where key personnel, such as portfolio managers, were unable to work from home or other remote locations,” the SEC notes.
2. The “we want everyone to work in our one office” weakness. “Some advisers did not have geographically diverse office locations, even when they recognized that diversification would be appropriate. Many smaller advisers had fewer geographically dispersed staff.”
3. The “don’t worry about them, of course they must have a plan” weakness. “Some advisers did not evaluate the BCPs of their service providers…..In doing so, the advisers did not ensure that the service providers’ plans incorporated key business continuity controls that related to the advisers’ ability to execute their own BCPs.”
The pandemic laid bare many flaws, including societal and economic ones. It also exposed weaknesses and pain points for many businesses — how they operate, their policies, their culture, their revenue and supply sources, their contingency planning. Now is the time to make changes and emerge stronger, ready to face the next challenge.