Speak with people in Financial Services at the moment, and you'll be forgiven for thinking that Business Continuity (BC) is dead, replaced by a new all-encompassing discipline called Operational Resilience (driven by new FCA and EU regulations). Now, ask an insurer what headline risk mitigation they look for in SMEs and mid-sized organisations* and BC will be right up there, resilience less so. So, what's right and what's wrong?
*In our business, we refer to organisations of around 50 to 1,000 staff as mid-sized. Whilst this is quite a broad range, and overlaps with the more formal definitions of SME and Large Enterprise, we find that when it comes to BCP, mid-sized organisations face unique challenges due to high complexity, limited resources, and high expectations from stakeholders.
We support customers across many sectors of UK industry and their insurers, as well as Financial Services, and in this post, we’ll briefly explore what sits behind the change, linking three important disciplines.
The relationship between Risk, Resilience, and Recovery
The first thing to realise is that Business Continuity Planning (BCP) has evolved over time, periodically re-inventing itself, driven by change, innovation, formalisation, and commercial opportunity. Shifts in technology, work patterns, and know-how have occurred, shaped by experiences such as Covid-19 and Brexit. Simply put, the landscape has changed, driving together previously separate disciplines into what is now known as Resilience.
We look at the knowledge environment as the 3Rs (Risk, Resilience, and Recovery) because they are so closely linked.
Risk arises from our exposure to unknown events, each with an estimated severity and likelihood assessed in a Business Impact and Risk Assessment (BIA). Managing risk is then a matter of controlling all the risks that affect the business, investing so the cost and any risk residue remain bearable. The majority are low impact and can be mitigated under a resilience programme or dealt with operationally if they arise. However, some risks, such as fires and earthquakes, are so severe that they pose an existential threat to the business, and 100% prevention is rarely an option. If one of these materialises, the only option is to recover quickly using a planned, practised response.
Resilience is an organisational characteristic and management discipline that creates value through toughness. It means being able to repel, withstand, or avoid potentially damaging risk incidents at any level, and to recover from any that manage to break through. Applied systematically across the organisation, resilience promises to reduce disruption at all levels, improving performance.
Recovery ensures your organisation has a proven planned response to major risk scenarios that would otherwise be unbearable. It draws on the BIA to identify those scenarios and set recovery deadlines for important business services and resources. The resulting Business Continuity Plan (BCP) has the effect of diluting risk and adding resilience.
Is there still a place for BCP in Financial Services?
The UK Finance Sector is a highly regulated, technically advanced, and fast-moving marketplace that risks instability if key participants are absent for even a relatively short period of time. Resilience applied across this community acts as a vital control, reducing the chance of an unplanned event triggering a cascade effect and avoiding destabilisation. This builds confidence in the sector, promoting growth and attracting investment.
The Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England make it clear that all finance sector firms must have a tested BCP to participate in the market. They state that firms must (summarising):
- Have procedures in place to manage and recover from incidents that disrupt their operations.
- Identify their important business services and ensure they can continue to deliver these during disruptions.
- Regularly test their BCPs to ensure they are effective and up-to-date.
- Manage risks associated with third-party service providers, ensuring they also have robust BCPs.
These four points demonstrate the pivotal role BCP plays in the new financial regulations, clearly regarded as essential for dealing with all aspects of major disruption. This emphasises the fact that BCP has not fundamentally changed and remains a cornerstone supporting the wider resilience framework.
Why insurers still care about BCPs
The Insurance industry is a similarly complex environment, made up of brokers, underwriters, reinsurers, agents, and several other types of organisation. Its interest fundamentally lies in being profitable by collecting premiums whilst minimising claims paid, particularly aiming to avoid the high-value pay-outs associated with business interruption.
Most insurers carry out risk assessments of insured clients, advising them to make improvements based on their experience and actuarial data. This becomes a balancing act; if an insurer demands widespread and expensive improvements, clients may look for cover elsewhere. Alternatively, insurers can accept some of the risk and secure the premium, knowing that the chances of a substantial pay-out are increased.
Insurers’ recommendations are a form of systematic resilience management, mandating improvements where the return on investment requires. Low-cost quick mitigations for high-impact risks are clear winners, and BCP offers exactly that. Consequently, we provide BCP on behalf of several leading insurers and brokers. They ultimately want to see that each client understands the continuity risks it faces, has a systematic approach to mitigation, and can demonstrate recovery capability. This typically comes through well-thought-out BCP recovery strategies.
For SMEs and mid-sized businesses, where's the best place to start?
Embarking on a resilience programme represents a significant investment involving all parts of the organisation, typically delivering a material reduction in downtime that might pay back over several years. By comparison, a business continuity programme costs relatively little, has few if any disruptive effects, and provides assurance that the organisation will remain in business following any major disruption. It provides near-immediate protection against existential risks, allowing other exposures to be managed at a more leisurely pace.
To get your BCP moving, we recommend carrying out a Business Impact and Risk Analysis to identify risks, scenarios and recovery deadlines, followed by BCP production and testing. You may then decide to start a linked resilience programme, via a parallel activity stream. We believe this offers organisations the best value and protection.
How we can help
Our approach uniquely draws on Risk, Resilience and Recovery to create a risk model of your business, linking your marketplace, your stakeholders, important business services, resources, assets and supply chain so we can pinpoint risk hotspots. We use it to deliver a prioritised list of improvements that, when implemented, drive down your exposure to risk, building in resilience.
The model calculates impact over time, defining recovery deadlines for each risk scenario based on your supplied factual data, giving you certainty and confidence. We can encapsulate all this within a best-practice Business Continuity programme and management system, satisfying your insurer, customer, and stakeholder resilience requirements.