The COVID-19 crisis has renewed business focus on operational risk and resilience, and business continuity planning (BCP). These activities require defined accountabilities for and effective control of key functions, clear and effective delegation of tasks, and oversight of responsibilities and key risks across the organisation.
These concepts are also central to the Central Bank of Ireland’s proposed Individual Accountability Framework and Senior Executive Accountability Regime (SEAR).
SEAR will apply to, at a minimum, the Pre-Approval Control functions (PCFs) under the current fitness and probity regime who will occupy Senior Executive Functions (SEFs). Under SEAR, and similar to the UK Senior Manager and Certification Regime (SM&CR), they will be required to:
- oversee delegation of tasks effectively;
- take “reasonable steps” to ensure that the functions for which they are individually responsible are both compliant with relevant regulatory requirements and controlled effectively; and
- notify the regulator of any matters to which it could reasonably expect notice.
Below we outline regulatory developments which provide useful insights into how PCFs can both address the challenges posed by COVID-19 and prepare for individual accountability under SEAR.
In February 2020 the CBI proposed introducing new PCF roles focussing on individuals responsible for key areas of business risk, such as IT resilience, as well as significant business areas. These proposed roles include the Chief Information Officer and Head of Material Business Line.
Similarly, the UK SM&CR introduced the Chief Operating Officer Senior Manager Function (SMF) in late 2017, with responsibility for managing the internal operations and technology of the firm. Subsequently the UK regulators released a series of discussion and consultation papers focussing on operational resilience, most recently in January 2020. They contain the following key themes:
- Operational resilience must be driven from the board with clear accountability for differentiated investment decisions that properly consider resilience.
- Resilience should be prioritised for important business services; i.e., those services that have the greatest potential to cause harm to consumers, the financial system and the firm itself.
- The resources that a firm deploys to deliver those most important services must be mapped across technology, data, people, facilities, suppliers and now key dependent processes.
- The maximum tolerable level of disruption to an important business service must be defined as an impact tolerance, and metrics must be identified to monitor and measure the firm’s ability to remain within the tolerance.
- Firms should identify severe but plausible scenarios to test the ability to respond and recover within those tolerances.
- Robust internal and external communications plans must be in place to manage the impact during any service disruption – with an emphasis on ensuring the timeliness and accuracy of the information provided.
- Firms must demonstrate that they have taken decisive and effective actions to improve resilience and have embedded a recovery-centric mindset within the organisation’s culture.
These principles are consistent with recent European regulatory activities. They are relevant not only to Senior Manager Functions such as the COO, but also to each Senior Manager who is individually accountable for demonstrating adequate control and oversight over his or her respective area(s).
This UK approach provides useful insight for Irish institutions both dealing with the current COVID-19 environment, and preparing for the introduction of SEAR. Current PCF role holders should ensure that they fully understand their accountabilities and responsibilities, and areas of operational risk and resilience within their functions (such as outsourcing risk and dependencies on third parties). Ultimately, they must ensure that their respective functions are effectively controlled, and that tasks are not only delegated effectively but also subject to ongoing oversight and challenge when required. In the current environment, this is even more of a challenge and therefore requires focused attention.
In your role as PCF/SEF, below are some questions for consideration across key business activities in your firm:
Business continuity and contingency planning
- Does your business continuity planning (BCP) clearly articulate how the firm will respond and recover following disruption?
- Does it identify critical business services and explain how they will continue to operate?
- Where BCP planning has highlighted control deficiencies and open areas of operational risk, have mitigating plans and remediation activities been established?
- Does your BCP include prompt and meaningful communication arrangements for internal and external parties, including supervisory authorities, consumers, other clients and the media?
Outsourcing and critical services providers
- Has your senior executive correctly identified the third parties that are critical to the continuous and adequate function of your firm’s operations? Do both your board and senior executive fully understand the nature and extent of your firm’s reliance on these service providers?
- If your firm has experienced service delivery disruption associated with on-shore remote working or reduction / shut-down of off-shore delivery centres, how have you addressed these issues and taken actions to mitigate them in the future? Have you re-assessed your supply chain resilience end-to-end to future-proof it?
Data protection and security
- Does your firm have adequate safeguards to prevent unauthorised access to personal financial and other sensitive data relating to customers and other relevant parties? Are you fully compliant with your obligations under the General Data Protection Regulation (GDPR)?
- Are your staff, systems and behaviours appropriately managed under remote working conditions to ensure adherence to your data protection and privacy obligations? Sensitive client data needs to be protected; have you assessed whether off-shore remote working arrangements have regulatory approval?
- Security requirements are changing and cyber risks are increasing as employees locally and off-shore are working remotely. Have you assessed, as an accountable executive, how your operations are appropriately controlling these activities, for example by protecting against cyber issues / phishing scams whilst working remotely on-shore and off-shore?
Internal control framework
- Is there an effective internal control framework established which allows the board and senior executives to exercise appropriate oversight and have confidence that its directions are being implemented? Does it allow appropriate prioritisation of activities as well as internal reporting and escalation points? Are roles, responsibilities and accountabilities clearly defined?
- Are your controls sufficiently documented, understood and managed under BAU and stress scenarios, such as COVID-19? Is there a top-down and comprehensive bottom-up articulation of your control environment and the high-risk controls requiring additional measures under COVID-19?
- If you have re-deployed staff to critical services, what controls and measures have been implemented? Have you assessed your control function’s ability to ensure effective processes are in place to meet segregation of duties, data security, key control, legal and regulatory requirements?
- Where you have implemented workarounds to continue critical services remotely, how well are these being controlled and managed?
- Does your board provide sufficient challenge to the executive and does it have access to executives with the appropriate technical skills? Does the board itself contain sufficient technical expertise to be able to challenge the executive on issues including those involving rapidly evolving technologies? Has the board explicitly defined roles and responsibilities for addressing operational risk and the operational risk management framework?
We hope that you find these insights useful. Please feel free to contact us if you wish to discuss this or any of your needs further.