Mike Osborne, ICM Computer Group's Recovery Services Operations Director, looks at the UK Financial Services Authority's current benchmarking project and what this will mean for the insurance industry.
Pressure to wise up to business continuity will not go away. Events such as 7/7, 9/11, extreme weather catastrophes, the step changes in corporate governance obligations and ever increasing pressure from regulators ensure the issue remains in sharp focus.
The insurance sector is one of the key industries that cannot afford a catastrophic failure, even for a few hours. The emphasis on 'having a plan' continues to grow with the Financial Services Authority (FSA) extending its regulatory remit to include the general insurance and mortgage industries and, hence, most companies regulated by the Association of British Insurers. All insurance companies need to sit up and take notice of the FSA's evolving requirements and guidelines on business continuity. However, there is still some confusion over what is expected and many are unsure of what their obligations are when it comes to business continuity planning.
Having already undertaken benchmarking projects in 2002 and 2004, the FSA is currently undertaking another major assessment of the resilience of the financial sector, which is designated as one of the five essential services.
This latest project started in June and will finish in September, and by the end of the year the results of the main paper will be laid out to the regulated companies along with examples of good business continuity practice and an assessment of what needs to be done to improve the robustness of the financial services sector.
The project is absolutely key to enhancing the industry's collective understanding of the resilience of the financial system and to reinforce the ability to respond effectively. The findings will also serve to promote debate and will ultimately benefit the industry as a whole by raising business continuity standards.
Earlier FSA benchmarking projects identified business continuity approaches they considered to be 'good practice'. To date, though, they have not mandated such practices through enforced regulation but have asked regulated companies to compare their own arrangements against this good practice. Therefore, with no specific legal requirements some businesses may give a low priority to 'getting a plan'. The regulator does require them to have in place appropriate arrangements, 'appropriateness' being essentially measured against published good practice.
However, there are other reasons why it can be extremely damaging for insurance companies to not give adequate consideration to business continuity. Having a proven plan reassures investors that a business can continue to trade; it shows customers that whatever happens service delivery will continue; it also makes a statement to staff that the company values their livelihood and is prepared to spend to protect it.
The contents of December's summary document are, as yet, unknown. However, it is almost certainly going to represent another step change in the regulator's definitions and expectations of industry good practice. And while its emphasis is on the larger players, each regulated firm will need to meet such expectations in line with the 'nature, scale and complexity' of its own business, as well as meeting the growing expectations of all of its stakeholders, shareholders, customers and employees.
As a leading and highly experienced UK business continuity provider, ICM expects that the likely guidelines will reflect the following:
- Business continuity management systems will be required to address many levels of operational risk, specifically financial, regulatory, legal and reputational.
- Managing such risks will be the responsibility of senior management of a company. Ownership of business continuity is expected to be at board level and not limited to one director.
- Ownership and visible control is to be evidenced by regular board level discussion and minuted conclusions.
- Business continuity arrangements must be exercised and proven on a regular basis. The exercises must prove responses to all significant risks, many of which may only be peripherally linked to IT: systems recovery is not business recovery. Lessons learnt from the exercises must be acted on.
- Arrangements must be appropriate to the risks identified by senior management. Exercising is one critical measure of the adequacy of the arrangements if the scope is sufficiently broad - material, facilities, sites, systems, people, and organisation. Senior management should draw conclusions from the results of each exercise, following input from their subordinates/representatives.
- Given the requirement for senior management ownership, specification and oversight of these business continuity arrangements, inspection visits are more likely to assess senior management knowledge and understanding rather than detailed operational preparation.
- Invoking a firm's business continuity plan is now a specific event requiring immediate notification to the FSA. Scrutiny of the firm's response to any major interruption will be more immediate and more intense.
And remember that, while good practice guidelines may not be stringently enforced, it is the obligation of insurance companies to embrace business continuity, not only to fulfil their regulatory obligations but, more importantly, to ensure the continuance of their business should the worst happen.
• Date: 10th August 2005 • Region: UK • Type: Article • Topic: Financial sector