Investment Management Company
As part of a global asset management firm, our client provides investment management services to clients in Europe and the Far East from locations in the UK and overseas.
Teed was asked to run an exercise for the management team of one of the client’s main UK offices. They were fairly comfortable that they had a good level of business continuity (BC) planning and solutions in place, with well-defined roles and responsibilities. However, it was important to ensure they were ready for anything, and the time was right to test this through an independent validation of their business continuity preparedness.
In discussion with the client’s internal business continuity team, Teed devised a range of challenging scenarios to see if response plans and strategies would stand up to scrutiny. This was combined with an element of BC awareness to ensure that all participants were comfortable with pre- and post-incident responsibilities.
With the incident management team, BC team leads and deputies involved in the exercise amounting to approximately 24 people, it was important that the exercise was designed to make the most of everyone’s time and maintain interest. Breakout sessions were facilitated by the consultants to enable teams to consider issues specific to their area of operation in terms of business priorities, resource requirements, communication and business recovery.
In addition to the exercise, we reviewed the client’s existing business continuity plans and strategies and put forward recommendations for improvement as part of the Exercise Outcome Report.
Client testimonial – “Having the ability to test the BC plan against a scenario provoked some good discussions and highlighted some areas for improvement.”
The client recognised the advantages of thinking through the current threat profile as some risks had not been considered in sufficient depth, for example, cyber security threats.
There was a telling moment during the exercise when it was realised that with systems down, the Incident Management Team was uncertain whether trading could carry on. In this situation, it is important to have defined beforehand the manual workarounds that could be adopted for key activities to satisfy regulatory requirements and investor expectations. For example, is there a working fax machine available to facilitate trades and is there sufficient information available?
As is often the case, the client’s existing business continuity plans started at the point of assuming systems would be accessible. Nowadays, plans have to be sufficiently flexible to adapt to situations where IT and data are simply not available, for example, due to a cyber security incident.
A resulting action to take forward was to organise a workshop for relevant people to assess risks and identify appropriate controls and trigger points, with the resulting output to be incorporated into business continuity plans and strategies.
An interesting point to note was the continued relevance of maintaining an external recovery site given the flexibility of remote working options, which could reduce dependence on such a site in future as new technologies emerge. A further learning point was to consider how communications would work to enable a transfer of responsibilities to other locations, albeit temporarily.
Overall, the exercise showed the client was fairly well prepared to respond to an adverse situation, with lessons learned and improvements identified which may not have revealed themselves otherwise.
This was a really good example of why even the most prepared organisations should seek independent assurance that all is as it seems.
The client now intends to take BCM to the next level and seek accreditation to ISO 22301 (BCM standard) to build on the good work already done.