We asked a senior IRM member and global financial services expert for a quick update, here’s what they said:
So far I am quite confident that our company is effectively responding to the outbreak. The first thing we have learned is resilience capacity, in particular from the technical side. The company has gradually invested mobile/remote working access facilities in the past two years. For certain functions, people are equipped with two different types of access, when one does not work another can be backup. Availability of the capacity helped us smoothly switch our modes of working while service levels to clients can still be met. It has also turned out that the majority of our key suppliers are able to support us remotely.
Of course tech itself cannot stand up autonomously. The next thing we learned is that effective governance does matter. We do have clear business continuity management and response governance. Roles and responsibilities are clearly stated, plans and processes reviewed and tested periodically. Although the specific pandemic scenario was not in the original focus, such a governance structure still allowed us to act quickly to identify key response actions against the outbreak. This is also based on an existing business impact analysis (BIA), which puts chances of disruption at the core of consideration and is subject to periodic review. With regard to the BCP, a tiered approach also helped us to start our attention and pre-preparation from early stage when the impact was still low. And then as the situation develops, escalated responses can be managed in an organised way.
I guess the above are just two typical things that risk managers are looking at every day. The outbreak is just an opportunity to prove it, or the contrary. So the key is that we have something real, not a real challenge but a real capacity and effective processes.
As the outbreak continues, any questions might draw the attention of risk managers, as well as business leaders. Can we make such response capacity ‘normal’, i.e. capacity for both normal scenarios and disruption scenarios?
It might economically make sense as you don’t have to worry about a ‘contingency’ budget. And not to mention that technical capacity of remote access which will introduce new business opportunities. More importantly, in this fast changing and ever connecting world, lacking of certain capacity itself could be the very disruptive or threatening to the business.