Business continuity in the Covid era: Considerations for Boards

in Regulatory/Compliance, 13.05.2020

On 29 April 2020, KPMG partners Anne-Sophie Minaldo and Laurent de la Vaissière took part in an ILA virtual panel on “Business Risk, Continuity & Protection” where they shared their insights on business continuity to help directors lead their organizations through the Covid-19 crisis. In this blog, they share their four-step guide for board members.

 

Business continuity during the Covid-19 crisis

Business continuity management is “the process of creating prevention and recovery systems to deal with potential threats to an organization”. It is an enterprise-wide initiative which typically consists of the following four components:

  1. Crisis or emergency management involving senior management
  2. Business continuity planning involving the business continuity leaders, as well as all business units
  3. IT disaster recovery management involving information technology
  4. Third-party risk involving the business continuity leaders, procurement, and/or the business units

These four components should be underpinned by appropriate governance and program management.

In the Luxembourg financial sector, there is often an explicit regulatory mandate for board members to address business continuity either through the issuance of guiding principles or by challenging the internal governance arrangements.

In the EU, business continuity has been under increased regulatory focus in recent months, along with information technology and cyber security topics. As a case in point, the CSSF weekly questionnaire that investment fund managers must complete now prominently features business continuity (read more about this).

Prior to the current crisis, most business continuity plans were based on the central assumption that an organization’s main offices would be unavailable and that critical teams could relocate their work to back-up offices like those provided by recovery workplace specialists. Work from home strategies were rarely considered.

Obviously, an approach relying on back-up offices does not work well in times of pandemics where work must predominantly take place from home due to public health demands.

Technology challenges

The two major obstacles to wide-scale working from home that we have observed are:

1) The lack of remote access technology. To support broad remote access, many organizations were faced with the challenge of rapidly deploying emergency new technologies or scaling up existing technologies (e.g., VPN vs VDI – more about this), both requiring heroic efforts from their IT staff and their service providers;

2) The lack of digitalized business processes. Remote access does not help where critical business processes still rely on paper, exposing areas that need to accelerate digital adoption and transformation.

People and Governance challenges

Trust and Governance

Trust between an organization and its people is of utmost importance in the office, and even more important when working from home. Management should focus on maintaining a close connection with their teams to get the assurance that processes are operating smoothly with the right level of professional judgement and ethics.

Many organizations have amended or added to existing procedures and policies to adapt to the current situation. As it appears that the crisis may continue longer than originally anticipated, we encourage board and management teams to review policies and guidelines to ensure the governing rules are up-to-date and accessible to all.

Risk

Keeping risks under control is as crucial as maintaining business developments activities. But in today’s world, what are the challenges businesses are facing?

Even if risk controls are executed, past experience is no longer an indicator they will be effective in this new era. Questions of reliability should be considered in the final assessment of internal controls. This point should be addressed at audit committee or board level.

One of the lessons learned is that day-to-day operations remain manageable remotely while strategic thinking and business acumen may be more difficult.

All companies should consider extraordinary board meetings to assess and document the impacts of Covid-19 on their business strategy and risk exposure, followed by implementation of key mitigation measures.

Cyber risk challenges

Organized criminal groups have been observed exploiting these troubled and stressful times by phishing for credentials or tricking people to click on malicious links. There has also been an increase in scanning of networks for vulnerabilities, particularly in newly deployed or upgraded remote access platforms to support massive work from home.

These tactics are commonly used to penetrate organizations in order to carry out fraudulent schemes like ransomware, which blocks or wipes information systems to extort money. Sadly, organized criminal groups have been ruthless in the selection of their targets, as demonstrated by victims in the health sector including many hospitals and testing labs.

Organizations should ensure that their networks are properly secured, especially for remote access systems that were quickly deployed or upgraded. The speed of implementation potentially bypassed some of the normal risk analysis and/or security testing steps foreseen by organizations’ information security policies.

It is also crucial to raise the security awareness of staff in order to ensure they understand the current threat landscape and know what to do in case they suspect a security incident. While a click cannot be undone, the management of a security incident should start as soon as possible.

In conclusion

Given the current situation may continue for several weeks, months or even years, it is time to:

  • Draw lessons learned on what worked well and less well with your organizations’ business continuity arrangements;
  • Challenge that systems and databases are properly backed up; and
  • Amend the Business Continuity Planning and related guidance accordingly

If you have any questions or would like additional advice, please contact us.

We also invite you to read our earlier publications on this topic: