Most enterprises and institutions were caught flat-footed by the COVID-19 pandemic despite their Business Continuity or Disaster Recovery Plans (“BCPs” and “DRPs”). Now is the time for “after-action risk assessments” (“AARAs”), prior to re-opening, so that your firm’s step up to the “Next Normal” is not a step off the edge!
There are a variety of strategies and methodologies to implement your AARA, but all of them require prompt action right now. Firm management needs to seize the initiative and become the ‘tip of the spear’ for entering the Next Normal. Immediate action is especially critical for firms in the Financial Services industry—Broker-Dealers, Registered Investment Advisers, Funds and Insurance Companies should expect that their BCPs or DRPs and their Written Supervisory Procedures (“WSPs”) will be evaluated by the SEC, FINRA, or state agencies.
Management should first focus on whether it is currently prepared and equipped to conduct an AARA:
- Does your current BCP/DRP provide for an AARA? If not, why not?
- Do you have the human and technical resources needed to conduct an AARA and develop a remediation plan? Do you need consultants to assist you? Which ones, and how do you assess whether the potential benefits of hiring consultants will justify the costs?
- If your BCP/DRP did not provide for AARAs, can you assemble an AARA team “on the fly”? Who will be on the team? Who will lead it? How quickly can the team get up and running?
- Has your AARA team been instructed to prioritize go-forward measures and steps for prompt implementation?
- Does your BCP/DRP provide the AARA team with guidance on how to identify deficiencies that surfaced, how to develop and implement measures to remediate them, and who will be accountable for doing so?
- What process is in place to authorize and make the procedural, operational, and resource allocation changes recommended through the AARA process in order to prevent the recurrence of identified “failures”?
- Does your AARA process build in time for a second look and re-balancing?
- After completing the process, did you find that conducting the AARA and implementing recommendations materially exceeded BCP/DRP damage estimates? What provisions will you make for these higher-than-anticipated costs going forward?
Management’s focus in leading the AARA should be on determining how well management and the business coped with the “big picture” forces that have impacted your firm in recent weeks—(i) Macro-Economic Conditions, (ii) Regional, State and Local Economic Conditions, (iii) State and Local Health and Safety Requirements, and (iv) the Regulatory Environment—as well as the other factors unique to your firm that are currently impacting its condition and readiness to re-open. Management should now be (i) evaluating how you weathered the storm, (ii) identifying BCP/DRP failures that occurred and assessing whether these failures were timely and reasonably addressed during the crisis, and (iii) using the AARA process to produce a “gap analysis” that tracks failures and identifies solutions to prevent these failures from recurring, including policy and procedure and resource allocation changes.
What are the key questions that your AARA team should be asking now to identify and remediate big picture problems?
- Human Resources Issues:
  - How were decisions regarding furloughs, reductions in force, unpaid vacation leave, and salary or bonus cuts made? How were they announced? Were these changes effectively implemented? Is there a timeline for a restoration of cuts? Was there any ‘blowback’ from employees?
  - Were remote workspaces secure and effective? Do you have metrics to gauge effectiveness?
  - Could the firm or firm staff be subject to legal exposure pursuant to HIPAA or other privacy laws or regulations due to their handling of client personal confidential information or health data during the crisis?
  - Has the staff followed up on accounting for and returning equipment no longer needed as a result of the crisis?
- Economic & Financial Issues:
  - How were your firm’s budget and financial condition impacted by the crisis?
  - Did you have Business Interruption Insurance coverage that applied under the circumstances?
  - What was your firm’s plan for taking advantage of the government programs that emerged? Did you successfully apply for and receive Payroll Protection Program (“PPP”) funds? What controls were put in place to ensure compliance with PPP guidelines and requirements?
- Labor Issues:
  - What measures is the firm required to take to protect the health and safety of employees before they return to work?
  - What measures should or must be taken by the firm’s landlord(s) to protect employees in building common areas? Has someone been assigned responsibility for coordinating with the landlord to ensure that appropriate precautions are being implemented?
  - What health measures must your firm take before resuming business and then on a going-forward basis?
  - What new policies or procedures have been or will be developed for staff returning to work? Do your policies adequately address COVID-19 testing (including steps employees should take if they test positive), wearing masks, social distancing, a preference or requirement for virtual meetings rather than in-person meetings, restrictions on office visits by visitors and clients, and travel restrictions?
- Cybersecurity and Remote Working Arrangement Issues:
  - Did the firm uncover or receive reports of unauthorized-access events (e.g., phishing or malware) or personal privacy breach events? If so, did the firm’s cybersecurity procedures activate, and how well did they perform?
  - How effective were the measures taken by your firm to monitor your employees’ cybersecurity environments? Did the firm monitor employees’ home-use networks and the third-party vendor systems they accessed in order to ensure the confidentiality of client data and the firm’s proprietary information?
  - Were firm business records copied and saved to appropriate locations in accordance with firm policy? To the extent that data retention procedures were not followed, were irregularities identified and addressed to restore or retrieve information?
  - How effective were the firm’s remote access measures from a productivity and security standpoint?
- Regulatory Issues for Broker-Dealers, Registered Investment Advisers, Funds and Insurance Companies:
  - Were compliance efforts allocated effectively amongst the firm’s remote workforce, and was adequate supervision maintained?
  - Did transaction surveillance function adequately? Was there any evidence of misuse of nonpublic confidential information? Did the firm identify any suspicious employee or customer activity, and were appropriate follow-up measures taken?
  - What compliance “gaps” emerged? Were the gaps documented appropriately and in real time? Have you implemented a documented remediation plan?
  - Were the firm’s regular reports and analyses produced, issued and reviewed in accordance with firm policy? Was compliance with the firm’s record retention policy maintained?
  - Did the firm receive any regulatory requests during this period? How were they assigned, managed, and completed? Were all requests for extensions of time documented and placed in a regulatory matrix so that the timeliness of all regulatory responses could be assured?
  - Was compliance with WSPs maintained? Did your WSPs include training and testing requirements, including “tabletop” exercises? Do such exercises need to be updated to include elements and mock exams that ensure preparedness for a global pandemic scenario?
There is an emerging consensus among the experts that COVID-19 is a problem that we may be coping with for months or even years. Now is the time to make sure your firm is ready for that “Next Normal” future.