Business as usual for organizations the world over has been marred by these extraordinary times. An unprecedented crisis, the COVID-19 pandemic has divided our timeline into pre- and post-COVID eras. Some of the business practices that have been prevalent until now may cease to exist or get an upgrade in the post-COVID times.
Business Continuity Planning: A Change in Approach
Ever since 9/11, business continuity planning (BCP) has been an integral part of businesses across industries, especially in the banking and financial services sector. Split or multi-site processing, hot-warm-cold sites, work transfer, and staff transfer were some of the recovery strategies put in place to handle exigencies on ‘off’ days. Although tested periodically for operational effectiveness, these strategies could not replicate the surprise – in fact, shock – element of real-world contingencies.
Although this approach delivered effective results for more than a decade, some events of significant proportions in the last decade have exposed its vulnerabilities. The learnings from these events led to the following improvements being incorporated into the recovery strategies:
⦁ Shift from work transfer to a distributed work transfer model, either by way of equal split processing or cross-trained resources
⦁ Staff transfer as the starting point of recovery strategy for critical processes was declared no-go
However, the current situation proves that these strategies – once considered best in class – are rendered ineffective in the case of a global disruption event.
The enhancements to the business continuity planning approach in the post-COVID period – to make it more agile – could be:
⦁ The pandemic or epidemic and global outage sections in the BCP documentation will have to be treated as realistic scenarios and should include workable contingency strategies to address such eventualities
⦁ Well thought-through strategies for remote working models
⦁ Real-time testing of all strategies – work transfer, staff transfer, global outage, remote working, and so on
⦁ Shift from planned testing exercises to surprise, real-time testing practices; stress testing of proposed recovery strategies
Remote Working: A Paradigm Shift
The present situation has demonstrated that remote working is not just a fad, but here to stay in the long run. Over time, working productively without physically stepping into office premises will become a part of employment contracts and HR policies.
The banking and financial services industry is highly regulated, with immense scrutiny across all areas – be it data privacy, information security, transaction processing, reporting, or even simple query resolution. It is therefore a given that remote working would pose a whole lot of risks – financial, regulatory, and operational. Let us look at some of the key risks arising out of this new way of working:
⦁ People risks
  ⦁ Theft of proprietary data or sensitive information such as financial as well as personal or demographic details which can help perpetrate fraud or even be sold illegally for non-monetary benefits
  ⦁ Low productivity
  ⦁ Errors due to distractions at the place of work
⦁ Fraud risk
  ⦁ Misrepresentation of data in management reports and dashboards
⦁ Technology risks
  ⦁ Systems not updated with the requisite antivirus and operating system patches, making them vulnerable to cyberattacks and prone to crashing
Human beings are regarded as the weakest link in the controls landscape; hence, it may be assumed that an increase in human touchpoints will increase the risk of control failure. For controls to provide reasonable assurance that risks would be mitigated, they should be technology driven and free of human intervention. The strongest and simplest form of control is the perception of being found out – if individuals know that their actions would not go undetected, they would not bypass procedures.
We see cognitive technologies emerging as strong levers to build controls for remote working models. For instance, people risks can be mitigated through AI-based detection tools (such as retinal scanning, thermal imaging, heat signature profiling, background imaging at periodic intervals to detect the number of heads in the work area, and geofencing technology to disable mobile devices or cameras within a certain perimeter), keystroke-level productivity tracking tools, and soft controls (for instance, signed acknowledgements and NDA forms, daily connects, training and refreshers, and so on). Process risks can be mitigated by restricting access to data using privacy screen guards on machines and by reducing exposure through encryption, dynamic masking, truncation, tokenization, and pseudonymization. Organizations can also implement transaction-level controls (such as access to one transaction at a time, no access to old data or processed transactions, transaction page timeout after a specific time, and enhanced segregation of duties) and automate the input feed for MIS and reports. In addition, enabling patch and antivirus updates over the open internet would help address technology risks.
A single act of negligence or non-compliance can cause a lot of damage to financial institutions and their customers. Organizations that implement adaptable and resilient business models and build robust digital ecosystems to ensure the well-being of their employees as well as customers will emerge as leaders in the post-COVID era.