EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
How ready are you to communicate in a crisis? It’s a question firms should be asking themselves in response to new regulatory guidance. Now that the European Union (EU) Digital Operational Resilience Act (DORA)1 regulation has come into force, European financial services firms need to be compliant with the new rules on crisis communications. The act mandates robust digital operational resilience measures for financial services and requires firms to have plans for the responsible disclosure of major information and communication technology (ICT)-related incidents or vulnerabilities to clients, counterparts and the public.
Meanwhile, the UK Financial Conduct Authority (FCA) requires UK firms to comply with its rules and guidelines on building operational resilience.2 It reminded firms of the importance of responsible information disclosure during an issue in the aftermath of a global IT outage caused by a US-based cybersecurity firm last July. Sharing lessons from the outage,3 the FCA noted: “Firms who had clearly defined and tested communications strategies were able to quickly and efficiently respond to and communicate with customers and stakeholders.”
Whilst meeting regulatory requirements is essential, firms should look beyond compliance by integrating the principles of effective crisis communication into their daily operations. Robust crisis communications plans bring financial, operational and commercial benefits to UK financial services firms, safeguarding their long-term resilience and underpinning effective risk management.
Six steps for solid crisis communications planning
What do firms need to prioritise to harness the benefits of the European and UK regulators’ operational resilience requirements around crisis communications? Below are the key steps we suggest firms should take:
- Preparation is key: Firms should implement a comprehensive crisis communications plan that includes risk assessments, scenario planning, communication protocols (such as delegation and approval processes), training of key personnel (including a spokesperson) and crisis simulations. Preparation before the crisis is what allows informed decisions to be made quickly and supports effective risk management. The approach and subsequent passing of regulatory deadlines has prompted firms to increase their investment in crisis communications, training and exercising.
- Put someone in charge: Assign a leader to manage crisis communications. DORA mandates that “at least one person in the financial entity shall be tasked with implementing the communication strategy for ICT-related incidents and fulfil the public and media function for that purpose.” We’ve found that firms with a specific crisis communications role benefit from the accumulated expertise and are more responsive when it comes to taking action.
- Assemble a crisis response team: The leader appointed to implement crisis communications should be part of a crisis response team, working alongside other key functions to coordinate a response. Firms that regularly train their crisis response team embed effective communication into their culture.
- Identify key stakeholders: Stakeholder mapping should be extensive and include internal teams, leadership, regulators, customers, shareholders, media, and third-party suppliers. Creating clear and concise messaging templates for each stakeholder group ahead of time can save valuable time during an issue and strengthen overall crisis management. The FCA has recognised this, advising firms to consider making communications more efficient through pre-approved communication templates. Language must be clear, so avoid technical jargon to help ensure accessibility.
- Update and test your crisis communications plan regularly: Testing the plan is a regulatory requirement. Testing prepares the firm for a crisis and surfaces weaknesses that can be remediated before one occurs. Because players in the industry are so strongly interconnected, firms also need to understand the crisis plans of the firms they depend on and deal with, so they can check that their own actions are impactful and meet stakeholder expectations.
- Harness technology to keep stakeholders informed: Firms are increasingly turning to technology, such as smartphone apps, social media and instant messaging tools, to keep stakeholders informed in the event of a crisis. Determining which technologies are most effective for each stakeholder group and purpose is key, and that includes channels that remain usable when the firm’s own systems are the ones affected by the incident. This also extends to using artificial intelligence (AI) and data analytics to predict a potential crisis, monitoring situations that may escalate into a crisis, and issuing automated alerts once a predefined crisis threshold is reached. However, firms need to take steps to help ensure they’re using AI responsibly and complying with the EU’s AI Act.4 We’ve seen firms invest in specialised crisis management software to achieve a more agile and effective response and better tracking of decisions, actions and communications.
As financial services firms face a complex risk landscape, robust crisis communication strategies are essential. Comprehensive preparation helps enable a swift response; appointing a dedicated, well-trained team fosters agility; and investing in technology is crucial to optimise real-time communication and recovery planning, as well as for creating transparency with stakeholders.
Achieving compliance is just the first step
Whilst many UK financial services firms have operational resilience plans in place, many still need to review, update and test their crisis communications plans to help ensure they are robust enough to meet regulatory requirements, avoid penalties, and provide timely, accurate information to customers, regulators and shareholders. Following that assessment, firms may need to take steps to enhance them. Data breaches are a clear example of the consequences when things go wrong, given their significant impact on customers: on average, a data breach costs a financial services firm around US$5 million.5 Sustained operational resilience requires transformation and a culture of continuous improvement. Firms should see the requirements of the EU, the Prudential Regulation Authority (PRA) and the FCA as an opportunity to modernise operations and embed operational resilience into every aspect of their business.