12 minute read 7 Sep 2018
How financial services firms can manage through crises

Authors

Cindy Doe

EY Americas Advisory Risk Leader

Seasoned financial services professional. Resides in Massachusetts with her husband and three children.

Mark Watson

EY Americas FSO Board Matters Deputy Leader

Focused on helping financial services firms become resilient and well-governed. Passionate about sound public policy. Avid movie goer. Electronic dance music fan. Proud Anglo-American.

From communications planning to post-event management, we explore how planning can help remove uncertainty during a crisis. 

Headline risk seems to have risen in financial services. Ten years ago, as the financial crisis unfolded globally, the sector found itself on the front page every day — we all wondered which firms would be crippled or fail. We felt that again as the sovereign debt crisis played out several years later. News reports were peppered with the latest fine or settlement levied against a firm. Arguably, crisis management seemed relatively reactive in that context — no one firm stood out as managing crisis well or poorly in the industry.

The enduring question remains, what can we learn from firms that have experienced a major crisis — the good, bad and the ugly? 

The biggest learning can be summarized by the ubiquitous motto: Be prepared. It sounds trite, but it could not be more on point. During a crisis, it’s too late to do what you should have done in advance. Every minute spent figuring out who should be responsible for a decision, how to phrase a press release, or which stakeholders should be contacted and in what order (e.g., board of directors, regulators and clients) takes away from a firm’s ability to focus on the specifics of a response. 

That said, not everything can be preplanned — new issues arise in every situation; that’s why developing corporate muscle memory through planned exercises (e.g., simulations) is so important, because it helps build experience.

Chapter 1

Decision-making

We outline eight key steps to better decision-making.

Firms need to define the appropriate activities of the board and senior leadership during a crisis: who will be making decisions, how will those decisions be informed and made, and who will be brought in to assist? 

Some key issues stand out: 

  1. Clarify roles and responsibilities. 

    First, start with identifying the key decision-makers in a crisis. Who needs to be involved? In what capacity? Who determines when an event — and of what kind — necessitates moving from continuity plans to crisis? Does everyone appreciate how decision-making authorities shift in crisis? Ironing this out beforehand is essential, as is determining who owns the crisis management process so there is clear accountability for validating that it stays in line with evolving industry practice and regulatory expectations. 

  2. Identify substitutes. 

    Once you have determined who can make decisions in crisis, make sure qualified, experienced backups are known. For example, if the treasurer is on vacation during a crisis, who should senior management call upon for questions regarding liquidity and capital? If they can’t reach the CIO, who are the next three people in line, and are they prepared to step up? All of the identified decision-makers should be fully knowledgeable of the firm’s contingency processes and should have delegated authority to act in times of crisis. 

  3. Define escalation processes and triggers. 

    Make certain that crisis decision-makers receive information they need, when they need it, without being flooded with extraneous detail. Ahead of an actual crisis, decide which key issues must be elevated to business unit leaders, senior management, and the board and other governance bodies, including risk committees. Where possible, adopt explicit escalation triggers, so as to limit the degree to which upward communications are inadvertently delayed — it’s all too easy for employees to wait another 5 or 10 minutes to problem solve, yet those minutes can be critical. 

  4. Anticipate when established thresholds may need to be exceeded. 

    During a crisis, a firm may need to accept greater financial and operational risks than typically expected. Confirm that decision-makers including the likes of second-line risk management, legal and compliance are engaged in those decisions. Review regulations, corporate policies (e.g., risk appetite thresholds) and insurance provisions to identify any “red lines” that should not be crossed. Document controls that may be overridden in crisis, by whom and when, and establish protocols for documenting such decisions. 

  5. Practice making decisions in a simulated crisis.

    While some types of crises are predictable in the generic sense, each one has its own distinct characteristics. Moreover, inevitably, the crisis that hits the hardest is the one a firm doesn’t expect. Building top executives’ experience in making decisions in crisis — crisis muscle memory, if you will — is vital. Firms often conduct tactical simulations or tabletop exercises lower down the organization — say on liquidity or cyber — but it is important that these simulations are also undertaken at the most senior levels of the firm, so leaders know how they should operate in crisis. 

  6. Line up specialist resources. 

    Inevitably, firms need some specialist resources, during and after the crisis — whether it be outside counsel, forensics, cyber or other areas. Advice from privacy, compliance and public-relations executives may also be required. Identifying and contracting with credible sources of such advice ahead of time, cross-referencing those with approved-vendor lists in insurance policies, and making certain that they can be onboarded and situated at speed allows the firm to move quickly into accessing and using this experience and resources. 

  7. Designate someone to consider “what-if” questions.

    In the early stages of a crisis, groups tend to focus on the detail of immediate actions and sometimes arrive at premature conclusions as to the scope and causes of the problem. To avoid groupthink, establish a protocol to give someone the responsibility of stepping away from the immediate demands of the event to evaluate alternate explanations and possible responses. 

  8. Design how to get back to business as normal. 

    As much as it is important to know when to escalate decisions and drive a sense of urgency, it is as important to determine the de-escalation approach, so the firm can transition back to business as usual, in an orderly, controlled and well-documented fashion. (See Prepare for post-event activities, below.)

Chapter 2

Communications

An effective communications strategy includes these eight elements.

Firms should craft a crisis communications strategy that delivers consistent, unified messaging to all internal and external stakeholders: 

  1. Develop current reference materials for communications.

    Some crises can be predicted — maybe not the specific detail, but the general situation — a major system (say, ATM network system) inaccessible, a vendor down, a major weather event. Firms can prepare for the 15-20 most common disruptions they may face, with messages suitable for different constituents, circumstances and media channels. They can draft press release templates and scripts that can be delivered through print and television news at the local and national level, and through key social media channels. They can develop a library of customer communications that covers likely experiences and alternatives, and craft specific messages for high-value customers for each major product or service. Draft crisis communications should also cover counterparties and vendors. 

  2. Make it clear who speaks to media, when and how.

    Too often, firms determine who should speak to the media while in crisis. Yet, public relations 101 dictates that firms should only put trained, practiced spokespeople forward for comment and confirm that they receive periodic media training on press and television (and their delegates receive the same). Spokespeople need to be accurate and up to date in conveying information about known developments, while acknowledging unknown details.

  3. Prepare materials to share with employees.

    Employees are the face of the firm. Any predetermined communications strategy has to prioritize them, and brief them quickly, with a focus on what should be communicated to customers and what should remain confidential. Also, employees will likely need guidance on how to access alternative services when disruptions occur — typically, these alternatives can be identified ahead of time to inform in-crisis advice to customers. 

  4. Maintain coordinated, open communications with regulators.

    Establish a playbook for how and when to communicate with regulators on matters involving risk, compliance, legal issues or subject-specific areas. Know how and when to reach law enforcement, and if necessary, national security resources. 

  5. Know the protocols to share information with peers.

    Several major industry-level initiatives have been established in recent years to enable information sharing across parts of the industry and to assist firms when they experience major outages or cyberattacks. Firms need agreed, well-documented communication and escalation protocols in place ahead of time to be able to leverage these efforts in crisis and need agreed protocols with the groups leading those efforts on how external communications will be managed effectively. 

  6. Get advice on communications.

    Even with the best preparation, firms should line up access to internal (and, if needed, external) media and legal advice on the implications of a crisis. Even though firms may skip the full round of sign-offs for communications during a crisis, they need to clear any public statements with their legal team for advice on potential liabilities and with their investigative team regarding what can be said about ongoing breaches. 

Chapter 3

Operations

Set up processes ahead of time, so that you can focus on response during a crisis.

Numerous key decisions on how to operate during a crisis should be made beforehand with the active participation of the firm’s senior leadership and, where necessary, the board. The tradeoffs involved have a direct impact on customer and counterparty perceptions of the organization, firm liquidity and legal exposures, among others, so they should be considered ahead of time: 

  1. Establish processes for identifying the likely most-affected customers. 

    For each scenario anticipated, firms can prospectively identify the most important customers who will likely be most affected — especially those who use the firm across business lines and products. Ahead of time, firms should plan for how to prioritize communications to the most affected customers and which types of transactions and customers should switch over to manual or partially automated processes, and consider what concessions could be offered, such as advice, fee waivers or extensions. 

  2. Test playbooks and manual processes, and train employees to use them. 

    Firms should use simulations or tabletop exercises around continuity plans to identify and manage choke points and key supporting technologies, and to determine alternatives for each key process that supports customers. For example, if mobile networks and credit card networks are down, banks need a process to rapidly replenish ATMs. Firms should figure out how they would handle a surge in calls and branch visits, with processes for scheduling additional workers to support core functions. They should assess their onboarding requirements to validate they can bring on new resources quickly in times of need. 

  3. Assess potential exposures with suppliers and counterparties. 

    Firms should determine how they would assess the potential impact of a crisis on third parties and should establish contingency arrangements with major business partners, especially critical vendors. Firms have to keep in mind that their response to a crisis (e.g., reduced withdrawal limits) may undermine confidence in their solvency and liquidity, so they need to prioritize communications with key vendors and counterparties to calm their nerves.

  4. Understand and protect your “high-value assets.” 

    The term “high-value assets” (HVA) refers not to financial assets, but rather to the assets of the firm that have enterprise-wide impact on operations, compliance and legal functions, as well as on reputational risk, liquidity risk and disaster recovery. Firms need to document and deeply understand their HVA inventory so that, in crisis, they know where those assets are and how they may be affected. This knowledge can guide business-impact assessments during a crisis and decision-making through to resolution. The inventory should include points of connectivity between key systems and resources for protecting customer data, so that, using this information, firms have identified ways to protect HVA during different scenarios, e.g., choke points for repelling a ransomware attack or approaches for quarantining compromised systems or data. 

  5. Link crisis management and management of financial resources. 

    During a crisis, firms need access to solid financial resources inside the firm or from outside, and those resources have to last through a prolonged crisis. Firms need robust, tested financial contingency plans in place, which are linked directly to firmwide crisis management processes, so that, when crises hit, the crisis and operational teams can work effectively with treasury resources to manage liquidity. 

  6. Determine documentation protocols. 

    As decisions are made during a crisis, it is important they be properly documented, especially when decisions are made to go outside policy or take on more risk than is typically accepted. A robust, well-known process for documenting such decisions should be designed and implemented.

  7. Consider how to maintain employee morale. 

    Most firms survive through crises because of the sacrifices of their employees — long, extended hours in the office dealing with the crisis. During prolonged crises, employees can become exhausted, and morale can be low. Firms should develop plans for how to maintain morale during crises, such as through internal communications, combat pay and other such ways to reward commitment. 

Chapter 4

Post-event activities

Learn from what you experienced, so that the next time you’ll be even better prepared. Here’s how.

It’s not just about preparing for an event. It’s important to plan for after the event — the recovery period — and learn from it to improve for next time: 

  1. Compile a library of post-event processes.

    During a crisis, firms should not focus on performing a root-cause analysis, however tempting. Nevertheless, one will be required eventually, as will the performance of other post-event processes, such as disaster recovery failback, data reconciliation (especially when the firm’s data was corrupted) and operational-loss analyses. So firms should fully document those processes, along with when and how they should be initiated or restored after the event. 

  2. Keep an audit trail.

    A critical input into post-event processes is documenting what happened during the crisis, and what decisions were made and why. In addition to helping organizations learn, such an audit trail helps demonstrate the reasonableness of decisions made considering the circumstances and information available, which can be invaluable given the potential for post-event litigation or regulatory or insurance-related discussions. 

  3. Learn from past disruptions.

    Above all, firms have to learn from past events — theirs and others’ — to continually enhance crisis management. Sound analysis looks at near misses and considers what-if scenarios as to what might have happened if decisions or actions had been different.

Summary

Crises involve complex questions and decisions that are wholly unsuited to being resolved during the heat of a crisis. Accordingly, it is an incredibly valuable use of time for firms’ senior leaders to examine their preparedness for crisis, taking the steps necessary to make sure they are well placed to actually manage effectively through a crisis so their businesses and reputations stay intact. 
