Authored by: Lilian Lai
Remote working: operational resilience and risk management
On 4 October 2021, the SFC issued a circular setting out the expected standards and required implementation measures for intermediaries to ensure ongoing operational resilience and risk management within the industry having regard to current market conditions as well as remote working. A report has also been published to supplement case examples drawn from the SFC’s review of some licensed corporations’ measures in coping with COVID-19 related disruptions.
Whilst alternative measures can be adopted to achieve the objectives, intermediaries are encouraged to adopt the techniques and procedures highlighted by the SFC where applicable. Below are some tips for intermediaries to consider.
Oversight and ongoing supervision
- Put in place senior management oversight to identify possible disruptive scenarios, ascertain the intermediary’s risk tolerance and develop effective systems and controls to maintain business activities.
- Enhance frequency of reviews and monitoring measures, e.g. trade surveillance tools to make up for the reduced in-person supervision and face-to-face interaction.
Sufficient and adequate resources
- Provide suitable equipment and IT infrastructure with good capacity and connectivity to prevent delays or disruptions, in particular for time-sensitive business activities, e.g. market making of listed products.
- Digitalise workflow and records if possible, but if certain functions are not fit to be performed remotely, e.g. processing cheques for trade settlement services, ensure appropriate minimum staff are present in the office to carry out functions.
Outsourcing and third-party arrangements
- When engaging vendors, assess their business continuity plans, financial status, cybersecurity policies and their sub-contractors to mitigate any risk of service failure due to disruptive events.
- Appoint or identify back-up service providers to mitigate vendor concentration risk.
Information security and cybersecurity
- Implement measures to prevent unauthorised access to systems and data, e.g. requiring multi-factor authentication or performing regular antivirus checks for every remote log-in.
- Ensure confidential information has been handled properly, e.g. sample checking virtual conferences made through its devices or blocking transmission of documents classified as secret.
- Set up multiple back-up systems to mitigate the risk of data inaccessibility or loss due to system failure or cyberattacks.
Record keeping and audit trail
- For off-premises trading, deploy suitable recording systems to ensure orders received or placed by remote-working staff are recorded.
- Only allow temporary keeping of requisite records at premises other than those approved by the SFC when effective controls have been put in place for such records to be delivered back to the approved premises as soon as practicable.
- If significant changes occur in the business plans covering internal controls, organisational structures, contingency plans and related matters, notify the SFC and where applicable, the HKMA of such changes, even if the remote working arrangement is only deployed for a short period of time.
- Promote staff’s awareness of their obligations through training and attestation of understanding of and compliance with related internal controls on a regular basis, or when the relevant polices/procedures have been reviewed and updated.
Business contingency plans (BCP)
- Review BCPs at least annually and test regularly. Implement incident management process to cover the escalation procedures, follow-up actions, analysis of root cause and remedial actions to mitigate the impact of similar disruptive events in the future.