Brexit Day – the day the UK is currently scheduled to exit the European Union (EU) – is really just the beginning of a much longer process for companies that are based in the UK or that work with third parties located there.
Brexit Day is (currently) October 31, but the UK’s departure – with a deal – could take place any time up until that date. Leaving without a deal on October 31 is still a possibility too. Once the UK has left the EU, organisations can expect the pace of change to increase significantly as the UK adjusts to its new status. The coming political, regulatory, and economic uncertainty underscores the need for organisations to be prepared by becoming more operationally resilient, particularly when it comes to managing third-party risk.
Understanding operational resiliency
Operational resiliency is a concept that began to gain traction with the publication of Nassim Nicholas Taleb’s book, Anti-Fragile, in 2013. This book grew out of Taleb’s realization that managing risk – trying to anticipate events – can only do so much. Risks, by their very nature, sometimes materialize. So, it’s important for organisations to be robust enough to withstand a risk event by being operationally resilient.
The concept of operational resilience is beginning to receive much more attention today. For example, the UK’s Financial Conduct Authority (FCA) released a discussion paper last year on operational resilience for financial services firms. Consultancies are also publishing on the topic, including Oliver Wyman’s Striving for Operational Resilience and EY’s paper, Brexit Impact: Operational Resilience. A global survey of business leaders on relative levels of operational resiliency among different countries and geographic regions by FTI Consulting is also an interesting and provocative read.
The concept of operational resiliency takes on a new dimension when applied to third-party risk management. Both the organisation and the third party need to be resilient. And the relationship between the two must be resilient, too. Good communication and transparency within the relationship are of paramount importance for operational resiliency. When applied to Brexit, for example, it’s easy to see how a good relationship with a third party could help make managing unexpected change easier and less risky, both in the short term and as the impact of Brexit unfolds.
Identifying post-Brexit risks
Once Brexit happens, organisations are going to have to be very vigilant about how all subsequent change impacts their third-party relationships. Key areas where organisations should pay particular attention to operational resiliency include:
- Regulatory risk – Even when the UK was a part of the EU, relationships between regulators of different countries could have their ups and downs. Once the UK is out, it’s important for organisations to be aware of both changes to rules and levels of enforcement from UK and EU regulators as priorities begin to vary. They also need to be aware of how UK rules may begin to diverge in some places from EU rules, and where mutual recognition of regulatory regimes applies.
- Data sharing – UK-based organisations that share data with EEA-based organisations will need to take steps to ensure they remain compliant under the terms of the General Data Protection Regulation (GDPR), particularly if the UK leaves the EU without a deal. At the moment, the UK will continue to allow the free flow of data from the UK to EEA countries because the UK has recognised the EEA countries’ regulatory regime as “adequate.” However, the EU has not reciprocated with similar assurances for data flowing the other way. The UK’s Information Commissioner’s Office (ICO) has quite a bit of information about this situation on its website and is a good resource as this situation evolves.
- Contracts – Organisations should make sure that the contracts that they have in place – particularly with critical third parties – will continue to function after the UK leaves the EU. It’s important to review all elements thoroughly, and to flag any that may be impacted by possible later changes after Brexit. A regular review of contracts through this period could be a good idea.
- Business continuity – All business continuity processes that exist with third parties should be assessed to make sure they will still operate smoothly after Brexit. This includes everything from data breach reporting to back-up plans for physical damage to premises.
- Fourth parties – While third parties may be Brexit-ready, it’s essential to understand a third party’s own Brexit preparedness when it comes to fourth parties, fifth parties, and nth parties – particularly for critical processes.
These are just a few areas that Brexit will impact within organisations and their third parties. Brexit is going to be an ongoing source of change and development, which will continue to be felt for decades. Under these circumstances, operational resiliency is very important.
Managing the complexity of the change associated with Brexit and third-party relationships over time will not be easy. Organisations need to measure and manage these risks, and then be able to report on them to stakeholders such as the board and senior management, so that the right strategic and tactical decisions can be taken. Managing the risks that will evolve from Brexit – as well as seizing the opportunities – will require a more sophisticated approach to third-party risk management. Organisations that are operationally resilient will be much better placed to do both.