Technology Is Important, but So is Good Process like Table Top Exercises to Mitigate Risk
Information Technology deals with infrastructure and application development technologies and solutions to help companies that operate in the capital markets. But what about good process to mitigate risk across the capital markets? This too, can fall within Information Technology or Enterprise Risk organizations depending on the structure of a company.
At my firm, The Carlyle Group, we recently completed a table top exercise. Whenever I sit through one of these exercises I stress the importance of firms investing dollars and time to ensure the integrity of our investors’ assets.
During a table top it is crucial that everyone remembers this is an exercise. It does not have a grade, nor is it pass/ fail. It is an exercise for firms to test system recovery plans, incident response plans, business continuity plans, crisis response, etc. Table tops are exercises to help us get better. They help us anticipate problems and how to handle them as well as devise the best ways to communicate with key audiences during a crisis.
What are the real scenarios that should be of concern for those that deal in the capital markets? Weather, health and cyber are a few that should be considered. Think about the natural disaster, Hurricane Sandy in 2012, and how it impacted capital markets. Yes, Hurricane Sandy did halt trading on major exchanges, but what we also saw were firms that could not report their earnings because employees couldn’t get to work or systems and facilities failed. Many of these firms had tested their crisis management plans, but the scope of this natural disaster caused CIOs to step back and rethink their recovery procedures, and made the business side think about their process and core systems needed to keep business running.
Table tops are exercises that help us anticipate problems and how to handle them as well as devise the best ways to communicate with key audiences during a crisis
Floods, storms, bushfires, hurricanes, cyclones, tsunamis, and earthquakes can all have incredible impacts on the global economy. Creating scenarios and having the key players of a firm walk through and discuss these scenarios is critical to anticipating and mitigating risk in a crisis situation. How can anyone forget September 11th? It impacted the world personally, and caused the capital markets to effectively shut down for four days. Firms that had not done table top exercises prior to September 11th were definitely thinking about it after. Firms started thinking about how to disperse their data centers globally and how to leverage their processes and resources globally. It was a crisis that made firms that deal in the capital markets take a step back and think about their ongoing plans to keep business moving in a time of crisis.
Other real life scenarios for the capital markets could be loss of key employees, like the CEO, CFO, COO, or CIO. Or the loss of key data, and loss of infrastructure like the data centers being destroyed, or key networking switches or storage damaged. All of these realistic scenarios could happen to firms and jeopardize client investments if not handled appropriately. The loss of a decision maker at the executive level could disrupt a firm for some time if they do not have a sound succession plan. The loss of core data could drive incredible reputational risk for a firm dealing within the capital markets, especially since most businesses built upon the capital markets are about relationships; and once a relationship is destroyed an entire business can be destroyed.
Some key items to think about when planning table top exercises are:
Keep the scenario as realistic as possible. For those creating the scenario think about prior incidents and how they impacted your firm or capital markets in general, and recreate your scenario based on one of those. Leverage resources in the financial industry or government to assist you with your scenario planning.
Make sure the key executives from the firm are involved in the scenario to drive decision making from the top. Make sure scenarios are explained well and all understand how the table top will be run prior to starting.
Make sure all findings are fully documented so continuous improvement can occur based on the data. Business Continuity Plans are never done; they will continue to be updated based on data points from the table top exercises and real life incidents that occur across the business.
A strong commitment of time and money in table top exercises can mitigate future risk and help maintain the integrity of our capital markets.