UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields
2.6 Sectorial Requirements
Regulated organisations may be subject to mandatory requirements relating to crisis incidents, depending on the nature of a crisis. The particular regulatory agency for the sector will monitor and evaluate compliance with requirements and initiate investigations and/or enforcement action where necessary to address potential shortcomings. For example, the FCA oversaw the crisis management response of a major retail bank to a crisis arising from widespread disruption during a planned IT migration. The regulator subsequently initiated enforcement action against the bank for breaches of financial services regulations arising from the mismanagement of the crisis. The Water Services Regulator, Ofwat, has also imposed major fines against water suppliers for breaching regulations governing the safe supply of water.

2.7 Public-Private Co-Operation
Co-operation frameworks may emerge from the Resilience Strategy that the government has indicated it will announce later in 2025. In the regulated sector, there are pre-existing frameworks in place for information sharing. For example, in the financial services sector, there are mandatory registration and reporting requirements applicable to all regulated firms. The PRA uses this information to develop its understanding of risk areas and, in turn, to shape regulatory policy and publish useful information for financial services firms.

2.8 National Crisis Management Plan
See 2.3 Government Role regarding the UK government’s Resilience Framework.

2.9 Inter-Agency Co-Operation
COBR will oversee the co-ordination of efforts during a public crisis, with the support of the Resilience Directorate and in line with the Resilience Framework, which has been developed with input from various public agencies. For example, members of the Cyber Security Information Sharing Partnership, which has now been subsumed into the National Cyber Security Centre (NCSC), share information relating to incidents, threats and vulnerabilities to promote best practice, as well as offering guidance on managing cyber threats. There has been an expansion in the extent to which authorities are sharing information (both domestically and internationally) as part of investigations arising from a crisis, with examples of co-ordination between the ICO, FCA and PRA, between HMRC and the National Crime Agency (NCA), and between the Serious Fraud Office (SFO) and the US Department of Justice.

3. Corporate Crisis Management
3.1 Crisis Management Plans
The structure of companies’ crisis management plans and strategy will depend on the particular organisation and the challenges it faces. There are, nonetheless, accepted common approaches. The widely utilised “three lines of defence” risk governance model, which splits responsibility for operational risk management across three functions, can provide a useful structure for crisis management strategy. Individuals in the first line own and manage risk directly. The second line oversees the first line, setting policies and defining risk tolerances, and ensuring they are met. The third line consists of internal audit, and provides independent assurance of the first two lines. There have also been examples of a “four lines of defence” model, which incorporates the addi-