Still reeling from the passage of the “Spanish Ladies” in September, the catastrophic hurricanes Irma and Maria, the Island nations of the Caribbean are, with external assistance, piecing their lives and livelihoods back together. Sadly, there were human losses, and there will be ongoing economic implications for many persons living and working in the region.
Many displaced financial services workers, and evacuees, have been given a place of shelter here in the Cayman Islands, and as a consequence, businesses were able to regroup, rehouse, and recalibrate relatively quickly, once the initial impact was assessed. Customer service was slowed, but not stopped.
As a consequence of the devastation brought on by these category five storms, legal and regulatory minds have since refocussed on force majeure clauses, scope and exclusion terms of insurance policies, disaster preparedness and business continuity plans, all of which to the untrained eye, may seem like separate and unrelated strands. From a regulatory perspective, all of these strands lead into one spool – the risk profile of a business.
Financial services business licensed in the Cayman Islands should be assessing (or reassessing) their own risks and exposures, not least to determine whether their contingency plans are robust. This exercise is separate from the assessment of risks posed by dealing with clients or customers who are located worldwide.
While some leniency is a must in such exceptional circumstances, one fully expects regulators up and down the Caribbean region to express renewed interest in the risk assessment strategies, outsourcing arrangements, business continuity and redundancy plans, and record retention arrangements, of their licencees. Those arrangements now need to be iron clad to withstand what a hurricane can achieve in very little time.
The risks posed by hurricanes are known risks, and their impact on financial services infrastructure laid bare during this season. Geo-political location of front and back offices is also a known risk. Wishing that we are spared the wrath of nature’s fury, or lamenting that your business or sector was a victim of a slower-than-usual governmental or international response, are neither recommended risk mitigation strategies nor sound corporate governance plans.
Regulators are likely to be sympathetic in times of disasters, but one expects that they may be increasingly less likely to accept repeated failures to prepare adequately, as a valid excuse for regulatory non-compliance.
Lest we forget, in the Cayman Islands, the Cayman Islands Monetary Authority is tasked, among other things, with ensuring that licensed financial services business have viable business models, are prudently managed and establish and maintain effective controls for risk mitigation. For licensee, this can no longer be a “tick-the-box” exercise just to get through the initial licencing process or to pass a periodic onsite inspection or offsite supervisory review exercise. Risk assessment should be ongoing and policies responsive.
A risk-based approach to compliance needs to be ingrained both culturally and operationally into our financial services and other organisations, and that tone has to be set by the senior management teams. Clearly, resilience levels suitable only for a tropical storm will no longer suffice in the face of severe meteorological phenomenon.
Assessments should be thorough, kept current and based on the nature and complexity of the financial services and products provided including the relevance of distribution channels. We must at the very least, stop underestimating or disregarding the real risks posed by nature, and do more than check a box. As a region, it is imperative that we consider our interconnectivity and do all we can to reduce the potential implications that damage the confidence and trust in our markets, or our financial stability as offshore financial centers.