Nicholas Pratt examines the changes to operating models as a result of the pandemic and asks if any of them will be permanent changes to the landscape.
We are living in unprecedented times during the Covid-19 pandemic and spending most of it at home. Even though various governments are issuing guarded calls about returning to the workplace, the majority of those in the funds industry are lucky enough to be able to remain working remotely, at least until they feel safe enough to brave public transport. But how easy will this be to sustain in the long term amid possible cyber-security risks? And if there are permanent changes to the office-based operating model, who will be most affected?
The first thing to note is that most firms have been able to transition to remote working relatively painlessly, even if few would have anticipated a scenario where a quarter of the world would be under lockdown.
“It has been described as a grey swan event in that we knew something like this would happen and we even knew it was happening, but we did not know the severity of its impact,” says Will Packard, managing principal and head of operational resilience at tech consultancy Capco. “Typically most business continuity planning (BCP) imagines that one central site goes down, not all of them. So, I think people will be updating their plans to cater for greater longevity, extent and severity of impact.”
On the plus side, firms have had a number of weeks to prepare – in the UK, five weeks elapsed from the first cases in Wuhan becoming public to the UK going into lockdown.
“At the beginning of March, companies produced various plans that involved split sites between the main office and a back-up site and working from home, but these proved relatively ineffective and once the decision was taken to have the majority working from home, the change was implemented fairly quickly and smoothly and now 90% of people are working from home,” says Packard.
Cyber attacks
One of the challenges in the current operating model is cyber security. Both the attack surface (the sum of all possible risk exposures) and the frequency of attacks has increased in the past two months. Google has reported a 350% increase in the number of phishing attacks, many of them playing on people’s Covid-related fears – for example, suggesting that users have been identified as coming into contact with people that have tested positive for the virus and asking them to click on a link.
Consequently security managers’ efforts have focused on training people to be sensitive to the risk, says Packard. “Don’t click on that link. If you’ve implemented new servers, make sure they are updated and have all the latest patches,” he adds. “There is also the issue of the lag between penetration and detection. Even in the most sophisticated corporate networks, this lag is an issue, but in a home-working context, it could be even more severe.”
There are three main security issue for firms, says George Ralph, managing director of Richard Fleischman & Associates (RFA), a cyber-security firm working with a number of alternative investment managers. The first is moving from a centralised operating model to a dispersed one with separate satellite offices and a move from office-based firewall security to endpoint security.
A second issue is the greater use of collaboration tools such as WeTransfer and Dropbox. Unless the firm’s IT departments have set rules for the use of these tools, it could create a security risk, says Ralph.
Thirdly, there is the possibility of insider threats increasing, he says. “Hopefully government schemes to finance furloughed staff will help ease that risk, but disgruntled employees will be especially hard to detect in a remote working environment.”
This is especially so when some firms may have had to relax their rules around cyber security as a result of the move to remote working and shifting from perimeter security to endpoint security, says Ralph. “An insecure home network is a risk – smart TVs, wireless printers and wireless access points – and non-standard machines. There are still many firms rolling out multi-factor authentication at a time when there has been a rise in attacks, so we have been doing a lot of training with clients.”
Trading teams and individuals are usually well set up for remote working, says Harry Thompson, information systems and security officer at Kurtosys Systems. “The real threat to working at home will be related to the number of other remote workers, back-office functions, availability of bandwidth and the capacity of the central systems to support multiple connections,” he adds.
“The home environment offers a greater array of potential threats, which will take time to understand. For example, working from home raises the possibility of family members using an employee’s computer, or the ability of cyber criminals to hack into someone’s WiFi by standing close to the premises or peering into the window.”
Despite the heightened cyber-security risk, there is nothing to stop firms working as they are for the next six months, says Ralph. “The biggest changes are likely to be a downsizing of office space and possibly a search for cheaper labour. Business continuity plans will be adapted to cater for another pandemic and that will mean a greater focus on endpoint security at home. We will also see a number of new tech firms pop up to fill in any short-term gaps in capabilities – such as helping to use Microsoft Teams or to record calls for MiFID II compliance. But the quicker these firms emerge, the less credible their offerings will be.”
Packard thinks there will be a change in the use of large-scale disaster recovery sites, such as those used in the aftermath of 9/11. “They have not proved particularly effective. A lot of that work can be done from home and not many people want to travel out to Basingstoke for six months.”
Packard also says that now is also the ideal time for people to think about their digitisation plans and putting more things online. This will be music to the ears of many software vendors who have increasingly looked to digitise their product range.
Value chain
For Anders Kirkeby, head of innovation at investment management software provider SimCorp, Covid-19 is a good proxy for the resilience of a firm’s digital value chain. “If there are any problems in that chain, you will have problems working from home,” he says.
Larger, more distributed firms have been working digitally for some time now, while software vendors have increasingly developed tools and services for a digital age, from turning their core systems into cloud-based offerings to developing new online tools.
The pandemic has accelerated the market in the direction in which we were already heading, says Kirkeby. “There are still clients that prefer on-site implementations, where they can see and interact with the consultants, but in the last few years we have got better at putting forward the merits of remote implementations and during the pandemic, we’ve seen even greater interest in remote-service delivery.
“Historically, the reluctance to go for remote services comes because if you are paying good money for consultants, you may like to look over their shoulder,” he says. “Or the operating model may be based on one large office building. The pandemic and social distancing will encourage the small to mid-sized firms to embrace more remote working and remote-service delivery.”
Software firms have been developing service-oriented business models for some time, and promoting the ability to perform more maintenance and offer a wider portfolio of services. But new operating models are only really tested in times of trouble. Kirkeby does not foresee any capacity issues for the core systems, but this exercise will highlight the remaining areas that are not fully digitised yet as well as the bleeding-edge technology that has not been fully tested.
“For example, a lot of firms have created self-service digital portals but many of them are still a bit clunky, so I think we’ll see much more development on making these portals more efficient, more user-friendly and with greater capacity,” says Kirkeby.
There are certainly advantages of working from home for both employers and employees and, post-pandemic, there will be pressure from politicians and activists to encourage all sectors to make a shift in this direction, says Kurtosys Systems’ Thompson.
“They will cite, for example, the reduction in traffic and air pollution in cities as a benefit that could be realised more permanently, and a number of people will take this cue and want to adopt a more flexible working arrangement.”
However, working from home at scale is not easy for larger companies to manage, he says, especially if they are employing workstation tracking apps to ensure staff are staying at their jobs in working hours. “Some operational processes are much better organised and efficient when a team is present together in an office. Combined with most people’s frustration at being away from the social aspect of life at work and the way in which our economy depends on people commuting to and from work, there is likely to be a larger proportion of people returning to the normality of life as soon as they can.”
To make longer-term changes, companies need to change IT strategies and working processes, many of which they will not have prepared for, such as the reliance not just on offices, but on meeting rooms, business travel and centralised IT, says Thompson.
“Nevertheless, once the remote working environment is working smoothly, it will be difficult to justify huge offices for the convenience of risk management and corporate IT. Managing staff and ensuring proper output does not require the physical presence of a good manager,” he says.
As Capco’s Packard remarks: “I certainly wouldn’t be buying shares in any companies offering office space right now.”
© 2020 funds europe
