How to protect against operational risks in regulated customer communications

And why strategic partnerships with the right vendors are key

Expectations on the speed, clarity and ease of an organisation’s communications are constantly rising. Customers, and citizens, desire easy and frictionless interactions from their bank, their energy supplier, their insurer, their council – all interactions with all service providers. When one offers a high quality experience, the others are expected to follow.

And so, organisations undergo transformations to keep up – to build the capability and capacity to meet these ever-increasing expectations. But all change comes with risks. Digital transformation projects that overhaul systems and processes, for example, can outpace the ability of human capital to manage their new day-to-day. 

Over the years we’ve worked with many organisations, both private and public sector, that provide high-volume regulated customer communications to mitigate the internal and external risks to their communication operations. This article covers those main risks and how to protect your organisation against them.

1. BAU operational failure

The general risks to day-to-day communications operations can come from a wide range of sources. 

Internal mistakes that are under an organisation’s control, those stemming from people – human error, strikes and staff shortages – can be prevented through policy. Encouraging a culture of hiring in new people as the workforce ages, or continually upskilling existing staff as you upgrade and replace technology and equipment.

Then there are those that can’t be wholly prevented but whose impacts can be minimised by planning well. Force majeure risks such as flooding, fire and power outages can shut down printing machines and digital technology. But a good disaster recovery plan will include multi sites with spare capacity that can be up and running to take over operations.

2. Supply chain disruption

Suppliers are at the mercy of the same internal and external risks as your organisation. So it’s essential that the supply chain is properly assessed during due diligence.

• How well do you understand the health of your supplier?
• If they fail, do you have step-in rights to meet your SLAs using their people and facilities?
• Can you foresee issues within their business? 
• Is there senior level turnover?
• Will they survive a financial shock?

Carefully answering questions like these and truly understanding a company’s structure, strategy and financial health can save you from a lot of pain in the future.

Then there are the external risks that are out of your control, but can be future-proofed with good supply chain management and forward planning. 

What happens when staff who deliver last mile mail go on strike, or a communications provider goes into administration due to cost pressures? The data centre that houses your server experiences an outage or is the victim of a cyber attack? Or the cellular towers of your telecoms partner running your SMS service and contact centre are hit by storms? 

And what happens if Royal Mail restricts their service to a few days per week?

Not only do you need a good business continuity and disaster recovery plan, but so does every link in your supply chain. The first step in ensuring its resilience is checking that your vendors have the right certifications and show an active willingness to stay ahead of compliance changes.

Then, we recommend taking steps to build up “defences” to prepare for unforeseen events. Including: 

1. Build a capacity buffer – Can you or your vendor set aside surplus capacity in terms of human capital and production?
2. Ensure speed of operational execution – How quickly can you make the switch?
3. Spread visibility across the supply chain – How connected are your stakeholders so you can quickly identify critical supply chain issues and exceptions?

For regulated customer communications, where timing of delivery can dramatically impact the lives of recipients, supply chain resilience is critical.

3. Cyber attacks

The threat of cyber attacks is not going away any time soon. In fact, suffering a breach is not a case of if, but when. 

According to the government, 50% of UK businesses (and 74% of large businesses) experienced an attack or security breach in 2023. This is a huge jump from the 32% recorded in the previous year. Looked at another way, this reflects an increase from 2.39 million attacks in 2022 to 7.78 million attacks in 2023.

And it is getting more and more expensive to combat. While there is a financial impact there is also brand reputation if not managed correctly. Both the activity and sophistication of the attacks coupled with the move to hybrid working demands more investment in cyber security. Costs can come from:

• Paying external IT consultants to understand the full extent of the attack
• Not being able to do business, which could be days or in some cases weeks or months.
• Cost of new or upgraded software and systems
• Cost of replacing devices or equipment
• Recruitment costs to hire someone new
• Legal fees, insurance excesses, fines, compensation and PR costs related to the incident
• Cost of any time when staff could not do their jobs
• The value of lost files or intellectual property

It’s not enough to simply stick to compliance guidelines; you must take a proactive stance to data security to stay ahead of cyber criminals.

This means building a data security plan that helps identify and prioritise threats based on their likelihood and impact, allocating resources to address the most critical risks. And as remote work becomes more prevalent, we suggest adopting security measures that address the unique challenges of hybrid working environments. If remote employees are using hybrid mail to send physical post, ensure that the latest security protocols such as TLS 1.2 are in place.

Look at weaknesses in your supply chain too. Ask yourself, does your customer communications supplier adhere to standards like Cyber Essentials Plus and ISO 27001 (Information Security Management)? Can you see evidence of regular patching? Do they have a dedicated cyber security team and a cyber security roadmap?

61% of all cyber attacks in 2023 were phishing attacks via employee email or fraudulent website links. Ensure employees are well-versed in data security best practices by investing in training so they can understand how their actions can contribute to or mitigate risks. And finally, we recommend regularly updating security policies, procedures and technologies in line with evolving threats and industry advancements. 

Employing a multi channel communications operation diversifies the risk of operational failure when one channel might be temporarily unavailable due to cyber attacks.

4. Transformation risks

Change brings risk. But so does standing still.

Upgrades to operations can cause problems if your people are not trained to manage new ways of working – the risk of human error is still there. But a reluctance to make those changes, and to keep up with customer expectations can also mean losing out to your competitors. 

Brand reputation can also be in danger if communications do not keep up with customer sensitivities around language – it is easier than ever to call out perceived offences and broadcast in the media or social media.

So, there is a push and pull of changing too quickly versus not enough. Striking a balance means taking a small steps approach to change. Being tactical with transformations can deliver results in weeks, not months or years, improve operational efficiencies; and while they can be conducted alongside a major systems overhaul, these smaller projects see an impact far sooner.

At the same time, staying ahead of compliance pressures can help mitigate the operational risks of transformations. Your customer communications vendor should constantly update standards along with changes in technology, methodology and processes, and keep their finger on the pulse for new ways of working.

To see the various ISOs and BSs relevant to customer communications providers, take a look at our compliance and certifications page.

Speaking of vendors, any successful transformation requires auditing existing suppliers, but often the desire to change is trumped by the fear of change. Even if you know you’re not getting the service your business needs, the complexity and hassle can be overwhelming, and it can be tempting to stick with the same old if you can get a better price to renew. But if you’re still doing what you’ve always done, you can expect to get the same. The reality is, changing provider doesn't have to be so painful if they have a considered, accelerated onboarding process.

The first step is understanding that there are other suppliers out there, in whose interest it is to make change easy and painless.

Hear from the experts, live!

To hear from industry leaders and practitioners about how they are addressing the types of risks above, join us at our conference in Manchester on 15 October: Beyond Compliance: Elevating Customer Communications in Regulated Sectors.

Operational resilience strategies in customer communications

Instilling an operational resilience culture and mindset across an organisation is key to ensuring business continuity and disaster recovery plans are in place, and that there are minimal adverse effects from both expected and unexpected, internal and external incidents. 

In the 2024 Building Societies Annual Conference session on “Navigating operational resilience: are you operationally resilient enough?” the speakers were at pains to point out that operational resilience has to be more than a ‘tickbox exercise’. It needs to be ingrained within whole cultures, one that takes ownership of the associated risks and threats. 

In our experience, a good operational resilience plan includes the following strategies:

1. Redundancy and backup systems: Implementing alternative communication channels and backup systems to ensure continuous customer communication in the event of system failures or disruptions.
2. Cross-training and skill diversification: Cross-training customer service representatives and diversifying their skills to handle different communication channels and customer inquiries, ensuring flexibility and adaptability in customer communications operations.
3. Crisis communication planning: Effectively communicating with customers during emergencies or unexpected disruptions maintains transparency and trust.
4. Regular stress testing and simulation exercises: Identify vulnerabilities and improve the resilience of customer communication operations.
5. Vendor and supplier management: Strong relationships will ensure the continuity of critical communication tools and services.
6. Cybersecurity measures: Protect customer data and communication channels from cyber threats, continually training staff and upgrading defences, ensures the security and reliability of customer communications.
7. Monitoring and incident response: Quickly identify and address any issues or disruptions in customer communications.
8. Continuous improvement and adaptation: Incorporate new technologies, best practices and lessons learned from previous disruptions.

How to know how much to mitigate

Protecting your organisation against operational risk means spending money. Training staff, hiring cyber security professionals, upgrading equipment and opting for the most expensive suppliers can be unrealistic for many organisations as other costs continue to rise. So it’s important to conduct a cost-benefit analysis for each mitigation strategy. 

Fortunately, you can reduce spend without increasing risk by looking externally for multichannel communications vendors with secure physical facilities and digital processes. Dedicated customer communications specialists can remove the need for real estate and equipment, and relieve pressure on the back-office by implementing both inbound and outbound services – such as hybrid mail, traditional print and mail and digital mailroom.

For a more concrete example of costs, try our savings hub calculator for inbound and outbound communications.