Blueprint for an RIA Business Continuity Plan

RICHARD CHEN • August 22, 2023

Business continuity planning has increasingly garnered attention from investment advisers and regulators alike given the increasing number of threats (including cyberattacks) that can significantly impact an advisory business.

Regulators, such as the U.S. Securities and Exchange Commission (SEC), expect an adviser to adopt and maintain a robust business continuity plan because, among other things, they believe that advisers have a fiduciary duty to protect clients’ interests from the risks arising out of an adviser’s inability to provide advisory services after a business disruption. While advisers have taken the need to adopt a business continuity plan to heart, uncertainty remains as to how to conduct an annual review of the business continuity plan.

This article provides a blueprint to guide advisers in conducting such an annual review to better protect their firms.

At the outset, it is important to note that there is no one-size-fits-all approach to drafting a business continuity plan or reviewing such a plan because each investment adviser’s business, circumstances and needs are different, and each firm faces different types of potential business disruptions. Nonetheless, many of the following recommendations will apply, regardless of the individual characteristics of an adviser’s business continuity plan.

Who Should Conduct the Review

The chief compliance officer, chief operations officer or other members of firm management are often integrally involved in reviewing a firm’s business continuity plan. However, other members of senior management, as well as other business heads, should be integrally involved as well because the business continuity plan touches so many areas of a firm’s operations.

Inventory

Before the annual testing of the business continuity plan can take place, it is advisable to take inventory of the firm’s resources that will be instrumental in carrying out the business continuity plan.

This exercise typically begins with a review of the list of team members who will be responsible for carrying out the firm’s business continuity plan to ensure that the appropriate persons are identified and that their contact information and responsibilities have been properly updated. To ensure the welfare of all firm employees and contractors in the event of a business disruption, and to ensure that the firm’s mission critical functions can be carried out during a business disruption, a firm should review the list of all employees and contractors and ensure that all of their contact information is up to date. If alternate employees have been designated to carry out certain critical functions in the event that one or more key employees are not available due to the business disruption, the list of alternate employees should be reviewed to ensure that it is up to date. Any changes in an adviser’s organizational structure may require revisions to such a list.

The adviser should also review its operating agreement or shareholder agreement to understand how the management of the firm would continue to run if one of the owners becomes incapacitated or unavailable as a result of the business disruption.

Various service providers will also be instrumental in helping a firm carry out its mission critical functions during a business disruption. That’s why it is imperative for a firm to review the contact information for any critical third-party service providers (e.g., custodians, broker-dealers, fund administrators, banks, technology service providers (such as cloud service providers), attorneys, accountants and utilities such as electrical, phone and internet service providers) to ensure that their contact information (and the contact information of the firm’s representatives at such service providers) is up to date.

The protection and preservation of critical firm data is also instrumental when an adviser is faced with a business disruption. As such, any review of the firm’s resources must include an inventory of the firm’s critical information (e.g., firm financial information, client information, login credentials, trading records, contracts, employee files, etc.). The firm must identify where such information is located, including any backups of such information to facilitate the firm’s performance of mission critical functions following a business disruption.

Similarly, a firm must take inventory of firm hardware (e.g., workstations, backup servers, network hardware, etc.) and ensure that backups of the critical hardware are available from the principal office and from alternate locations. A firm must also take inventory of software (e.g., portfolio management software, email, word processing, financial planning software) to ensure that backup copies of the software are accessible from the principal office and from backup locations and that the licenses remain in full force and effect. To the extent that an adviser expects to use one or more backup electrical generators in the event of a power outage, the adviser must ensure that any electric generators are properly accounted for and are functioning properly.

The adviser should also conduct a review of any leases or other similar agreements for any backup office locations to ensure that they continue to be in full force and effect. Also, ensure that all insurance coverage (e.g., errors and omissions, general commercial liability, property and casualty, workers’ compensation, key man, and cybersecurity insurance, as applicable) is up to date and provides sufficient coverage for the most likely business disruptions that the adviser will face.

Additionally, advisers should ensure that all employees have received proper training with respect to the business continuity plan. This would ideally be accomplished through certifications that are executed by firm employees attesting to the fact that they have received training from the firm and understand their responsibilities in the event of a business disruption.

Testing and Reviews

Once an inventory of the firm’s resources has been completed, a firm can move on to conducting various tests and reviews to ensure that the business continuity plan can be carried out as smoothly as can be expected.

This often starts with conducting various scenario tests of a firm’s emergency preparedness plan and evacuation procedures designed to mimic the most likely business disruptions, whether they be natural disasters, terrorist attacks, or cyberattacks. Such tests must ensure that employees and critical resources can be moved safely to alternate locations. The firm can also use this opportunity to test its communication plan with employees and service providers. The firm can test to ensure that any information phone line that employees and/or clients can dial into in the event of a business disruption is functioning properly. The firm can also test its ability to contact critical service providers during such drills.

The firm then can conduct separate tests to ensure that its systems can function properly in the event of a business disruption. Among other things, the firm can conduct tests to ensure that any hardware (including any backup servers) is functioning properly. Advisers may want to consider having an independent third party conduct such tests. Advisers should also conduct tests to ensure that all software is functioning properly.

However, an adviser must consider not only its own systems, but also the systems of its service providers, to ensure that mission critical functions can be carried out in the event of a business disruption. As such, an adviser must periodically contact its critical service providers to determine whether any tests have been conducted on their business continuity plans and whether such plans have been updated. An adviser can request an SSAE 16 or similar type of report from the service provider.

Special attention must be paid to an adviser’s ability to function remotely should the firm’s principal office become unavailable due to a business disruption. As such, a review of the business continuity plan should include a visit to each alternate location to ensure that it is secure and remains accessible in the event of a business disruption. The review should determine whether the required hardware and software at each alternate location is in good working order. Tests should also be conducted to ensure that web and phone connectivity, firm systems, data, and service providers remain accessible from each alternate location. Advisers should confirm that backup data (whether electronic or hard copy) at the alternate locations continues to be up to date.

To the extent that firm employees are permitted to work from home, the adviser should confirm that each employee has conducted a test to ensure that they can connect to the firm’s systems and has access to all of the information required for the employee to work remotely. The adviser should also confirm that each employee has a copy of the most recent business continuity plan available to them at home to follow in the event of a business disruption.

Reviews of the Business Continuity Plan Itself

No review would be complete without a review as to whether the business continuity plan itself should be updated. In conducting such a review, the adviser should be sensitive to any new regulatory or other guidance relating to business continuity that requires revisions to be made to the business continuity plan. The review should also contemplate whether any new potential business disruption threats should be addressed.

The business continuity plan should be revised accordingly if new circumstances warrant such revisions. Additionally, the adviser should ensure that the revised business continuity plan is disseminated to all employees, who should ideally sign off on receipt of the revised business continuity plan.