Registered investment advisors, as well as a fair contingent of state-registered investment advisors, are required to prepare and maintain a Business Continuity Plan. Recently, I spoke to my partner and BCP expert, Steve Galletto, regarding this regulatory requirement.
Steve explained that the purpose of the BCP is to help ensure that a firm is prepared to adapt and overcome a significant business disruption that could be caused by, for example, natural disaster, loss of key personnel, or even just a service outage. Firms with an effective plan in place will find themselves in a better position to service clients as they are able to mitigate business disruptions and reduce downtimes. However, for a BCP to be effective it can’t just look good on paper.
To strengthen your plan, avoid these pitfalls:
1. Unrealistic expectations. Your plan should be drafted to help your firm adapt and overcome foreseeable business disruptions, not just the most likely disruption events. Many plans assume that certain key/critical services (e.g., power, cell phones, phone lines, Internet, water) will be available and fully functional. Plans may also assume that staff will be in a position to show up for work, and won’t be otherwise personally affected by the circumstances leading to the business disruption.
But your firm does not operate in a bubble. Your BCP should provide structure for those who are available to assist with resolving the business disruption while also providing the necessary information and resources for those individuals to succeed.
2. Failing to see the big picture. If your plan’s only focus is backing up and protecting your firm’s books and records, you are missing the big picture. Sure, your BCP must address how the firm will survive a digital record catastrophe, but it also should focus on personnel and facilities. Communication with staff is essential. If you can’t communicate with your staff, there is no effective way to execute the plan. Furthermore, all firms rely on essential systems and services to conduct their business. You must identify these systems and services and create a recovery protocol, which will be the roadmap for the resolution of any business disruption.
3. Not available or shared with personnel. If you’ve invested time and effort preparing a BCP that sits on a shelf in your office, it might as well not exist. A plan is only as effective as how well it is communicated. Therefore, staff should be trained and empowered to assist with the resolution process.
4. Little or no testing. If you’ve written out your BCP without testing its critical components, it actually may be worse than not having a plan at all. A simulated event during a training session held onsite may prove to be surprisingly effective in finding weaknesses with a plan. Also, actual business disruptions are invaluable for refining your current plan.
5. Insufficient remote licenses/lost login credentials. As many firms have begun shifting away from paper and relying more on remote electronic data storage and cloud environments, the use of remote login credentials has become ubiquitous. Remote login credentials allow employees to log in to essential applications and systems. However, there may be only a limited number of licenses assigned to your firm. In some cases, more employees will need to have access to the applications/systems than your current license agreement will allow.
6. Stale plans. Everything changes, so your BCP should too. Whether you’ve opened up a new branch, replaced or added a new critical service, or there have been personnel shifts, your plan should be updated promptly to reflect these changes.
It is absolutely essential to review and amend your plan whenever there is a significant change to your business or infrastructure. Also, at least annually, you should conduct a risk assessment and determine if your plan’s responses are adequate.
Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark, a law firm with offices in Princeton, New York and Philadelphia that represents investment advisors, financial planners, BDs, CPA firms, registered reps and investment companies, and is a regular contributor to Investment Advisor. He can be reached at email@example.com.