In today’s unpredictable world, it is more critical than ever that investment managers and advisers put plans in place to keep their businesses from suffering undue harm. Daily operations can be disrupted by a wide range of events, from large-scale disasters (terrorism, natural disasters and the like) to far more common, user-caused errors. Regardless of the size and scope of the disruption, many financial firms today are ill-prepared to restore operations in a timely manner and with minimal impact to the firm.
In 2016, the Securities and Exchange Commission (SEC) proposed Rule 206(4)-4, which would require registered investment advisers (RIAs) to adopt and implement written business continuity plans (BCPs) and transition (succession) plans. The rule is intended to help advisers maintain continuity of client services in the event of a business disruption.
Operational risks to business continuity
The SEC stresses that, to assess their risk accurately, investment advisers need to consider internal threats as well as external ones. This evaluation is critical to identifying the impact each risk would have on specific capabilities and operations, and how that impact would reach the firm’s employees, clients and third parties.
Scenarios that could disrupt a firm’s business operations include:
- Equipment or application failure
- Disruption of power supply or telecommunication services
- Human error
- Fire
- Natural Disasters (hurricanes, tornadoes, snowstorms)
- Terrorist Attacks
- Cybersecurity incidents (hacking, phishing or fraud)
Advisers should take a proactive and organised approach to building risk mitigation programmes that cover both employee activity and the systems the business depends on (e.g. email and Internet access). Such programmes may include segregation of duties, documented processes and procedures, and regular testing of the controls that are put in place.
Business continuity plan elements
The SEC highlighted four primary areas within the proposed rule regarding business continuity. Plans should include specifics on:
- Maintenance of critical operations and systems, and the protection, backup and recovery of data;
- Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
- Communications with clients, employees, service providers and regulators; and
- Identification and assessment of third-party services critical to the operation of the adviser.
Third party risk management
Disaster preparedness extends beyond the firm itself: if partners and vendors are at risk, so is the firm. Investment management firms should understand not only how their own BCP addresses risk, but also how their third-party service providers are prepared to respond to the same scenarios.
We advise firms to review these four areas with their vendors at least annually:
- Continuity Program Activities: This includes ensuring that the vendor or business partner regularly reviews and updates necessary plans and procedures.
- Disaster Recovery Systems: During vendor discussions and evaluations, confirm that business partners can identify where their data (including the firm’s data) is backed up, how quickly it can be restored, and when the recovery process was last tested.
- Business Continuity Procedures: Firms should discuss comprehensive continuity strategies and procedures with all third-party vendors.
- Communication Practices: Firms should confirm with vendors or business partners that they have both an internal and external communication plan.
Overall, the main purpose of SEC Proposed Rule 206(4)-4 is to ensure that advisers can continue to operate and deliver client services when an unexpected event occurs. No contingency plan will eliminate every risk arising from an unexpected service interruption, but planning ahead can significantly reduce the severity of the damage that follows an incident.