Regulatory requirements for registered investment advisers and securities broker-dealers require that each have a business continuity plan (“BCP”) and disaster recovery procedures to address emergencies or other significant business interruptions. The Securities and Exchange Commission, the Financial Industry Regulatory Authority, and the Commodity Futures Trading Commission conducted a study of the effects of Hurricane Sandy on several firms with a “significant market presence.” The report from that study noted common issues for firms to address in assessing their BCPs.
The report is clearly driven by the experiences of major brokerage firms in New York City, but many of the “lessons learned” could apply to almost any firm. Although the study was based on the effects of Hurricane Sandy, we are reminded of the Great Blackout of 2003 so near to its 10th anniversary.
The best practices and “lessons learned” described in the report include the following points for firms to consider.
WIDESPREAD DISRUPTION CONSIDERATIONS
- Consider the possibility of widespread lack of telecommunications, transportation, electricity, office space, fuel, and water in BCPs. Consideration should be given to multiple, redundant services and the proximity of vendors to the potential disaster area.
- Remote access is an important component of BCPs. Firms should consider their employees’ ability to work from home during a crisis and determine what steps can be taken to ensure adequate staffing during a crisis event. Also consider enhancing the capabilities of staff that work from home by identifying technology and communications products and services that could increase efficiency. Since the use of remote access relies heavily on fully functional telephone and internet service, firms should consider alternatives to telework in their BCPs, particularly for key control functions such as compliance, risk management, back office operations, and financial and regulatory reporting.
ALTERNATIVE LOCATIONS CONSIDERATIONS
- When considering alternative locations (i.e., back-up data centers, back-up sites for operations, remote locations, etc.), firms should consider the implications of a regionwide disruption. Firms are encouraged to consider geographic diversity when determining the physical location of alternative sites.
- Consider the accessibility of alternative sites and the ability of staff to travel to the site in the event of a transit shutdown or closure of major roadways. Consideration should be given to staff ability to travel to remote locations, the methods of transportation to move staff to the site, and living and lodging expenses related to relocating staff. Also, familiarizing staff with the transportation alternatives prior to a contingency event may facilitate the process and help ensure that the transportation alternatives are efficiently used. Consider the appropriate number of staff necessary at any alternative site to perform critical activities.
- Consider the generator capacity at the alternative site (i.e., Does it restore partial or full power?) and whether appropriate capacity is allocated to critical users, activities, and systems in advance.
- Consider whether the firm’s alternative location site has adequate resources. Does the site have sufficient staff workspace (e.g., desks, chairs, telephones, etc.), equipment (e.g., computers, printers, network connectivity, etc.), and supplies (e.g., paper, toner, etc.) to accommodate the staff and to carry on operations? In addition, firms should consider keeping their BCPs, contact lists, and other necessary documents, procedures, and manuals at the alternative site, ideally in paper form, in the event that electronic files cannot be accessed.
- Consider making pre-arrangements for reserving space at remote locations such as hotels or other office space and contemplate moving staff to the alternative location in advance of a significant BCP event.
- Consider critical vendor relationships. Firms should consider examining whether vendors that provide critical services such as clearance and settlement, banking and finance, trading support, fuel, telecommunications, electricity, and other utilities also have adequate BCPs. Firms should also take into account that many of these providers could be impacted by the same communication, transportation, and electricity challenges facing the firm.
- Consider categorizing vendors (low-risk, high-risk, etc.) and evaluate the risk in BCP plans.
TELECOMMUNICATIONS SERVICES AND TECHNOLOGY CONSIDERATIONS
- Reliance on a single telecommunications service provider may lead to significant communications disruptions when that service provider is unable to operate. Firms should consider contracting with multiple telecommunications carriers to provide a failover to a different carrier to maintain fax, voice mail, and landline and VoIP services. Firms should also consider evaluating how a telecommunication provider’s contingency plans will affect the firm’s ability to operate. Consider using multiple telecommunication providers, secondary phone lines, cloud technology, temporary phone lines, mobile telecom units, and Wi-Fi for staff without power, as well as back-up mobile phone services with different carriers. Firms are encouraged to provide customers, trading counterparties, and regulators with updated contact information should alternate telephone lines be used.
- Consider multiple alternative staffing scenarios, including remote access, staff relocation, or staffing at alternative sites, and consider enhancing the firm’s telecommunications infrastructure to ensure that staff remains fully functional while working from home during brief and extended periods of time.
Communications with Customers and Other External Third Parties
- Consider a plan for providing customers and trading counterparties with alternative contact information so that business can continue. Firms should consider taking measures to ensure that their website is kept up-to-date with information about the firm’s operational status and general contact information during a disruption event. Introducing firms should consider publishing contact information for clearing firms on their websites to enable customers to execute liquidating orders or wire transfers through their clearing firms should the firm be inoperable. Clearing firms are encouraged to be in a position to authenticate the validity of customer requests.
- Consider whether to establish relationships with multiple broker-dealers to facilitate alternative market entry points.
- Consider implementing a communication plan that allows firms to better communicate and coordinate with regulators, exchanges, emergency officials, and other firms. Such coordination should reduce the likelihood of inconsistent communications. Firms are encouraged to participate in industry groups and task forces that may assist firms in strengthening their communication plans.
Communications with Staff
- Consider establishing a centralized process for accounting for all staff members rather than relying on each business unit to contact staff individually. Firms should also update emergency contact lists frequently (e.g., as staff members are added or removed) so staff can be contacted with firm updates.
- Consider adopting more diverse methods of communication with employees including allowing staff, particularly critical staff, to carry multiple communications devices on multiple carriers (e.g., multiple mobile phones, softphones and T-1 lines).
REGULATORY AND COMPLIANCE CONSIDERATIONS
- Consider time-sensitive regulatory requirements, since a crisis event can occur at any time. For example, some firms put a lower prioritization on month-end financial processes, which increased challenges due to Hurricane Sandy’s proximity to month-end, and caused delays in firms’ production of certain month-end data for regulatory computations and financial reporting.
- Regularly update BCPs to include new regulatory and self-regulatory organization (“SRO”) requirements. Firms run the risk of failing to comply with new regulatory and SRO requirements when their BCPs are not regularly updated. For example, the Chicago Mercantile Exchange and National Futures Association enacted new requirements for the daily reporting of financial data in 2012. This new requirement may not have been included in some firms’ BCP processes and therefore may not have been properly prioritized.
REVIEW AND TESTING
- Firms should consider conducting full BCP tests and participating in industry testing, at least annually, but more frequently if changes are made. Firms should consider full staff BCP tests to evaluate whether all day-to-day functions, including trade processing, can be performed regardless of staff location. In addition, firms are encouraged to keep their BCPs up to date and to amend their BCPs to incorporate testing results.
- Regarding business continuity training, firms should consider conducting annual or more frequent training on their BCPs to familiarize all personnel with the plan and their critical pre-established roles.
- In addition, firms should consider incorporating stress tests into their BCPs. For example, firms could perform a stress test on their liquidity position and review the level of excess customer reserves. Based on this analysis, firms may be better prepared to adjust liquidity or excess reserves (e.g., term repos versus overnight, ability to liquidate money market funds, ability to meet margin calls in a potentially volatile market, adding excess segregation reserves) prior to an event.
The report serves as a useful reminder that each firm should make an honest reassessment of its BCP from time to time. Of course every BCP must be tailored to the realities of the firm, and the recommendations in the report are intended as best practices, not requirements.