On August 16th, the SEC, CFTC and FINRA issued a statement regarding best practices with respect to business continuity planning. The statement resulted from a joint review of the impact that Hurricane Sandy had on the business continuity and disaster recovery planning programs of several large firms affected by the October 2012 event. Particular attention was given to the areas of trading, customer relations, financial and regulatory obligations, and technology. This posting summarizes the guidance across several key areas of consideration.
Widespread Disruption of Communications and Support Services - In this regard, the statement emphasizes that consideration should be given to multiple, redundant services and the proximity of vendors to the potential disaster area. Also, an emphasis was placed on the need for firms to facilitate remote access by employees.
The Need for Alternative Locations - The statement noted that firms should consider the implications of a disruption event on an entire region, especially when devising plans for back-up data centers and operational sites. Furthermore, in advance of a crisis, a firm should ensure that the alternative locations have adequate workspace resources to accommodate the staff and allow commercial operations to continue. As a practical matter, the statement encourages firms to consider making pre-arrangements for reserving space at hotels, offices or other similar facilities - and to know well in advance of a disruption event how staff will be moved to those locations.
The BCDRP of Key Vendors - The joint statement encourages firms to examine the business continuity plans of their most significant vendors and assign a rating to the quality of those plans.
Communication Plans - The joint statement addresses communication plans with external business partners and staff. The joint statement specifically encourages firms to have a centralized process for accounting for all staff members rather than relying on each business unit to contact staff individually.
Regulatory and Compliance - By way of example, the statement pointed out that as a result of the timing of Hurricane Sandy, some firms had trouble completing their month-end financial processes. Similarly, firms should ensure that their business continuity plans are updated in a timely manner to reflect changes in regulatory and SRO requirements.
Review and Testing - On at least an annual basis, firms should conduct full business continuity planning tests and train employees to familiarize them with critical pre-established roles. Similarly, the joint statement advises firms to conduct regularly scheduled stress testing, in order to understand the potential effect of a disruption event on the firm's liquidity position.
The full text of the joint statement is available here.