Within hours of a severe storm warning, high winds, flooding, and electrical outages wreak havoc, affecting numerous homes and corporate offices in your area. Once the storm has passed, you drive to the office to check for damages and find the roof is severely damaged and leaking. Fortunately, your firm partner backs up your data, you have a list of your vendors, and you have emergency contact details for your staff. But are you really prepared to respond to this kind of disruption? Do you have business resilience strategies you can easily put in place?
In 2021 alone, the U.S. experienced a record-breaking number of natural disasters, according to the National Oceanic and Atmospheric Administration, and the number of cyberactivity events exceeded prior years. To ensure that your office can continue business operations and protect client assets in the event of a disruption—whether it’s a fire, natural disaster, cybersecurity breach, or the unexpected disability or death of a key employee—developing a business resilience plan is critical. Below, we’ll discuss why your firm needs a comprehensive plan, as well as steps you can take to get started.
Why a Plan Is Important
Compliance. Companies must continuously evaluate how they operate, communicate, and safeguard against cyberattacks, climate change, and the pandemic. In addition, regulators are increasing oversight of firms’ preparedness. The Federal Deposit Insurance Corporation and Federal Reserve, along with other governing entities, have outlined sound practices designed to assist in implementing resilience.
Protection. As with insurance protection, you can’t simply set up a plan the day you need one. Taking proper precautions ahead of time is the only way to ensure that your business operations continue when disaster strikes.
Profitability. The ability to find key contact information—including resources, vendors, business relationships, and a road map back to meaningful business activities—can make the difference between getting back to business and going out of business.
Clients. By building and implementing a plan, your firm will be able to meet the financial needs of clients in a timely fashion, no matter the situation.
How to Get Started
Now that you know the rationale behind developing a business resilience plan, you may be wondering how to get started. Consider raising the issue in your next meeting or scheduling time to talk to staffers in more detail. At that time, you can discuss these steps for creating a comprehensive plan:
1) Define and prioritize. Identify the key services and functions that are critical to your practice.
2) Map dependencies. Document the resources required to support business functions, including personnel, technology, data, and external service providers.
3) Assess the risks and define impact tolerances. Review your internal systems, document functions, and required resources to determine where gaps may exist. You’ll want to consider areas where you may lack recovery strategies, do not have manual workarounds, or have single points of failure, such as undocumented procedures or overreliance on key personnel.
Some risk categories to consider include:
Internal/external risk exposure/vendors
Insurance coverage
Building and equipment maintenance
Physical security and cybersecurity
Safety and fire
Office and business supplies
Risks specific to SEC-registered investment advisers
4) Form an incident management team. Members of your recovery team should be given specific responsibilities related to business resilience and recovery. They must be empowered to make decisions and have a strong understanding of the effects of business disruption.
5) Delegate responsibilities. Once your team has been identified and assembled, various facets of the plan can be delegated to make sure your bases are covered. The following list is not comprehensive, but you can use it as a guide to get the process started.
Identification of third-party services critical to office operations
Custody of client assets
Trade execution and processing, pricing, client servicing, and recordkeeping
Financial and regulatory reporting
Prearranged physical location of your offices and employees
Address of remote location in event of business disruption
Maintenance of critical operations and systems
Transaction processing, including management, trading, allocation, and settlement
Delivery of securities and funds to clients
Identification of key personnel who deliver services—address temporary and permanent arrangements
Protection, backup, and recovery of data
Procedures for hard-copy and electronic backup
Inventory of key documents (e.g., contracts and procedures) and their location
List of service providers
Details of your firm’s management structure, risk management processes, and financial and regulatory reporting requirements
Backup plan in event of cyberattacks
Communication with clients, employees, service providers, and regulators
Methods, systems, backup systems, and protocols for communications
How employees will be notified about a significant business disruption
How employees should communicate during a disruption
Creation of redundancies, including who covers the tasks of missing employees
When and how to communicate a business disruption to clients
Expectations for prompt access to client records after a disruption (e.g., name, contact, and account information)
Plan for notifying local regulators of the disruption
Transition plan (e.g., in the event of death, disability, or voluntary exit of owner or key personnel)
Policies and procedures intended to safeguard, transfer, or distribute client assets during transition
Prompt generation of client-specific information needed to transition each client
Information regarding the corporate governance structure of the advisor
Identification of any material financial resources available to the advisor
Assessment of the applicable law and contractual obligations governing the advisor and clients
Organizational chart and other information about the advisor’s ownership and management structure
Identity and contact information of key personnel
6) Test the plan. Testing is critical to the success of any business resilience plan. A trial run, including key individuals responsible for plan execution, will reveal anything you may have overlooked and indicate whether the plan works. As you identify deficiencies, prepare a list and a plan for resolving them. Revisit areas that need improvement and amend the plan as necessary after the trial run.
7) Communicate and implement the plan. Now you’re ready to provide a presentation to stakeholders on the development of the plan, its objectives, and implementation. Any questions that arise will reveal additional content that needs to be included in the plan.
8) Monitor, revise, and improve the plan. Once you’ve worked out the kinks, schedule an annual meeting on business continuity and resilience to ensure that your plan still meets your firm’s needs.
One of the most compelling reasons to have a business resilience plan is to stay compliant with current and impending regulatory policies. But it also just makes sound business sense to build a strong, focused plan that will pay off when you need it. A comprehensive plan can give your firm a distinct advantage: the ability to find key contact information—including resources, vendors, and business relationships—to aid in a quick recovery and help you maintain business continuity, no matter the circumstance.
Editor’s note: This post was originally published in June 2017, but we’ve updated it to bring you more relevant and timely information.
This material is for educational purposes only and is not intended to provide specific advice.