Why Your Firm Needs a Business Resilience Plan

Susan Armstrong

12.08.21 in Cybersecurity & Enterprise Risk

Keywords: risk management, continuity, information security, disaster recovery, infrastructure

Within hours of a severe storm warning, high winds, flooding, and electrical outages wreak havoc, affecting numerous homes and corporate offices in your area. Once the storm has passed, you drive to the office to check for damages and find the roof is severely damaged and leaking. Fortunately, your firm partner backs up your data, you have a list of your vendors, and you have emergency contact details for your staff. But are you really prepared to respond to this kind of disruption? Do you have business resilience strategies you can easily put in place?

In 2021 alone, the U.S. experienced a record-breaking number of natural disasters, according to the National Oceanic and Atmospheric Administration, and the number of cyberactivity events exceeded prior years. To ensure that your office can continue business operations and protect client assets in the event of a disruption—whether it’s a fire, natural disaster, cybersecurity breach, or the unexpected disability or death of a key employee—developing a business resilience plan is critical. Below, we’ll discuss why your firm needs a comprehensive plan, as well as steps you can take to get started.

Why a Plan Is Important

Compliance. Companies must continuously evaluate how they operate, communicate, and safeguard against cyberattacks, climate change, and the pandemic. In addition, regulators are increasing oversight of firms’ preparedness. The Federal Deposit Insurance Corporation and Federal Reserve, along with other governing entities, have outlined sound practices designed to assist in implementing resilience.

Protection. As with insurance protection, you can’t simply set up a plan the day you need one. Taking proper precautions ahead of time is the only way to ensure that your business operations continue when disaster strikes.

Profitability. The ability to find key contact information—including resources, vendors, business relationships, and a road map back to meaningful business activities—can make the difference between getting back to business and going out of business.

Clients. By building and implementing a plan, your firm will be able to meet the financial needs of clients in a timely fashion, no matter the situation.

How to Get Started

Now that you know the rationale behind developing a business resilience plan, you may be wondering how to get started. Consider raising the issue in your next meeting or scheduling time to talk to staffers in more detail. At that time, you can discuss these steps for creating a comprehensive plan:

1) Define and prioritize. Identify the key services and functions that are critical to your practice.

2) Map dependencies. Document the resources required to support business functions, including personnel, technology, data, and external service providers.

3) Assess the risks and define impact tolerances. Review your internal systems, document functions, and required resources to determine where gaps may exist. You’ll want to consider areas where you may lack recovery strategies, do not have manual workarounds, or have single points of failure, such as undocumented procedures or overreliance on key personnel.

Some risk categories to consider include:

  • Operations

  • Internal/external risk exposure/vendors

  • Insurance coverage

  • Building and equipment maintenance

  • Physical security and cybersecurity

  • Safety and fire

  • Storage

  • Business records

  • Office and business supplies

  • Risks specific to SEC-registered investment advisers

4) Form an incident management team. Members of your recovery team should be given specific responsibilities related to business resilience and recovery. They must be empowered to make decisions and have a strong understanding of the effects of business disruption.

5) Delegate responsibilities. Once your team has been identified and assembled, various facets of the plan can be delegated to make sure your bases are covered. The following list is not comprehensive, but you can use it as a guide to get the process started.

  • Identification of third-party services critical to office operations

    • Portfolio management

    • Custody of client assets

    • Trade execution and processing, pricing, client servicing, and recordkeeping

    • Financial and regulatory reporting

  • Prearranged physical location of your offices and employees

    • Address of remote location in event of business disruption

  • Maintenance of critical operations and systems

    • Transaction processing, including management, trading, allocation, and settlement

    • Delivery of securities and funds to clients

    • Identification of key personnel who deliver services—address temporary and permanent arrangements

  • Protection, backup, and recovery of data

    • Procedures for hard-copy and electronic backup

    • Inventory of key documents (e.g., contracts and procedures) and their location

    • List of service providers

    • Details of your firm’s management structure, risk management processes, and financial and regulatory reporting requirements

    • Backup plan in event of cyberattacks

  • Communication with clients, employees, service providers, and regulators

    • Methods, systems, backup systems, and protocols for communications

    • How employees will be notified about a significant business disruption

    • How employees should communicate during a disruption

    • Creation of redundancies, including who covers the tasks of missing employees

    • When and how to communicate a business disruption to clients

    • Expectations for prompt access to client records after a disruption (e.g., name, contact, and account information)

    • Plan for notifying local regulators of the disruption

  • Transition plan (e.g., in the event of death, disability, or voluntary exit of owner or key personnel)

    • Policies and procedures intended to safeguard, transfer, or distribute client assets during transition

    • Prompt generation of client-specific information needed to transition each client

    • Information regarding the corporate governance structure of the advisor

    • Identification of any material financial resources available to the advisor

    • Assessment of the applicable law and contractual obligations governing the advisor and clients

    • Organizational chart and other information about the advisor’s ownership and management structure

    • Identity and contact information of key personnel

6) Test the plan. Testing is critical to the success of any business resilience plan. A trial run, including key individuals responsible for plan execution, will reveal anything you may have overlooked and indicate whether the plan works. As you identify deficiencies, prepare a list and a plan for resolving them. Revisit areas that need improvement and amend the plan as necessary after the trial run.

7) Communicate and implement the plan. Now you’re ready to provide a presentation to stakeholders on the development of the plan, its objectives, and implementation. Any questions that arise will reveal additional content that needs to be included in the plan.

8) Monitor, revise, and improve the plan. Once you’ve worked out the kinks, schedule an annual meeting on business continuity and resilience to ensure that your plan still meets your firm’s needs.

The Advantages

One of the most compelling reasons to have a business resilience plan is to stay compliant with current and impending regulatory policies. But it also just makes sound business sense to build a strong, focused plan that will pay off when you need it. A comprehensive plan can give your firm a distinct advantage: the ability to find key contact information—including resources, vendors, and business relationships—to aid in a quick recovery and help you maintain business continuity, no matter the circumstance.

Editor’s note: This post was originally published in June 2017, but we’ve updated it to bring you more relevant and timely information.

This material is for educational purposes only and is not intended to provide specific advice.
