“Financial advisors must plan in advance to mitigate the effects of disruptions or, in certain cases, to minimize the likelihood of their occurrence,” says Subhas Fagu, partner with Techlicity Ventures Corp. in Toronto. “[Advisors] must have a sound understanding of the potential impact of any disruptive event and develop welldefined processes and procedures to deal with such events.”
Regulatory bodies such as the Ontario Securities Commission (OSC), the Investment Industry Regulatory Organization of Canada, the Mutual Fund Dealers Association of Canada (MFDA) and the Canadian Securities Administrators require that business continuity be an ongoing priority for investment industry participants. The regulators recognize the substantial risk that major disruptions can pose to the financial services sector and the potential for loss of confidence among investors.
To put the requirement for business continuity management into perspective, an OSC staff notice states that plans must incorporate a “whole-of-business approach that includes policy, standards and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption.” The notice adds: “Effective business continuity management concentrates on the impact as opposed to the source of the disruption.”
Although business continuity planning and disaster recovery planning often are mentioned together and usually are covered in the same plan, the terms have slightly different meanings.
“Business continuity” refers your ability to keep your business up and running during a disaster and to get back to normal with as little disruption as possible after an event.
“Disaster recovery” refers to your ability to restore key data
necessary to run your business should your systems be damaged.
Both components of disaster planning are equally important.
In addition to requiring that you have both business continuity and disaster recovery plans in place, the OSC requires that you test your business continuity plans periodically. You also are responsible for ensuring that your thirdparty providers, such as back-office systems and cloud-storage
services, have adequate disaster recovery capabilities. And you must conduct reviews of the quality of any outsourced services. “[Advisors] must have some degree of contingency planning in place to be able to deliver the same level of service under adverse conditions,” says Des O’Callaghan, an independent business continuity management consultant in Toronto.
To begin with, he says, you must aim to prevent disruptions and, if they occur, “have the processes and capabilities in place to continue to operate or to recover as quickly as possible.”
Larger businesses may have more sophisticated plans, which are more costly to maintain and operate. But plans for smaller businesses, such as financial advisory practices, don’t have to be expensive, O’Callaghan says.
“Regardless of the size of the organization,” O’Callaghan says, “any business continuity measures must be cost-effective.”
The MFDA recognizes that differences in scale of operations should dictate the level of planning required. An MFDA staff notice states that firms must develop business continuity plans that are appropriate for their size and business model.
Still, cost can be a constraint for many advisors, says Montu Chadha, president of Applications On Network Inc., in Richmond Hill, Ont. Smaller businesses generally maintain the minimum requirements for business continuity and disaster recovery. “[These businesses] want to do more,” Chadha says, “but are faced with budgetary constraints.”
Many advisors may not have internal resources to prepare their plans and, consequently, must seek outside help.
“You have to start from somewhere,” Chadha says. “Have a practical budget and speak to someone who has done it before.”
PREPARING YOUR PLAN
Your integrated business continuity and disaster recovery plan must describe clearly the steps you and your team will take to deal with disruptive events. The plan must answer the following questions:
– What are your critical business functions? For example, do you maintain and conduct trades in client accounts? Do you hold personal client information?
– Do you have a list of contacts, including contact information for individuals with specific responsibilities in the event of an emergency?
– Have you identified an alternative site from which you can operate in case you don’t have access to your office?
– What are the other roles and responsibilities of your staff members in an emergency?
– Who is responsible for recovering client data following a disruptive event?
– Who are your third-party service providers, particularly those who handle your data?
– Where and how is your data stored?
– How can you access your stored data should an emergency happen?
– How quickly can you recover the data you maintain in order to continue serving your clients?
– What assurances do you have that you can recover your data readily?
– How frequently do you test your ability to recover your data?
“Planning involves intelligent thinking and doesn’t have to be terribly complicated,” O’Callaghan says. “You must establish priorities and emergency procedures in case of a disruption.”
Your plan is basically a series of “what if” scenarios for various occurrences.
Communicate your plan to your staff and update it regularly to reflect changes in your business operations, including system and service-provider changes.
From an operational standpoint, your plan must be tested periodically at least, annually to ensure that you can handle a disruptive event. Testing must be conducted in collaboration with third-party providers, such as your off-site back office or your data backup and storage site.
Some key considerations to take into account:
IDENTIFY POTENTIAL THREATS
Business disruptions can come in different shapes and sizes, Fagu says. For example, the challenges of continuing to operate your business after a fire would be different from working through a cyberattack.
In the case of fire, you might have to find new premises at least, temporarily and replace computers and other equipment.
After a cyberattack, you must take steps to recover data and deal with systems security and software issues, such as firewalls and virus protection.
That is why you have to conduct an analysis of all potential threats.
“You must have some awareness of what can happen,” O’Callaghan says, “and some kind of emergency plan to deal with the resulting disruption.”
Consider the types of events that are most likely to occur in your operating environment, Chadha says. For example, depending upon your geographical location, you may be unlikely to experience an earthquake or a tornado, but might need to deal with a flood or a sustained power outage.
CONDUCT A BUSINESSIMPACT ANALYSIS
Whatever the source of the potential disruption, you must analyze how it will affect your infrastructure, Chadha says.
Fagu adds that you will need to identify and prioritize business functions that must be recovered in case of an emergency.
One of the most important components of a financial advisory business is its technology infrastructure. The infrastructure maintained by your third-party service providers is equally important.
You must ensure that your computer systems are configured in such a way that you can recover important data and client records quickly and easily.
You must be able to validate the recovery capabilities for your information through regular testing, Fagu adds.
DATA STORAGE, BACKUP AND RECOVERY
Storing and backing up data are important elements of both business continuity and disaster recovery.
“There is a real cost, as well as time and effort, associated with data storage and backup,” Chadha says. So, you should back up only data that are critical to your operations.
To make this distinction, you must categorize data based on relative importance, he says. This step would make recovery of key data in an emergency easier. Access to marketing materials, for example, would not necessarily be as critical for business continuity as applications and client data are.
Generally, data can be backed up locally, off-site, remotely or in the cloud. Each method has advantages and disadvantages. “There is no single solution,” Chadha says.
Smaller businesses, Fagu says, often back up and store data on their own servers, external hard drives or USB drives. Alternatively, third-party servers, which are convenient and relatively inexpensive, could be used.
However, Chadha cautions, data backed up on portable drives are susceptible to corruption and can be lost or exposed to unauthorized access if they’re not encrypted.
“A lot of companies back up data, but often can’t recover [the data] when required,” Chadha says, “because the tools [aren’t there].”
For example, you may not have the software to recover certain accounting records. So, you must ensure that you have the ability to recover your data on demand.
Chadha recommends using an automated system for storage and backup that is available and accessible at all times.
Cloud storage is one solution. “When you use the cloud,” Chadha says, “your data can be accessed at any time from multiple locations, enabling easy recovery.”
However, he cautions, cloud storage can be costly and you must select your provider with care. Also, your data will be in “somebody else’s hands” and may be subject to security threats.
DETERMINE ROLES AND RESPONSIBILITIES
In the event of a disruptive event, you must determine how you and your staff will continue to do your jobs and how you will communicate with clients and service providers.
You also must establish who is responsible for managing the business continuity and disaster recovery plan.
“In the case of smaller advisory businesses,” Fagu says, “the owner would most likely have to take control.”
For larger businesses, staff must be assigned key responsibilities, together with alternates in case the primary staff member is not available. You also must establish a platform and methods for communicating with clients, third parties and staff if your existing infrastructure is not available.
For many advisors, the requirements for business continuity and disaster recovery planning might appear quite onerous. But, from a regulatory standpoint, you have an obligation to have a plan.
“Just think about your own business model,” Fagu says, “and what you would do if disaster strikes.”