Five Takeaways from the SEC’s 2016 Business Continuity Guidance Update
Last month, the SEC issued a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Eze Castle Integration’s Certified BCP Planners have reviewed the guidance and recently shared their thoughts on how hedge funds and private equity firms can meet the SEC’s growing expectations and standards with regard to business continuity practices.
Read on for five takeaways from the SEC’s business continuity guidance update or scroll down to watch our full, 30-minute webinar replay.
Include All Key Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A BCP is a Living Document
Internal participation is a fundamental driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: A business continuity plan is dynamic, therefore changes and challenges faced need to be transparent within all parts of the company.
Keep the Board Informed
The SEC recommends that fund boards meet at least annually to discuss the BCP. Since the financial industry faces so many changes and evolving threats, we recommend that firm stakeholders meet on a more regular basis to discuss operational incidents, changes and challenges as they happen.
Testing Should Be Done Regularly
The SEC also recommends firms test business continuity plans yearly, however our BCP planners stipulate that for some processes testing should occur on a semi-annual basis. Some plans to consider testing more often include, but are not limited to, employee remote access capabilities, disaster recovery systems and employee communication procedures. All tests, regardless of their testing frequency, should be documented in your records.
Conduct Oversight of Critical Third Parties
Whether you outsource your accounting, legal, compliance, cloud services, administration and/or trading, it is important that your firm is informed on the business resiliency procedures that a third party provider has in place. The SEC advises that hedge funds and private equity firms conduct thorough due diligence on critical third parties to ensure they have plans in place to operate in the face of an emergency. Third party providers should provide you with information on their disaster recovery and business continuity plans as well as all test results and other operational findings. By gathering this information your firm is able to ensure that whether a business disruption directly impacts you or one of your crucial third parties, both entities will still be able to operate business as normal.