A Best Practices Guide to Business Continuity Planning
There has been a lot of discussion about “best practices” lately when it comes to business continuity and disaster recovery planning, especially as we approach the first anniversary of Hurricane Sandy. In fact, I had the pleasure of speaking about some specific DR and BCP best practices earlier this week during a webinar, 10 Signs It’s Time to Rethink Your Approach to DR/BCP.
If you do a Google search for “business continuity and disaster recovery best practices,” you’ll get several options to choose from. However, if you are working in the financial industry, the first resource you should consider taking a look at is the best practices guide published by the SEC, FINRA and CFTC in August 2013.
Sandy was a remarkable storm that affected many businesses along the East Coast, including hedge funds and investment firms based in the tri-state area. Post-Sandy, regulatory bodies including the SEC, FINRA and CFTC met with several registered advisors to ensure they were prepared for future disasters. Based on the findings, these organizations developed a four-page best practice guide for investment firms.
As a Certified Business Continuity Planner, I’ve had the pleasure of working with some of Eze Castle’s clients to compare these best practices with their own BCP and DR planning strategies. Below I’ve outlined some of the primary best practices offered by the SEC/FINRA/CFTC and how they can be applied to your firm. I encourage you to take these to heart as you are developing new BCP/DR plans and modifying existing strategies.
1. Communication Plans
- Outline procedures for communicating with external business partners (regulators, exchanges, emergency officials, etc.).
- Ensure your website is kept current and can post a recovery status.
- Consider multiple broker-dealer relationships to allow for multiple market entry points.
2. Remote Access/Telecommunication
- Validate that employees have the ability to work remotely, especially essential personnel.
- Assess the resources being utilized by employees to work remotely to identify areas for improvement to increase efficiency.
- Validate your firm’s infrastructure can accommodate telecommuting of all employees.
3. Review and Testing
- Conduct full BCP tests at least annually.
- Validate critical functions can operate regardless of location.
- Ensure employees complete annual BCP Training.
4. Telecommunications Services and Technology Considerations
- Implement telecommunication redundancy.
- Evaluate contingency plans for telecommunication vendors.
- Review multiple alternative staffing scenarios.
5. Vendor Relationships
- Ensure adequate BCPs for clearance and settlement, banking and finance, trading support, fuel, telecommunications, electricity, etc.
6. Regulatory and Compliance Considerations
- Define time-sensitive regulatory requirements.
- Keep BCP current to meet changing industry demands.
7. Telecommunications/Transportation/Utility
- Plan for widespread outages that could impact:
  - Telecommunications
  - Office
  - Public transportation
  - Utilities
These were just some of the highlights from the best practices guide. You can download the complete guide from the SEC/FINRA/CFTC here.
Every company is organized differently, and therefore, each organization’s BCP and DR plans will vary. These best practices, however, will serve as a guide for firms reevaluating or updating their plans. Be thoughtful in choosing strategies that will ensure your business can stay operational in the event of any type of disaster.