In our experience, RIA firms place a high importance on business continuity planning, yet often (particularly with smaller firms), either postpone or abbreviate the process of creating, testing and maintaining their business continuity plans.
These tendencies leave them exposed to the risk of disruptions in their ongoing responsibilities to clients. However, they would all agree that the protection of client information is essential to maintaining the integrity of their business.
Advisor Business Continuity Planning (BCP) In a NutshellWe employ this framework to help RIA firms implement their business continuity planning:
- Business Analysis. Identify the critical business processes that you must perform daily, as well as those that become critical in a typical 10-day period. Think through the possible and likely scenarios that could result in a business disruption (i.e. power outages, weather, systems failures in your office building). Take an inventory of all technologies and external partners that you rely on to run your business.
- Plan Design. Define the scope of your plan. (Will it cover disaster recovery only or should it be expanded to include succession planning to mitigate key-person risk?) Your BCP must also contain: firm policy/plan expectations, contingency scenarios, critical business functions (Day 1 vs. Day 10), critical business systems and how to access them, Contact information for employees, vendors and partners, alternate work location(s), back-up and restoration of critical information, protection of client information, and protocols for testing, updates and revisions.
- Implementation. With the buy-in and support of your leadership, socialize and review the plan with your team and provide training (and cross-training) for key activities, data access and data protection. Ensure that your plan is accessible to everyone from a remote location (e.g. current copy at home, copy on separate secure server or Intranet)
- Testing. Perform a "real" test at least annually by following the BCP as written. Your BCP should be self-implementing; it should contain the process for how to continue your business operations. Document gaps in the plan and document deviations from the plan. Require full participation (at the same time!) and test all critical functions and systems, including operations, vendors, and communications.
- Maintenance. Update your plan on a real-time basis for process changes, technology enhancements, regulatory changes, and contact information. Deliver and train your team on changes.
Through the Regulator's EyesThe SEC has identified business continuity planning as a requirement for RIA firms. (See SEC Release IA 2204) While they require policies and procedures to address business continuity, they do not mandate specific requirements for the BCP, other than it must address the procedures to meet the fiduciary responsibility to protect client interests from being at risk as a result of an advisor’s inability to operate. Some states have adopted formal BCP requirements for state-registered RIA firms. If you are a state-registered RIA firm, be sure to verify your BCP meets applicable state requirements, or check with your compliance consultant.
Regardless of the implicit or explicit requirements, all RIAs should have a formal BCP in place to demonstrate to regulators and clients that they have planned for the undisrupted performance of their fiduciary duty.
CCO Best Practices
- Plan for the 99.5% and not the 0.5%
- Ensure buy-in from senior management and owners
- Test your plan at least annually by selecting one day to conduct business from alternate location(s)
- Update your plan with new and changing contact information for staff and external partners
- Ensure that information security is a priority of your BCP, including the protection of client information during business disruptions
- For state-registered RIAs, validate against the NASAA model rule for business continuity planning
- Leverage your business continuity planning obligations by using them as a foundation for a documented operating plan (Operating Manual) for your business. Your firm's activities can run just as smoothly day-to-day as they do during business disruption!
The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.