Each of us tend to either ignore or underestimate the possibility of disasters occurring in our futures. This has been proven time and again by cognitive science research and often referred to as "normalcy bias."
In our experience, RIA firms place a high importance on business continuity planning, yet often (particularly with smaller firms), either postpone or abbreviate the process of creating, testing and maintaining their BCP document.
These tendencies leave them exposed to the risk of disruptions in their ongoing responsibilities to clients.
Advisor Business Continuity Planning (BCP) In a Nutshell
We employ this framework to help RIA firms implement their business continuity planning:
- Business Analysis. Identify the critical business processes that you must perform daily, as well as those that become critical in a typical 10-day period. Think through the possible and likely scenarios that could result in a business disruption (i.e. power outages, weather, systems failures in your office building). Take an inventory of all technologies and external partners that you rely on to run your business.
- Plan Design. Define the scope of your plan. Ensure that the plan covers disaster recovery as well as succession planning (see the “key-man risk section” below). Your BCP must also contain:
- firm policy/plan expectations, contingency scenarios, critical business functions (Day 1 vs. Day 10),
- critical business systems and how to access them,
- contact information for employees, vendors and partners, alternate work location(s),
- back-up and restoration of critical information,
- protection of client information, and
- protocols for testing, updates and revisions.
- Implementation. With the buy-in and support of your leadership, socialize and review the plan with your team and provide training (and cross-training) for key activities, data access and data protection. Ensure that your plan is accessible to everyone from a remote location (e.g. current copy at home, copy on separate secure server or Intranet).
- Testing. Perform a "live" test at least annually by following the BCP as written. Document gaps in the plan and document deviations from the plan. Require full participation (at the same time!) and test all critical functions and systems, including, operations, vendors, and communications.
- Maintenance. Update your plan on a real-time basis for process changes, technology enhancements, regulatory changes, and contact information. Deliver and train your team on changes.
Consider the “Key Person” RiskBased on statements made by SEC Chairman Mary Jo White in December of 2014 regarding the potential for a “transition rule” (SEC statements); it is now critical that RIAs integrate succession into their business continuity planning. The unexpected death, incapacitation or departure of key advisory staff is an additional risk that may affect an RIA’s ability to protect client interests and fulfill their fiduciary responsibility, and it is up to advisors to take reasonable steps now to ensure their clients are relatively protected from this risk.
To protect against this risk, RIA’s should adopt management practices that mitigate their reliance on any one individual, or to allow for process continuity during planned absences like vacations. These include:
- Establishing and documenting defined roles and responsibilities
- Cross-training of operational processes and controls
- Knowledge sharing (so that more than one person is familiar with the firm’s investment process and clients)
Technology will play a central role here. Active (and universal) use of a CRM will ensure that client information is centrally stored and easily accessible. Likewise, an internal website may be used to store the firm’s operations manual, which documents all critical processes and procedures. In the absence of a formal operations manual, RIAs may post a set of documents that detail their investment process, workflows and operational procedures.
In addition to these operational controls, RIAs should consider establishing a legal agreement that govern their firm in the event the death or incapacity of an owner.
Single-Owner RIAs may wish to establish a “continuity agreement.” A continuity agreement is a legal contract that appoints an “alternate” registered investment adviser to assume client responsibilities in the event of the death or incapacity of an RIA. If this were to occur, the “alternate” adviser would be responsible for offering to assume the advisory role (the client has the ability, of course, to decline). The extent of the alternate adviser’s responsibilities can vary. They may be limited to interim oversight (to give clients the opportunity to seek a new RIA) or the alternate RIA may be charged with overseeing a sale of the business or acquire the advisory business themselves.
Multiple-Owner RIAs may wish to establish a “buy-sell agreement.” Buy-sell agreements establish guidelines for an orderly internal sale of the advisory firm to the other owners. Typically these owners are employees of the firm and should be familiar with the firm’s clients and investment process.
Through the Regulator's Eyes
The SEC has identified business continuity and succession planning as a requirement for RIA firms arising from their fiduciary duty. (See SEC Release IA 2204) While they require policies and procedures to address business continuity, they do not mandate specific requirements for the BCP, other than it must address the procedures to meet the fiduciary responsibility to protect client interests from being at risk as a result of an advisor’s inability to operate. Certain states have adopted formal BCP requirements for state-registered RIA firms. Given this, ensure that you take the time to check your state regulatory requirements regarding your BCP.
Regardless of the implicit or explicit requirements, all RIAs should have a formal BCP in place to demonstrate to regulators and clients that they have planned for the undisrupted performance of their fiduciary duty.
CCO Best Practices
- Plan for the 99.5% and not the 0.5%.
- Ensure buy-in from senior management and owners.
- Test your plan at least annually by selecting one day to conduct business from an alternate location(s).
- Update your plan with new/changing contact information for staff and external partners.
- Ensure that the protection of client information is a priorities during business disruptions.
- Leverage your BCP obligations to use as a foundation for a documented operating plan (Operating Manual) for your business.
- Begin to integrate succession planning into business continuity planning preparation.
- Consider establishing legal agreements that govern the firm to mitigate against the “Key Person" risk.