
August 12, 2014

The AdvisorAssist CCO Series: Business Continuity Planning (BCP)

Each of us tends to either ignore or underestimate the possibility of disasters occurring in our future. Cognitive science research has demonstrated this time and again; the effect is often referred to as "normalcy bias."

In our experience, RIA firms place a high importance on business continuity planning, yet often (particularly smaller firms) either postpone or abbreviate the process of creating, testing and maintaining their business continuity plans.

These tendencies leave them exposed to the risk of disruptions in their ongoing responsibilities to clients. Yet they would all agree that the protection of client information is essential to maintaining the integrity of their business.

Advisor Business Continuity Planning (BCP) In a Nutshell

We employ this framework to help RIA firms implement their business continuity planning:
  1. Business Analysis. Identify the critical business processes that you must perform daily, as well as those that become critical in a typical 10-day period. Think through the possible and likely scenarios that could result in a business disruption (e.g. power outages, weather, systems failures in your office building). Take an inventory of all technologies and external partners that you rely on to run your business.
  2. Plan Design. Define the scope of your plan. (Will it cover disaster recovery only, or should it be expanded to include succession planning to mitigate key-person risk?) Your BCP must also contain: firm policy/plan expectations, contingency scenarios, critical business functions (Day 1 vs. Day 10), critical business systems and how to access them, contact information for employees, vendors and partners, alternate work location(s), back-up and restoration of critical information, protection of client information, and protocols for testing, updates and revisions.
  3. Implementation. With the buy-in and support of your leadership, socialize and review the plan with your team and provide training (and cross-training) for key activities, data access and data protection. Ensure that your plan is accessible to everyone from a remote location (e.g. a current copy at home, a copy on a separate secure server or intranet).
  4. Testing. Perform a "real" test at least annually by following the BCP as written. Your BCP should be self-implementing; it should contain the process for how to continue your business operations. Document gaps in the plan and document deviations from the plan. Require full participation (at the same time!) and test all critical functions and systems, including operations, vendors, and communications.
  5. Maintenance. Update your plan on a real-time basis for process changes, technology enhancements, regulatory changes, and contact information. Deliver and train your team on changes.

Through the Regulator's Eyes

The SEC has identified business continuity planning as a requirement for RIA firms. (See SEC Release IA 2204.) While the SEC requires policies and procedures to address business continuity, it does not mandate specific requirements for the BCP, other than that it must address the procedures to meet the fiduciary responsibility to protect client interests from being put at risk as a result of an advisor's inability to operate. Some states have adopted formal BCP requirements for state-registered RIA firms. If you are a state-registered RIA firm, be sure to verify that your BCP meets applicable state requirements, or check with your compliance consultant.

Regardless of the implicit or explicit requirements, all RIAs should have a formal BCP in place to demonstrate to regulators and clients that they have planned for the undisrupted performance of their fiduciary duty.

CCO Best Practices

  • Plan for the 99.5% and not the 0.5%
  • Ensure buy-in from senior management and owners
  • Test your plan at least annually by selecting one day to conduct business from alternate location(s)
  • Update your plan with new and changing contact information for staff and external partners
  • Ensure that information security is a priority of your BCP, including the protection of client information during business disruptions
  • For state-registered RIAs, validate against the NASAA model rule for business continuity planning
  • Leverage your business continuity planning obligations by using them as a foundation for a documented operating plan (Operating Manual) for your business. Your firm's activities can run just as smoothly day-to-day as they do during business disruption!


The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.
Brian Lauzon

October 29, 2012

Hurricane Sandy - AdvisorAssist BCP Plan

Clients, Partners and Friends:

As many of you along the eastern side of the country are preparing to protect your families and your livelihood, the AdvisorAssist team has you in our thoughts.

AdvisorAssist is prepared to support you during this tough period. AdvisorAssist operates on a fully redundant and secure cloud environment, with offices in multiple states.

If you have any business continuity matters and need support, please contact us at:

Advisor Support Line: 617-800-0388, Option 2
Email: Support@AdvisorAssist.com

If possible, please reflect on your business continuity plan as you endure this process. We welcome follow-up meetings to discuss and enhance your BCP plan.

Thank you.

The AdvisorAssist Team

April 3, 2012

Cloud Computing for RIAs

As business owners and entrepreneurs, you are routinely faced with activities that distract you from your core competencies of managing clients and their portfolios. Many of these activities (managing people, business planning) simply come with running your own business and cannot (or should not) be avoided. Others, however, can be mitigated with thoughtful vendor selection and outsourcing.

Technology clearly falls into this latter category. As you know, AdvisorAssist has always advocated “cloud computing” solutions for RIA clients. (There are a small number of advisors that do have a genuine need for dedicated servers and IT infrastructure but they fall within a small minority.)

“Cloud computing” is simply the use of remote servers located on the Internet to store, manage, and process your data. Connecting to these Internet-based servers eliminates the need for you to purchase, install, maintain, and backup your own servers.

Our rationale is really based on the notion of strategic focus. Your business is wealth management and investment advisory services. Installing and maintaining dedicated servers nudges you into the IT business as well. With the proliferation of service providers that offer inexpensive access to server technology, it becomes more and more logical to outsource your IT infrastructure to those in the IT infrastructure business.

Of course, as compliance consultants we appreciate the importance of privacy and data security for registered investment advisors. The adoption of cloud-based technology does bring with it some additional responsibilities around vendor due diligence and oversight. However, we believe that the time and resources you will save far outweighs these efforts.

We have posted a presentation with some information on cloud computing, specifically dealing with the importance of data security and vendor selection/due diligence for RIAs.

If you haven’t already, we encourage you to consider moving towards a cloud-based infrastructure. If you have any questions on how to implement, please feel free to contact us.

March 13, 2012

Using Google Sites for Compliance

Google Sites can be a great way to deliver and manage secure content for your advisory firm.

It is tough to beat the features you get for the cost (Google Apps for Business is $50 per user per year).


Data Security and Audit Trails
Google has amazing security and redundancy through its SAS70 Type II data centers. Some of the features that attracted us to their tools include:

1. SSL Encrypted, Secure Site with 10.5GB or more of space
2. Full audit trail of all site actions, including postings, document additions/changes
3. Never lose a document - Google will allow you to repost the most current version of a document, but they do not delete the old version.
4. Create a timestamped activities list - You can track client discussions, projects, compliance tasks and more.


Manage your Compliance Policies and Procedures
Hardcopies of policies and procedures often have limited utility these days. They are harder to search when you need to find something, and they become an administrative nightmare when distributing updates. You get the point.

Consider moving your core policies and procedures to the cloud:


1. Maintain your required business continuity plan ("BCP Plan"). This enables you to maintain a current BCP Plan in one central location that is accessible to all employees. You can easily link to other resources, such as vendor websites, your core systems, etc. Integrate Google Maps and Directions...

2. Maintain written supervisory procedures. Whether you upload a Word document or create an indexed manual online, Google's powerful search will allow you to isolate the key information you need immediately. Have a question on personal securities trading? A typical search would pull up your policy in the manual, your code of ethics and any certifications you might post.

3. Store your core documents. Don't lose the core templates for your business, including client agreements, investment policy statements, and other documents.


4. Create centralized lists of compliance activities:

  • Gifts and entertainment log
  • Restricted securities lists
  • Conflicts of interest matrix
  • Checks received logs
  • Trade error log
  • Compliance program change log
  • Books and records matrix
  • Client complaints log

5. Share and collaborate internally and with partners. You can provide temporary access or even dedicated portals for your business partners.

For more information on how your RIA firm can benefit from a secure intranet, contact Chris Winn at 617-532-0925 or email at cwinn@advisorassist.com.

AdvisorAssist can implement an RIA Compliance Intranet for your firm.