Hurricane Sandy tested the capabilities of contingency planning along the east coast and prompted the SEC’s National Exam Program (NEP) to review the BCPs of about 40 advisers. The NEP wanted to see how Hurricane Sandy impacted the processing of securities transactions (order taking, order entry, execution, allocation, clearance and settlement) as well as delivery of funds and securities, client relations, financial and regulatory obligations and technology.
They found that insufficiently comprehensive BCPs and those that do not provide for mobile or remote access by employees are often ineffective. BCPs that concentrate technology, facilities and operations in one geographic region were vulnerable to local and regional disruptions. BCPs that do not maintain information about suppliers and vendors including contact information were less effective in dealing with business disruptions. And do-it-yourself systems maintenance is seldom effective.
The NEP also confirmed that BCPs that have been created as a result of collaboration between compliance and all business lines and operations units tend to be more effective and those BCPs that provide employees with the ability to work remotely can be more effective than those that do not. BCPs should include an inventory of critical vendors (ranked according to risk) and questions should be asked of vendors with regards to their contingency plans. BCPs should provide for proactive initiation of backup or alternative sites and facilities and should consider locating backup or additional facilities on a different power grid or in another geographic location. And redundant or mobile connectivity to the internet is an important consideration.
The core message of the Risk Alert and the Joint Publication issued by the SEC, the Commodity Futures Trading Commission (CFTC) and the Financial Industry Regulatory Authority (FINRA) is that BCPs should be the result of careful and comprehensive planning, thorough preparation, strategic redundancy and geographic diversity applied to critical supply chain providers, good internal and external communications and testing.
If you have any questions about this article or want to make certain your business continuity plan is up to the challenge, please call Red Oak Compliance today. We are here to help.