Compliance Solutions for Investment Advisers

FAQs — Business Continuity Planning

 

Are SEC-registered investment advisers required to implement a business continuity plan?

Yes. In the adopting release to Rule 206(4)-7 under the Advisers Act (commonly known as the Compliance Rule) the SEC listed certain issues that should be addressed by an adviser’s policies and procedures. Business continuity planning was one of them.

Is business continuity planning and business succession planning the same thing?

Not the same, but related. For smaller advisory firms (especially one-person firms), the death of the owner or key personnel may cause the advisory firm to cease operations. Business succession planning can protect clients’ interests from being placed at risk as a result of the advisory firm’s inability to provide advisory services after the death of the owner or key personnel.

What are the primary objectives of business continuity planning?

The SEC has identified the following business continuity objectives:

  • Rapid recovery and timely resumption of critical operations following a wide-scale disruption;
  • Rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and
  • Establishing a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.

Has the SEC set forth specific requirements for an adviser’s business continuity plan?

The SEC has not detailed specific requirements for a business continuity plan other than to state that it must adequately address the procedures necessary for the investment adviser to fulfill its fiduciary obligation to protect its clients’ interests from being placed at risk as a result of the adviser’s inability to provide investment advisory or related services after a disaster or disruption occurs.

What are the typical elements of a business continuity plan?

Each business continuity plan should, to the extent applicable and necessary, address the following areas: (i) data back-up and recovery (hard copy and electronic); (ii) all mission critical systems; (iii) financial and operational assessments; (iv) alternate communications between the advisory firm and its clients; (v) alternate communications between the advisory firm and its employees; (vi) alternate physical location of employees; (vii) critical business constituent, bank, and counter-party impact; (viii) regulatory reporting; (ix) communications with regulators; and (x) how the advisory firm will assure clients prompt access to their funds and securities in the event that the advisory firm determines that it is unable to continue its business.

What are SEC examiners looking for in an adviser’s business continuity plan?

SEC examiners will specifically look for the following in an advisory firm’s business continuity plan: (i) senior management involvement; (ii) adequacy of resources; (iii) coverage of critical areas; (iv) employee training; (v) testing; (vi) review and update of the plan; (vii) back-up facilities; (viii) coverage of third party service providers, major counterparties and clients; (ix) short-term and long-term strategies; (x) communication alternatives; and (xi) data back-up timing and capacity.

What is considered a significant business disruption?

That is going to vary from firm to firm, but many business continuity plans anticipate “internal” business disruptions (e.g., affects the adviser’s ability to communicate and conduct its business) and “external” business disruptions (e.g., prevents the operation of the securities market as a whole or business in general).

What are some common risks confronting investment advisers?

While the exact nature of potential risks or their outcomes is impossible to determine, benefits can be derived from assessing all threats that could arise to the advisory firm, including (i) “natural” threats (e.g., floods, fires, snow and ice storms, tornados, hurricanes, earthquakes and wind damage; (ii) “technical” threats (e.g., power disruptions, heating, ventilation or air conditioning failure, telecommunications failure, hardware/software failure, gas leaks and water damage); and (iii) “human” threats (e.g., bomb threats, disgruntled employees, thefts, riots, terrorism and vandalism).

What are some common operational risks confronting investment advisers?

Operational risks include the inability to communicate with the clients, employees, service providers in addition to the inability to provide continuous and regular supervisory or management services to clients’ securities portfolios or otherwise service clients’ accounts.

Is an investment adviser required to maintain a back-up office location?

An adviser does not need to go to the expense of leasing a back-up office and can designate an employee’s home as the advisory firm’s back-up location.

What kind of procedures should an advisory firm have for the back-up and recovery of paper records?

A best practice would be a fire-proof safe outside of the primary office. In that way, the records could be recovered in the event the primary office location was not accessible.

How often should an investment adviser test their business continuity plan?

Comprehensive testing of a business continuity plan should take place at least once a year. Testing ensures that an advisory firm’s business continuity plan remains accurate, relevant and operable under circumstances of disruption or disaster.

What should be tested?

Testing should include the recovery of critical people, functions, applications and infrastructure at an advisory firm’s recovery or back-up locations. In addition, annual testing should be conducted with essential third-party service providers to ensure connectivity and compatibility of each service providers’ business continuity plan with the advisory firm’s business continuity plan.

Is an adviser required to document the testing of its business continuity plan?

While there is no requirement that the testing of an adviser’s business continuity plan (or results thereof) be documented, as with any compliance testing, it is an excellent way to show SEC examiners that your advisory firm is taking its fiduciary duty to its clients seriously.

 

Important Information

The information contained in this Frequently Asked Questions is only a summary and is not intended to be a comprehensive analysis of the rules and regulations applicable to registered investment advisers. It is not intended to constitute legal or compliance consulting advice or apply to any one investment adviser’s particular situation. For more information, please see our Terms of Use.

line