Dear Compliance Professional,
I hope this finds all of you and your families up and down the East Coast safe and sound.
Earthquakes and hurricanes – two phenomena not usually associated with this neck of the woods (or Colorado, for that matter). As I sit here typing in semi-darkness – courtesy of Hurricane Irene – I thought this a good opportunity to review some disaster recovery plan basics.
The primary goal of a disaster recovery plan is to have an emergency plan in place that deals with a range of disasters that will permit your advisory firm to continue on with minimal interruptions. From a regulator’s perspective, the key issue is the protecting clients and their assets. From an adviser’s perspective, the overriding concern may be the firm’s very survival.
Asking Critical Questions
Since planning for an emergency/disaster is the ultimate “what if” exercise, the best way to approach the development of an disaster recovery plan (or an assessment of an existing plan) is to ask critical questions. What follows then, is a series of questions that all investment advisers should be asking about their disaster recovery plan:
- Have you identified specific individuals who will be responsible for implementation of the DRP?
- Has your advisory firm prioritized critical business functions and how quickly these must be recovered?
- Has your advisory firm identified applicable risks?
- Has your advisory firm prepared a gap analysis report that identifies what is currently done versus what ought to be done?
- Has your advisory firm remedied any gaps discovered during the test of its DRP?
- Has your advisory firm determined its vendors’ emergency response capabilities?
- Does your advisory firm’s recovery strategy ensure that systems can be recovered quickly and effectively following a disruption?
- Are your data backup and recovery capabilities consistent with your fiduciary duty to your clients?
- Does your advisory firm have current and multiple contact information (e.g., home and cell phone numbers, personal email addresses) for: (i) employees; (ii) clients; (iii) vendors; and (iv) insurance companies?
- Does your DRP identify necessary support equipment (forms, spare parts, office equipment, etc.) to recover the mission critical business and/or functions?
- Is a current copy of your DRP maintained off-site?
- Is there an audit trail of the changes made to your DRP?
- Do all users of your DRP have ready access to a current copy and/or copies at all times?
- Do all employees responsible for the execution of your DRP receive training?
- Are all critical or important data required to support your advisory business being backed-up?
- What happens if a key vendor no longer functions?
- What happens if a key market (NASDAQ, NYSE) shuts down?
- What happens if a key counterparty (bank) no longer can provide funding to continue conducting business?
- Does your advisory firm conduct exercise(s) of the DRP at least annually?