Recently, when visiting a client in Manhattan’s financial district, I looked out the window and commented about the calm, beautiful vista. The people in the room reminded me about the event four years ago that created quite a different scene: Hurricane Sandy.
Streets flooded. Debris flew. The extreme weather shut down the financial markets for two days. It challenged our industry.
Soon after, the SEC, FINRA and the CFTC swung into action. They contacted financial services firms that had a significant market presence. How did Hurricane Sandy impact them? The agencies probed into many areas, e.g., trading, customer relations, financial and regulatory obligations, technology. They wanted to know: how did firms implement their business continuity and disaster recovery procedures? From the information obtained, the regulators compiled best practices and lessons learned.
This work continues, but with more direction. The SEC proposed a rule in June 2016 with specific requirements for business continuity and transition plans for registered investment advisors. The rule was still under review at the time of this writing, but these actions underscore the importance of mitigating risks related to significant business disruptions.
This is where Business Continuity Management (BCM) comes in. An umbrella term, BCM comprises a mix of elements. The goal: build organizational resilience.
BCM for You
If you’re looking for an off-the-shelf BCM program, be advised otherwise. There is no adequate one-size-fits-all model. That’s because an effective BCM program is tailored to a firm’s own situation.
BCM casts a net across the enterprise. It aligns with processes, priorities and plans. In this way, it should not only address the firm’s specific needs but also regulatory guidelines and industry standards.
A robust undertaking consists of four interrelated elements. BCM is a series of dynamic, interlocking initiatives. Its core components are:
– Business continuity ─ retrieval and resumption of business processes
– Disaster recovery ─ recapture of infrastructure and technologies
– Emergency management ─ enablement of life and safety
– Crisis management ─ playbook to mobilize and communicate during a disaster
– Governance ─ strategic oversight and management of the program
As noted in the Accenture diagram above, there are four phases of activities: establish, implement, monitor and maintain. They apply to each element and the program as a whole.
An effective methodology lays out the BCM effort along a continuum. It drives the work forward in orderly progression. And it results in output that forms an auditable, tested and enduring multifaceted program. Work proceeds as follows:
Phase 1: Establish
BCM vision ─ promote the vision and mission to BCM team members
Phase 2: Implement
Business understanding ─ use the BCM environment and the firm’s business needs to identify risks
Strategy development ─ convert the information surfaced into strategies that reduce risks and enable recovery
Planning and deployment ─ shape strategies into procedures to follow during an event
Training and awareness ─ socialize/familiarize BCM teams and the firm with the program
Phase 3: Monitor
Test and exercise ─ prepare teams and critical third parties to mobilize when needed
Phase 4: Maintain
Continuous improvement ─ review components at least annually to address business changes and new threats
3. Third Party Risk Management
Service providers can perform vital roles as strategic partners. Their involvement may also pose risks. From the initial vetting of vendors and throughout the lifecycle of the relationship, firms need to develop or improve solutions. Examples include:
- Devise policies and procedures for due diligence investigation of suppliers on the front end
- Set up governance that grants an internal owner decision-making authority to manage third-party risk
- Design risk-based segmentation to devote the most BCM effort to the highest risks and potential alternatives
- Use enterprise-wide surveys and data analytics to create a database of third parties
Asset managers could integrate third parties into their BCM efforts by building obligations into Service Level Agreements and BCM program elements.
4. Cyber Security
The crisis management component of BCM addresses the defensive piece of cyber resilience. It focuses on response, recovery and communication during and after a cyber breach. It assesses the depth and breadth of groups, systems and data affected. This, in turn, could help a firm to tackle the situation rapidly to minimize the impact. Detailed descriptions and plans are cornerstones of this effort.
A recently proposed rule from the Federal Reserve, the Office of the Comptroller of the Currency and the FDIC stresses the seriousness of this issue. It would require critical entities to have plans to restore systems within two hours or shift capabilities elsewhere. Although still a proposal at this time, this action points to the need for firms to have enhanced capabilities readily available.
Ready, Set, Respond
BCM is an ongoing pursuit, not a one-time project. Effective programs comprise multiple elements. They cut across an enterprise and its people, processes and technology. Above all, BCM makes good business sense.