Business continuity plans have taken on greater importance in recent months after a plethora of natural (or unnatural) disasters afflicted many parts of the nation. August and September, typically the most active months for hurricanes, saw several storms rage across various parts of the eastern and southern United States, causing widespread damage, power loss and subsequent business interruptions. Elsewhere, earthquakes, tornadoes, wildfires, flooding, mudslides and other natural phenomena have created havoc for financial advisors and their clients.
Thus, disaster planning is just one important reason to have a business continuity plan. However, it is far from the only one. Any potential risk to the continued operation of a firm should be covered in a properly prepared plan. A few questions to ask yourself might include: How prepared is your business to reopen within 24 to 48 hours following a natural or man-made disaster or epidemic? What is your anticipated disaster recovery time-in other words, how fast can you get critical operations/systems back up and running following a local disaster? Have you formulated a plan and strategies to limit the risks to your business? Where will your clients and suppliers go during your downtime if your building is destroyed or damaged or if your employees are quarantined and your business unavailable for some length of time? Does your building have emergency lighting or a generator? What features do you have in place to protect paper files in the event of a fire, water damage or theft? What would happen in the event that you could temporarily not work?
The answers to these questions could help advisory firms assess their potential exposure and enlighten them about the overwhelming need to develop a continuity plan. Advisors often discuss the financial planning process to clients in terms of worst-case scenario planning. If the worst arose, could the client still be in a position to reach his financial goals? And even if the worst didn't happen and the client had been prepared anyway, wouldn't he then be that much better off? Yet the financial advisor often doesn't ask these same questions of himself for his own firm.
The objectives of a business continuity plan should be to protect the firm, its employees and clients; to stay in business no matter what; and to protect the nterests of the economy nd your community.
A business continuity plan should embrace a planning process that includes:
Vulnerability assessment;
Risk identification and quantification;
Risk transfer;
Protection and mitigation;
Business impact analysis in case of the interruption of operations;
A plan to curtail operational and financial risk;
An emergency response in case of an operational or financial upheaval; and
Plans to resume business and to recover and restore the technological and physical infrastructure that supports a firm.
Disasters are only one possible cause of a business interruption. The disability or death of key employees could prove to be just as devastating to a firm that has not anticipated it with proper succession planning. Inadequate insurance during a disruption could prove to be a huge vulnerability, too. Many firms carry business insurance, but is it enough? And does it cover the appropriate risks? Simply checking a policy for business interruption coverage or spending more for extra protection could save a firm tens of thousands of dollars.
If a continuity plan seemed simply prudent before, it's now even more important since the government is requiring that firms have them. In April of 2004, the Securities and Exchange Commission (SEC) approved rules proposed by the NASD and the New York Stock Exchange that required their member firms to establish procedures to handle an emergency or significant business disruption. The NASD (now FINRA) followed that in May of the same year by announcing Rule 3510, which required each firm to create and maintain such a business continuity plan with a number of mandatory features. The rule further required member firms to conduct an annual review of their plans and update them whenever the firms made any major changes such as realigning their business structure or operations or changing location.
Each firm must also now disclose to its clients how its business continuity plan addresses the possibility of a future significant business disruption and how the firm plans to respond to emergencies of different severity. Rule 3520 requires firms to designate two emergency contact persons and file this information with FINRA electronically. (In September 2008, the SEC took the unusual step of contacting firms that might have been affected by Hurricane Ike to obtain emergency contact phone numbers.)
In May of 2006, FINRA reinforced these moves by warning against violation of Rule 3510 and stating that all firms must include ten critical elements specified in the original NASD Rule 3510:
1. The firms must secure data backup and recovery (both in hard copy and electronic form);
2. The firms must secure all mission-critical systems;
3. The firms must make financial and operational assessments;
4. They must create alternative channels of communication between clients and the firm;
5. They must create alternative channels of communications between the firm and its employees;
6. They must be able to remove their employees to another physical location;
7. They must assess the impact of a disaster on critical business constituents, banks and counterparties;
8. They must maintain regulatory reporting;
9. They must maintain communications with regulators; and
10. They must consider how their firms will assure clients' prompt access to their funds and securities if the firm determines it is unable to continue business.
As comprehensive as this seems, there is one other reason to build and maintain a business continuity plan besides the government requirement. Ultimately, it comes down to the financial setbacks you would endure if you were put out of business. Take into account how much it would cost for any of these things:
To establish and use a temporary alternative location (which requires equipment costs, rent, start-up expenses, etc.);
To route phone calls to new lines, establish Internet/e-mail connections, etc.;
To pay restoration costs (for rebuilding computers, reinstalling software, recovering electronic files, rebuilding destroyed paper files, replacing equipment, furniture and other office items);
To pay temporary employees;
To suffer the loss or disaffection
of clients after a perceived violation of trust; or
To possibly fall out of compliance or compromise your security and private client information.
Many stories have surfaced in recent years about violations of privacy. For example, in April 2008, a mortgage company that went bust near Denver had its offices cleaned out by the property manager, who tossed the laptops, personal files and other information of some 300 clients into a dumpster. Those files contained Social Security numbers, bank account numbers and other sensitive personal data. Though the information was later apparently recovered, it should remind an advisor of how vulnerable such data could be amid a natural disaster or some other event that imperils a financial services firm. The scary part is that this happens quite frequently all across the country. (Google this: "Client files found in dumpster.") The threat of identity theft in such situations is very real and very frightening. Therefore, it is incumbent on all financial advisors to prepare a properly written plan and share it with their clients to alleviate such fears. It is also simply a best business practice. For more information on the current regulations and to obtain a free small firms template, visit www.finra.org/Industry/Issues/BusinessContinuity/.
David L. Lawrence is a practice efficiency consultant and is president of David Lawrence and Associates (DLA), a practice-consulting firm based in Tampa, Fla. DLA publishes a monthly subscription newsletter, The Efficient Practice, which focuses on operational efficiency (www.efficientpractice.com). David is a much-sought-after public speaker on a variety of leadership, financial and technical topics. For details, visit www.davidlawrencespeaks.com.