An ‘unexpected business disruption’ can – as the term suggests – occur at any time and arise in different forms. This means there is a range in the severity of effects it may have on your investment firm. Your business could be subject to anything from a power outage one day, to a cyber-attack the next. Natural disasters, too, are on the increase, and can last for an indefinite period.
Earlier this year, we saw a highly reputable airline, British Airways, face a data breach which compromised the personal and financial data of over 350,000 customers. Leisure brand, Butlins, and social media giant, Facebook, were also among the many to fall victim to sophisticated breaches in 2018.
When confronted with unexpected business disruptions, investment firms need to react swiftly, methodically and successfully or else risk significant financial, regulatory, and reputational losses. This level of response requires in-depth business continuity planning to ensure all aspects of a business are evaluated and ready to recover at a moment’s notice. A Business Continuity Plan (BCP) is typically a document that illustrates how your firm will respond when confronted with unexpected business disruptions, such as natural disasters (including extreme weather), or critical software/applications going into downtime. The following seven steps aim to help you understand the key considerations for developing a BCP as well as the testing, maintenance, and training.
The first step to creating a BCP is to perform a regulatory review, as all funds and investment firms have requirements from oversight bodies. The Financial Conduct Authority is principally responsible for the regulation of hedge funds and investment firms operating in the UK.
There are also self-imposed industry standards and expectations that come from external stakeholders including: investors, who will have standard due diligence questionnaires and reporting expectations; auditors with frameworks to follow; and external partners, who may have a stake in the continuity of your firm.
Next, a risk assessment is advised. At a high level, this process includes identifying and prioritising potential business risks and disruptions based on severity and likelihood of occurrence. It’s also a balance of what risks are acceptable, and which you would want to take actions against, whether it be mitigating these, creating contingency plans, or simply accepting risk.
Conducting a risk assessment typically includes the following steps:
• Evaluation of your firm’s risks and exposures
• Assessment of the potential impact of various business disruption scenarios
• Determination of the most likely threat scenarios
• Assessment of telecommunication recovery options and communication plans
• Prioritisation of findings and development of a roadmap
A Business Impact Analysis (BIA) is beneficial from not only a BCP standpoint, but also to understand how different departments in your firm function, what is critical to them, the different tools they have and what their dependencies are. This information is valuable.
A BIA is designed to identify any gaps your firm may have such as costs linked to failures, loss of cash flow, replacement of equipment etc. A BIA report quantifies the importance of business components and suggests appropriate fund allocation as measures to protect them. The BIA will also prioritise the recovery process and recommend the maximum allowable downtime.
A BIA should include each area of your business (ie Finance, Operations, Trading, Human Resources, etc). This will help you acquire detailed information about each function’s business requirements – both during normal business hours and during a disaster.
A Risk Assessment (RA) is just as important as a BIA. Once these are complete, it’s a good time for firms to start thinking about the overall strategy and begin to organise and develop the plan. Understanding the needs of the individual business functions in order to ensure that they can operate efficiently is crucial. Key questions to ask yourself include:
• Do you have a contingency plan for each department?
• If a system is down, how long can each department go without having it up and running?
• If a system is down for an extended period, what is the contingency plan to continue business operations?
In the development phase, it’s important to incorporate many perspectives from various departments to help map the overall organisational focus. Once the plan is developed, a management team review is recommended to sign off on the plan.
It’s not if, but when, an incident will happen. Therefore, having a realistic incident response plan in place bespoke to your firm is crucial. If an incident does occur that disrupts day-to-day business, you will want to ensure that responsibilities and specific actions are assigned to specific employees. When creating the incident response plan, firms are advised to involve departments throughout your organisation and engage with other parties both internally and externally. Internally, you should include employees from Operations, Human Resources and any IT or partners who will respond to events. Everyone should understand the strategic plan and what their responsibilities are within the plan. From an external standpoint, firms are encouraged to reach out to the different vendors they work with and see how they plan to respond to the incidents that may arise. In doing so, investment firms can understand the impact it will have on not only the firm itself, but clients too.
Business continuity exercises should be an essential and ongoing initiative. Your plan must be regularly tested using the predefined strategies developed. The testing strategy should include testing objectives and associated measurement metrics, scenario scripts, summaries, post mortems and improvement planning. Investment firms should look to set up a schedule of testing throughout the year. Looking at the Business Continuity Plan at least once to twice a year is recommended.
Conducting table top exercises and simulation exercises is also recommended. These can be in-person or virtual seminars but should involve department representatives across the firm to open communication and verify planning process in the event of a business-impact scenario.
The final aspect of a BCP is communication. It is crucial to be able to communicate with key team members quickly and efficiently during an incident. Your firm probably has a wide variety of counterparties to communicate with regularly, and during a disruption, keeping parties abreast of ongoing activity will be crucial.
It is vital that your BCP determines who will be responsible for contacting necessary parties (including employees, investors, service providers and regulators) and how they will maintain those communications. Many organisations use an automated mass notification system to expedite the communication process. However, you must think about what to do if email or the internet is down. Because of this, firms are encouraged to ensure responsible parties have contact information readily accessible and clear plans for getting the word out in a timely manner.
Ultimately, firms are encouraged to adopt a ‘when’ not ‘if’ attitude and go the extra mile to ensure they have a concrete plan of action in place for when disaster strikes.