In the modern age, the importance of sound practices in the area of business continuity has never been greater. The increased use of the hedge fund industry by institutional investors requires all participants to build, test and review their contingency plans, having first identified any threats to the smooth operation of their business.
Managers have to demonstrate to investors and regulators that they are able to manage investors’ money effectively, prudently – and reliably. Vitally for hedge funds, major incidents in financial centres are often accompanied by big market moves. Just when you want to trade, you may not be able to.
Business Continuity Management is the process of identifying threats to the smooth operation of a business or similar organisation and preparing plans to:
- reduce the likelihood of a major disruption; and
- respond effectively to an emergency should one occur.
The recently published AIMA Guide on this subject covers the following key topics:
- identification of risk events;
- identification of the system, process, information and relationship network which make up the enterprise;
- definition of recovery requirements;
- development of protection and recovery plans;
- testing and proving the plans work;
- maintenance and updating of the plans.
Our recently published 26-page Guide is available to members only and has been written for fund managers with 5-50 employees.
Event Stages
The three recognised stages of an event are Crisis, Recovery and Resumption.
The Crisis Management phase handles the immediate aftermath of the event and addresses the initial evaluation and risk mitigation actions deemed necessary:
- the well-being of staff;
- effective and controlled communication;
- evaluating the impact of the event;
- deciding what must be done and initiating the response;
- executing predefined functional Crisis Management plans; and
- protecting the company’s franchise.
The Recovery phase looks to the medium term response to an event, ensuring the key business functions can continue and an adequate service is provided to the clients:
- carefully migrating work done during the Crisis phase to core systems;
- performing additional tasks with reduced resources;
- controlling updates to data and systems with a view to full resumption;
- communicating with staff and external parties about what can and cannot be achieved during this phase;
- allocating resources to facilitate a sustainable work flow which may mean flexible working from staff; and
- using some staff to prepare for full resumption.
The Resumption phase addresses the return to full operation once the event has ended and the effects are fully understood and have been overcome:
- validating data captured during the previous phases;
- ensuring core systems are fully aligned;
- producing any reports or other deliverables that have been missed during Crisis and Recovery; and
- updating business continuity plans to reflect any changes to premises or procedures after the event.
Risks
For every area of the business the company should identify:
- key activities;
- the impacts and the effect if that key activity cannot be performed;
- recovery time objectives (how quickly each task must be done);
- deadlines (internal/external/hard/soft);
- key internal dependencies on that function;
- key external dependencies upon which that function relies;
- system and technical requirements.
Check List questions
The company should be able to answer the following questions:
Overall plans
- Do you have a business continuity plan (BCP)?
- Within your company, who is the owner of the BCP? If this is not a board-level person, why not?
- When did you last test your business continuity plan? How often do you test it?
- What did you learn from the last test of your BCP?
- Have you needed to activate recovery plans within the last three years? If so, please give details.
- What is your policy for when to activate your BCP arrangements?
- How often do you review your BCP? When did you last review it?
- How often do you update the details of your BCP? Who is responsible for these updates?
- Which events are specifically considered in your business continuity plan?
Specific arrangements
- Where are your back-up trading desks situated? How many other companies share this facility?
- Do you have backup power supplies in place? When did you last test them?
- Who in the company is in charge in the time of a crisis? Who is their back-up person if they are not available?
- Do you have any particular staff with critical and unique skills? What arrangements do you have if two or more such staff are suddenly unavailable?
- Where and how is your proprietary data backed up?
- Which information do you keep in paper format, and what arrangements do you have to protect it?
- What arrangements have you made in the case of service failure from your key suppliers – prime brokers, administrators etc?
- Which are your key systems? Do you have a backup arrangement for them with a third-party supplier? If so, please give details.
- What is your timetable for recovering IT functions? When did you last do a full recovery of IT systems?
Security questions
- What is your computer security policy?
- What virus protection arrangements do you have in place? When were they last updated? What is the policy for updating them?
- What is your policy on checking staff references before joining?
- What is your security policy for dealing with “bad leavers”?
- What security do you have on your laptop computers?
Finally, remember that the EC’s new MiFID regulations will require “investment companies to establish, implement and maintain an adequate business continuity policy aimed at ensuring…the maintenance of investment services and activities.”
So a valid business continuity plan will become a legal requirement as well as an essential business practice.