With natural disasters, cybersecurity risks, and infrastructure failures growing more frequent and more intense, what can an RIA do to ensure business continuity for their organization and for their clients?
Are your systems helping you boost your regulatory intelligence and business continuity? Avery, the Regulatory Co-Pilot, is designed to offer 24/7 personalized regulatory and enforcement action insights to minimize the risk of non-compliance, all while saving time and money for SEC, FINRA and state-board regulated firms.
What is a business continuity plan?
Under SEC Rule 206(4)-7, a business continuity plan is a required policy and must be reviewed annually. A business continuity plan is a set of processes and procedures that a firm's employees and systems rely on to maintain business operations while normal operations are suspended. So that the RIA is prepared to restore operations smoothly and efficiently should an internal event (e.g., power outage, IT failure) or an external event (e.g., winter storm, tornado) disrupt operations, a BCP takes into consideration the risks that the RIA may face and creates business continuity strategies to mitigate those risks.
Steps to take now as we enter 2024
- Disruption considerations: Enhance the design and implementation of your BCP by developing policies and procedures to address and anticipate widespread events, including possible interruptions in key business operations and loss of key personnel for extended periods.
- Alternative locations: When confronted with utility (e.g., internet, phone) or location access failure, off-site recovery locations that are not affected by the same power and utility outages are crucial. Are you moving to paperless and virtual processes?
- Vendor relationships: Review and evaluate the IT infrastructure of service providers. Perform a risk analysis of disrupted operations at service providers, which can create unforeseen operational challenges. Consider what Avery can provide to streamline your compliance programs. Our compliance platform is not only cloud-based but also cloud-region redundant, so that you can continue your firm's compliance operations in the event of a natural disaster.
- Telecommunications services and technology considerations: Using cost/risk analysis, establish and implement the best course of action for backing up files, whether it is VPN, Citrix or the trending option of cloud computing, to ensure no data is lost or unavailable when it is needed.
- Communication plans: Create a protocol to communicate with employees before, during and after business interruptions, and to contact clients if the need arises and key personnel are unavailable.
- Transition plan: Identify any material sources of funding, liquidity, or capital the RIA would seek in times of stress and consider how the RIA would implement a reduction of expenses and other alternatives. Create transition plans to seamlessly shift client information to the proper and applicable arrangement.
- Regulatory and compliance: RIAs should regularly update their BCP to adapt to environmental and social changes and include new regulatory requirements.
- Review and testing: Many entities that already have a BCP in place do not test it regularly, and many plans would receive a less than adequate grade. Testing and timely remediation are integral steps to a successful BCP.
Compliance Matters: Business Continuity - NASAA
eCFR :: 17 CFR Part 275 -- Rules and Regulations, Investment Advisers Act of 1940
SEC.gov | Information for Newly-Registered Investment Advisers