Developing a Disaster Recovery Plan for Your Firm

You arrive at work one morning only to find fire trucks in front of smoking rubble—where your office used to be! Now what? You may tell yourself that your broker/dealer backs everything up. Plus, you have lists of vendors, and you know how to contact your staff in an emergency. But is your office really prepared? Not quite.

To ensure that your office can continue business operations and protect client assets if any type of event disrupts your operation—whether it’s a fire, natural disaster, cybersecurity breach, or the unexpected disability or death of a key employee—developing a disaster recovery plan is of the utmost importance. Here, we’ll discuss the various reasons why your firm needs a comprehensive plan, plus steps you can take to get started.

Compliance. In April 2015, the North American Securities Administrators Association approved a rule requiring registered investment advisers in every state to adopt written procedures for business continuity and succession planning. Here at Commonwealth, our Practice Management team believes it is only a matter of time before similar regulations apply to registered representatives under FINRA rules.

Protection. As with insurance protection, you can’t simply set up a plan the day you need one. Taking proper precautions ahead of time is the only way to ensure the continuation of business operations when disaster strikes.

Profitability. The ability to find key contact information—including resources, vendors, business relationships, and the road map paving the way back to meaningful business activities—can spell the difference between getting back to business and going out of business.

Clients. By building and implementing a plan, your firm will be able to meet the financial needs of clients in a timely fashion, no matter the situation.

Now that you know the rationale behind developing a disaster recovery plan, you may be wondering how to get started. I suggest raising the issue in your next meeting with staff or scheduling time to talk to them in more detail. At that time, you can discuss these seven steps for creating a comprehensive plan.

1) Form a disaster recovery team. The members of your disaster recovery team should be given specific responsibilities related to disaster recovery. They must be empowered to make decisions and have a strong understanding of the effects of business disruption.

2) Assess the risks. Here, you’ll want to review your internal systems and make note of significant issues. Some of the risk categories you might consider include: 

• Operations
• Internal/external risk exposure
• Insurance coverage
• Building and equipment maintenance
• Physical security and cybersecurity
• Safety and fire
• Storage
• Business records
• Office and business supplies
• Risks specific to SEC-registered investment advisers

3) Delegate tasks. Once you have your disaster recovery team assembled, various facets of the plan can be delegated to make sure all of your bases are covered. Keep in mind that this list is not comprehensive but merely a guide to get the process started. 

• Identification of third-party services critical to office operations
  • Portfolio management
  • Custody of client assets
  • Trade execution and processing, pricing, client servicing, and recordkeeping
  • Financial and regulatory reporting 
• Prearranged physical location of your offices and employees
  • Address of remote location in event of business disruption 
• Maintenance of critical operations and systems
  • Transaction processing, including management, trading, allocation, and settlement
  • Delivery of securities and funds to clients
  • Identification of key personnel who deliver services—address temporary and permanent arrangements 
• Protection, backup, and recovery of data
  • Procedures for hard-copy and electronic backup
  • Inventory of key documents (e.g., contracts, procedures) and their location
  • List of service providers
  • Details of your firm’s management structure, risk management processes, and financial and regulatory reporting requirements
  • Backup plan in event of cyber attacks
• Communication with clients, employees, service providers, and regulators
  • Methods, systems, backup systems, and protocols for communications
  • How employees will be notified about a significant business disruption
  • How employees should communicate during a disruption
  • Creation of redundancies, including who covers the tasks of missing employees
  • When and how to communicate a business disruption to clients
  • Expectations for prompt access to client records after a disruption (i.e., name, contact, account information)
  • Plan for notifying local regulators of the disruption 
• Transition plan (e.g., in the event of death, disability, voluntary exit of owner or key personnel)
  • Policies and procedures intended to safeguard, transfer, or distribute client assets during transition
  • Prompt generation of client-specific information needed to transition each client
  • Information regarding the corporate governance structure of the advisor
  • Identification of any material financial resources available to the advisor
  • Assessment of the applicable law and contractual obligations governing the advisor and clients
  • Organizational chart and other information about the advisor’s ownership and management structure
  • Identity and contact information for key personnel

4) Create physical and electronic versions. Once you’ve gathered all of the necessary data, it’s time to document it—both on paper and electronically. You’ll also want to have a system in place to ensure that this document is regularly updated.

5) Test the plan. Testing is key to the success of any disaster recovery plan. A trial run, including key individuals responsible for plan execution, will reveal anything you may have overlooked and indicate whether the plan works (or whether it doesn’t). As you identify deficiencies, prepare a list and a plan for resolving them. Revisit the areas that need improvement, and amend the plan as necessary after the trial run.

6) Communicate and implement the plan. Now you’re ready to provide a presentation to key stakeholders on the development of the plan, its objectives, and implementation. Any questions that come up will reveal additional content that needs to be included in the plan.

7) Monitor, revise, and improve the plan. Once you’ve worked out the kinks, schedule an annual meeting on disaster recovery to ensure that your plan continues to meet your firm's needs.

One of the most compelling reasons to have a disaster recovery plan is to stay compliant with current and impending regulatory policies. But it simply makes sound business sense to build a resilient, focused plan that will pay off when you need it. A comprehensive disaster recovery plan can give your firm a distinct advantage: the ability to find key contact information—including resources, vendors, and business relationships—to aid in a quick recovery and help you maintain business continuity, no matter the circumstance.

Does your firm have a disaster recovery plan in place? What other steps have you taken during this process? Please share your thoughts with us below!