Draft a Disaster Recovery Plan
All registered investment advisers are expected to have a firm-appropriate disaster recovery and business continuity plan. Indeed, a recent SEC examination request letter asked for “access to written plans, policies and procedures that provide guidance in preparing for and responding to emergencies, contingencies and disasters.” Your disaster recovery plan should take into account the unique types of disasters and contingencies that could apply to your firm. Such considerations should incorporate the firm’s size, geographic location and mission-critical systems. Typically, a disaster recovery plan should address natural threats (e.g., floods, fires, snow and ice storms, tornadoes, hurricanes, earthquakes and wind damage); technical threats (e.g., power disruptions, heating, ventilation or air conditioning failure, telecommunications failure, hardware/software failure, gas leaks and water damage); and human threats (e.g., bomb threats, disgruntled employees, thefts, riots, terrorism and vandalism). Single-person advisory firms also should incorporate the loss of key personnel into their disaster recovery plan. I suspect that in our post-9/11 and post-Katrina world we all take these threats much more seriously. I can assure you that the SEC does.
Test Your Disaster Recovery Plan
Testing your disaster recovery plan should be a top priority during the coming year and every year thereafter. It is not enough, however, to tell employees in advance to stay home one morning because the building was “destroyed.” That is akin to telling a student that there is going to be a pop quiz next Tuesday. Though I certainly appreciated this type of advance notice when I was a student, it does defeat the purpose of seeing how well your plan and your advisory firm’s personnel will hold up when confronted by an extraordinary occurrence. I suggest not only conducting the test without prior warning, but also developing a checklist for your personnel to complete during the testing of the plan.

