In June 2016, the SEC delivered a guidance update for registered advisers regarding how funds (and their service providers) plan for potential business disruptions. Following are key takeaways from Eze Castle Integration’s Certified BCP Planners on how hedge funds and private equity firms can meet the SEC’s expectations around business continuity practices.
Capture All Essential Components of Your Firm
When writing a BCP, firms undoubtedly remember to create plans for their physical office facilities and technology systems, but it is important that you don’t overlook other important components that drive the well-being of your firm. This includes data/colocation centers, employees, activities and dependencies on critical third parties. You could face an array of issues affecting one or more factors within your firm, so it is important to implement a business continuity plan that not only addresses potential risks but also outlines comprehensive protection methods.
A Business Continuity Plan is a Living Document
Internal participation is a key driver for a successful BCP. From senior management executives to representatives from Human Resources and Compliance, internal business continuity contributors need to be informed of and up-to-date on policies and procedures. The BCP should also take into consideration the ideas, recommendations and changes brought forward from other departments within the firm.
Remember: A business continuity plan is dynamic; therefore, changes and challenges faced need to be transparent across all parts of the company.
Maintain Communication with Your Firm’s Board
The SEC recommends that fund boards meet at least annually to discuss the BCP. Since the financial industry faces so many changes and evolving threats, we recommend that firm stakeholders meet on a more regular basis to discuss operational incidents, changes and challenges as they happen.
Conduct Regular BCP Testing
The SEC also recommends firms test business continuity plans yearly; however, our BCP planners stipulate that, for some processes, testing should occur on a semi-annual basis. Some plans to consider testing more often include, but are not limited to, employee remote access capabilities, disaster recovery systems and employee communication procedures. All tests, regardless of their testing frequency, should be documented in your records.
Oversight of Important Third Parties is Key
Whether you outsource your accounting, legal, compliance, cloud services, administration and/or trading, it is important that your firm is informed about the business resiliency procedures that a third-party provider has in place. The SEC advises that hedge funds and private equity firms conduct thorough due diligence on critical third parties to ensure they have plans in place to operate in the face of an emergency. Third-party providers should provide you with information on their disaster recovery and business continuity plans as well as all test results and other operational findings. By gathering this information, your firm is able to ensure that whether a business disruption directly impacts you or one of your crucial third parties, both entities will still be able to operate business as normal.