Recent U.S. natural disasters, especially Hurricane Sandy in 2012, underscore the importance of having a business continuity plan (“BCP”) that adequately addresses weather-related events. These natural disasters, though tragic, have taught financial services firms several valuable lessons on planning for hurricanes, blizzards, floods, earthquakes, tornadoes, wild fires, and other natural disasters. We share some observations and lessons learned to help broker-dealers and investment advisers prepare for future natural disasters.
Weather-Related Business Disruptions
Here are some general recommendations and considerations related to weather-related business disruptions:
- Make sure your firm’s BCP addresses the weather-related risks most likely to affect your firm. For example, a firm located in Florida should have a BCP that addresses the risks associated with hurricanes.
- Distribute your firm’s BCP widely across your firm’s businesses and operations, and consider redistributing the BCP immediately prior to any forecasted event.
- Make sure your firm’s BCP addresses any critical systems and is tailored to fit your firm’s business operations.
- Consider continued facility and systems operations with widespread remote access by employees.
- Have compliance personnel work with your firm’s business lines to develop a BCP that achieves redundancy in key services and operations.
- Require all business units to identify contingency scenarios that would affect operations and derive multiple solutions to help ensure your firm can meet its obligations.
- Form special committees to plan, develop, test, and, if necessary, execute your firm’s BCP.
- Enhance the design and implementation of your firm’s BCP by developing policies and procedures to address and anticipate high disruptive weather-related events, including possible interruptions in key business operations and loss of key personnel for extended periods.
- If a weather-related event is forecasted to occur, assess the adequacy of your firm’s BCP prior to the occurrence of the event (for example, the arrival of a storm). Modify the BCP as needed to deal with the specific disruptions likely to occur from the event.
Alternative Locations
Here are some recommendations and considerations related to alternative locations:
- Consider switching to back-up sites or systems, if needed, in advance of trouble rather than waiting for shutdown or imminent threat.
- Establish back-up facilities on a power grid separate from your firm’s primary facility.
- Maintain critical business functions in more than one location to reduce potential disruption of operations by regional events. For example, your firm could use employees’ homes, branch offices, data centers, or hotels as alternative locations.
- Place back-up generators at alternative locations to ensure connectivity.
- Establish geographically diverse office locations.
- Evaluate how to operate when faced with the possibility of electrical failure and the loss of other utility services (for example, cable and phone).
- Consider alternative locations far away from your firm’s main office. For example, your firm could establish a back-up site inland if its business is located on a coast.
Vendor Relationships
Here are some recommendations and considerations related to vendor relationships:
- Evaluate the BCPs of third-party service providers.
- Require third-party service providers to test their BCPs annually and report the results to your firm.
- Keep an updated list of vendors and contacts at each entity.
- Review the IT infrastructure of service providers because their infrastructure may be in the same geographic area of your firm.
- Consider whether, based on risk, your firm should have multiple back-up servers.
- Evaluate how to operate when your firm or a service provider’s facilities are faced with the risk of weather-related events, including flooding. Disrupted operations at service providers can create unforeseen operational challenges.
Technology
Here are some recommendations and considerations related to technology:
- Implement technology to allow employees to work from remote locations, such as their homes.
- Maintain important data at multiple service providers and test the connectivity to the providers to ensure that the data is accessible from remote locations.
- Arrange to have key power systems tied to generators so electricity and air conditioning would be available for the entire building.
- Maintain adequate system capacity (physical and electronic) to accommodate staff who may be displaced and may need to work from home or an alternative location.
- Establish and test server internet connection via wireless cards for use if the primary connection was lost.
- Elevate electronic equipment stored in ground level facilities to mitigate risk of flood damage.
- Maintain uninterrupted battery power supply to power essential operations until the back-up generator turns on.
- Engage service providers to ensure that back-up servers function properly.
- Consider having alternative internet providers or obtain guaranteed redundancy from internet providers.
- Consider cloud computing and other alternatives to maintaining back-up files and systems in your firm’s primary office location.
Communications
Here are some recommendations and considerations related to communications:
- Communicate with employees before, during, and after the weather-related event concerning, among other things, status of your firm’s business, operations, and back-up locations.
- Communicate the status of your firm’s operations to clients. For example, your firm could provide a recorded message stating that offices are closed and provide clients with instructions for contacting your firm and any employees who are working remotely. Your firm’s website could provide information regarding your firm’s status.
- Make sure your firm determines how to contact and deploy employees during a crisis. Your firm’s BCP should identify the personnel responsible for executing the plan.
- Consider contacting clients (directly and/or via an e-mail) before a major storm to see if they have any transactions (g., funds transferred) that will need to be executed if an extended outage occurs.
Regulatory Obligations
Here are some recommendations and considerations related to regulatory obligations:
- regularly update your firm’s BCP to address new regulatory requirements.
- consider time-sensitive regulatory requirements, because a crisis could occur at any time.
Review and Testing
Here are some recommendations for testing your firm’s BCP:
- Conduct tests of your firm’s BCP prior to the occurrence of a severe weather-related event.
- Test generators frequently to validate that they are working properly.
- Test all critical business operations and systems.
- Consider testing the operability of all critical systems under your firm’s BCP using various scenarios.
- Attempt to identify critical weaknesses during testing.
Concluding Thoughts
Not every firm faces the same weather-related risks. Each firm must perform its own assessment to determine its risk exposure to various types of events (for example, hurricanes, earthquakes, blizzards). We strongly urge broker-dealers and investment advisers to prepare for the extreme weather conditions that could affect their operations. After all, a poor response to a natural disaster could jeopardize not only the continuity of your firm’s business, but also the health and lives of your staff and other individuals.
For more posts regarding a Business Continuity Plan, please see Business Continuity Plan: Pandemic Preparedness, Business Continuity and Transition Plans for RIAs, and Loss of Key Personnel: How to Prepare.