Breaking

Post Top Ad

Your Ad Spot

Thursday, May 23, 2019

Business Continuity and Succession Planning revisited

David McNeal, Consultant and Contributor of My Compliance Blog
Cory Roberson, Principal of FIN Compliance and FIN Lancer


May 26, 2019.  According to a study by the North American Securities Administrators Association (“NASAA”), business continuity and succession planning is an ongoing concern for many financial service providers, vendors, consultants, and investment advisors.  

Given the growing threats to safeguarding client data, as well as the rise of the mobile worker, we took a little time to dive further into this issue that is also referenced in a 2019 NASAA Investment Advisor Report.  

Firms can ease many of these concerns through taking assessments of its own vulnerabilities, including cybersecurity practices.

What are SEC-firm requirements on these matters?

Currently, there are no federal statutory requirements for consultants to implement a business continuity or succession plan. However, the Securities and Exchange Commission (“SEC”) proposed such a requirement for investment advisors to implement' business continuity and succession plans.  Yet, as it stands today, that rule proposal has not been finalized.  With that said, a continuity plan is a general expectation for firms to have in place and could be a rule requirement from another regulatory body that the firm must uphold.  (ref amend Rule 204-2; proposal Rule 206(4)-4))

NASAA and state securities examiner views on continuity plans

At the state level, the North American Securities Administrators Association (“NASAA”) requires registered advisors to implement a business continuity and succession plan to minimize risks “that could result from a sudden significant business disruption (“SBD”). (ref. Model Rule 203(a)-1A or 2002 Rule 411(c)-1A)

A Franklin Templeton case study on continuity plans
According to the study, firm participants were asked, “How prepared is your business continuity and succession plan?”  Only 64% of participants were either somewhat or not completely prepared to address their own business continuity requirements. 

Not very prepared
12%
Neutral
18%
Somewhat prepared
34%
Very prepared
28%

This is a reason for your practice to consider boosting its training efforts.
Important Tips for Business Continuity and Succession Planning
Consider these steps to effectively implement your plans:

·         Know your Plan;
·         Establish Roles and Responsibilities;
·         Communicate;
·         Practice and Participate. 

*Sole proprietors can look at establishing a plan with seeking business continuity partners*

Business Continuity Plans
A solid business continuity plan is only as strong as the firm’s employees who execute it, and therefore, training and education are critical elements to the success. 

The following are scenarios that could impact a RIA’s business operations:

·         Equipment or application failure;
·         Disruption of power supply or telecommunication services;
·         Human error;
·         Death/Incapacitation;
·         Natural Disasters (hurricanes, tornadoes, snowstorms, fires);
·         Terrorist Attacks;
·         Cybersecurity incidents (hacking, phishing or fraud);

Succession Planning
The death or unavailability of key personnel may also change the Adviser’s business relationship with creditors and outside vendors, which may also result in a reduction in the credit available for the Adviser.

Did you know?
Most advisors without a succession plan recognize the potential perils of not having one:

Fifty-four percent see a significant risk and 41% see some risk, the FPA study shows. Also, 97% of them say they will create a plan at some point.

For smaller operations, the lack of a succession plan is more acute: Just 13% of advisors at firms managing less than $50 million have a formal plan, compared with 60% of those at firms with $500 million or more in managed assets.

Having a blueprint for how your company will run if you or an important employee unexpectedly leaves is crucial — not only to your business, but to your clients.

Advisers should consider the following items when drafting a Succession Plan to ensure that the policy adequately accounts for the risks related to the business entity:
  
Are the clients’ investment advisory contracts with an individual or a legal entity?
 Does an Adviser Representative’s death or unavailability affect the advisory agreements?
How will the Adviser ensure continuity of services to the client?
What will happen in the event of death or incapacity of the manager of discretionary accounts?
 How will the death or unavailability of certain individual owners affect the legal ownership of the firm and the registration status of the entity and/or its new owner(s)?
 Does the Adviser only have one person with IARD access?
 What will happen if that contact is no longer available?
 Who is responsible for dealing with creditors and vendors?
 Who will rebate advisory fees if fees are paid in advance?

Disaster Recovery Plan
An effective Disaster Recovery Plan can ensure the uninterrupted availability of advisory services to clients in a compliant manner after a disaster.

Some example procedures include:

Contingency arrangements for loss of key personnel, such as the president or primary portfolio manager, either temporarily or permanently;

The protection, backup, and recovery of books and records through appropriately secured means that ensure ongoing compliance with Regulation S-P and other confidentiality requirements;

Maintaining accurate and up-to-date contact information for all third-party service providers, including custodians, broker-dealers, transfer agents, pricing services, and research firms;

Alternate communication protocols to contact staff and clients, such as cell phones, text messaging, web-based email accounts, or an Internet website;

A pre-arranged remote location for short-term and possible long-term use.

Temporary lodging for key staff where necessary as a result of a relocation of the firm;

Maintaining sufficient insurance and financial liquidity to prevent any interruption to the performance of compliant advisory services;

Familiarity with the business continuity plans of such third-party service providers;

Effective training of staff on how to fulfill essential duties in the event of a disaster, including compliance matters; periodic testing, evaluation, and revision of disaster preparedness plan; 
·     
Ref. My Compliance Blog “Reviewing Firm Disaster Recovery
Cybersecurity Policies should be a part of the mix

Developing a coherent cybersecurity strategy is now one of the most critical challenges facing Registered Investment Advisors (RIA). Companies should review their cybersecurity policies and procedures for any compliance gaps and ensure that employees are adequately trained.

Some examples of common policies that can be included in your company’s cybersecurity plan include:

●     Acceptable Use
●     Acceptable Encryption
●     Data Breach Response
●     Digital Signature Acceptance
●     Email
●     Password Construction/Protection
●     Remote Access
●     Router and Switch Security
●     Wireless Communication
●     Technology Equipment Disposal
●     Information Logging
●     Software Installation
●     Server Security

Ref My Compliance blog. “Creating your Cybersecurity policy
Third Party Risk Management
If key business functions and related activities are performed by an affiliate of the fund, a third-party service provider, or some combination thereof, you should review these four key areas with your vendors at least on an annual basis: 

Business Continuity Programs
Succession Plans
Disaster Recovery Procedures
Cybersecurity Policies

Need help to decipher your firm’s business continuity, succession, and/or cybersecurity needs.  We can help you with some resources to get started.  



Email Us to schedule a brief session to review needs

Compliance and Business Management

FIN Compliance (FINCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm, RIA Review, a compliance-management software tool (SaaS), B-D Review, a RIA/Broker-Dealer compliance management software tool, and FINLancer is a business management portal featuring:  E-signature tools; Invoicing integration, Vendor Directory, continuity directory*, business client document portal, and more (available by Q3 2019).  Access all services on one site: FINCompliance.io.

Impact


FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs.  In addition, Cory has volunteered for more than fifteen youth programs in locations such as like S. Korea, China, S. Africa, Thailand, and India.

No comments:

Post a Comment

Compliance Calendar

W.I.N Collective Partners

Post Top Ad

Your Ad Spot

Pages