One area of increasing scrutiny by regulators of investment advisory firms is that of business continuity and disaster recovery. Given the fact that these firms are providing ongoing investment advice to their clients, it seems logical to require that the firms have a plan in place to ensure at least some level of protection for their clients in the event of a business disruption of any type.
Where a firm creates a policy and process to address business disruption in response to the regulatory requirement therefor (quite apart from the common sense which would dictate such a policy even in the absence of the requirement), what happens next? In the event of an audit of the firm, which usually takes place every few years, one might expect the policy to be provided for review and comment. That review might or might not be more than a pro forma checking of the box or could actually involve an in-depth examination with comments and questions. We’ve seen both approaches….
A couple of other next steps suggest themselves and might be found useful by a firm taking its business and any potential disruption seriously. First, that policy and process should actually reflect the business and its personnel and be updated at least annually to keep relevant with changes in the firm, its technology, business model and more. Second, wouldn’t it make sense to provide clients with a basic overview of the process with an emphasis on what the clients can and should do in the event there is a business disruption? They would know what to expect, what they could do with regard to their investments, and how to contact the firm.
What a business disruption policy and process should be focused on is not what the regulators might think they want but on what will best serve your clients and after them, your business.