Does your business continuity plan have holes?
Q: With everything going on involving the coronavirus pandemic, what would you say is the most important thing broker-dealers should be focused on at this time?
A: I generally say the most important thing broker-dealers, or any business, should be focused on is their business continuity plan (sometimes referred to as a disaster recovery plan). FINRA’s website has an entire page devoted to all things COVID-related, including business continuity planning.
Most pertinent for our purposes is FINRA Rule 4370, which requires member firms to have a written BCP “identifying procedures relating to an emergency or significant business disruption.”
Note that the rule requires that the plan be “reasonably designed to enable the member to meet its existing obligations to customers.” This is important because it means there is no one-size-fits-all plan. You cannot, and should not, simply use an off-the-shelf plan and expect that it will be acceptable without customizing it specifically for your firm’s needs. (As a starting point, take a look at FINRA’s Small Firm Business Continuity Plan Template.)
Additionally, keep in mind that your BCP should not be a static document. Rule 4370 requires you to update the BCP as your business changes and to review it annually. Examiners will expect such revisions, not only to address new disasters, but also when business disruptions have exposed holes in your plan.
The current pandemic is a good example of this. I’ve been working with several firms whose existing BCPs had provisions for working from alternate locations in the event their main office was inaccessible, but which failed to address the current scenario where employees are required to work from home, and where working from a single alternate location is not feasible.
The rule helpfully provides a list of elements that a BCP must — at a minimum — address. But, as we see from the current situation, it’s important to consider potential business disruptions that might not appear obvious at first. FINRA provides the results of its 2009 firm survey to determine preparedness for a pandemic in the wake of the swine flu, or H1N1 virus. In light of the coronavirus pandemic, you can be certain that the SEC and/or FINRA will conduct additional surveys or sweep exams to assess firms’ BCPs and how the firms handled — or didn’t — the sweeping changes brought about by COVID-19.
Finally, don’t forget that testing the plan is an important part of preparation, and examiners will expect to see documentation of periodic testing.
Please send your questions for compliance expert Alan Foxman to firstname.lastname@example.org