The financial-services industry has come a long way in preparing for a disaster in the nearly three years since 9/11, when business-continuity planning (BCP) was quickly thrust to the top of financial institutions' priority lists.
At this year's SIA show, BCP remains an important issue, with a discussion taking place tomorrow afternoon. The panel, "Business Continuity Planning - Improving the Resiliency of the Securities Industry," will offer an update on the state of BCP and how the SIA is continuing its work and focus on BCP.
On the panel, Howard Sprow, director of business continuity planning at the Securities Industry Association, will be joined by industry representatives Rudy Garcia from Bank of America, Peter Jespersen of Merrill Lynch and Robert Kaiser of Pershing to discuss the SIA's BCP goals. The panel will focus on three major areas: the new NYSE and NASD BCP rules that were released in April; industry-wide BCP tests that the SIA is helping to coordinate; and an update on the SIA Emergency Command Center.
Robert Kaiser, vice president at Pershing, will address the newly released NYSE and NASD BCP rules. Specifically, he will discuss the NASD Rules 3510 and 3520 and the NYSE Rule 446. NASD Rule 3510 requires each member to create and maintain a BCP plan and outlines requirements that each plan must address. It also requires members to update their BCP plans when any material changes take place and to conduct, at a minimum, an annual review of the plans. In addition, the rule requires member firms to disclose to customers how their BCP plans address the possibility of future significant business disruptions and how the firm plans to respond to events of varying scope. Rule 3520 requires members to designate two emergency contacts to provide information to the NASD electronically.
NYSE Rule 446 is similar, requiring "members and member organizations to establish and maintain BCPs relating to an emergency or significant business disruption." The rule also requires the BCP to be designed to enable the organization to meet its obligations to customers and address relationships with other broker-dealers and counterparties. The NYSE rule establishes, at a minimum, an annual review of a member firm's BCP plan and requires updates for any change in the firm's operations, structure or other detail that affects the information in the plan.
"These rules are very important," says Kaiser. "While the vast majority of firms are already doing this, it's important to advocate that disparate parts of the program are made into complete packages that can be reviewed by the NYSE or NASD auditors." He cautions, though, that the rules are not plans themselves, and it is important for firms to have a robust underlying BCP program already in place.
Kaiser explains that the rules set out 10 major points of what a BCP plan must contain or address. "The purpose is to bring the rules to the attention of firms and people that might not be directly involved but who should be aware that the rules are out there and might be called to participate," he explains.
While many of the points are already being addressed by firms, Kaiser says that other points will require more work and planning based on hypothetical situations and what-ifs, and what the response would be. "These will force firms to think about what their responses are going to be ahead of time; these are scenario-based responses," Kaiser says. For smaller firms that might not have the resources or the numbers for a dedicated BCP staff, the NASD has also released a template to help them shape their BCP plans and meet the new rules.
In addition to the new rules, the panel will offer an update on the SIA Emergency Command Center, including how the center works, what the notification process is and how the center interacts with government agencies during times of crisis. Merrill Lynch's Jespersen will describe how and when the center is activated, how member firms are contacted and how contact is maintained. "As we developed the process, we determined that the best way to do this was virtually," says Jespersen. The command center is based on scheduled conference calls and e-mail contact in a time of crisis. "We will come together through the virtual command center capability, which offers a conference bridge and the ability to send out e-mails to give details on what happened, when, and the estimated duration for the event."
Jespersen says that the command center committee is also working with the city of New York in preparation for the Republican National Convention and is constantly looking to improve capabilities by updating and upgrading planning and documentation. One of the key factors, Jespersen says, is that if an event happens in, say, the New York area, member firms from Florida or Illinois are prepared to step up and do the coordination and work with the command center. "Among BCP professionals, this is a top priority, and the financial-services industry is recognized by regulators and others to be one of the best-prepared industries because we've had a history of requirements," he adds.
The panel also will address ongoing industry-wide BCP testing coordinated by the SIA. Phase One, which began last year, continues to test connectivity among firms and their backup sites, exchanges and utilities. At the end of 2004, Phase Two will begin, with more robust tests covering work-area recovery and connectivity. "We will discuss where we are in Phase One and talk about how we move to the Phase Two tests," says the SIA's Sprow, who adds that testing has gone well so far. Though major firms have been testing more heavily, he says, smaller firms are also currently testing. <<<