Wall Street & Technology is part of the Informa Tech Division of Informa PLC


Risk Management

07:24 AM
Cristina McEachern

Not Quite Right

According to the SIA and BMA, a recently released white paper on business-continuity planning should go back to the drawing board.


Reinforcing the continued interest in business-continuity planning and disaster recovery, hundreds of securities-industry representatives gathered in October to attend the Securities Industry Association's first Business Continuity-Planning Conference.

And just two months earlier, the first white paper on sound practices to strengthen the resilience of the U.S. Financial System was released as a collaborative effort among the Fed, the SEC, the Comptroller of the Currency and the New York State Banking Department.

The paper, as well as the large conference turnout, showed once again that the BCP issue is moving full-steam ahead into 2003. But as regulators dip their toes into the BCP waters and financial-services firms are busy preparing and enacting comprehensive BCP strategies, differences of opinion are beginning to surface. 2003 looks to be a year of questions and answers to see if, how and to what extent BCP is regulated and/or mandated.

In a joint-response letter to the regulatory coalition's white paper, the SIA and the Bond Market Association brought up several areas for comment and went so far as to ask the regulators for another draft of the white paper and another round of commentary before anything is finalized.

"We're very concerned about a one-size-fits-all or a prescriptive approach to recovery," says Jerry Klawitter, chairman of the Best Practices Subcommittee of the SIA BCP Committee and vice president of investment banking and business-continuity management for the Americas at JPMorgan Chase. "It's really about how do you manage risks and it's different for different parts of the country, for different firms, the risks are different."

As examples, he points out that firms located in New York and San Francisco face different risks. San Francisco has to plan for earthquake risks, which have large but different implications than New York, which faces risks such as hurricanes, large storms and now terrorist possibilities. "It comes back to what are we planning for and to what degree do we plan for it?" says Klawitter.

The regulators' white paper combines their overall thoughts on sound practices with questions and requests for comment on various areas. In the area of geographical diversity, the SIA/BMA letter responded that, "The Associations do not believe that the white paper should recommend a specific distance or a sound practice that specifies an 'out of region' approach ... firms have already made and continue to make significant investments in alternative sites and data centers based on risk assessments including costs and benefits."

Concerns over Distance and Definition
One area in particular that the paper questioned is the possibility that all core organizations will be required to have a 200 to 300 mile distance between primary and backup facilities. Klawitter says, "You want to look at the physical risks, infrastructure risks and people risks - prescribing or suggesting 200 to 300 miles is not a good place to be."

He points out that in New York City, the distance between downtown and midtown may not be great, but the power grids and communications lines are vastly different. "I can be in midtown as opposed to downtown and not have any physical risk," says Klawitter. "Each firm should have an ability to manage its risk appropriately."

He adds that the consensus among comment letters thus far has been against the 200 to 300 mile distance suggestion.

The recovery time periods, with their specific two- and four-hour targets, also posed some problems, says Klawitter. He says that the necessary recovery times should depend on the time of day at which an incident occurs: an interruption at 2:00 a.m. should not call for the same recovery time as one at 4:00 p.m.

The SIA was also concerned with the white paper's description of "core and significant" firms and the competitive implications of different levels of planning requirements for each. "The paper tries to divide the industry into core, significant and others - many of the smaller firms fall into the other category," says Klawitter. The paper then offers more stringent BCP practices for the core firms in the industry, which would require them to incur additional expense, impacting their profitability.

"When trying to protect the U.S. financial system, the presence of a large clearing house or firm is important, but clearance and settlement is often low margin and there may be businesses that, because of these implications, may have to consider whether they want to remain in those markets, which may force further concentration in the industry," explains Klawitter.

He adds that this would not necessarily be a good thing as the risk would then also be more concentrated among those left. "If you had eight firms doing it and now you only have three firms, that can be a concern," Klawitter says.

Best Practices Versus Regulation
Overall, Klawitter says that the SIA is not really recommending a set of rules or examination guidelines for BCP. Instead, he says that sound practices are a good idea and firms don't necessarily need industry regulation to achieve them.

"Firms are already investing in additional data centers and capabilities," he says. "Marketplace drivers are already doing this - clients are coming in and asking what the state of firms' plans are - there's not really a need for regulatory requirements."

Looking toward the coming year and progress in the BCP arena, Klawitter says that firms should continue to manage their risks and concentrate on best practices. "Firms are good at planning and testing and are even more so prepared post Sept. 11," he adds. After Sept. 11, firms are also thinking differently about BCP, realizing that multiple firms could be recovering at one time and that incidents can occur on a much wider scale.

But he also says that firms are still waiting to see how the regulatory aspect will work out - whether it will be a set of best practices or regulatory, mandated requirements.

Klawitter says that there is still potential for additional regulatory entities to weigh in on the BCP issue and firms are in a wait-and-see position until more information is delivered. Regardless though, he says that firms are working to address any regulatory recommendations and that the SIA will continue to work with the regulatory organizations. "We all have the interest of the U.S. financial system in mind," says Klawitter. "We want to figure out what the right things are and what the right balance is."

------------------------------

Time to recover for mainframe users:
About 90% of firms said they could recover within 24 hours

------------------------------

Technology Recovered Internally or With the Support of a Vendor?

- 42% used an internal recovery solution only

- 10% used a vendor solution only

- 48% used a combination of both internal & vendor solutions

------------------------------

Distance Between Relocation Site & Primary Facility

Firms with less than 5,000 People

- About 22% had sites beyond the 30-mile range

Firms with greater than 5,000 People

- About 63% had sites beyond the 30-mile range

Have firms separated business units & senior executives across locations post Sept. 11?

Firms with less than 5,000 People

- About 79% have not split critical business units across locations

- About 95% have not split senior executives across locations

Firms with greater than 5,000 People

- About 42% have not split critical business units across locations

- About 71% have not split senior executives across locations

------------------------------

In planning for building outages, only 22% of firms planned for multiple building outages before Sept. 11 while 61% planned for multiple building outages after Sept. 11.

------------------------------

Lessons Learned - Post Sept. 11
- After Sept. 11 what parts of the BCP program have received the most focus?

The most focus was given to people relocation strategies and technology recovery, followed by communications recovery and program assumptions.

- After Sept. 11 what parts of the BCP program have changed the most?

The majority of changes were also seen in program assumptions, people relocation strategy and technology recovery, followed by communication recovery and crisis management.

------------------------------

In the event of the loss of a primary data center, 89% of firms rated their current level of recoverability as either excellent or very good

------------------------------

Successes & Weak Links in BCP programs
In terms of success of BCP programs, firms rated senior-management support, business-level buy-in, crisis-management plan and appropriate BCP budget as the most highly achieved.
