Simple backup strategies no longer cut it as the SIA and other regulators are stepping up the BCP discussion with new guidelines and a white paper.
As the securities industry marks the first anniversary of the Sept. 11 terrorist attacks and financial-services firms slowly return to lower Manhattan, business-continuity planning has become a boardroom issue. Financial-services firms now have heads of business-continuity planning and have put extensive thought into these master plans in light of the attacks and of business-interruption possibilities in general.
On the eve of this first anniversary, the Securities Industry Association took the first step forward in making business-continuity planning an industry-wide initiative with the release of a recommended guidelines/best practices paper. While the SIA best-practices paper coincided with the release of a joint white paper by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency and the Securities and Exchange Commission (see this month's "Operations" section), the SIA document focused on the planning aspect and best practices when formulating those plans.
"By definition, responses to impacts on our business are extremely detailed in nature. We run very complex systems and have very complex interactions with each other and those details reach beyond the technology-oriented things like IT and telecom into all aspects of the business, not just the processing piece," says Donald Kittell, executive vice president of the SIA. "The way we are dealing with this is to come up not with detailed solutions to every scenario you can think of but to identify generic types of business interruptions and develop generic solutions to those things."
Kittell points out that while backing everything up may be a simple, broad-ranging answer to the BCP question, the costs associated with such a project make it difficult for many firms. "It's a feasible solution in some cases, but for the industry to duplicate all of its critical functions in different geographies, with all of the technical backup as well as the staffing involved in that sort of thing, is essentially not affordable and impractical," he says. So the SIA has released its guidelines for business-continuity planning as a reference point to make sure firms are addressing all of the most important aspects.
Developed by the SIA's Business-Continuity Planning Committee, the guidelines are broken into three areas covering a set of Business Continuity Program best practices, Recovery Strategy recommendations and Recovery Resources for the SIA's 600-plus member firms.
Kittell says that coordination is key to business-continuity planning. "Sept. 11 introduced whole new dimensions where we suddenly have to worry about our infrastructure, our telco providers, our power providers, etc.," he says. "There is a huge premium on networking and coordinating information across a whole set of relationships that are non-traditional for us. We're very used to dealing with each other and our regulators; we are less traditionally used to dealing with power companies, transportation and municipal agencies. So it's a much more complex set of coordinations."
While the SIA is not involved directly with individual firms' plans or what the exchanges are doing internally, Kittell adds that the SIA best practices focus on coordination between "all the working parts in the industry." He says the best practices aim to be an educational reference point with the organization acting as an interface to the regulators. "We are only a very small piece of a much broader puzzle," he says.
When it comes to specifics, testing business-continuity plans is an important area that the SIA is looking to address as firms cement their plans. "As an industry, we've gone through certain initiatives, such as Y2K and decimalization, that have forced us into testing," says Paul Honey, chairman of the SIA BCP committee and first vice president of global continuity planning at Merrill Lynch. He adds, though, that contingency-planning tests are slightly different. "We're talking about testing from one backup site to another backup site, rather than just testing by changing code in someone's data center." While certain member firms have already undertaken tests, industry-wide testing initiatives are still being developed.
Kittell adds that, on Sept. 11, many firms were going into their backup sites but were not fully aware of their location or connectivity routes. "Now there is an awareness and we will be able to test with the firms talking to the hub organizations - backup to backup," he says.
Reinforcing the importance of testing plans, Honey points out, "The critical point about continuity planning is that it's very good, obviously, to develop these plans, but where the rubber meets the road is making sure they are tested and actually work and meet expectations; that's a critical focus."
In addition, Honey says that with comprehensive BCP plans in place, firms will have the ability to rely on those procedures without depending on employees to work long hours in recovery. "There were a lot of heroics on Sept. 11 and people were incredibly creative with solving problems and there were a lot of problems to solve after the 11th," says Honey. "I think a good way of looking at testing and the ongoing program is to rely less on the heroics at the time of disaster and rely more on procedures put in place."
Honey adds that while securities firms have traditionally been very competitive in areas such as equity, debt, research, etc., continuity planning is one area in which firms do not compete and can work together to embrace the BCP best practices. "We've been tremendously impressed by the level of information sharing that has taken place; if one firm goes down, it has a negative impact on the whole industry," he says.
The guidelines are a general set of best practices that cover business continuity due to any type of disruption, says Honey. "Continuity planning, in general, looks at the broad array of threats - anything that can put a company out of business from a man-made disaster to a natural disaster to cyber attacks and other threats," he says. "We try to concentrate on the impact of something happening rather than the specific threat itself."
While hard data on the actual implementation of business-continuity plans remains to be seen, Honey says that most of the almost 60 firms on the BCP committee have fairly robust plans already in place. But the SIA will be seeking more information from member firms when it surveys representatives at its Business Continuity Planning Conference and Exhibit (Oct. 29-30 at the New York Marriott Brooklyn). "This should provide, for the first time at the industry level, a very formal benchmark for firms to assess where they are with their programs," says Honey.
"Business-continuity planning is a process and not a project," says Kittell. "What we're trying to do here is build this into day-to-day operations. Unfortunately, your business environment will continually change, your facilities, your technology will change, the markets will change and you have to build continuity planning into those various areas."
A Sampling of SIA BCP Best Practices
- Each firm should have in place a business-continuity program that ensures:
  - the development, implementation, testing and maintenance of business-continuity and emergency-response plans that enable the business to protect its assets and meet its business-recovery objectives;
  - prevention and mitigation activities that reduce the likelihood and impact of a disruption;
  - an ongoing employee-awareness program.
- Each firm should have a business-continuity-policy document that provides the framework for its business-continuity program and for the development of business-continuity and emergency-response plans. Business-continuity plans should be documented and readily accessible to those who need access.
- Each firm should have an executive and corporate group responsible for overseeing the business-continuity program.
- Business managers should be responsible for the review, implementation, funding and sign-off of business-continuity plans and associated exercise results.
- Recovery exercises for critical-business functions should be conducted no less than annually and as is warranted by changes in the business and/or information-system(s) environment.
- Plans should be reviewed and updated no less than annually and as warranted by changes in the business and/or information system(s) environment.
The full SIA BCP Best Practices document can be viewed on the SIA website at www.sia.com/business_continuity/pdf/bestpractices.pdf.