PALM DESERT, Calif. - Just over a year after the terrorist attacks of Sept. 11, which forced many financial services companies to relocate their staffs and their computer systems, a Securities and Exchange Commission official said that the disaster-recovery plans of many small-fund companies are inadequate.
Speaking at the Investment Company Institute's Tax & Accounting Conference here, Brian Bullard, chief accountant at the SEC's Division of Investment Management, said that an SEC review of fund companies' business-continuity plans this year found that the plans of small firms included "less documentation" and were "less formalized."
"The SEC found that some firms had holes in their plans," Bullard said. "For example, offsite locations may not be geographically far enough apart," he said.
Last year's attacks spawned a heightened awareness of how disasters can threaten companies, and now executives and regulators are encouraging complexes to step up their disaster-recovery plans.
Bullard said that the SEC has found mid- and large-size fund complexes to have adequate and well-documented plans. However, executives who spoke at the ICI conference last month said that firms can do more.
Timothy Jacoby, a partner at Deloitte & Touche of New York, said that scores of potential disasters, including earthquakes, floods, computer viruses and satellite interruptions, threaten the continuity of fund companies.
To mitigate the threat, Jacoby said that firms should build disaster-recovery plans that include locations of back-up computer systems and ways to reach and electronically communicate with employees at home.
Running Right Along
Jacoby said that a plan should be designed not to recover quickly from a disaster, but to keep business running throughout a disaster with as little disruption as possible.
"The goal is that there is no down time," he said.
In addition, Jacoby said that the notion of a business-continuity plan has changed dramatically. Fund companies "used to worry about the [computer] system," he said. "Now, they're worried about the people. You can recover the technology, but if you don't have the people to run the technology, it won't do you much good."
Companies that are updating their recovery plans should involve senior management as much as possible, and build the plan with several departments in mind, including human resources, information systems, real estate, telecommunications and those who select vendors for the firm.
And, while in the past such plans have been built around known threats, primarily disasters that have occurred before, Jacoby said that firms now need to plan for the unexpected, rare calamity.
Fund companies should also take into consideration the plans of their service providers, and know that a partner company's plan is solid [see MFMN 4/15/02]. The reason, he said, is that if a firm is outsourcing to a custodian or transfer agent, "you have to rely on their business-continuity plan."
In general, executives should regard the plan as a practical, living document that changes as necessary, is tested regularly, is far from "theoretical" and, most importantly, is remotely accessible.
For example, Richard Hisey, SVP and treasurer at MFS Investment Management, of Boston, who also spoke at the ICI conference, said that many firms have created business-contingency blueprints in large binders, inclusive of such information as contact phone numbers. But "when 9/11 came, nobody was walking around with those binders with them," he said.
In light of that, Hisey recommended that the essentials of a business-continuity plan, including key home phone numbers, be included on a small wallet card that employees can keep with them.