I know of three SEC audits, held in different parts of the country, where
auditors requested to see a copy of the firm’s disaster recovery plan or a
contingency plan. It’s clear that the events of September 11 have changed the
SEC’s attitude toward this important part of any firm’s practice.
Mackensen & Company spent considerable time in the past few months
developing our own disaster recovery plan, and I’d like to share some of the
things we’ve learned. First, since these plans can serve a useful purpose
beyond recovering from disasters, a better name for such a document is a
Business Continuity Plan (BCP). The term “business continuity plan” connotes a
more positive purpose. In fact, as we prepared our BCP, we identified several
weaknesses in our business operations. A BCP provides detailed steps to
mitigate and recover from the loss of office space, communications, services,
or key people. The BCP supports the continuation of essential business
operations in the event of a catastrophic event, natural or man-made. Some of
the major reasons to develop a BCP include:
- Executing our fiduciary duty to our clients.
- Decreasing potential exposures.
- Ensuring organizational stability.
- Minimizing potential economic loss.
- Minimizing insurance premiums.
- Reducing legal liability.
- Protecting company assets.
- Minimizing erroneous decision making during a situation.
- Providing an orderly recovery from a disaster.
- Ensuring regulatory compliance.
The overarching philosophy in preparing a BCP is the question: “What can I do
now to better prepare our business to respond if our office is unavailable?”
Why our office is unavailable is not the issue. Consider that our office and
all of the resources that we normally have available for day-to-day operations
are no longer available. Now what would we do?
Commitment
As with any major planning effort within a firm, the full support of management
and the Board of Directors is needed. They must commit the necessary time and
funds to create and maintain a practical BCP. Business continuity planning is
what Stephen Covey, in his book The Seven Habits of Highly-Effective People,
would refer to as a Quadrant Two activity. This means that the activity is
important, but not urgent. The activity is easy to put off. However, failure to
perform the activity could have a major impact on the business. Visionary
business owners attempt to spend most of their time in Quadrant Two.
As time marches on, resources must be allocated to analyze the firm’s ongoing
planning needs and update the BCP as needed. Funds must be made available to
test and verify the components of the BCP. Planning for relocation must be done
before it’s needed to avoid any unnecessary delays in the recovery process.
The BCP addresses computer and communications outages, building problems, and
personnel tragedies associated with the primary location of the office.
Complete copies of the BCP need to be maintained up-to-date and distributed to
the locations specified as alternate offices. The BCP needs to be reviewed at
least annually, with additional updates distributed as required. The person
responsible for maintaining the BCP must be clearly designated.
During the BCP creation stage, it is critical for everyone in the company to
provide input. One person will think of things that another does not. Once
written, the staff needs to be apprised of changes and appropriately re-trained
on the provisions of the BCP.
The training should consist of, as a minimum, tabletop exercises in which the
employees will have the opportunity to review and comment on the efficacy of
the planned actions, including what must be done initially and on a maintenance
basis.
Building Our BCP
In our BCP, we considered four natural disasters that could completely destroy
our office, or otherwise make it uninhabitable: a tornado, a hurricane,
flooding, or an ice/snow storm. We thought about likely man-made disasters that
could prevent us from using our office space: a fire, an airplane crashing into
our building, an accident at the nearby nuclear power plant, or a
chemical/biological accident.
We planned for the loss of any of these critical services: electrical power,
water pressure, DSL, the Internet, and our file server.
Business Impact Analysis
A quick read of several back issues of the Disaster Recovery Journal indicates
that the single most important step in getting started on a BCP is to conduct a
Business Impact Analysis (BIA). The BIA establishes which business processes
and functions are most critical to the survival of our company so that they can
be properly protected. The BIA should provide an estimate of the maximum
tolerable downtime for each process, followed by a plan to restore the areas of
greatest exposure as soon as possible.
Factors to Consider
After you prepare your BIA, the idea of buying a more robust server may come to
mind. For example, buying a server with dual redundant power supplies will
improve the reliability of your server by 100%. If one power supply fails, the
other power supply will continue to power the server. The failed power supply
may be replaced without shutting down the server (“hot swappable”). This
realization is typical of the positive fallout from conducting a BIA.
Since a server is such a critical piece of hardware, the notion of having a
RAID array (Redundant Array of Independent Disks) on the server also makes a
lot of sense. A RAID array, for example, stores files on the server by putting
a different two-thirds of each file on three different drives. This feature
allows for the loss of one disk without any loss of data. Mirroring drives also
provides an improvement in file retrievability.
The BCP should explicitly define your firm’s file backup scheme. It should
specify that the “verify” feature is used whereby, after a backup is completed,
the backup is read back and compared with the server’s hard drive so that there
is 100% confidence in the backup. The BCP should require that you periodically
restore a backup on an offsite computer to prove that the capability exists.
Storage of media offsite should be addressed, along with the associated backup
rotation schedule.
Since most businesses depend on a certain amount of paper-based marketing
materials, the BCP should specify the minimum amount of marketing materials
that should be stored offsite. These materials should be stored in a clearly
marked “Recovery Box.”
Prior identification of offsite duplication facilities will help in a casualty
situation when printing and duplication capability at the office are lost.
Phone capacity at the alternate office locations needs to be addressed. This
may involve putting in a second phone line at an owner or employee’s home that
would serve as a backup office.
Internet capability at the alternate office(s) must be reviewed. For example,
maintaining a dial-up connection at someone’s home could be important if a
widespread cable outage occurred.
A detailed list of all employee phone numbers, email addresses, street
addresses, and a map to get to everyone’s home should be contained in the BCP.
Banking relationships need to be addressed. If the main bank with which you
have a relationship suffers a severe disaster, you may have difficulty carrying
on your business for a period of time. It makes good sense to have two banks
for your business. The Recovery Box should contain blocks of unused checks for
both banks.
Alternate Offices
We have designated my home as the primary alternate office, which is
three-tenths of a mile from the office. Since our firm previously operated out
of my home, and since my wife currently operates a home-based music business,
the house remains well suited to become the primary alternate office. However,
we recognize that some disasters could easily wipe out both the office and our
home, so we have designated two other alternate office locations at employee
homes.
Closings
The BCP should address the procedures to be used to close or not open the
company under various circumstances, such as a blizzard. We still remember the
Blizzard of ’78 when the entire Boston area was shut down for a full week.
Recovery
Rebuilding and reestablishing the work area following a major disaster may
require substantial planning and execution. The BCP should outline the steps
towards initial data gathering and salvage tasks that may be necessary for the
immediate decision making process and for data that may be helpful in locating
and starting up a replacement office. Some of these steps may comprise a damage
assessment, a preliminary analysis of office downtime, and photographing the
damaged areas for insurance purposes.
The BCP should contain insurance company contact information (Remember, your
office is gone!) so that the damage may be reported. Of course, it helps if you
know what was in your office, so the BCP should specify how often you
are taking digital pictures of everything in your office. The digital files, of
course, are stored offsite.
Succession Planning
The BCP should spell out any succession plans that have been put into place for
loss of personnel. In our situation, we have signed a Shareholder Business
Continuation Agreement with another fee-only financial planning firm in
New Hampshire that will act as the conservator of our business if I should die
or become disabled while I am president of the firm. This succession plan
allows for the employees to purchase the business, or if they elect not to do
so, the conservator is given an opportunity to buy the business. Failing that,
the conservator will sell the business to an arm’s-length purchaser.
Client Notification
We felt that it was important for our clients to know about our BCP and to be
given the phone numbers and email addresses of our alternate offices. We
encourage our clients to file this letter in their Wealth
Management Binder, which our firm provides to most clients.
BCP Maintenance
Most of the lists that will be updated each year as part of the annual BCP
review are contained in appendices. Some of the appendices include:
- Insurance Company Contact Information
- Maps and Directions to Alternate Offices
- Client List (printed from ProTracker)
- Employee Call List
- Vendor Call List
- Corporate Resolution Affirming the BCP
- Alternate Office Site Inventory
- Printed Materials Sources
- Copy Shops in the Area
- Recovery Box Inventory List
- Annual Plan Review Checklist
Lessons Learned
Did we learn anything about ourselves while preparing our BCP? You betcha. For
example, as diligent as we have been about taking tape backups offsite
every day for over a year since we bought our server, we have no offsite
computer containing a compatible tape drive in which to put the tapes for
offsite recovery. Remember, if our office is gone, what good does the tape do
if we do not have a tape drive to put it in? Obviously, we will be obtaining a
new offsite compatible tape drive.
On a lighter note, we now have candles (and matches) at the office to put in
the windowless bathroom and kitchen in case we lose electricity!
Warren Mackensen is a long-time NAPFA member who operates Mackensen &
Company, a fee-only financial planning and investment management firm in
Hampton, NH. Additionally, he is the creator of ProTracker Advantage, a client
relationship management system used by over 600 advisors across the US.