Pull out those milk cartons. FINRA is not joking around. Like the SEC’s rule in 2016 to have advisory firms registered with the SEC do business continuity plans (BCP), FINRA (in Rule 4370(e), specifically) sets out that each member “must disclose to its customers how its [BCP] addresses the possibility of a future significant disruption.” It is meant to protect clients and business partners who do business with these firms.
If a financial advisory firm had to disclose their actual BCP, are they going to be proud of their BCP or ashamed of how terrible it is…or proud because they have no idea how terrible it is? I have some tales…
I have reviewed some BCPs for such firms. I do not insist on adding value where value already exists. I was hoping some of the plans I looked at were at least decent to good. I was shocked at my level of disappointment. These firms - with their cookie cutter plans – should worry that they will fail as a business in addition to being out of compliance with FINRA.
The top 5 missed items in Financial Advisory Firm BCPs:
1) Backing up data. Disaster Recovery is a term of art in the business continuity world related to data. The plans I’ve seen either had no steps to physically back up data at all, or – in the best case – backing up data on an external hard drive on a weekly basis. That is hardly sufficient Disaster Recovery planning.
2) Substance. There is a lot of fluff in the BCPs. Cybersecurity is part of a BCP. A cybersecurity plan reciting the importance of the NIST Cybersecurity Framework is not a plan; NIST provides a scalable framework meant for a business of any size to adopt for protection. It needs to be scaled to the firm to be useful.
In the same vein, I’ve seen mention of what Recovery Time Objective (RTO) is in general, but no actual figuring out what the RTO is for the specific firm operations. RTO is essentially knowing how much time any critical system can be down for before the firm experiences business death.
3) Control Measures. If there is a problem that is identified, there are things that can be done to address it to prevent it. Think of a generator for power outages or a fire extinguisher for fires. A BCP is not just for processes, it is premises, people, and providers.
4) Awareness and Training. FINRA requires BCPs to be updated both annually and sooner when there is a material change in the firm. When “updated” documents that house the BCP are last signed 3 years ago, the firm is missing regulatory compliance obligations. Testing at least annually would help a firm better determine whether it has met the "reasonably designed" threshold. You don’t know if it works until you try it.
5) Having an actual plan - I've seen a plan to plan as the plan. That’s not something that can be trained on. Or updated. When the BCP has “assess the damage and then figure out what our possibilities are” after the disaster as the plan, it’s a plan to let the disaster dictate. That’s unnecessary. It is within the control of the firm to change that dynamic. Punting works in football, not financial advising BCPs.
FINRA requires that firms provide “…estimates of how long the firm expects it will take to recover from business disruptions of varying intensities…and resume business.” If you don’t figure out the RTO, you can’t provide this information. If you don’t have an actual plan, you can’t provide this information.
Top 3 damaging things when you miss these items:
1) Failure of third party providers. Every plan backs up files to the cloud, but you need both for there to be internet access AND the cloud to be working. Never assume the internet will be working at all times when you need it. Just ask AT&T customers or Google drive customers when it goes down. Prepare for that phone call when you tell your client you can’t serve them. Maybe practice it in the mirror to make it hurt less.
2) Cessation of operations or firm death. When all the eggs are in one basket, it creates a single point of failure (SPOF). A SPOF, when it stops working, causes an entire breakdown of the operations, making them come to a screeching halt.
3) False sense of security. I’d ask for my money back for some of these plans. They amount to BCP malpractice. Each firm with a bad BCP is woefully unprepared and will have the wind knocked out of them in the event they have to use the BCP.
Another thing that FINRA requires is for the BCP to be reasonably designed. If your firm identifies with any of the 5 points, above, in the apt words of Astro Jeston: “Rut-row!”
