06 September 2012

Best Practices for Hedge Fund Data Compliance and Business Continuity Planning

In today’s marketplace, investors demand that firms demonstrate their ability to maintain consistent operations regardless of disasters or other external events. To be successful, you must ensure that your firm’s data is thoroughly protected. The best practice for accomplishing this is to have both a business continuity plan (BCP) and a disaster recovery (DR) system at the time of your fund’s launch.

Best practices for protecting your firm’s data

When preparing for a potential business disruption, it is crucial to understand the differences between a BCP and DR, as each provides complementary yet unique data protection capabilities. DR encompasses all of the steps involved in implementing and supporting the organization’s infrastructure (including hardware, software and sites) to enable full recovery of mission-critical services and applications. The procedures that will be employed to access up-to-date information and applications are established within the DR plan, as well. In other words, DR planning addresses all of the technological needs of the company and ensures that it will be able to run normally in the event of a disaster.

A BCP makes use of the infrastructure plans addressed in the DR stage, but builds upon this foundation to incorporate a blueprint for recovering normal business operations. A BCP addresses the personnel needs of the organization so that employees gain a clear understanding of what to do, where to go and what their responsibilities are in a disaster situation. Developing a strong BCP involves answering such questions as:

  • What are our firm’s mission-critical processes?
  • Who are the key personnel within our organization?
  • How will those individuals, along with other employees and personnel, be notified of an emergency?
  • Where and how will the company continue to operate?

The process of designing and implementing a DR system and developing a thorough BCP may take as long as several months to complete. When you are finished, your firm should have clearly identified essential processes and personnel, and should have addressed all necessary aspects of resurrecting your business after an unexpected disruption.

As you write your plans, be aware of some pitfalls:

  • You’ll want to establish a DR site to which your employees can report if the office is no longer accessible. An investment firm’s DR site should include redundant power, heating, ventilation and air conditioning (HVAC) systems, fire suppression systems and diesel generators.
  • If your firm’s DR site is in the same geographic area as your primary office location, a regional disaster may render both sites unusable. For instance, if a hurricane or tornado hits your city, this will likely affect both the primary and alternate worksites. Diversify these locations whenever possible.
  • Relying solely on physical tape backup is not a viable data protection plan. Tape does not constitute DR – especially in the investment space. Ensure that your firm’s plan incorporates daily electronic replication of all essential data and applications to an off-site backup location.

The importance of business continuity planning

With Hurricane Isaac wreaking havoc on the Gulf Coast on the anniversary of Hurricane Katrina, we are again reminded of the importance of having a comprehensive BCP in place to protect the people and processes that power an investment firm. The one positive aspect of hurricanes and other weather-related disaster scenarios from a BCP perspective is that businesses typically have advance warning of their arrival. This gives your firm time to prepare, notify employees and other relevant parties, and put the necessary BCP procedures into action before the storm hits. A firm that is ill-prepared for inclement weather is going to face serious challenges when an unannounced incident, such as a building fire, occurs.

To develop an effective BCP, investment firms should systematically undertake the following five-step process:

  1. Risk assessment: During this phase, evaluate physical on-site security and conduct walkthroughs. You will also want to review single points of failure within both the physical infrastructure and the network. Evaluate the impact of various business disruption scenarios (e.g., a blizzard, a shooter in the building or a massive power outage) and use a rating system to define the probability of a risk occurring. Prioritize your findings and develop a roadmap.
  2. Business impact analysis (BIA): When developing a BIA, start by collecting information on recovery assumptions, including recovery point objectives and recovery time objectives. Next, identify critical business processes and workflows, as well as the supporting production applications and interdependencies (both internal and external). Identify critical staff members, including backups, skill sets, and primary and secondary contacts. Finally, discuss any future endeavors that may impact recovery, as well as any special circumstances that might occur.
  3. Plan development: During this stage, you’ll want to obtain executive sign-off of the BIA, then synthesize the risk assessment and BIA findings to develop a thorough and actionable plan. Be sure to create plans on the department, division and site levels. Review the plans with all key stakeholder groups to get their feedback, then finalize and distribute.
  4. Plan implementation: Distribute the plan to all stakeholder groups. Conduct training sessions to ensure employees are comfortable with the steps outlined and answer any questions or concerns they may have.
  5. Plan testing & maintenance: Periodically conduct disaster simulation exercises to ensure all stakeholder groups understand how to execute the various steps of the plan. Bi-annual plan reviews and annual BIA reviews are also highly recommended by management to ensure that the plans are up to date.

Final thoughts

In the fast-paced, volatile arena of investment management, constantly maintaining effective and efficient business operations is crucial. A successful business must be thoroughly prepared for unexpected disasters or outages. Even just a few moments of downtime could be extremely costly, so it is essential that firms implement sound business continuity and disaster recovery procedures.

About Bob Guilbert

Bob Guilbert is managing director of marketing & products at Eze Castle Integration. He is responsible for leading the company’s strategic marketing, partnership and product development functions.

If you would like to speak with someone at Eze Castle Integration about cloud services for your firm, please contact us at 1-800-752-1382 or www.eci.com.

1 Comment to "Best Practices for Hedge Fund Data Compliance and Business Continuity Planning":
  • jjrapa

    06 September 2012

    Bob - don't forget that most/all asset management firms have an SEC requirement to implement a BCP, maintain it and test it regularly! 