Regardless of your Regulator, FCA/SEC/FINRA, a business continuity plan is a regulatory requirement

Every business has a notional plan as to what to do if a disaster strikes. However regulated firms have to be much more definitive in their thinking and procedures. The regulator insists that firms have adequate systems and that those systems can survive a disaster with minimal impact on the business or clients. The core of a regulated Firms Business Continuity requirements are set out in the Senior Management Systems and controls hand book (SYSC) the relevant four sections being:

  • SYSC 4.1.6 (Requirement)
    A common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm must employ appropriate and proportionate systems, resources and procedures.
  • SYSC 4.1.7 (Requirement)
    A common platform firm and a management company must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.
  • SYSC 4.1.8 (Guidance)
    The matters dealt with in a business continuity policy should include:
    • (1) resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;
    • (2) the recovery priorities for the firm’s operations;
    • (3) communication arrangements for internal and external concerned parties (including the appropriate regulator, clients and the press);
    • (4) escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;
    • (5) processes to validate the integrity of information affected by the disruption; and
    • (6) regular testing of the business continuity policy in an appropriate and proportionate manner in accordance with SYSC 4.1.10 R.
  • SYSC 4.1.10 (Requirement)
    A common platform firm and a management company must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.

In summary what the FCA wants is for a firm to invest in robust systems in the first place, if they fail have a recovery plan in place, regularly test that plan and fix any issues found in the testing. IP Sentinel have a long track history of implementing regulatory sound Business Continuity and Disaster Recovery plans. These plans are more than just paper exercises for firms as they form a key part of not only regulatory requirements but Investor Due Diligence as well.