Application Development
Cyber Security
Featured
Management Consultancy
What business activities are in scope?
Do you know your exposures?
Who are your customers and what are their expectations?
What is your reliance on critical vendors?
What is your reliance on critical infrastructure, clearing firms, administrators?
What functions, operations, and products are critical?
What are the minimal resources required to maintain the business for a selected time period?
What immediately non-critical functions become critical after a given time period?
What is the “proximity” risk to your firm — internal and external?
NH
Author
Nour Hamdieh
Read time
5 minute read
Published
23 Jun 2020
Topics
AI and Data Science
Executive summary
Business continuity is not optional — it is a compliance requirement.
Recent provisions promulgated by the Private Fund Investment Advisers Registration Act of 2010 — a section of the Dodd-Frank legislation — require managers to register with the SEC and implement a suitable compliance programme if they either have $100M of AUM (managing a fund and separate accounts) or $150M of AUM (managing a fund only).
Under SEC Rule 206(4)-7 of the Investment Advisers Act of 1940, those managers must design and manage a business continuity plan as part of the compliance programme. The SEC has stated that an adviser has an obligation to protect its clients’ assets from risks resulting from the adviser being unable to provide advisory services — and the BCP must be “reasonably designed” to enable the adviser to meet client obligations in the event of a natural disaster, emergency, or significant business disruption.
Business environment
A regulatory landscape with growing expectations
Globally, many business recovery standards are developing to meet the needs of international organisations — such as the British Standards Institution’s BS 25999. It is important to assess which standard is appropriate, taking into consideration the nature of the business, international acceptance of BCP practices in your markets, and management’s approach regarding risk management.
Best practice guidance is available from many credible sources. The SEC has co-authored the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, and SIFMA, the MFA, and FINRA have published best practice guidelines under Rule 4370 — providing a framework for private fund advisers.
BCP framework — key areas to address
→Establishing and maintaining a BCP — procedures for emergency or significant business disruption
→Updating requirements — review at least annually and upon any material operational change
→Plan approval — designation of senior management registered principal to approve the BCP
→Disclosure requirements — written at account opening, posted on website, available on request
→Designating emergency contacts — at least one must be senior management and a registered principal
→Business constituent, bank, and counterparty relationships identified and analysed for continuity
BCP detail areas — minimum compliance framework
Data back-up and recovery (hard copy and electronic)
All mission critical systems
Financial and operational assessments
Alternate communications between member and customers
Alternate communications between member and employees
Alternate physical location of employees
Regulatory reporting
Communications with regulators
Assurance of customers’ prompt access to funds and securities
Key concerns
Issues to address in a top-down BCP programme
A firm planning a top-down approach to BCP implementation needs to focus on its strategic business priorities and review the relevance of industry guidelines within that context.
Regulatory requirements — SEC guidance may be forthcoming; will FINRA become the model?
Risk management including exposures of vendors and to counterparties
Executive ownership, commitment, and support of the programme
Programme as part of company culture — recognizing it is part of “doing business”
Adequate funding and staffing
Key questions
Nine questions every fund must answer
Before designing the BCP, the firm must honestly assess its own exposures, dependencies, and critical functions across all business lines.
Q1
Q2
Q3
Q4
Q5
Q6
Q7
Q8
Q9
Key terms
Definitions used throughout this framework
Investment Adviser
The “adviser” to a private fund is specifically understood, in the legal sense, to be responsible for compliance to the Investment Adviser Act, as well as to the investment clients they represent.
Mission critical system
Any system necessary to ensure prompt and accurate processing of securities transactions — including order taking, order entry, execution, comparison, allocation, clearance, settlement, maintenance of customer accounts, access to customer accounts, and delivery of funds and securities.
Financial and operational assessment
A set of written procedures that allow a member to identify changes in its operational, financial, and credit risk exposures.
Investment Advisers Act of 1940 (as related to Dodd-Frank)
Requires the registration of anyone in the business of offering investment advice. Promulgates disclosure rules with respect to the adviser’s interests in all transactions, and contains anti-fraud provisions. As updated by the Private Fund Investment Advisers Registration Act of 2010, sets the AUM thresholds triggering SEC compliance programme requirements including BCP.
Approach
A structured approach to BCP implementation
Effective BCP implementation requires executive-level commitment and a clear view of whether the strategy will be driven by application resiliency or business impact analysis — or both. The appropriate resources must be secured before implementation begins.
Step 01
Executive commitment
Obtain executive-level commitment and strategic insight prior to implementation. Without senior ownership, BCP programmes fail to become embedded in firm culture and receive insufficient funding and staffing.
Step 02
Strategy decision
Decide the business and technology mix — whether application resiliency or business impact analysis will drive the strategy — and plan the implementation project accordingly.
Step 03
Essential resources
Secure ad hoc resources required for an effective implementation — legal counsel, compliance assessment, operations project management, and IT project management.
Benefits
What a well-structured BCP delivers across the firm
A robust BCP is not just a compliance requirement — it is a business asset that reduces operational risk, supports client transparency, and frees the firm to respond to disruption with confidence rather than improvisation.
Citations
1. Mallon, Bart. “Business Continuity Plans (Disaster Recovery Plans) | Investment Adviser Registration.” Retrieved October 18, 2010, from http://www.hedgefundlawblog.com
2. Amended by SR-FINRA-2009-036, effective December 14, 2009.
3. SIFMA (2008). The Business Continuity Program — Expanded Practices Guidelines. New York: Business Continuity Planning Committee.
4. Securities and Exchange Commission, Division of Investment Management website (www.sec.gov). SME, legal & industry interpretations appended.
5. “Protecting Investors: A Half Century of Investment Company Regulation”, United States Securities and Exchange Commission, Division of Investment Management, May 1992.
Business continuity is not a project. It is a discipline.
OmniVista · Management consultancy · AI & Data Science
Building or reviewing your fund’s business continuity programme?
OmniVista provides BCP framework design, compliance assessment, and implementation support for private fund advisers and investment management firms.

