Guidance on Business Continuity and Disaster Recovery Planning for Coronavirus Disease 2019 (COVID-19)
ACA is actively monitoring the developments related to coronavirus disease 2019 (COVID-19). The threat of the virus has put everyone on alert as governments, regulatory agencies, and health professionals provide guidance and possible restrictions to prevent the spread of the virus.
Firms are encouraged to revisit their business continuity and disaster recovery planning in response to a pandemic. In this alert, we’ve outlined key business operational risks as well as steps firms should take to prepare for and minimize business disruptions due to COVID-19. This alert should be read in conjunction with the latest relevant guidance from applicable regulatory and government agencies.
Regulatory agencies globally continue to monitor and assess the impact COVID-19 will have on firms. Many have instituted rules and regulations as well as relevant guidance to assist financial firms in developing effective business continuity and disaster recovery plans to minimize the potential adverse effects of a pandemic, including COVID-19.¹,²,³,⁴
Review Your Firm’s Business Continuity (BCP) and Disaster Recovery Plans
Your firm should review its existing business continuity and disaster recovery plans to address a variety of contingencies that could disrupt the firm’s businesses, including potential pandemics. Such plans should be sufficiently flexible and reflect the firm's size, complexity, and business activities.
To address the unique challenges posed by COVID-19, your firm's business continuity and disaster recovery plans should provide for:
- A proactive program to reduce the likelihood that the firm's business operations will be significantly affected by a pandemic event, including monitoring of potential outbreaks, employee training, and ongoing communications and coordination with critical service providers.
- A written Business Continuity and Disaster Recovery Plan that ensures the firm's process and controls are identified and followed during a pandemic event.
- A framework to address business locations and/or facilities to ensure the firm's ability to continue its business operations if its primary physical space is unavailable.
- Testing the program to validate the effectiveness of the business continuity and technical recovery procedures. Testing allows for continuous improvement to the firm's readiness to respond to an unpredictable business disruption such as COVID-19 and confirms the availability and functionality of the firm's critical processes and supporting resources. Tabletop exercises should include preparation for a number of potential scenarios including but not limited to office closures and quarantines as well as public transportation and critical service provider disruptions.
- Management oversight and governance to ensure the firm's business continuity and disaster recovery plans are kept up-to-date and supportive of its business operations.
Considering the recent outbreak of COVID-19, firms should review, update, and test their current business continuity and disaster recovery plans to help minimize a potential disruption to their business operations. Firms can take the following steps to ensure adequate preparation for business continuity and disaster recovery:
- Identify key personnel
  - Appoint at least one Point of Contact (POC) or selected team members to coordinate pandemic readiness activities;
  - Coordinate internal roles and responsibilities during an outbreak;
  - Monitor news and announcements;
  - Identify back-up personnel if the primary POC or selected team members should fall ill or be unable to execute responsibilities; and
  - Identify back-up personnel for key functional stakeholders should they fall ill or be unable to execute their responsibilities (e.g., accounting and finance, portfolio manager, or investor relations backups).
- Develop an employee communication plan
  - How the firm will respond to various scenarios (e.g., closed schools, quarantine of areas, coworker(s) suspected or confirmed to be infected), including what the plans are and what employees must do to prepare;
  - Whether the plan has been enacted;
  - How to respond to rumors and to confirm the firm's status; and
  - How and when the firm will make an “all clear” announcement and a potential return to standard processes.
- Test and secure remote access for work-from-home situations
  - Provision laptop computers, monitors, keyboards, printers, docking stations, shredders, etc.; avoid, if possible, shifting work to personally owned computers;
  - Consider employees that require access to paper documents/files; identify and securely provision access to cloud file stores where shared access to documents is required (use multi-factor authentication and encryption);
  - Require employees to carry laptop computers home each day as quarantines and closures may be enacted with little warning;
  - Confirm remote access capabilities (e.g., VPN and Citrix equipment is up-to-date and internet service lines have sufficient capacity); test web and voice conferencing capabilities and ensure employees have access to and understand how to use them;
  - Test employees’ ability to work remotely (e.g., rotate staff to work remotely on selected days during the week to identify issues proactively in anticipation of a facilities closure or quarantine order); and
  - Identify the ability to reset (remotely if possible) the automatic lock and unlock schedule of exterior doors tied to business hours.
- Coordinate with key vendors and outside parties
  - Develop open communications and coordination with key vendors and other outside parties, including clients, shareholders, limited partners, regulators, and the media;
  - Test the ability of critical service providers to support business during a disruption (e.g., ensure clients can access investor portals or continue to receive investor/client reports);
  - Consider alternative service providers; and
  - Develop backup/alternative processes (e.g., manual or in-house) to ensure continuation of critical business operations.
- Conduct staff training
  - Conduct a webcast or conference call to review the BCP with your entire organization;
  - Ensure employees understand roles and responsibilities during a business disruption;
  - Conduct tabletop exercises in preparation for office closures, quarantines, health emergencies as well as public transportation and critical service provider disruptions; and
  - Ensure employees understand how to access critical business systems as well as firm and/or client information remotely.
- Coordinate with portfolio companies
  - Private equity firms should provide guidance to their portfolio companies to ensure their BCPs are in place and have been tested.
Although no business continuity or disaster recovery plan can guarantee full and immediate resumption of business operations given the unknown impact of COVID-19, creating a sound framework as well as implementing strong processes and controls can help prepare your firm and its employees to handle and manage against a significant disruption to business operations related to COVID-19.
Replay Our Webcast
ACA hosted a live 30-minute webcast on March 4 featuring a Q&A with our cybersecurity and IT team. Please join Mike Pappacena, Partner at ACA Aponix, Jeff Gorton, Senior Principal Consultant at ACA Aponix, and Steve Blossom, Chief Information Officer at ACA Compliance Group for this interactive discussion.
ACA's COVID-19 Resources
ACA is closely monitoring the coronavirus (COVID-19) pandemic and the new and emerging risks our clients are facing during this uncertain time. We are providing updates, guidance, and best practices to help your firm manage business disruptions caused by COVID-19.
How We Help
We provide business continuity planning development and implementation assistance designed to help your firm address its operational and other risks in the event of a disruption, as well as meet upcoming regulatory obligations.
For More Information
To learn more about how ACA can help enhance or strengthen your business continuity and disaster recovery plans, please reach out to your ACA consultant or contact us below.
1 See rule 206(4)-7 of the Investment Advisers Act of 1940 (the “Advisers Act”) which requires advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act by the adviser or any of its supervised persons.
3 FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires firms to create and maintain a written BCP with procedures that are reasonably designed to enable firms to meet their obligations to customers, counterparties and other broker-dealers during an emergency or significant business disruption.