
September 2012


PMAC Guideline on Preparing a Business Continuity Plan (BCP)

NOTICE: This document is intended to provide general guidance to the members of the Portfolio Management Association of Canada (PMAC) and is not intended to be and should not be construed or relied upon as legal or other advice. PMAC assumes no liability by providing this guidance to its members or any other person or entity. Every section of this document may or may not apply in any particular situation. Users should carefully review this document generally and the commentary provided to determine applicability. Please note that there may be certain topics applicable to your firm not covered here.

Introduction

Business continuity is an ongoing priority for industry participants and regulatory authorities. Various recent events, such as flu outbreaks, natural disasters, black-outs or marketplaces’ system problems resulting in widespread impact across the entire industry, have served to heighten this priority by highlighting the risk to and effect of operational disruptions on the financial system. Registrants are required to have a business continuity plan (BCP) to address these and other types of events that disrupt business. This guide is intended to provide an overview of BCP planning, preparation, implementation and testing and may be particularly helpful to small and medium-sized firm registrants. This guideline does not separate business continuity and disaster recovery; disaster recovery should generally be considered within the scope of a firm’s BCP.

Regulatory Requirements

Section 11.1(b) of National Instrument 31-103 Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103) requires registrants to establish, maintain and apply policies and procedures that establish a system of controls and supervision sufficient to manage the risks of their business in accordance with prudent business practices. The Companion Policy to NI 31-103 also indicates that firms should:

• ensure that third-party service providers have adequate safeguards for keeping information confidential and, where appropriate, disaster recovery capabilities;

• conduct ongoing reviews of the quality of outsourced services;

• develop and test a BCP to minimize disruption to the firm’s business and its clients if the third-party service provider does not deliver its services satisfactorily; and


• note that other legal requirements, such as privacy laws, may apply when entering into outsourcing arrangements.

Regulators are paying more attention to the existence and adequacy of BCPs. For example, the Ontario Securities Commission (OSC) includes questions concerning business continuity planning in its risk profile compilation for registrants. Specifically, the compliance risk assessment questionnaire administered by the OSC requests firms to indicate whether they have tested their BCP and how frequently testing occurs. Regulators are also becoming more interested in recovery times and their impact on operational effectiveness. National Instrument 21-101 Marketplace Operations requires firms to test their BCP (including disaster recovery plans) on a reasonably frequent basis and at least annually. Similarly, IIROC By-Law 17.16 requires all IIROC Member firms to have a BCP. Finally, in OSC Staff Notice 11-764 Business Continuity Planning – Industry Testing Exercise, the OSC indicated its views on participating in industry-wide testing and encouraged all dealers, marketplaces and clearing agencies to participate in the September 2011 market-wide exercise organized by IIROC. The OSC stated that participation in that testing exercise facilitates the discovery of any potential communication issues, points of failure between industry participants within and across different jurisdictions, or other issues with services provided by third-party service providers.

Objective of a BCP

The primary objective of a BCP is to ensure that a firm has the capacity to resume operational effectiveness within a specific period of time after the onset of a disaster or other market-disrupting event. A BCP should be designed to cover substantially all foreseeable aspects of business interruption, with the ultimate goal of enabling a firm to continue or resume its most critical operative service and technology functions in order to meet service level commitments to customers and its fiduciary, legal and regulatory requirements.

A comprehensive BCP also provides for the preservation of a firm's books and records along with client access to account information and to their funds, enabling firms to verify client holdings, process sell orders, settle, etc. The specific requirements of NI 31-103, as noted above, in respect of the disaster recovery capabilities of third-party service providers should also be integral to a firm’s BCP. Generally, a BCP should mitigate the following categories of risk:

• Firm-specific triggers (e.g. loss of key staff members)

• Local triggers (e.g. loss of power)

• Widespread triggers (e.g. natural disasters, flu and pandemics)

A BCP should at least account for all types of foreseeable risks over which the firm has greater control in terms of mitigation and recovery.


Overview of Implementing a BCP

Firms may wish to develop and assign the activities required to implement a BCP. This may take the form of a committee or of assigning an individual (BCP Lead) to oversee the planning process. The planning process will include, among other things, identifying the following:

• essential services and functions;

• risks applicable to the firm;

• business impact analysis (risk assessment identifying key people, processes and systems);

• the required skill sets to perform essential services and functions;

• key service providers and determination of whether they have a BCP;

• any relevant issues/implications for the implementation of the BCP; and

• potential impact of a business interruption on operations.

The BCP should address each essential service and function identified in the planning process and develop an alternate contingency plan procedure, along with setting a return to operations (RTO) time (ideally 12-24 hours). The BCP should be reviewed with the appropriate committee(s) and/or any management group that the committee(s) report to. Once the BCP has been approved, firms should communicate relevant content of the BCP to all staff and develop firm-wide training and cross-training plans. The BCP should be reviewed annually or more frequently if appropriate, revised when necessary to reflect business changes, tested, and updated for testing outcomes as required. This is discussed in further detail below.

NOTE: The BCP along with all appendices should be accessible by staff in hard copy as well as at specified locations at the firm’s premises and at recovery locations, which may include residences.

Drafting a BCP

A. General BCP Topics

1. Introduction / Statement of Intent

• plan objective(s) including goals and scope

• accountability for plan administration, review, etc. (identify a committee or individual)

• plans, measures and arrangements to ensure the continuous delivery of critical services and products, which permit the organization to recover its facility, data and assets

• identification of resources necessary to support business continuity, including personnel, information, equipment, legal counsel, infrastructure protection and accommodation, etc.

• consideration of relevant definitions


• disclaimer that the plan is not intended to cover every situation

• note that professional advice should be sought in certain circumstances (e.g. medical or security emergencies)

2. Plan Administration

• identify location(s) where the plan can be accessed; determine plan distribution method(s)

• identify plan maintenance, review periods and update procedures

• provide for undertaking a business impact analysis / risk assessment

• identify relevant secondary material – relevant information in appendices, checklists, call trees, etc.

• review the plan at least quarterly (more frequently if there are significant changes to personnel, business model or process)

• provide for firm-wide staff training

3. Communications

• establish procedure(s) for communication with stakeholders, e.g. employees, building management, customers, clients, service providers, regulators, etc.

• notice of temporary disruption to services/facilities for clients, including those with disabilities

• provide a contact list for all groups identified

• consider alternative methods of communication to anticipate possible disruption scenarios, e.g. Internet outage, interrupted telephone service, etc.

4. Plan Activation

• designate a lead person/group to activate the plan

• classify response according to severity, if required

• information – refer to third-party sources (WHO, Health Canada, Centers for Disease Control, etc.) for widespread, universal disruption events

• communicate with external service providers (e.g. where information technology support is outsourced)

5. Plan Activities

• evacuation response – during business hours and non-business hours

• procedures for staff with disabilities

• identify off-site meeting location for premises evacuation purposes

• facilities and security

• recovery site location

• business resumption

6. Information Technology and Office Infrastructure

• ensure that network architecture is documented and accessible

• identify single points of failure for mitigation where possible

• establish a data backup plan


• prepare a data and network recovery plan

• network connectivity – ensure specific applications can be accessed from the back-up site, ensure key client records can be restored (physically and electronically), and ensure manual work-arounds for critical processes are developed and practiced

• identify where phone lines can be redirected to alternate site(s)

• continuity of key processes, e.g. ability to calculate firm capital

• establish a technology test plan

• identify where teleconferencing and videoconferencing services are accessible to facilitate stakeholder communication

• document key systems and applications; establish acceptable downtime, restoration priority and RTOs

• identify reliance on third parties and document alternate means of obtaining or providing service

• provide for protection of documentation, books, records and financials – all vital records to be available at the recovery site location and available for use in the required timeframe during an emergency

7. Service Providers

• all third parties, including service providers, upon whom the firm is critically dependent should be required to demonstrate an effective and proven business continuity capability

• third-party connectivity testing – telecom lines, quote vendors, trading systems and exchanges, banks’ online systems, etc.

8. Emergency Preparedness

• fire and water emergencies and other natural disasters

• weather-related and transit emergencies

• power outage (cross-reference to IT)

• physical emergencies, e.g. sudden illness, workplace injury, etc.

• establish required emergency equipment – first aid kit and fire extinguisher – and identify parties responsible for maintaining them

9. Pandemic Guidelines

• about pandemics – quarantine

• impact on staffing – staff absenteeism and staff relocation, loss of key personnel

• travel policy (repatriating employees abroad)

• World Health Organization recommendations

• resources

• other business impacts

• teleconferencing, videoconferencing

• transportation issues

• premises security


10. Succession Planning

• reference to a stand-alone policy on succession planning (if applicable), or create procedural process documentation for the event of missing, unavailable or lost key personnel

• consider cross-training to cover key functional areas

• consider assigning a back-up staff member to key personnel

• process for access to key personnel's files

• response to medical emergencies for key personnel that render them unavailable to the business

11. Testing (see below for more details)

• objectives and scope

• testing process, procedures and frequency

• test evaluation and reporting, follow-up

• reviewing the BCP of significant service providers

Testing your BCP

Securities regulations require that business continuity plans be tested regularly, to reflect current or potential developments. Firms must establish whether the BCP meets its objectives and whether RTOs are appropriate and achievable to mitigate the risks to the firm in the event of a business disruption. A BCP is tested in order to determine the adequacy and effectiveness of contingency planning and the timeliness of restoration procedures. The best way to establish this is through regular limited-scope testing and annual comprehensive testing. This may, of course, be undertaken more frequently if the firm determines it appropriate. In order to prepare for a successful BCP test, firms should undertake the following:

• Check for any update required to the BCP that would impact the effectiveness and relevance of testing, for example:

  o Identify new lines of business, mergers, changes in business model, etc.

  o Reflect any changes in technology – IT or telephone, etc.

  o Review critical business functions, processes and resources

  o Identify changes in critical third-party systems and outsourced service providers

  o Consider any new software or user licenses added since the last review and test

  o Include changes in office location(s) or property management

• Design a scenario and prepare a set of assumptions that puts the test in the context of a potential disruption scenario

• Determine the test participants

• Prepare a list of external dependencies to include in the testing

• Inform third-party service providers or other stakeholders as necessary

• Establish test date(s) – peak periods of activity may be considered


• Prepare a detailed testing plan

• Prepare staff for the test (except where this is a ‘surprise’ test)

Firms should determine the most appropriate testing procedure for their business environment. During a BCP test, key individuals from functional areas performing critical processes (e.g. trade desk, settlements, wires, transfers, representative support, help desk, compliance, etc.) should participate. Generally, as most BCPs reflect technology disruptions or other events that impact technology delivery, IT staff should be included. Other teams and/or individuals engaged in areas identified as non-critical may be included as appropriate to the nature of the test. Firm-wide testing should include all staff. Elements of testing may include ensuring that all staff are informed of the test in advance, unless the test is intended to be a ‘surprise’. Tests should be scheduled when the greatest number of staff can participate, e.g. avoid peak holiday periods. Consider the length of time it may take to transit to a secondary site or ‘work from home’ location if this is key to your testing plan. At the outset of the test, the BCP Lead should outline participant expectations. Pre-prepared “scripts” for critical functions should be tested and time-tracked (including how long it takes to get back to the main site and be back in operation). Firms should test the call tree (this should be done routinely) and other lines of communication available during the business disruption (e.g. ensuring that telephone and fax lines can be redirected to outside lines). At the completion of testing, an assessment of critical and non-critical failures should be made and an action plan developed to address them according to priority. This is often referred to as a business impact analysis. The BCP Lead, in consultation with other staff, should prepare and finalize a report of the test experience, along with sign-off and recommendations.

Critical failures may require escalation to senior management or to the Board and should be included in the annual CCO report to the Board. An action plan should be created in order to correct all failures and retest critical failures.

Reviewing and Maintaining a BCP

Firms must ensure that all contact information, plan requirements and procedures are kept up-to-date in the BCP. Firms should also ensure that all BCP updates take into consideration new industry regulations or changes to existing ones. Staff training should also be updated, if necessary, and training should be provided to any new staff. Firms are reminded that maintaining a BCP also requires reporting to senior management and/or reporting in an annual CCO report to the Board on any BCP testing or occurrences of activating the BCP.


Additional References

• Public Safety Canada – A Guide to Business Continuity Planning: http://www.publicsafety.gc.ca/prg/em/gds/bcp-eng.aspx

• Canadian Centre for Emergency Preparedness: http://www.ccep.ca/

• Health Canada – Latest Headlines, Advisories and Warnings: http://www.hc-sc.gc.ca

• Canadian Federation of Independent Business – Basic Emergency Management Guidelines: http://www.cfib-fcei.ca/english/article/359-how-to-prepare-for-an-emergency.html

• Disaster Recovery Information Exchange (DRIE) and the Business Continuity Management Information Exchange (BCMIE): http://www.drie.org/

Sample Appendices

The following is a list of sample appendices that are considered to be key components of a BCP:

• Sample BCP Checklist – See Appendix A

• Sample Call Tree – See Appendix B

• Sample Critical Service Providers Contact List – See Appendix C

• Remote Log-in Instructions (Customize to firm systems)


APPENDIX A

SAMPLE BCP CHECKLIST

Do you have a clearly defined, documented and formally approved BCP?

Have you assigned responsibility for the BCP?

Have you evaluated resource requirements?

Have you designated a lead staff member for the overall responsibility for the BCP and clearly defined roles and responsibilities?

Have you identified the employees, processes, tools and critical inputs you need to maintain key business operations during emergency business disruption?

Have you completed a business impact analysis?

Have you defined your critical business functions that must be recovered in case of an emergency?

Have you established appropriate and achievable recovery time objectives (RTOs) for critical business functions?

Have you ensured that your key client records can be restored (physically or electronically)?

Have you defined your strategies for the protection and recoverability of data (electronic or physical)?

Where applicable, have you established pre-designated alternate sites/recovery sites, located a prudent distance from primary sites?

Have you provisioned for testing your BCP annually or more frequently, if necessary?

Are you comfortable that clients will be able to have continued access to their funds and/or assets shortly after a business disruption?

Has your staff been made aware of the plan and been provided training on the BCP?

Have you ensured the plan covers staff with disabilities?

Is there a process by which staff is made aware of updates to the BCP that impact them?

Is BCP awareness and training included in your new employee orientation?


Have you validated the recovery capabilities of critical third party service providers as identified in your BCP?

Have you drawn up Emergency Response Procedures dealing with:

Establishing the existence of an emergency

Notification of staff

Notification of key individuals, service providers, regulators, etc.

Activation of emergency plans

Are Emergency Response Procedures kept up-to-date?

Have you arranged for alternative means of communication in case of failure of telephone and fax lines or power supply?

Do you maintain updated lists (call trees) of internal and external contacts, with alternates?

Do you have a platform for communicating emergency status and actions to employees, vendors, suppliers, and customers inside and outside the worksite in a consistent and timely way?

Have you included redundancies in the emergency contact system?

Does your BCP define key roles, responsibilities and authorities, with alternates?

Have you designated a control and coordination (i.e. command) centre location, where applicable?

Do you have the minimum resource requirements for critical function recovery?

Do you have clearly defined back-up procedures for key applications, hardware and data?

Have you defined processes for restoration or replacement of key data (electronic and paper)?

Do you review and update your plan annually?

Is the existence and adequacy of your BCP communicated to the firm’s Board of Directors or equivalent?

Have you reflected any critical failures during previous BCP testing in your current BCP?


APPENDIX B

SAMPLE CALL TREE


A call tree is a telephone procedure which can be used to notify staff of an emergency. A call tree is typically used to notify staff outside of business hours. A common arrangement is that one person will call a small group of staff members with a message, then those persons will phone other staff and pass on the message, until finally all relevant members of staff have received the message. To ensure that a call tree is effective, it should be regularly tested: missing or changed phone numbers can severely degrade the performance of a call tree. Developing call tree test procedures ensures the call tree operates effectively.
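The cascade described above, as an added example that is not part of the PMAC guideline: a small Python simulation of a call tree test. It models the arrangement in this appendix (one caller notifies a small group, each of whom calls the next group), lets the alternate contact from the sample form stand in when a primary cannot be reached, and reports the branches that a missing or changed number cuts off. The tree, the names and the alternates are constructed placeholders.

```python
from collections import deque

# Constructed sample call tree: caller -> the staff that person is responsible
# for calling. Names are placeholders, not real staff.
CALL_TREE = {
    "BCP Lead": ["Ops Manager", "IT Manager"],
    "Ops Manager": ["Trader A", "Settlements A"],
    "IT Manager": ["Sysadmin A", "Help Desk A"],
    "Trader A": ["Trader B"],
    "Settlements A": ["Settlements B"],
    "Sysadmin A": ["Sysadmin B"],
}

# Constructed alternate contacts (the ALTERNATE block of the sample form):
# primary -> person who takes over that primary's calls when the primary
# cannot be reached.
ALTERNATES = {"IT Manager": "IT Deputy", "Trader A": "Trader Deputy"}


def all_staff(tree):
    """Everyone in the tree, callers and callees alike."""
    names = set(tree)
    for callees in tree.values():
        names.update(callees)
    return names


def branch_below(tree, person):
    """All staff below `person`: the branch that is cut off when neither the
    person nor an alternate can be reached."""
    out, stack = [], list(tree.get(person, []))
    while stack:
        name = stack.pop()
        out.append(name)
        stack.extend(tree.get(name, []))
    return out


def run_call_tree(tree, alternates, reachable, root="BCP Lead"):
    """Simulate one call tree test. `reachable` is the set of names whose
    number worked (the CONTACTED YES/NO column); the root initiates the
    tree and is assumed reachable. Returns a dict with the staff notified
    (in call order), the staff never reached, the gaps found (primaries
    whose whole branch was cut off) and the number of sequential call
    rounds the cascade needed."""
    notified, unreached, gaps = [root], [], []
    queue = deque((callee, 1) for callee in tree.get(root, []))
    rounds = 0
    while queue:
        person, depth = queue.popleft()
        rounds = max(rounds, depth)
        if person in reachable:
            notified.append(person)
        else:
            unreached.append(person)
            alt = alternates.get(person)
            if alt is None or alt not in reachable:
                lost = branch_below(tree, person)
                unreached.extend(lost)
                gaps.append(f"{person} unreachable, no alternate reached; "
                            f"{len(lost)} staff below not notified")
                continue          # nobody carries this branch on
            notified.append(alt)  # alternate makes the primary's calls
        for callee in tree.get(person, []):
            queue.append((callee, depth + 1))
    return {"notified": notified, "unreached": unreached,
            "gaps": gaps, "rounds": rounds}


if __name__ == "__main__":
    # Test scenario: two stale numbers, only one of them backed by an alternate.
    worked = (all_staff(CALL_TREE) - {"IT Manager", "Settlements A"}) | {"IT Deputy"}
    print(run_call_tree(CALL_TREE, ALTERNATES, worked)["gaps"])
```

The gaps list is the test finding to act on: each entry names the primary whose number (and alternate) must be corrected before the next exercise.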

PRIMARY

NAME | WORK PHONE   | MOBILE PHONE/BLACKBERRY | HOME PHONE | TEAM WORK E-MAIL | TIME CALLED | CONTACTED YES/NO
     | 000-000-0000 | BB # -                  |            |                  |             |
     |              | BB # -                  |            |                  |             |

ALTERNATE

NAME | WORK PHONE   | MOBILE PHONE/PAGER      | HOME PHONE | TEAM WORK E-MAIL | TIME CALLED | CONTACTED YES/NO
     |              |                         |            |                  |             |

DRAFT: For Discussion Purposes September 4, 2012


APPENDIX C

SAMPLE CRITICAL SERVICE PROVIDERS CONTACT LIST

Product/Service:

Service Provider Name/ID:

Address:

Contact Person:

Phone No.:

24 Hour No.:

FAX No.:

Other No.:

Alternate Contact:

Comments:

Product/Service:

Service Provider Name/ID:

Address:

Contact Person:

Phone No.:

24 Hour No.:

FAX No.:

Other No.:

Alternate Contact:

Comments: