On August 27, 2013, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert, which contained examiners’ observations regarding investment advisers’ Business Continuity Plans (“BCPs”) related to the disruptions caused by Hurricane Sandy in October 2012. Although it is far too soon to tell how well advisers’ BCPs are performing during the current pandemic, it is an issue that examiners are likely to assess after this is all behind us.
BCPs protect a RIA’s business and clients
In the 2013 Risk Alert, OCIE stated that a Registered Investment Advisor’s (RIA) policies and procedures should include BCPs because advisors have a fiduciary duty to protect clients’ interests from risks arising from their inability to provide advisory services after a natural disaster or some other tragedy. The contingency planning process should be appropriately scaled and must be reasonable in view of the facts and circumstances surrounding the RIA’s operations, as well as its commitments to clients.
A BCP should address the following elements at a minimum:
- Who is responsible for maintaining employee, regulator, and client contact information;
- Who is authorized to declare an emergency;
- Who is responsible for reporting the disaster to the authorities and insurance carriers;
- How is client information stored and recovered;
- How will the firm communicate if its primary communication system is unavailable;
- Who is responsible for periodically testing the BCP and for maintaining records of such testing; and
- Where will advisory personnel meet if the RIA’s office becomes uninhabitable.
In view of the current pandemic, BCPs will need to address the possibility that in-person meetings with staff and clients will become impractical.
Every member of an RIA should be made aware of the firm’s BCP and should know their own responsibilities in the event an emergency occurs. RIAs should also conduct due diligence of their vendors, custodians, and other service providers to ensure that they have established BCPs and should check in with these vendors during an event that has triggered the vendor’s BCP to determine whether there are any unforeseen issues of which the RIA should be aware.
RIAs must plan for widespread disruption. The current pandemic takes that recommendation to a new level. Few advisers could have predicted that the current pandemic would impact every state in the country, and almost every country in the world.
In its critique of BCPs following Hurricane Sandy, SEC examiners commended several notable practices. Some RIAs’ compliance personnel worked collaboratively with the firm’s various business lines to develop the BCPs and sought to achieve redundancy in key services and operations. Certain firms’ BCPs facilitated widespread remote access by employees. A number of firms’ main telephone lines provided a recorded message stating that offices were closed and gave instructions for contacting the RIA and employees working remotely.
Today, there are many more forms of communication, and the use of VPN (virtual private network) makes the ability to work from home virtually seamless. Chief compliance officers (“CCOs”) should ensure that they have the ability to supervise various forms of communication used by staff and must make sure the communications are retained as part of the RIA’s books and records. CCOs must take care to continue to enforce prohibitions on certain methods of communication if these methods, such as texting or use of personal email, are not captured by the firm’s archiving system.
The SEC’s 2013 Risk Alert is available here.
Succession planning is an important discussion long before a pandemic
Certainly, the coronavirus has made even the healthiest investment advisor feel mortal. Investment advisors must engage in succession planning long before there is a deadly virus that threatens key members of the firm.
A succession plan can be a separate document or may be included in the firm’s BCP. Implementing a succession plan may require advisors to revise their operating agreements and other legal documents.
A succession plan can ensure the viability of the firm for generations to come and is often intertwined with an owner’s estate plan. A succession plan can help an RIA to avoid or minimize potential compliance, tax, and legal problems that may arise when a key person dies, becomes disabled, or leaves the firm.
As they engage in succession planning, advisors should take steps to protect clients by preparing for the time when principals transition to the next phase of their lives. A sound succession plan ensures a smooth transition to a different advisory team or a merger with a different firm.
It is not enough for an RIA to have a succession plan available for review by securities examiners. It is also prudent for RIAs to make employees and even clients aware that the firm has implemented a plan to protect their interests. Succession planning assures employees that their jobs will be secure if a key member of the RIA dies or otherwise leaves the firm.
BCPs should evolve to address new risks that are faced by advisory firms and their clients. RIAs should not be afraid to revise BCPs, as well as other policies and procedures, in response to changing conditions. Some RIAs are reluctant to make revisions because the advisors fear they are admitting their previous BCP was inadequate. However, even some of the best BCPs did not address pandemics. From now on, they should.
As firms assess how implementation of their current BCP is fairing under this pandemic, and as amendments are made to the advisor’s BCP to address matters that could not be been predicted or foreseen, firms should be careful not to remove parts of their current BCP that may not have been triggered by this pandemic, but may nonetheless be useful when the next disaster occurs.