“Before anything else, preparation is the key to success.”
Alexander Graham Bell
Now is an opportune time to review, update, and test your business continuity plan (“BCP”). Here are three good reasons to do so …
- Regulatory: Recently, the SEC Division of Investment Management recommended that investment advisers and funds plan and prepare for potential sustained business disruptions due to the evolving risk presented by the coronavirus (“COVID-19”) outbreak. Specifically, the Commission stated: “The Division encourages investment advisers and funds to contact the Division staff with any concerns they have related to the staff letter or to current or potential effects of COVID-19 on their operations, including any need for relief or guidance.” The SEC goes on to encourage registrants to evaluate their business continuity plans and valuation procedures, among other relevant policies, procedures, and systems. This guidance is consistent with the Commission’s ongoing directive to advisers to develop “risk-based” policy. The COVID-19 risk set presents unusual challenges to adviser BCP execution; a risk-based response would therefore entail testing and follow-on amendment and possible implementation.
- Diffused risk set: The virus may spread without a discernable pattern, i.e., COVID-19 has the potential to become a rippled risk set wherein the effects of widespread contagion, while not particularly devastating, remain highly unpredictable thereby substantially complicating effective mitigation from a business continuity planning perspective. Public health officials are prepared to implement policy prescriptions which entail both voluntary and enforced social distancing as a viable means to contain the attendant health risk. Social distancing or quarantines of significant elements of a regional population would likely require advisory firms to develop and execute a significant element of client investment advice remotely.
- Client expectations: Clients are entitled to assume that advisers have taken the steps necessary to protect those interests in times of stress, whether that stress is specific to the adviser or the result of broader market and industry events … so says the SEC and one must presume so say adviser clients themselves. The fiduciary standard of care requires advisers to implement prudent risk management protocol designed to facilitate adviser resumption of business activity in the event of disruption. According to the SEC, this should prompt advisers to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services.
Recent Regulatory Input
- Division of Investment Management communication: In addition to BCP testing recommendations, the communication includes a “no action position” regarding in-person voting requirements for upcoming fund board meetings.
- Order under Section 36 of the Securities Exchange Act of 1934 Granting Exemptions from Specified Provisions of the Exchange Act and Certain Rules Thereunder: defers filing deadlines for issuers of public securities and provides relief for proxy solicitation material delivery by securities issuers.
- Important Note: The March 31st deadline for advisers to file their annual amendment to Form ADV (if they have a December 31st fiscal year end) has not been lifted or changed as of this writing.
Risk sets which present diffuse or highly emergent attributes by definition are more difficult to mitigate. Advisers have wrestled with business continuity since the advent of Rule 206(4)-7 in 2003 which mandated BCP implementation, i.e., how do you responsibly mitigate a risk that you heretofore have not fully identified? The answer is risk-based policy formulation and implementation. The intervening period has demonstrated to risk managers that business continuity planning is an evolution, i.e., as risk becomes more understood, mitigation efforts too must evolve. Across the adviser community, the disruptions attendant to 9/11, various hurricanes and a few limited public health events all contributed to BCP evolution as continuity risks became more understood. COVID-19 will likewise substantially contribute to BCP risk-based development as advisers adapt to what may become a significant public health risk. In this regard, the ripple risk attribute of COVID-19 may seriously challenge adviser BCP implementation.
Many advisers rely upon “remote from home” arrangements whereby some or all staff are directed to work from their private residences. If COVID-19 employee morbidity experienced by the adviser is significant it will flex or even exhaust the capability of the firm to responsibly staff/accomplish critical tasks that are essential to the development and execution of investment advice.
Place Client Interests First and Foremost
In 2016, the SEC proposed a BCP rule (still pending) which introduced anti-fraud risks attendant to BCP development and implementation whereby the Commission asserted that an adviser’s failure to provide a viable BCP would be subject to anti-fraud provisions of the Advisers Act:
“We believe it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”
Would the SEC bring an enforcement action on the basis of a leaky BCP? Unclear, especially given the referenced relief that has been forthcoming from the Commission relative to the current public health crisis. Would the clients of an adviser have a problem with a sustained disruption? Probably. We recommend that advisers allow the fiduciary standard of care to guide their current BCP implementation and testing protocol whereby the adviser is reasonably confident that, in the event that mandated social distancing becomes a reality, the adviser retains the capability to logistically execute the plan and thereby provide continuous investment advice and services to clients.
Additional COVID-19 Risk Mitigation
- Community awareness: According to the Centers for Disease Control and Prevention (“CDC”), a COVID-19 outbreak could last for a long time in a given community. Depending on the severity of the outbreak, public health officials may recommend community actions designed to help keep people healthy, reduce exposures to COVID-19, and slow the spread of the disease. Remaining informed about your local community is vital to staying ahead of the planning curve. Many firms have convened business continuity teams to monitor/communicate important elements of the evolving risk.
- Identify essential functions and resources: Identify and map essential business and administrative functions to the resources required to execute those functions. For example, review key vendor locations which may be susceptible to quarantine, i.e., if a key vendor in Washington state is subjected to quarantine restrictions for an extended period, does the vendor have other remote resources to provide to the adviser?
- Communication: Conduct a thoughtful discussion or exercise using your plan, to ascertain any critical resource or personnel gaps or problems that must be addressed or resolved prior to BCP implementation. Ensure that employees, especially critical staff, are fully conversant with duties, tasks and BCP protocol. Establish a reliable and robust communications protocol which addresses personnel, clients, and critical third party/vendors.
- Virus exposure considerations: Healthy employees with a sick family member at home with COVID-19 should notify their supervisor and refer to CDC guidance for how to conduct a risk assessment of their potential exposure. If an employee is confirmed to have COVID-19, you should inform all employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality as required by the Americans with Disabilities Act. Employees exposed to a co-worker with confirmed COVID-19 should refer to CDC guidance for how to conduct a risk assessment of their potential exposure.
- Documentation: Be sure to document all efforts taken to evaluate, test, and enhance your business continuity plan.