While new requirements are clearly aimed at the securities industry's member firms, their impact is already being felt in other areas.
Recent approval by the Securities and Exchange Commission (SEC) of new business continuity and contingency plan rules has pushed select companies into a full state of preparedness. But let's face it, developing and reviewing plans to mitigate financial and operational risk during projected business disruption scenarios is akin to gazing into a crystal ball. You can never anticipate precisely when, what or how it will happen.
While many forward-thinking companies have long maintained carefully detailed business continuity and disaster recovery strategies and plans, it wasn't until the 2001 terrorist attacks in the United States that a number of inconsistencies and failings surfaced, prompting some industry associations to take increased measures to safeguard their members and member organizations.
The New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD) developed two virtually identical measures covering business continuity and contingency plans. The NYSE's version, known as Rule 446, and the NASD's Rules 3510 and 3520, received expedited approval from the SEC. While the rules affect only NYSE and NASD member firms, they still serve as valuable guidelines to businesses worldwide.
Rule 446, which went into effect on August 5, 2004, requires NYSE members and member organizations "to establish and maintain business continuity and contingency plans relating to an emergency or significant business disruption." Furthermore, it requires the plans be "reasonably designed to enable it [the business] to meet its existing obligations to customers, and address existing relationships with other broker-dealers and counter-parties."
These new rules signal a more hands-on regulatory approach that without question impacts business and information technology functions and processes within companies. Specific procedures must now be outlined, reviewed annually and adhered to in the event that an emergency or significant business disruption occurs. While the rules call for an annual review, if a material change in a firm's operations, structure, business, location or technology takes place that affects the business continuity strategy, the plans must be updated at the time of occurrence.
Ten Minimum Compliance Elements
Regardless of the size of the member company, NYSE Rule 446 and NASD Rules 3510 and 3520 outline a set of 10 minimum requirements that must be addressed. These are:
- Books and records backup and recovery (hard copy and electronic).
- Identification of all mission-critical systems and backup for such systems.
- Financial and operational risk assessments.
- Alternate communications between customers and the firm.
- Alternate communications between the firm and its employees.
- Alternate physical location of employees.
- Critical business constituent, bank and counter-party activity.
- Regulatory reporting.
- Communications with regulators.
- How the member or member organization will assure customers prompt access to their funds and securities in the event the member or member organization determines it is unable to continue its business.
In cases where one or more of these items are not relevant to a particular business, then the member or member organization's plan must specify which requirement is not addressed and the rationale for not including it. Regardless of a company's size or needs, the plan is still required to address how the company's customers will have prompt access to their personal funds or securities.
The NYSE and NASD recommend that members and member organizations, in focusing on varying business disruptions, should address specific scenarios of varying severity. Plans should address situations that disrupt not only the firm itself, but also a single building, a business district, or an entire city or region. Additionally, each NYSE or NASD-listed company must state whether it plans to continue business during each scenario and, if so, its planned recovery time and general information regarding its intended response.
Each member or member organization is also required to disclose to its customers how the business continuity plan will be implemented in the event of a significant disruption of business. At a minimum, disclosure must be made in writing to customers at the time of account opening, be posted on the company's Web site and be mailed to customers upon their request.
NASD Survey Results in Changes
In the aftermath of the World Trade Center attacks, companies began to examine their own procedural guidelines to determine how they fared in handling the disruption. Despite the fact that many businesses resumed activities in a timely manner, the market remained closed for four days. The NASD recognized the extent of some of the shortcomings and the need for stricter guidelines on continuity planning, and launched a survey to uncover current practices.
The NASD surveyed 150 randomly selected member firms and 120 of its largest members to ascertain their ability to respond to such significant disruptions. The association noted that some of the results were encouraging, while others raised concerns. Among the key findings from the NASD surveys were:
- A significant number of randomly selected firms did not have business continuity plans. Of particular concern, many smaller and midsize firms did not store backup data and systems in a separate geographic location from primary systems and records.
- Fewer than half of the randomly selected firms and three-fourths of larger firms had backup facilities in place that had the capacity to handle the same volume of trading as the primary facility. Nearly all member firms performed daily or weekly backup of records.
- Nearly 85 percent of larger firms had backup systems to accommodate investor communications, but fewer than half maintained such systems.
The survey suggests that a large share of companies had voluntary continuity planning programs in place, but had not developed or matured some of the more essential steps. With these new rules in effect, NYSE and NASD member organizations will provide other businesses with a new benchmark for continuity and contingency planning.
One aspect of the NYSE's Rule 446 that may be problematic for smaller companies facing compliance is the definition of "mission-critical system." This is defined as any system that is necessary, depending on the nature of a member's or member organization's business, to ensure prompt and accurate processing of securities transactions, including order taking, entry, execution, comparison, allocation, clearance and settlement of securities transactions; the maintenance of customer accounts; access to customer accounts; and the delivery of funds and securities. Essentially, all aspects of customer account maintenance are considered mission-critical.
Business Continuity Challenges Facing Businesses
Many smaller firms that typically focus more exclusively on recovery of the IT environment than on recovering all critical business processes may face substantial work to expand their plans to meet new standards. For some larger companies, the challenge may be the need to ensure recovery and resumption of highly integrated global systems.
Section (c)(7) of Rule 446 requires that a member's or member organization's business continuity plan address "critical constituent, bank and counter-party impact." This section requires companies to assess the impact that a significant business disruption would have and then address whether alternative measures might be more appropriate than wide, generic solutions. To comply with the rule, a business is responsible for identifying each relationship it deems critical.
For example, if an order is placed in New York for a transaction that must be executed on the Nikkei exchange, would a firm have the short-term ability to execute and post the transaction should there be a significant business disruption? The ability to recover business processes and IT assets associated with this scenario is ambitious, even for large firms that play significant roles in critical markets.
The requirement to conduct financial and operational risk assessments is another area that may pose a challenge to some companies. While financial risk assessments are routine in the securities industry, operational risk assessments may not occur as frequently or be as broad in investigative range. Some companies may be unsure of the scope required for an effective assessment. However, operational risks, which often result from corporate governance or internal control failures, can be as destructive as financial risks. Corporate America is littered with examples of small and large corporate failures to prove the point.
Further Federal Guidelines
Firms that are already subject to the NYSE and NASD rules also need to review their continuity plans to ensure they incorporate the practices outlined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System."
The Federal Reserve System, the Office of the Comptroller of the Currency and the SEC issued a final version of the paper that outlines three business continuity objectives for all financial services firms. Included in the paper are four "sound practices" that are intended to minimize the effects of a widespread disruption on critical financial markets, while supplementing existing policies and guidance from industry regulators and financial institutions. The federal agencies expect the objectives to be adopted by all financial firms and the sound practices to be adopted by core institutional clearing and settlement organizations and firms that have significant roles (those that "consistently clear or settle at least five percent of the value of transactions") in critical financial markets.
Impact on all Businesses
While these new requirements are clearly aimed at the securities industry's member firms, their impact is already being felt in other areas. The insurance, banking and energy industries are already subject to continuity oversight. Yet new rules are expected to become the norm for other industries that operate in a heightened threat environment, are considered critical to operation of the economy as a whole or have a direct impact on a large number of customers that individually cannot influence the design or deployment of continuity solutions. Market expectations are gradually rising to these new, higher standards.
Just as Sarbanes-Oxley and related laws were introduced to meet the needs of a changed operating environment, business continuity regulations are similar in nature -- they are responding to a changed threat environment that would have an enormous and significant market impact.
Critical elements of NYSE Rule 446 and NASD Rules 3510 and 3520, such as the requirement that companies address financial and operational risks, will become compliance templates. For example, companies seeking direction in complying with similar requirements, such as Section 404 of the Sarbanes-Oxley Act (which requires management to file an internal control report with the annual report), might want to consider adopting the rule's guidance.
The complexity of complying with the new rules should not be overlooked. Yet it is clear that the SEC, NYSE and NASD are mandating that companies adhere to never-before-seen higher standards to protect not only their members, member organizations and core systems and operations, but also the businesses' many constituents. Lastly, it serves notice to companies to avoid the risk of being viewed as less than proactive in addressing business continuity priorities.