Having a plan for operational risks is just as important as the risk management in your trading program. The news is constantly bringing to our attention the fact that disasters occur. Whether it is the wild fire in California, flooding in Mississippi, rail car derailment in Arkansas, explosion in Maryland, or electrical outage in New York, there are times when our organizations are not able to carry on business as usual. There are many more disruptions that can affect organizations that do not make the news. For the commodity trading advisor or introducing broker, they are all real disasters and need a plan for addressing them.
The size of an organization does not preclude you from risk or reduce your need to plan. Small organizations are more nimble, but have less capital and resources to deal with disasters. Large organizations have more resources, but the complexity of the response and potential magnitude make them vulnerable too.
Money managers, capital market organizations and other parts of the national market system are expected to perform following a disaster because reputation and stability is key to maintaining customer confidence and national economic stability. In this case disaster planning is not an option but a requirement. The size of operations does not change the expectation but does change the resources needed to prepare and address disaster and business continuity planning.
To provide focus to business continuity planning activities and provide cost-effective plans, it is important to identify disaster risks that are most likely to occur and severely affect the organization. Managers should rank disaster risks. Using low, medium and high to categorize and rank risks can provide focus and simplify the process. Those disaster risks that have high impact and a higher likelihood of occurrence are those that should be the focus of your business continuity plan.
Business continuity professionals divide disasters into three categories: natural, technical and human. Natural disasters include fires, tornados, hurricanes, earthquakes, etc. Technical disasters are those affecting our computer systems, transportation systems, power systems, telecommunications systems and other types of situations affecting our technological infrastructure. Human disasters are those caused by humans, such as sabotage, illness, labor strikes, thefts, supply disruptions and other events for which human actions may be responsible.
Identifying the types of disasters that can affect operations helps put in perspective the potential impact, the ability to take precautions when the threat is imminent and the likely extent of the damage or disruption. Mitigation measures help reduce the risk and should be taken where possible. In many cases, the mitigation measures can be taken through changes in operating practices, facility configurations and training of personnel. Organizations have applied mitigation measures that include establishing and equipping offices in multiple locations so they can operate stand alone if needed. This approach allows the operation to continue in a disaster without need for expenditures that don’t yield continuing benefit to the organization. Money managers, brokers and dealers need to identify the volume of essential transactions that need to be handled when sizing the recovery and response capabilities. Customers may have alternative sources of market or capital access available to them and will move between those sources if there is a disruption to one. A disaster response strategy might be to allow the rerouting to occur. The impact and consequences of a disaster increase over time (see: “Measuring risk”).
Business continuity plans take over when normal measures for dealing with problems and events are not adequate and extraordinary measures need to be taken to preserve the organization’s position. The time span from incident to critical impact level for money managers, capital market dealers and national market system participants is relatively short e.g. hours and days. Once a disaster occurs, there are many issues that need to be addressed. Among these are:
Identifying what is affected: People, facilities, supplies, product, systems, customers, vendors, data and equipment.
Communicating: Communication needs to be internally focused initially to employees, managers and owners, and then directed externally to customers, intermediaries and the public.
Establishing critical operations: Operations essential to the organization’s survival need to be activated by bringing together the personnel, facilities, equipment, information systems and supplies required to operate in a survival mode.
Recovering all operations: The essential goal of any disaster recovery and business continuity plan is to resume normal operations as rapidly as possible, protecting the organization and their constituents.
Management of the response and recovery process is complicated by the fact that disasters are not normal occurrences, and the specific events and situation are not known until the incident occurs. Disasters also present problems of resources allocation that require taking measures that are not normally desirable, but are the best alternative in the long run. These problems can include deciding which customer gets services from the limited supply available, which operations should be restored first and where to use the personnel that are available. The “right” decision in the full context of the short- and long-term consequences is not readily apparent when operating in a crisis.
Because of this it is also important to test your plan. Do not simply have a disaster recovery site, use it periodically to test your response. Chances are problems may come up that you didn’t initially plan for that you can now incorporate into the overall plan after a dry run.
Identifying the essential transactions and critical customers before hand and putting in place means to servicing them can mitigate many of the potential consequences. The analysis and decision process needs the input of management and be subject to deliberation. To assure the deliberation results are preserved and available to those who might be confronted with the situation, the business continuity plan needs to be documented. The plan should not simply define the desirable decisions, but lay out the framework for coordinating activities and carrying out the damage assessment, communications and responses. The plan documentation needs to be supported with the contact information and resources identified to carry out the response.
Organizations are most successful in developing a business continuity plan if they follow a defined process. The five-step business continuity process followed by RSM McGladrey is very effective in providing the guidance and direction through the development effort. The five steps in this process are:
Defining the operations areas most sensitive to disruption, identifying the internal business continuity planning champion and committing resources to the planning and continuity planning program efforts are all program initiation activities (see: “Having a plan”). Successful business continuity planning rests on the commitment of the organization and its senior management. A solid program initiation assists in sustaining the planning process and in controlling planning costs.
Analyzing operations is able to proceed once management direction and support is obtained. The analysis focuses on understanding two aspects: risks that pose the highest and most significant likelihood of a sustained disruption of operations and analyzing the operations in terms of impact to the organization’s survival.
Knowing the potential causes or sources of a major disruption enables preemptive measures to be taken that will prevent or mitigate the disruption. Close analysis of these disruption hazards can help in the operating decisions and prevent creating or sustaining unnecessary risks of disruption. There are no unimportant parts of the operation, but some aspects are more critical to the ability to retain customers and remain in business long-term. The business impact analysis allows all portions of the operations to be evaluated in terms of survival. Once this analysis is done, it is possible to build a business continuity plan that will be effective when needed and provide measures to reduce the potential and impact of a disruption.
The challenge for smaller money managers and brokers is that there are limited resources available to devote to disaster recovery planning. This does not mean the task can not be accomplished. It requires the same management commitment to disaster recovery planning as large organizations and an understanding of the process of risk assessment and preparation. The planning process can make use of the organization’s normal ability to adapt and respond quickly in defining the plan (see: “Five steps for small firms”).
Small commodity trading advisors (CTAs) can use these principles to reassure their clients. While institutional clients do not normally like home-based managers, operating out of your home reduces many risks in terms of a disaster that would prevent someone from accessing a central office location. CTA Diamond Capital Management has two principals, one based in Wisconsin and one in North Carolina. Each principal has redundant services and can execute all of CTA’s trade signals from either location.
The ultimate purpose of business continuity planning is to protect the organization’s people and assets from the consequences of unexpected events and maintain the organization’s value. Disasters will occur, but planning and preparation will enable your organization to respond and survive. The five business continuity planning development steps provide the roadmap to building an affective contingency plan. Realization by management and personnel that disasters are real and business continuity planning provides the means to protect their organization and livelihood is the key to surviving.
While these tools are meant to provide a blueprint for managers in contingency planning they also should be part of every investor’s due diligence process in evaluating an investment manager or broker. You need to know that your money will be safe and your advisor will be on the job during a disaster.
Curtis Siegel is a consulting director with Schaumburg, Ill., based RSM McGladrey Inc. He provides business continuity consulting services to organizations across the United States. He is a Certified Business Continuity Professional, Certified Computer Professional and Certified Information Systems Auditor. He presents seminars at continuity insights on vendor supply chain continuity risks and to bankers’ associations on pandemic planning. He can be contacted at firstname.lastname@example.org.