The Securities and Exchange Commission wants it to be better.
In the aftermath of Hurricane Sandy, the Securities and Exchange Commission joined the Commodity Futures Trading Commission and the Financial Industry Regulatory Authority in issuing a joint staff advisory on business continuity and disaster recovery planning.
The advisory follows a review by the regulators after Hurricane Sandy closed U.S. equity and options markets for two days in October 2012. Many firms had a hard time dealing with such a widespread area of severe impact.
When considering alternative locations (i.e., back-up data centers, back-up sites for operations, remote locations, etc.) firms should consider the implications of a region wide disruption. Firms are encouraged to consider geographic diversity when determining the physical location of alternative sites. An alternative site, particularly a system back-up location, in close proximity to the primary site may not sufficiently protect the firm from the effects of a region wide event. Firms should consider whether their primary site and alternative sites rely on the same critical utility services, such as electricity, transportation and telecommunications.
That is a somewhat achievable goal for big firms, but not one for smaller firms.
The alert ignores that reality of the physical location of people, their homes, and their families. It would be great to have a fully redundant backup site located a thousand miles away from the main location. But you’re not going to be able to quickly get people there in the event of such a widespread event.
Not only are businesses affected by a disaster, but so are homes. Many (most?) employees are not going to abandon their families, stuck with limited access to power, food, and other needs.
Of course, firms need a solid business continuity and disaster recovery plan. It should be tested and evaluated regularly. A firm needs to plan for small disruptions and big disruptions. Small disruptions are more likely and need to be well addressed.
It’s much harder to have a bullet-proof plan for an event like Sandy that disrupts power to huge parts of the urban center, knocks out power to a huge swath of residential areas, floods office buildings, floods thousands of homes, disrupts transportation, and does so over hundreds of miles.
References:
The imposition of the Business Continuity issue has been the pea under the mattress of many small firms. They recognize that they need some type of plan for the “what if…” but at the same time they can’t afford the remote locations, etc as well as take care of their families and employees.
Small firms will do what they can with their limited resources to ensure that their clients are taken care of.
The view of the joint staff review seems to indicate a need to be always on. That may be true for very large firms.
For smaller firms I think the SEC needs to think in terms of how long it takes to get most of the business back up and running.
After speaking informally to a few firms, Hurricane Sandy was beyond the scope of their disaster planning. Even many big firms had trouble getting their business back up and running. Physical infrastructure, firm infrastructure, and personnel were not available on a widespread scope.
I think at some point a disaster is so big that the business continuity plan is just huddling with your family around the candlelight.