Transcript: Deirdre Patten and Julie DiMauro podcast

BCPs can help your organization deal with difficult situations, ensuring it can continue to function with as little disruption as possible.

This is the transcript of the podcast Deirdre Patten and Julie DiMauro on business continuity plans between GRIP’s US content manager Julie DiMauro and consultant Deirdre Patton.

[INTRO]

Carmen Cracknell: Hello listeners. As we look back on a global pandemic, consider ongoing and seismic weather events and ponder the far-reaching impact of technology-based disruptions of service, it seemed like a good idea to talk about corporate business continuity planning. Today, I’m joined by consultant Deirdre Patton and our very own Julie DiMauro, GRIP US content manager. We talk about why we need such plans, who’s involved in creating them, and some of the features of a well-rounded one.

Thank you for joining us Deirdre. Could you please introduce yourself in your own words to the audience?

Deirdre Patten: Absolutely. My name is Deirdre Patton and I run Patton family companies, and they are Patton Training and Review, which is outsourced compliance for broker dealers and investment advisors; also Patton Training, which provides education in the securities and financial industry, as well as Singer Consulting Group which does insurance CE compliance. And I’m happy to be here. Thank you for having me.

Carmen Cracknell: Lovely, and Julie do you want to introduce? We all know who you are but …

Julie DiMauro: Sure. I’m Julie DiMauro and I am US content manager here in the New York offices of Global Relay and heading up our US operations at GRIP. Pleased to be here, thank you.

Carmen Cracknell: Great to have you both. So, we’re here to talk about business continuity planning, and for ease I’ll just refer to it by the acronym BCP from here. When we talk about that what do we mean exactly?

Deirdre Patten: A business continuity plan is used by many companies to make sure that they can continue business when there’s interruptions. It could be an interruption from an IT situation, it could be an interruption from a weather situation or a pandemic. There’s many reasons that business could be interrupted, and we want to make sure that the business continues during those events.

Carmen Cracknell: And Julie would your definition differ at all?

Julie DiMauro: No, I mean that I think that’s really a great definition, and you know the agencies have interpreted it as well given some construct to it as well, and I’ll just read what the Federal Financial Institutions Examination Council, FFIEC, has said. They said, “business continuity planning is the process whereby financial institutions ensure the maintenance or recovery of operations including services to customers when confronted with adverse events such as natural disasters, technological failures, human error or terrorism.” I thought that was an interesting list.

Deirdre Patten: Yeah, that is.

Carmen Cracknell: So, you’ve got that outline but how do you know what you need to put into such a plan before anything actually happens?

Deirdre Patten: You really have to anticipate what could happen and sometimes you’re blindsided, so you have to have a group of people, usually at a senior executive level that starts thinking about all the different functions that face the customers and the regulators because you always have to be communicating with the regulators during these events. Julie?

Julie DiMauro: I agree, and I think it’s so interesting that the term really took off when we started talking about Hurricane Sandy. It was a natural weather event that really put this into our kind of everyday parlance, and then of course cybersecurity disasters started happening to almost every single company of every size and that was another thing we had to plan for.

So it just seemed like all of a sudden we’re thinking about having robust policies and procedures, it was also policies and procedures to help your business when it was going through a calamity to ensure that there might be some disruptions – but how many can we actually mitigate, right? And what is it that we need to be communicating to our customers and other stakeholders employees etc. to show that we have the situation under control, that there is a plan in place, and have some sort of mechanism later to kind of go through how did you audit the program, how you performed in your business continuity planning, and perform better next time.

You know what I might add too? I think we think of natural disasters a lot and cybersecurity events a lot. Some of the things that I think we forget is that CEO succession or executive leadership succession is included in it because if anything should happen, where – you know – a member of the executive leadership team is incapacitated there needs to be some sort of process in place for someone to step in and take over their duties. Deirdre, if you want to comment.

Deirdre Patten: Yeah, and I think some of the regulators certainly on a broker dealer side have certain things that are required to be in the BCP, and FINRA which is our self regulatory organization, has a list of some of those things and templates that we have to include. So I think a BCP has certainly a technology thing we have to make sure our technology is working, certainly our employees are, that we can get a hold of our employees, certainly that our senior management is aware and knows what to do and implement.

Carmen Cracknell: Sure, so who takes part in devising the business’s BCP?

Julie DiMauro: That’s a really good question because businesses have to decide that for themselves and this has changed I think through the years as well. I was just talking to someone yesterday about supply chain best practices, and she was saying you know when it comes to supply chain failures in particular, she has seen more and more you know financial legal and compliance people being in on those discussions, when it used to be more of a peripheral discussion that more of the operations people would handle, and I think that’s true of BCPs as well.

So depending on the circumstance of course you’re gonna want obviously a lot more of your tech people – involvement is a tech issue, but you still need a lot of your critical officers there in terms of data security compliance legal your comms and PR team your HR team and your finance team. Obviously your CEO as well reporting back to the board. Am I forgetting anyone Deirdre?

Deirdre Patten: No, I think that was a great list Julie and you’re right you have to have the people at the table.

Carmen Cracknell: So that’s quite a few different people. What would updating a BCP entail?

Deirdre Patten: I think you would start with a committee of some sort, and it’s senior management that really starts it and pulls in the appropriate parties. This is something that on a broker dealer and a financial services usually do at least on an annual basis, or when there’s an event that triggers it like the pandemic. So everybody had to kind of move really quickly and we only had one firm that had very very detailed pandemic procedures. The rest of them were having to work you know as they went through, and how to do it because it was sort of an immediate everybody had to relieve the office and what was done. And they did a fabulous job but then all the BCPs had to get updated to incorporate what they were doing and how the business continuity plans changed during those events.

Julie DiMauro: You know, and I think this is really interesting, Deirdre, and I’m so glad you brought up FINRA because of course they have the very formal rule on business continuity plans, but you know the SEC has put forward a couple of times proposals for having a BCP rule. If that has not actually happened. But they have mentioned in their other remarks like there’s been an alert, an investment alert and guidance that was put out, in some of their enforcement actions they have mentioned the lack of business continuity planning or CEO succession planning, to anticipate and mitigate any issues that have come up, that companies could have at least somewhat foreseen.

And I think that’s very interesting that other agencies might not actually have the same type of rule that FINRA has more specifically and formally, but they can still require it as part of the idea of having an effective compliance program.

Deirdre Patten: Absolutely.

Carmen Cracknell: So what role would outside experts play in creating or updating a BCP?

Deirdre Patten: I think one of the things you have to do is you have to actually use your vendors and figure out who the critical vendors are, and kind of rank them in order. They also, when you’re doing vendor due diligence, you have to make sure that they have a business continuity plan and that you understand what their business continuity plan is. So the vendors play a really high part or strong part in the process, so we have to check them we have to make sure that they’re available and can handle the business disruption as well, so, it’s important to list them and rank them within your community.

Julie DiMauro: Absolutely. Deirdre, I was looking at a list of things, just in case you and I who talk about business continuity plans a lot, is there anything that we’ve missed?

Generally speaking, no, but there were a couple of things that actually did stand out in my mind in terms of, you know, obviously infrastructure of your buildings if that can those can be compromised during natural disasters, or other terrorist events etc., but also I thought it was interesting you know, and we talked about communication so many times, but transportation issues and other resources that are needed to support your programs. That you might not even think of from telecoms, we talk about that when we’re presenting usually together about having backup providers for all of these things, and it is very important.

I teach as an adjunct professor, and Deirdre’s always reminding my students that you want to have backup resources and sometimes that means out in the mid west, in the middle of prairies, you know backup providers and you know, whether they’re cloud providers other service critical service providers. And I think that that is an important thing to mention, but also another thing that I was I think I might not mention enough, is remembering to have the budgetary requirements to support this program. So you need to advocate for those resources, whether it’s people or actually money or technology and tools so, you know, sometimes I think that is a component of business continuity planning that might get forgotten.

Carmen Cracknell: So what does training on the BCP look like?

Deirdre Patten: For us what we usually do is we train it within our annual compliance meetings, we also send it out to the staff so they’re familiar with it. We make sure we keep our call trees updated and so train people when they change their personal cell phones or their emails to make sure to give it is handed in. Some of the other things that we have to be careful of is that we also have to communicate to not only the regulators on the FINRA side, there’s at least two senior managers that have to have their personal information given to the regulators and if that changes we have a very short time, 17 business days, to let the regulators know the new contact information.

But also for the customers, so most firms have an abbreviated business continuity plan available to the customers through their website or through sending it out electronically, or sometimes even physically, so people know how to get a hold of the firm if the firm is under business continuity.

Julie DiMauro: Good point. And a business continuity plan is only as good as you know about it right, so you need to know where to access it and if you’re having a technological failure you should still be able to access it. So there have to be you know work arounds so that you’re able to access a physical copy or an internally stored copy. You want, like Deirdre just mentioned, to know where, how, to contact everybody, right? So those things need to be up to date. Privilege to materials, right? Make sure your privileges and who has access to certain things that’s always needs it needs to be updated.

You want to know where your safe gathering spots are, if something should happen to your headquarters or one of your main buildings where employees meet and you can’t actually meet there that day. Where can they go? And then what remote access looks like. What’s permissioned? What can you bring? What changes in terms of your policies and procedures if anything in working remotely. We went through that exercise during the pandemic, but sometimes we need a refresher on that. And then you know the regulator actually, FINRA requires current emergency contact information too, so we’re not just saying this to do it.

You know, again we’ve talked about appropriate numbers of staff, and generator capacity, adequate resources, pre-arrangements for reserving alternate space. Making sure that people can travel to where you’re telling them to go to again if transportation is down, so, there are so many little considerations. Sometimes you might need to bring in external resources, because, you know you sitting there and you’re thinking about your business, and you’re thinking you know these things are far-fetched, it’ll never happen, or it’ll never happen at that location. Your external resources some of the experts that you rely on, or new ones if needed can come in and have an independent point of view to remind you of some of those, you know access points and contingencies that you might not have thought of.

Deirdre Patten: One other thing Julie I want to just mention is that we have to right-size our business continuity plan. Actually during the pandemic we had firms that were actually on site, and what they did is they separated out the people because they literally had to be on site. They wore masks. They had, you know, sanitizer, yes you know if anybody who’s sick, they had a leave. They had sanitizer everywhere. So all these things had to happen, so a lot of the big financial institutions did have to have people that were actually on site.

And even the smaller ones, so you have to right-size your business continuity plan to meet the needs of your clients, your regulators in order to do it and they’re not all the same. You can’t just have one set plan that works for everybody.

Carmen Cracknell: Yeah, so what can we learn from the mistakes of other businesses do you think?

Deirdre Patten: I think one of the things that we could learn from mistakes of other businesses is just that the speed of action. So if you’re not paying attention and not operating very quickly that could cause disruption. So one of the things … I live in a coastal community and the regulator actually calls when a hurricane’s coming and say “do you institute your business continuity plan?” And it’s a point in time in which you are under business continuity and it’s a point in time in which you end business continuity.

There was a blur during the pandemic because it was partially ended, but you really have to go ahead and be diligent and institute that procedure in accordance to because a lot of times firms didn’t institute it fast enough and there was issues there. Julie?

Julie DiMauro: One of the things I was just thinking of was that you don’t really get every department involved because you don’t just want the business continuity team that might not represent every single department of the firm to, so sometimes you might forget some of the issues that are particular to certain departments or subsidiary locations, branch locations, etc.

They should have a voice in it, even if they’re not actually designing the business continuity plan, to actually, you know hear from them about how things actually work in their world is very important. The other thing is to test it out. You don’t want to wait until the actual event that occurs, the catastrophe that occurs to actually test your business continuity plan out. And that, you know I think we remember that in the cybersecurity area, but we might not remember that in terms of, you know, a natural disaster happening to the organization or against CEO succession planning etc.

So again, you want answers to what would you do if the crisis actually hit today and where would you go for your information? How up-to-date is your information? Is everybody able to access it and does everybody know their role?

Deirdre Patten: Right, and it’s required for the broker dealers to actually do the test, an annual test on their business continuity and document it.

Carmen Cracknell: For those looking for inspiration, are there some good corporate BCPs that companies can access and refer to to craft their own?

Deirdre Patten: Yeah, so FINRA has a template that you can use. I think a lot of the companies, I know that Global Relay for example, they have an abbreviated one that we get and we can look at and it’s very good. So you look at your peers and kind of see what they’re doing to see if you can get best practices. We work with a lot of different broker dealers, and we see a lot of different ones. I know Julie has gone on websites during class and looked at some of them. So, I think just learning from your peers and learning from the regulators and see templates that are out there.

Julie DiMauro: Yes. Deirdre just said it perfectly. That’s exactly it. There are a lot of materials out there that the regulator has made available from their guidance documents to enforcement actions to their speeches etc. to the rule itself and then, you know, as Deirdre mentioned, a lot of companies have business continuity plans that they’ve made publicly available. I’m not saying that’s the entire document. They obviously have some components of it that they’re not sharing with the public, but it is a very good outline and it helps you get started. We often look at the Goldman Sachs one in class and it’s a very detailed one.

Again, it’s not even their full one, but it is a really good start. You don’t have to actually just look around and feel like you have nothing to go by. There are some templates.

Deirdre Patten: I was just gonna say you have to be prepared for the unexpected. So there’s things that you’re not going to know about in advance, and so you have to get in front of it and step back and be prepared for the unexpected. And if it happens and you don’t have it in your business continuity you still have to mobilize and get the job done.

Carmen Cracknell: Well thank you both.

Deirdre Patten: This was really fun. Thank you so much.

Julie DiMauro: Thanks, everyone.
