Business Continuity – Is Your Institution Ready for the Next Challenge?
Posted by Sean Cunniff, Investment Management research leader, on September 17, 2013
An airline pilot recently presented a telling story about the most intense day of his life. It began as the pilot was taking a flight home as a passenger – when one of the plane’s engines exploded. Because of his experience with that particular model, the pilot offered his help in the plane’s cockpit; scanning the instruments, his eye was drawn to the hydraulic level indicators – all three were reading zero. His first thought was: “That’s not possible – the hydraulic systems are triple redundant.” His second thought was: “I am going to die today.” He knew that if even two of the three hydraulic systems were down, the plane could still fly, but not with all three down: hydraulics control all of a plane’s moving surfaces, flaps, rudders and ailerons. The pilot explained that trying to fly a plane without hydraulics was akin to driving a car without a steering wheel. The odds of such an occurrence were considered so improbable, around one in one billion, that there was no procedure or checklist for handling it. Remarkably, through incredible teamwork and resource management, the crew was able to keep the plane airborne, eventually landing it and saving the lives of those aboard.
This story, which carries a lesson for many industries, seems especially prophetic for the financial services industry, in light of the recent joint observations from the Commodity Futures Trading Commission (CFTC), the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) on business continuity planning (BCP). The post-Hurricane Sandy review, based on a study of “firms with significant market presence”, is a compilation of recommendations to better reevaluate BCP for both the firms and their vendors, in the face of “significant large scale events.”
Just days after its publication, the joint release was followed by a risk alert from the SEC on the same topic, but with an additional and noteworthy feature.
The SEC risk alert is most interesting because it includes cause-and-effect results from interviews the SEC collected in the wake of Hurricane Sandy. The SEC noted many examples of firms that not only had robust BCPs, but that had also tested them prior to the storm, thereby weathering the hurricane with relatively few business interruptions.
Perhaps even more interesting are the weaknesses that the SEC noted in key areas. In general, numerous advisors whose BCPs did not cover widespread events had more business interruptions. Some advisors did not have geographically diverse locations; some advisors reviewed neither the BCPs nor SSAE 16 Reports of their key vendors; others ran tests of their BCPs that were simply inadequate.
The fact that regulators found so many critical gaps in an area that has been in sharp focus for so long may be surprising, even daunting. Clearly there is a divergence of preparedness among investment advisors, some treating BCP much more seriously than others. What adds to the uncertainty is the possibility that even the well-prepared, as in the airplane pilot’s story, can be impacted by unexpected disaster. Is there anything financial institutions can do to prepare for a one-in-a-billion-chance event?
Deloitte, in collaboration with NASA, is doing some interesting work within this context. The program, currently targeted at the oil and gas industry, is designed to provide early warnings of low-probability, high-impact risks. Intended to work in conjunction with existing operational risk management programs, it uses technology to indicate when the effectiveness of a firm’s “risk culture” is beginning to degrade. The program also determines the probability of inherently uncertain risks and identifies and links seemingly random, disconnected risks. The concept behind the program is that while very different, the oil and gas and aerospace industries have common attributes such as complex systems, culturally diverse work forces and a reliance on third-party contractors that add to risk.
The financial services industry, sharing these same attributes, can and should learn from the leading practices of these other industries in order to prepare itself as much as possible for the next challenge. Financial regulators are sending a clear message that no matter what the next disaster is – whether a software glitch, cyber attack, or meteor strike – they don’t want to hear explanations or excuses. They just want your firm to be up and running.