When you hear coronavirus, what emotions does it evoke? Does it evoke any emotions whatsoever? Or is it just another thought that you pushed to the back of your mind? As an investment manager you are probably concerned about how it affects your portfolio, but have you thought about how it can affect your people and the overall business?
This pandemic before you (no one wants to call it that or believe it is one yet) is extremely serious, and you should be treating it as such. Why? Because as some sources have already said, it will alter our daily lives, both personally and professionally. As an investment adviser this means it will alter the way you run your business. You or your colleagues may have to work from home or some other location, while others may not be available to work at all because they have been directly or in certain cases indirectly affected, and since no one can predict how long it will last, you may be operating differently for an unknown period of time.
Are you prepared for this? Have you thought about what it means to work differently? Can you run your business with people distributed across multiple home offices? Do you have the infrastructure to support this type of situation? These are only some of the questions that you should have already thought about when you created your Business Continuity Plan (BCP) and performed a Business Impact Analysis (BIA).
In my experience what most people think is a Business Continuity Plan (BCP) is a Disaster Recovery Plan (DRP). What do I mean by this? Are you thinking they are the same thing? Firms have long conducted failover tests of infrastructure systems such as email and servers and feel that by conducting this exercise they have tested their BCP, but the reality is they tested their DRP. Yes, there is a BCP element covered when testing your DRP, but this does not mean you fully tested your BCP. Why? Simply put, a Business Continuity Plan applies to people while Disaster Recovery applies to the technology.
Have you created a plan for and tested the ability to execute trades if your head trader isn’t available, or to make sure payroll is still processed after finding out that the vendor that you were using suddenly shut their doors without notifying you? Sure, some of this may sound extreme, but the reality is it is not, and you are not prepared for it.
Taking some of the thoughts above and applying them to the current situation we are dealing with should help you figure out if you are prepared to deal with this type of business-impacting condition. So now ask yourself again, do you have an appropriate BCP that can address the impending change in our lives? If not, you should be acting now. Plan for this change. Figure out if your BCP is comprehensive enough. Ask yourself some of these questions:
- Do we have the infrastructure to support all our employees working remotely?
- Do we have the communication platform to allow us to collaborate?
- Do all employees know how to reach the vendors they work with when outside of the office?
- Do all employees know how to reach each other when outside of the office?
- Are you limiting certain access to vendor systems from the office that may not be accessible from someone’s house?
- Is there a specific application or security setting (e.g. a certificate or token issued by a fund admin or bank) that runs on office computers that you somehow need to get working from home?
- Will I still be able to work with my counterparties and vendors when they notify us that they are similarly affected?
At this point you probably identified that you are either prepared or underprepared, but wait, are you fully prepared? All I covered was BCP up until this point and I did not say anything about Incident Response Plans (IRP). So why do I mention IRP?
Think about it this way, you have an office that no one is sitting in because everyone has to work remotely, but since you did not change the automatic unlock feature on your office entrance doors, they are open to anyone that wants to walk in and do some nefarious things on your network; or maybe since people are working from home and are preoccupied with other things, they receive a phishing email that they click on, and boom, their computer now has ransomware on it. What do you do now? How do you fix the network; or who has to go to the user’s home to try to stop the ransomware infection? It is bad enough dealing with a BCP incident but when it is coupled with an IRP incident, you want to crawl under a rock and never come back out. Again, this may sound extreme, but it is not, and you are now starting to realize how underprepared you are.
Your IRP should address cyber and potentially physical incidents that lead to breaches, but it should not be limited to incidents that affect you when you are in the office. It should address the above-mentioned situations as well, including incidents related to travel, etc.
This brings me to the end of my concerns and advice. I take this very seriously and you should too. What are my principles of this article? Do not wait until it is too late! Think more holistically of how you will be affected! Plan, plan, plan, and plan! Test, test, test, and test!
If you feel helpless, or need help developing an IRP or BCP, or just need another set of eyes on your plans, do not hesitate to reach out.
About the Author: Anand Mohabir