A Different Look at Business Continuity

Although they are targeted to the financial market, many companies can glean some tips from two new reports from the Board of the International Organization of Securities Commissions (IOSCO) about risk management. “A key objective of the reports is to help identify and address possible weaknesses or gaps in the business continuity plans and recovery strategies of trading venues and market intermediaries,” said the IOSCO in a release. The first report, Mechanisms for Trading Venues to Effectively Manage Electronic Trading Risks and Plans for Business Continuity, focuses on a step by step plan to avoid disruption when trading electronically, and how trading venues are adapting to new technology and ways of doing business. Based on surveys from trading venue participants from more than 30 jurisdictions, the report proposes risk mitigation mechanisms and a variety of scenarios for testing and analyzing business continuity plans.

The second report, Market Intermediary Business Continuity and Recovery Planning, details standards and sound practices that regulators can use to develop and implement business continuity plans.

Sound practices for components of a market intermediary’s BCP include:

a) Identify the business functions and systems that are critical to continue operations in the face of an MOD, along with primary and backup staff.

b) Identify the major threats and impacts posed to the firm. As part of the BCP development process, consider risks like fire, floods, severe weather, pandemics, local protests, terrorism, or cyber-attacks, i.e., anything with the potential to have broad impact on the physical access to buildings and staff.

c) Assess the potential impact of an MOD through qualitative analysis (e.g., evaluating image reputation, legal and regulatory risks) and quantitative analysis (e.g., assessing potential financial and operational impacts of outages, and regulatory reporting).

d) Consider whether the BCP needs to be modified based upon market disruptions that have impacted the industry, including similarly situated market intermediaries.

e) Take steps that seek to ensure clients’ prompt access to their funds and securities in the event of an MOD.

f) Consider the unique aspects of regional operations, if it is a globally active firm. For example, consider the need to have separate BCPs for different markets in which the firm operates.

g) Where appropriate, address a firm’s operational dependencies on clearing and settlement entities and other third-party constituents.

h) Include documented procedures for internal and external communications with employees, clients, service providers, regulators and other stakeholders (e.g., media), including policies and procedures that establish specific call cascades or trees.

i) Establish back-up sites for critical operations that have the same basic capabilities of primary sites. Consider the need for geographic diversity of back-up sites.

j) Establish an appropriate internal corporate governance structure that will be capable of implementing the BCP successfully in the event of an MOD. This could include having the firm designate certain individuals who are responsible for business continuity management.

k) Establish policies and procedures to ensure that critical personnel (or their back-ups) are available in the event of an MOD.

l) Assess, on a periodic basis, the current robustness of their BCPs, including critical outsourcing suppliers, to ensure high availability and resiliency of critical systems in times of an MOD, including the testing of the market intermediary’s BCP on a periodic basis. Whenever practical and useful, participate in industry-wide or cross-border testing with other intermediaries and stakeholders, and conduct mock drills (simulation exercises) to test the effectiveness of the BCP plan. Senior management should review results of BCP assessments.

m) Evaluate funding access and liquidity of the firm during an MOD.

n) Conduct BCP training exercises to help ensure that the BCP operates as intended should it be triggered by an MOD.


For more information, visit: