Preparing for the next disaster no easy task

Everyone likes to think they’re ready for the disaster they hope will never come. But investment dealers who aren’t prepared could face the ire of the IDA if they don’t have business continuity plans in place by July 31.

The good news is the financial services sector appears to be taking the message to heart. Almost 90% of Canadian financial services firms have procedures in place to ensure there is no service disruption in the event of a something like a repeat of 9/11 or the looming threat of avian flu, according to a recent survey by KPMG.

Firms don’t have to look back too far to see why the IDA is concerned. Few were properly prepared for the extended service disruptions caused by the blackout that spanned the eastern seaboard in the summer of 2003.

“The IDA bylaw is just pushing them to where they should be,” says Mike Moszynski of KPMG’s Advisory Services.

But there are still issues to be resolved. Moszynski says firms have focused their planning around technology, but haven’t formalized those plans or made sure that their employees know how to react in the event of a crisis.

That’s the difference between disaster planning and business continuity planning, he explains. Disaster planning focuses on backing up data, where as continuity planning ensures that data and people are in place to serve their clients within 24 to 48 hours after a service disruption. “The bottom line is about client access to assets.”

Maysar Al-Samadi, vice-president of professional standards for the IDA, is encouraged by the progress he’s seen by firms so far, but he acknowledges there’s quite a bit of work to do to meet the summer deadline.

Al-Samadi is heading up the business continuity project for the IDA. Firms not only have to have a documented and tested plan in place, he says, they also must have their plans reviewed by an approved independent third party, and report to the IDA. Introducer members — who have their back office system maintained by another IDA approved member — will be reviewed by the IDA.

Some small and medium-sized firms are undergoing reviews, but none would be considered to be in compliance with the bylaw at this time, Al-Samadi says.

“IDA members should be sensitive to the fact that the bylaw talks about a governance or management framework so there has got to be a policy,” Moszynski says. “It must be communicated to staff and the reviewer must assess the level of communication to staff.”

Moszynski is visiting firms that are only now starting to formulate a plan. Others are looking to have their plans reviewed by April or May. That should be enough time, he says, but it’s cutting it close.

He advises firms to get their plans ready sooner rather than later, since audit firms like KPMG, can issue a preliminary report and re-test before the formal report can go to the IDA. Moszynski has seen recovery systems fail four or more times. Many people underestimate the complexity of technology testing, he says. A failed test can be as simple as loading the backup tapes in the wrong order.

To be in compliance, small companies are looking at spending between $25,000 to $30,000 and a retainer of less than $5,000 a month, which gives them access to a recovery site within 24 hours. Larger firms are looking at a price tag of tens of millions of dollars.

The big players are also re-considering locations for recovery centres. “The recent thinking about backup data centres is that Mississauga and Markham are no longer far enough away,” Moszynski says. “The larger organizations are starting to look beyond the Greater Toronto Area to locate their backup data centres.”

IDA is still discussing what ‘incentive’ it will use to make sure firms are in compliance. The regulator has the authority to levy fines and warnings. Al-Samadi said he should know that within the next few weeks.

Filed by Mark Brown, Advisor.ca, mark.brown@advisor.rogers.com

(03/17/06)