© 2011 Corgentum Consulting, LLC
Increasingly Complex Plan Testing
Evaluating a fund manager's business continuity and disaster recovery ("BCP/DR") planning is acritical part of the operational due diligence process. As investors have continued to place increasefocus on BCP/DR planning, funds have responded by developing increasingly detailed plans. Theseplans can often run the gamut from data backup and alternative backup power generation plans tophone notification trees and alternative gathering locations. The best laid plans however, can beuseless if they are not properly implemented during a business disruption or disaster event. This iswhere the role of plan testing comes into play. Funds that test their BCP/DR plans more frequentlyare better prepared to deal with disaster events. A major risk related to evaluating a fund's BCP/DRplanning is whether or not the plan can be carried out once activated. Testing can come in manydifferent forms. There are technology based tests which solely focus on restoring the firm's systemsand hardware after a business disruption or disaster event. Other types of tests can be more focusedon the role played by the firm's personnel in the event of a disaster event. If a fund's BCP/DR planscall for the ability for the firm's employees to access the firm's systems remotely should the firm'sprimary office become inaccessible, then, one type of test could have employees attempt to connectto the firm's network from outside of the office. Other types of tests can include more realisticsimulations where employees stay home for the day and try to continue operations or insteadcontinue working from a remote location. Investors should take steps during the operational duediligence process to evaluate both the frequency and scope of a fund manager's BCP/DR testing.Some key questions investors should ask include:
Have BCP/DR plans ever been tested?
If so, when was the most recent test?
What kind of test was it?
How was the test carried out?
Who at the firm was responsible for evaluating whether the test was a success?
How have your firm's BCP/DR plans changed as a result of test feedback?
How frequently do you plan to perform such tests going forward?Another key consideration, related to BCP/DR testing is whether or not employees have thenecessary information and tools to remain in contact after a business disruption or disaster event.Some funds for example, provide employees with remote mobile devices. As part of BCP/DRplanning and testing, a fund may load each employees contact details onto these devices soemployees can utilize this information to contact others in an emergency.Investors that invest with fund managers that have solid BCP/DR plans and test them frequently willbe less exposed to the operational risks associated with the inability of funds to continue operationsshould a disaster ever strike.
Originally posted in the February 2012 edition of Corgentum Consulting's
Operational Due Diligence Insights