Background
The purpose of this Notice is to provide guidance to Members regarding the development and implementation of business continuity plans.
MFDA Rule 2.9 (Internal Controls) requires that Members establish and maintain adequate internal controls. Internal controls consist of the policies and procedures established and maintained by management to assist in achieving its objective of ensuring, as far as practical, the orderly and efficient conduct of the entity’s business.
Recent heightened sensitivity to the possibility of business disruptions, whether due to an act of terrorism, an outbreak of a widespread disease or a natural disaster, has increased the focus on business continuity planning as a significant component of investor protection and maintaining market stability.
As a consequence, MFDA staff is of the view that Members should establish and maintain appropriate business continuity arrangements to ensure that they are adequately prepared to minimize business disruptions in a variety of potential crisis situations and are able to continue service or resume operations within an acceptable period of time.
Business Continuity Planning
Members should develop a business continuity plan that is appropriate for their size and business model. The business continuity plan should identify necessary procedures to be undertaken during an emergency or significant business disruption. In particular, such procedures should address the following:
- Defined triggers for invoking business continuity arrangements;
- Identification of critical operations and services to be maintained in a crisis situation;
- Defined management/staff responsibilities for managing operational disruptions;
- Procedures to be followed to maintain all core business functions and, if interruption is inevitable, to resume service within acceptable time frames;
- Allocation of adequate resources for business continuity;
- Back-up systems for the protection and recovery of data and client records (electronic or physical);
- Procedures to be followed to communicate information of an event to all relevant parties, to maintain contact in crisis situations, to provide clear guidance regarding key personnel functions and to coordinate all activities during the execution of the recovery plan; and
- Information about service providers’ business continuity arrangements, if relevant. It is the Member’s obligation to ensure that its core third party service providers have such arrangements in place.
As with all policies and procedures, business continuity arrangements should be in writing and should be reviewed and tested on at least an annual basis. All staff should be informed about the existence and details of the business continuity arrangements and should be able to access them promptly in an emergency. Business continuity arrangements should also be approved by senior management.