Disaster Recovery and Technology for Compliance Managers

By Ash Bhatnagar, CFP    

As with any firm today, compliance has become an important part of the financial business. Disaster recovery is one regulation little understood by compliance managers. In large firms, the chief compliance officer (CCO) normally assigns this critical task to the technology department. In small firms, the advisor usually depends on a local technology company to create and install a plan. In both cases, neither of the business owners truly understands what they have received. Statistically, 40 percent of businesses never re-open after a disaster and 60 percent of businesses confronted by a major disaster close within two years.[1] Additionally, 77 percent of businesses that test their internal backups regularly "found they were unable to fully recover their data."[2] With these types of statistics, I say forget the regulations...disaster recovery is a business-critical issue that needs competent solutions.

Large Firms

In large companies, there is a chain of command where the CCO asks the technology group to implement a disaster recovery plan. The technology group spends long hours building systems, spends an extreme amount of money, and writes thousands of pages for the manuals. The CCO, overwhelmed by the monster, simply marks the task as done. In the past month I met firms where the CCO did not know where the backups were being performed, how often, or whether the technology department tests the backups. So how do you combat this problem or fear?

More and more I am finding that CCOs need to acquire some basic knowledge of technology, specifically networking and business software. There are many courses available throughout the country (check the Internet) or try your local college. Second, every CCO should test their backup as a part of their overall compliance review process. I suggest testing quarterly, if not more often. For instance, the test can be something as simple as asking the technology department to recover a deleted file from the previous week. But to understand what procedure to put in place, you must understand the system first. Thus, the key for a CCO is to better understand technology.

Small to Mid-sized Firms

Unless you have a relative who is a technology genius, small to mid-sized firms have it tough. Small firms face many challenges with disaster recovery: knowledge, time, cost, and resources. Usually a local technology company installs the system to the best of their ability and the advisor instinctively runs the other way from all the wires and blinking lights. Then the advisor hopes nothing breaks, a mistake that eventually costs thousands of dollars. Fortunately, as a small firm you have little bureaucracy, so the fix is easier. Unfortunately, technology moves so fast that most advisors do not have the time to keep up. So let's take a look at a solution I consider helpful.

Most firms in this category have personal computers that are connected to a network hub for Internet connection. Some firms also have a server. First thing to note is that if you do not need a server, do not get one. There are many alternatives in the marketplace. Remember: you, the advisor, will be responsible for managing the server or will spend a lot of labor dollars having it managed.

So what is an alternative? Consider network-attached storage (NAS) that is specifically made for small-business home offices. This is not your ordinary external drive purchased from your office supply chain. It is more sophisticated, yet easy to install. I have found most technology vendors will install the office-supply-chain solution mainly because it is cheaper, but I have seen advisors lose a lot of data with this type of solution, so it's not worth saving a few hundred dollars. Additionally, when the cheap solution breaks, you have to hire the tech vendor to recover your data.

NAS systems are specifically built as an external hard drive that automatically performs internal backups. NAS systems normally come with two to four drives that are constantly backing each other up; if one of the drives ever fails (the system will send you a message), you can replace it yourself. No need to hire a tech person. Once replaced, the system will automatically start backing up again. Many of these systems also have an auto-sync feature. You can place another unit at your home or remote location and the two units will synchronize continuously. No need for tape, DVD, etc. Finally, you can set up the NAS to access your files from the Internet. You may need a little help with the sync and Internet features, but once setup is complete, they work well. For more information on specific products, search the Internet under SOHO (small-business home offices) and NAS. Additionally, there are product reviews online or you can check out YouTube. It's amazing how many people are willing to share their information. They buy the unit, post their review, and even show you how the product works. Whatever you choose, never use RAID (redundant array of independent disks). Wikipedia.org has an entry about RAID.

Another solution that many advisors use is third-party backups. Although these backup vendors have many claims, it is imperative that a procedure be in place to test these solutions on a monthly basis. I have spoken to many firms that have used reputable third-party backup services, only to find that the backups had not worked for months. Of course they found out only after they lost their data and tried to recover it from the vendor. Before choosing a third-party vendor, ask them what the tier level is for their data center. Look at Webopedia.com to understand tier levels.

Telephone System

Very few think about the telephone system when they develop a disaster recovery program. You have the client's most sensitive information and the last thing they should fear is how to get in touch with you. Here are some scenarios to think about. If the phone system is installed in the basement of a building, what will happen to the phone system during a flood or a water pipe break? If the power goes out, do you have battery backup? Can you forward calls from a remote location? If the phone system stops working, what happens to the calls? Do not get caught in a situation where the client gets a strange voice in a voice mail or a busy signal. This actually did happen to one of my clients. Just imagine the shock to the advisor's clients! One solution would be to buy a backup voice mail box on your main number from your telephone carrier. If for some reason your phone system does not pick up, the carrier's mailbox will. Then, as a compliance officer, you should test at least semi-annually.

Endnotes

  1. "Disaster Recovery Decision Making for Small Business," by Darrell Zahorsky.
  2. Storage magazine.

Ash Bhatnagar, CFP, is president of RIA Independence Company. RIAICO is an industry expert for advisors seeking independence, offering outsourced integrated solutions for compliance, technology, operations and marketing. RIAICO also conducts technology-compliance infrastructure review, Regulation S-P, vendor review and evaluation, as well as structuring compliance review processes. Bhatnagar can be reached at 609-945-7100 x101 or ash@riaico.com.