Circular to Licensed Corporations concerning Effective Business Continuity Plans

An effective business continuity plan is essential to the operations of all licensed corporations.  You are expected to establish and maintain appropriate internal controls and risk management measures to protect your key business functions and recover them in a timely fashion in the event of operational disruptions¹.

Below, we set out a non-exhaustive list of questions to which you may refer when reviewing your business continuity plan.

Self-assessment questions

(a)  Have you assigned at least one senior staff member to:

• Identify critical systems and functions (including outsourced functions);
• Activate the business continuity plan at the appropriate time;
• Oversee the business recovery process;
• Communicate with other staff members about the process;
• Coordinate with relevant external parties (including major service providers) to resume your business operations; and
• Test the business continuity plan and evaluate its effectiveness on a regular basis and update it as necessary?  

(b)  Do you have other business location(s) which may serve as your back up site from where you can maintain critical operations and services if your staff is unable to access your major office(s)?

(c)  How can you serve your clients if access to your office is restricted?

(d)  Will certain functions or services to clients need to be suspended if your back up site can only operate on a limited capacity?

(e)  Do you have an emergency communication plan to inform your clients and counterparties of your business continuity arrangements?

(f)   Do you have an emergency contact arrangement for all your key staff members and are the contact details up-to-date?

(g)  Have you regularly backed up and stored your critical business and transaction data, and are those backed-up data available for use in your back-up computer system within a reasonable timeframe?    

(h)  If you are an Exchange Participant, do you have any alternative trading arrangement to effect clients’ trade orders, such as trading via another Exchange Participant on your behalf or using back-up terminals provided by the Exchanges?

(i)   Have you assessed the quantum of potential claims from clients in the event you cannot provide the usual level of services to them?

(j)   Have you assessed the adequacy of your existing insurance coverage?  

While you are expected to assess your existing business continuity arrangement, you are also reminded to update your information, particularly the emergency contacts, with the Commission on a timely basis.

Licensing Department

Intermediaries Division

Securities and Futures Commission