SMALLWOOD'S SHOUT for IFA Online - 'Disaster Recovery - are you taking it seriously?'
Since 2002, following the terrorist attacks in the US which saw the regulator's Canary Wharf HQ temporarily close, the FSA has been working to ensure firms are "properly prepared" when operations are disrupted. Despite this, very few adviser firms have ever attempted a complete disaster recovery and understandably the Regulator is working hard to remedy this in the broader intermediary marketplace.
Following record floods in the past few months, the FSA stated that it was assessing the impact that severe weather, including flooding, would have on different sizes and types of financial firms. As part of this, the Regulator stated that it is working with about 80 businesses to examine their preparedness for disaster recovery, office evacuation and their abilities to restore business continuity.
With an already very damaged reputation, much rides on the industry regaining respect for improved measures to protect sensitive client data and restore businesses in the event of unforeseen situations. For a bank or a building society this type of testing should be run of the mill, but for many smaller intermediary firms it is all too often seen as a chore, which will disrupt business for a short period, with little reward. Sadly, this short-sighted approach could mean many firms and thousands of clients are left exposed, and I for one think it is about time something was done to make disaster recovery solutions mandatory.
At the very least all firms should have a formal, documented process for testing that their business continuity processes and procedures can operate correctly, but ideally practical testing should form a core part of this.
One of the key elements of a good disaster recovery process is virtualisation, whereby files and folders are held on a real physical server but, to all intents and purposes, it looks and feels as if it is a simple piece of software running from the same PC.
The real difference here, though, is that virtualisation technology allows main servers and disaster recovery servers to automatically and seamlessly replicate data whenever changes are made to one. Windows patches, anti-virus updates and new software installations are all duplicated in the background without any prompting or checking needed. This ensures that if the back-up ever needs to be brought into use, it really is a case of business as usual.
Having done the whole disaster recovery exercise ourselves and fortunately having completed it very successfully in a short 10-hour window, I would strongly advocate that all firms should be forced to undertake the same exercise. It is all very well saying that disaster recovery plans should be reviewed at least once a year, but more importantly, they should be physically tested too.
Whether it be under TCF rules or simple common sense, the need to provide security at the heart of a business is fundamental to long-term success and ultimately valuation. Taking on board disaster recovery preparedness as a serious commercial necessity should be unavoidable. Managing risk is all very well but adding risk where it is not needed is simply stupidity.
