Is Your Hedge Fund Prepared for the Storm? – Operational Due Diligence on Business Continuity and Disaster Recovery Planning With the recent continuing spate of snow storms and extreme weather throughout the United States the subjects of business continuity planning (“BCP”) and disaster recovery (“DR”) have come back into the spotlight. Even minor disaster type events can cause major disruptions to a hedge fund’s operations. From heavy snow which may prevent employees from accessing the firm’s offices to small scale power outages and routine internet access outages, occurrences which present the potential for data loss and business disturbances often occur more frequently than many investors would think. Often during the course of an operational due diligence review, investors run the risk of being lulled into complacency when it comes to evaluating a hedge fund’s ability to both continue operations when a disaster event occurs (i.e. – business continuity) and to restore from a disaster things such as potential data loss (i.e. – disaster recovery). Considering Hedge Fund Strategy Appropriateness: As is the case with the vast majority of issues which should be covered during the operational due diligence process, certain strategy specific considerations should be taken into account when evaluating the appropriateness and robustness of a hedge fund’s business continuity and disaster recovery planning. For example, a hedge fund which engages in a high-frequency trading strategy should be more sensitive to risks due to down time from a power outage, loss of internet connectivity or loss of telephones which would influence the fund’s ability to trade, as compared to a fund which executes only a handful of trades a week. Similarly, investors performing due diligence on these funds should take measures to understand the appropriateness of different levels of preparedness for each of these funds. This is not to suggest that a fund which executes a small number of trades every month should settle for a mediocre BCP/DR plan for trade connectivity in the event of a disaster event. However, in reaching a conclusion in relation to the amount of operational risk present at a particular hedge fund, the nature and weight of the risks relevant to that particular hedge fund should be considered. Protecting Critical Data: Critically important to the successful operations of any hedge fund, is the management and maintenance of data. Data can include all types of items ranging from daily trade activity files and security master files to routine employee emails. When a disaster event occurs a hedge fund must be able to access and restore this data in a timely manner. If not, they could face disruptions which cause a number of problems including deprive them of market opportunities and delaying production of investor capital statements
Some key questions investors should consider in evaluating the robustness and appropriateness of a hedge fund’s data backup and recovery systems include: • • • •
How is data backed up? (i.e. – via tapes, external hard drives, online backups etc.) Are different types of data backed up more/less frequently? (i.e. – for mission critical systems versus lower priority systems) How long would it take to restore data? Are test data restores performed? If yes, how frequently and by whom?
Understanding BCP/DR testing: Regardless of the business continuity and disaster recovery policies and procedures in place, such plans are virtually useless unless they are frequently tested. Testing should not only be performed from a technological standpoint (i.e. – if the primary internet connection goes down does the backup internet pipe automatically kick-in) but also from a personnel perspective as well. Some key questions to investors may want to ask in this regard include: • • • • • •
Have employees performed any simulated testing or restores of systems according to the firm’s BCP/DR plans? Is contact information for service providers (i.e. – administrator, legal counsel, auditor etc.) up to date should employees need to contact them? Who is responsible for activating the firm’s business continuity and disaster recovery plans? Are employees provided with each other’s contact information in the event of a disaster? Who makes sure this information is up to date? Should the hedge fund’s office become inaccessible, can employees access their desktops remotely? If yes, has this been tested by employees? Does the firm maintain a disruption gathering location should the hedge fund’s offices become inaccessible?
Business continuity and disaster recovery planning is a complex area of a hedge fund’s operations. BCP/DR planning touches a number of different operational functions throughout a firm including the areas of compliance, business planning and information technology. Investors taking care to thoroughly vet this area of a hedge fund’s operations may find that they sleep better at night when a disaster event strikes.
Originally posted on the Corgentum Consulting blog at www.Corgentum.com/blog For More Information
Corgentum.com firstname.lastname@example.org Tel. 201-360-2430
© 2011 Corgentum Consulting, LLC