Disaster Recovery Planning Essential for Trading Firms (by Roy Castleman, Prosyn)
9/11 left its tragic mark on the financial world, and the hope is that a catastrophe like that will never happen again. But in an open society, it is difficult to expect “never.” There are many other potential threats of a natural order that can have an equally destructive impact on the investment and trading community: fire, earthquake, hurricane, power outage, and flood, to name a few. There is also the human threat of cyberattacks. Financial centers clustered in major cities only add to the potential devastation of a local disaster.
Any interruption to the high-level, dynamic interaction of financial processing can be catastrophic and have a far-reaching, possibly global, impact. It is not surprising, then, that more and more regulations are being put in place to prevent the negative consequences of cataclysmic events.
It is also not surprising that banks and investment firms are becoming more sophisticated in Disaster Recovery strategies in an effort to protect their assets and prevent the proliferation of fallout that could occur from a crisis – like the bank bailouts and takeovers that have occurred in the past. The wholesale financial sector is improving its DR programs because of the complex nature of its business – and because DR is being driven by increasing regulations.
Regulations driving DR
Examiners are increasingly asking banks and financial institutions what they would do in the event of a disaster. In the US, the FFIEC (Federal Financial Institutions Examination Council) governs the operations of federally funded banks and provides comprehensive implementation and review procedures for financial institutions.
The FFIEC produces the IT Examination Handbook, which provides IT standards for the business operations of financial institutions. In addition, organizations such as the SEC, NASD and NYSE have established further standards and operational review procedures to govern security dealers. The financial industry is very well regulated to ensure compliance with federal and state standards as well as Business Continuity in time of disaster.
Business Continuity the Goal
The goal for financial institutions is the same as for any other business enterprise: Business Continuity. How it is achieved, however, is quite different because of the complex operating environments and highly sensitive and volatile information being processed 24/7. Business Continuity Management (BCM) requirements and practices even differ within the financial community itself. Wholesale institutions have different procedures than retail institutions. Let’s look at some of those wholesale concerns.
Financial services for the wholesale sector are centered on the dealing room. This is where traders, analysts, salespeople and others create financial products and provide advice to investors. Activities are performed within strict compliance regulations. If traders have to be moved or relocated, it must be done with this same level of compliance. Often, WAR (Work Area Recovery) rooms or areas are designated for the relocation of traders where compliance can be followed.
The Operations Department has the tasks of matching, confirming, reconciling and settling transactions. This process goes on continually throughout the day and is handled by computers for the most part. The uptime is critically important here.
The so-called “middle office” of the trading organization handles governance and risk management responsibilities. Transactions are processed and recorded, and stock, bond and other financial positions are managed carefully and continually. Maintaining the current status of this information is fundamental to Business Continuity.
Since markets are so volatile, time is of the essence for all these trading functions. Even a small disruption can create huge losses for many vested individuals and companies. Many companies set Recovery Time Objectives (RTOs) of days or weeks to get business back up and running normally. But in the financial world, RTOs can be a matter of seconds. Some institutions actually set “zero” as their expectation.
Security is essential
Most financial institutions have Security Operations Centers (SOC) to monitor, analyze and report on the handling of information and to manage any violations of company security policies. In the event of a disaster, the security team has to be on top of several situations simultaneously, protecting data sensitivity and privacy among them. Any of these situations could have serious impact on the company’s survival as well as affecting the livelihood of its investors.
A growing number of financial institutions partially or fully outsource their security management to third parties called Managed Security Service Providers (MSSPs). Although MSSPs provide valuable services, they also present risks, which are called out by the FFIEC and specified in its Handbook. A comprehensive DR plan has to include risk management of MSSP organizations as well.
Communications in real-time
In the event of disaster or serious interruption of financial services, the financial institution has a responsibility to communicate all essential information to all its publics as fast as possible. Email systems are too slow and undependable. More immediate methods are available today.
Social media like Facebook and Twitter and a host of other sites provide the means for companies to disseminate information to all employees – traders, salespeople, executives – and to the investment community including investors and regulators.
Mobile devices like laptops, tablets, and smartphones can all be used to facilitate communications while in DR mode.
Zero tolerance the target
Where millions of dollars are transacted non-stop, and fortunes are made and lost within seconds, the financial industry is forced to have a “zero tolerance” mentality. Through virtualization of its processes with electronic vaulting, shadowing and mirroring, redundant operational centers, mobile banking, and air-tight DR schemes, the industry is demonstrating its concern for – and action against – potential threats. The RTO target of “zero” says it all.
Prosyn Ltd was founded in 2002 to offer IT support and disaster recovery services to businesses in the UK.