Backup Systems Go Beyond Disaster Recovery, 24/7 Access
October 21, 2002
For the most part, mutual fund companies were able to recover quickly from the terrorist attacks of Sept. 11.
Still, consultants and regulators say some firms haven't done enough to plan ahead, and many firms continue to look for disaster-recovery improvements - which may be one of the reasons why the industry will take another swing at the problem during the Investment Company Institute's Operations Conference in Scottsdale, Ariz., this week. Mutual Fund Market News Associate Editor Tony Lystra spoke recently with Mary Carrido and Don Saracco, president and EVP/COO, respectively, of MLC & Associates, a business-continuity consulting firm in Port Orchard, Wash.
The big question in terms of business continuity these days is what changed after Sept. 11?
Carrido: Companies were not identifying up-front who was the weakest link in the supply chain. Business continuity plans were mostly internal planning. Companies didn't look at the external part of their planning process.
The second thing is communication. There was a lack of coordination between their own organization and the public sector and the lifelines.
What do you mean by "lifelines"?
Carrido: Find out who is in charge of the incident, i.e. is it the city, county, state or the federal government? If it's city-level, is it the fire department? The mayor? The police? The FBI? There are a lot of agencies that were called in on Sept. 11. Most of the companies that were affected by Sept. 11 didn't have a clue how to coordinate with the various public agencies.
What's the benefit of coordination?
Carrido: For those inside the World Trade Center on Sept. 11, had they known how to communicate ahead of time with any one of those agencies, they could have found out how to evacuate.
The other thing you could tell from that day was some of the companies in that building took evacuation drills seriously, and others did not. Most companies try to schedule their evacuation drills during holiday seasons, when they have very few employees in house.
Have you known any fund companies to cut these corners?
Carrido: [Laughs.] Oh yeah.
So, if another attack of similar proportions to Sept. 11 happened today, what would be different at companies today?
Carrido: I would say that they've done a good job in trying to put in an effort.
Saracco: One of the problems the financial-services sector has is it's regulated fairly heavily, with an increased sense over the past year that more regulation is coming.
These kinds of events tend to urge regulators to expand their influence. So I think there's been a lot of "wait-and-see" to find out what new regulations may be imposed before they make any changes.
Here's an industry that is not used to being its own master, so the fund industry has been childlike in its relationship with the regulators. It has said: "Well, let's see what the regulators come up with, and we'll meet those requirements."
That's one way to control the costs associated with these kinds of efforts. I won't say that they do that when it comes to human-life safety issues, but when it comes to the continuity of the business, they do.
The SEC requires firms to back up their customer data, but there is a lot of ambiguity in how the rule can be applied. Have you seen a lot of variation in the way firms go about complying with that rule?
Carrido: Yes. Depending on the size of the organization and its customer base, that will determine the type of technology that they use.
Saracco: If your business is fairly traditional, retail banking for example, one of the changes over the years has been the shift away from customers coming into branches. Companies have been moving their customers very deliberately to the Internet to do all of their transactions.
The more you do that, the less tolerance your customers have for downtime in their systems. I may not have liked the fact that there were bankers' hours, but I understood that. If you are a fund company telling me, essentially, through your Web site that you're available 24/7 and you're not, I'll go somewhere else.
So the term "backup" becomes archaic. We can't have backup. Instead, we have to have a bullet-proof system that never goes down.
Carrido: Especially with mutual fund companies, they do not have the luxury of having a backup plan as their means of being able to recover their customer base. It's unacceptable. Now, even though they're given 72 hours, you'll see that many institutions make it a zero-tolerance of downtime. They do not want to lose market share. They can't afford not to be up and running and have the customers be able to access the system at any time.
If not, the customer will simply sell out and say, "You guys don't have your act together. I'm going somewhere else."