Why a Robust Business Continuity Plan Is Essential for Registered Investment Advisers

Operational disruptions are no longer hypothetical risks. Cyber incidents, natural disasters, technology outages, and key-person events have become increasingly common, and the Securities and Exchange Commission continues to emphasize operational resilience as a fundamental component of an adviser’s compliance program.

For Registered Investment Advisers, a well-designed Business Continuity Plan (BCP) is both a regulatory requirement and a critical safeguard for clients. At Core Compliance and Legal Services, we routinely see that firms with thoughtful, well-maintained BCPs are better positioned to respond to disruptions and regulatory scrutiny alike.

While the SEC does not prescribe a specific BCP template, regulators expect advisers to maintain written policies and procedures, tailored to the firm’s business, that are reasonably designed to ensure continuity of operations and protect client interests during significant business disruptions.

Key Regulatory Expectations Include:

  • Written BCP policies and procedures as part of the firm’s compliance program
  • Identification of critical business functions and supporting systems
  • Alternate operational arrangements for facilities, personnel, and technology
  • Communication plans for employees, clients, service providers, and regulators
  • Periodic testing and employee training
  • Ongoing review and updates based on changes to the firm’s business or risk profile

A recurring theme in SEC examinations is not whether a firm has a BCP, but whether the plan is tailored, current, tested, and understood by personnel.

The SEC recognizes that advisory firms vary significantly in size, structure, and complexity. Accordingly, BCP requirements are principles-based rather than prescriptive. What matters is that the plan is reasonable in light of the firm’s operations and supported by documentation demonstrating oversight, testing, and training.

Small and mid-sized advisers are not held to the same operational scale as large institutions—but they are expected to thoughtfully assess risks and prepare accordingly.

A compliance-ready Business Continuity Plan should clearly address the following components:

 

1. Risk Assessment and Business Impact Analysis

The BCP should begin with an assessment of risks that could materially disrupt operations, such as:

  • Technology or system failures
  • Cybersecurity incidents
  • Natural disasters or regional emergencies
  • Loss of key personnel
  • Third-party service provider outages

The firm should document how these events could impact critical operations and client service.

For smaller advisers: A concise written assessment and review of the firm’s mission-critical vendors is sufficient, provided it clearly explains the firm’s risks and response strategies.

 

2. Identification of Critical Business Functions

Advisers should identify the functions that must continue during a disruption, which commonly include:

  • Portfolio management and trading
  • Client communications and reporting
  • Compliance supervision and monitoring
  • Access to books and records
  • Technology systems and data security

For each function, the BCP should identify responsible personnel and supporting systems.

 

3. Alternate Operations and Recovery Strategies

The plan should describe how the firm will operate if normal business locations or systems are unavailable, including:

  • Remote work capabilities and secure system access
  • Data backup and recovery procedures
  • Alternate communication methods
  • Contingency arrangements with key vendors

For small firms: Cloud-based platforms and secure remote access often serve as effective, scalable continuity solutions.

 

4. Communication Procedures

Clear communication during a disruption is essential. The BCP should outline procedures for communicating with:

  • Employees
  • Clients
  • Third-party service providers
  • Regulators, when appropriate

Maintaining accurate contact lists for staff and mission-critical vendors, together with escalation protocols, is critical and should be part of ongoing maintenance.

 

Testing: A Regulatory Expectation, Not a Formality

The SEC routinely reviews whether advisers test their BCPs—and whether those tests are documented (remember: according to regulators, if it’s not documented, it didn’t happen).

Effective testing may include:

  • Desk walkthroughs of response procedures
  • Tabletop exercises based on realistic scenarios
  • Targeted testing of remote access or data recovery

Testing results should be documented, along with any identified gaps and remediation steps.

 

Training: Ensuring the Plan Can Be Executed

A BCP is only effective if employees understand their roles during a disruption.

Training programs should include:

  • Firm-wide BCP awareness training
  • Role-specific training for key personnel
  • Training following material updates to the plan

For small firms: BCP training can be incorporated into annual compliance meetings or periodic staff check-ins, provided attendance and content are documented.

Senior management remains ultimately responsible for business continuity planning. Firms should ensure:

  • Clear assignment of BCP oversight responsibility
  • Periodic review and approval of the plan
  • Documentation of updates, testing, and training

Strong governance not only supports operational readiness but also demonstrates a culture of compliance during SEC examinations.

 

Practical BCP Considerations for Small Advisory Firms

Smaller advisers can enhance their BCPs by focusing on practicality and clarity:

  • Tailor the plan to actual operations rather than using generic templates
  • Leverage technology to support remote operations and data security
  • Prioritize likely disruption scenarios, such as system outages or key-person risks
  • Document everything—testing, training, reviews, and updates (be sure to document reviews, with a manager signature and the date of the review, at least annually)

A well-designed, right-sized BCP is far more effective than a complex plan that cannot be executed.

Business continuity planning remains a core compliance obligation for Registered Investment Advisers. Firms that maintain thoughtful, tested, and well-documented BCPs are better positioned to protect clients, sustain operations, and respond confidently to regulatory examinations.

Core Compliance supports firms with business continuity planning by helping translate regulatory expectations into written BCPs that are practical, scalable, and defensible. Our assistance focuses on gap identification, alignment of policies and disclosures, operational testing and documentation, and exam readiness, each tailored to the firm’s business model, size, and risk profile. Firms seeking additional support or guidance may contact us at info@corecls.com, call (619) 278-0020, or visit www.corecls.com.

 

Author: Apryl Thompson, Compliance Consultant; Editor: Matthew Rothchild, Sr. Compliance Consultant, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.