Business continuity has been part of the SEC's adviser examination priorities for more than a decade. The agency's 2013 IM Guidance Update formalized the expectation, and subsequent risk alerts have made clear that RIAs are expected to have a written plan, exercised regularly, capable of maintaining service to clients through significant business disruptions. The expectation applies to advisers of every size — a five-person firm has the same obligation as a five-hundred-person firm, scaled appropriately.
The practical challenge is that business continuity sits at the intersection of IT, operations, compliance, and leadership. A plan written only by IT tends to overemphasize technology recovery and underemphasize the operational processes that actually maintain service. A plan written only by compliance tends to be a paper exercise with no technical depth. The plans that survive examinations — and that actually work when a disruption occurs — integrate the two perspectives throughout.
What the SEC Expects to See
The 2013 guidance and subsequent risk alerts establish a consistent set of expectations. The plan must address the maintenance of critical operations and systems, the protection of clients' assets, the communication with clients, and the restoration of the adviser's ability to conduct business. The plan must be in writing, reviewed and updated at least annually, and tested through exercises.
The guidance also specifically contemplates disruptions to key personnel — what happens if the portfolio manager is unavailable, if the CCO is hospitalized, if the principal is out for an extended period. Succession planning within the business continuity plan is an expected component.
Examinations test these expectations concretely. A typical exam request list will include the written plan, the most recent exercise records, the results of the annual review, evidence that key vendors have tested their own continuity, the list of critical operations and the recovery objectives for each, and evidence that clients can be served through a disruption of a specified duration.
Component One: Critical Business Functions
The first substantive section of the plan identifies the critical business functions — the activities the firm must perform to maintain service to clients, meet regulatory obligations, and preserve the value of client assets. For a typical RIA, this list includes trade execution (if the firm has discretion), performance reporting, client communications, billing and fee administration, custody reconciliation, and the routine compliance activities that the regulatory calendar requires.
Each critical function needs a recovery time objective (RTO) and a recovery point objective (RPO). RTO is how quickly the function must be restored; RPO is how much data loss is tolerable. For trading functions, the RTO is typically measured in minutes to hours; for periodic reporting, it might be measured in days. For most firms, a standard RTO of four hours for trading-related functions and 24-48 hours for back-office functions is a defensible baseline.
The prioritization cascades into the technology architecture. Systems with short RTOs (minutes to a few hours) need geographic redundancy, real-time replication, and fast failover; systems with longer RTOs can rely on standard backup and restore procedures, provided the backup cadence actually satisfies the RPO. Without this prioritization, firms either over-engineer everything (expensive and hard to maintain) or under-invest in everything (brittle and non-compliant).
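The check that turns an RTO/RPO table into findings is mechanical enough to script. The block below is an added example, not code from the article or from any vendor: it takes an inventory of critical functions, the recovery architecture behind each one, the backup or replication cadence, and the recovery time measured in the last exercise, and flags four kinds of gap. The architecture names, the minimum RTO each architecture can credibly deliver, and the sample inventory are all assumptions for illustration, not figures from the article.

```python
"""Continuity gap check for an RIA critical-function inventory.

Added example. The architecture tiers, their RTO floors and the sample
inventory are assumptions for illustration, not the article's figures.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed floor on the RTO each recovery architecture can credibly meet.
# Illustrative values; a real plan would take these from vendor SLAs and
# the firm's own exercise results.
ARCH_MIN_RTO_MINUTES = {
    "active-active": 15,     # geographic redundancy, real-time replication, automatic failover
    "warm-standby": 120,     # replicated to a secondary site, manual cutover
    "backup-restore": 1440,  # restore from backup onto rebuilt infrastructure
}


@dataclass
class CriticalFunction:
    name: str
    rto_minutes: int                 # how quickly the function must be restored
    rpo_minutes: int                 # tolerable data loss
    architecture: str                # key into ARCH_MIN_RTO_MINUTES
    capture_interval_minutes: int    # backup/replication cadence; 0 = synchronous
    measured_recovery_minutes: Optional[int]  # last exercise result; None = never exercised


@dataclass
class Finding:
    function: str
    kind: str    # "rpo_gap" | "architecture_mismatch" | "untested" | "rto_missed"
    detail: str


def worst_case_data_loss(fn: CriticalFunction) -> int:
    """Data written since the last capture is lost; the worst case is a full interval."""
    return fn.capture_interval_minutes


def assess(fn: CriticalFunction) -> List[Finding]:
    """Compare one function's objectives against what its architecture and exercises show."""
    findings: List[Finding] = []

    loss = worst_case_data_loss(fn)
    if loss > fn.rpo_minutes:
        findings.append(Finding(fn.name, "rpo_gap",
                                f"capture every {loss} min exceeds RPO of {fn.rpo_minutes} min"))

    floor = ARCH_MIN_RTO_MINUTES.get(fn.architecture)
    if floor is None:
        raise ValueError(f"{fn.name}: unknown architecture {fn.architecture!r}")
    if floor > fn.rto_minutes:
        findings.append(Finding(fn.name, "architecture_mismatch",
                                f"{fn.architecture} cannot meet RTO of {fn.rto_minutes} min "
                                f"(assumed floor {floor} min)"))

    if fn.measured_recovery_minutes is None:
        findings.append(Finding(fn.name, "untested", "no exercise has measured recovery time"))
    elif fn.measured_recovery_minutes > fn.rto_minutes:
        findings.append(Finding(fn.name, "rto_missed",
                                f"last exercise took {fn.measured_recovery_minutes} min "
                                f"against RTO of {fn.rto_minutes} min"))
    return findings


def assess_inventory(inventory: List[CriticalFunction]) -> List[Finding]:
    """Shortest RTO first: those functions drive the architecture decisions."""
    out: List[Finding] = []
    for fn in sorted(inventory, key=lambda f: f.rto_minutes):
        out.extend(assess(fn))
    return out


# Constructed sample inventory (assumed values, not any firm's real plan).
SAMPLE_INVENTORY = [
    CriticalFunction("trade execution", 240, 15, "active-active", 0, 90),
    CriticalFunction("client communications (email)", 240, 60, "backup-restore", 60, 480),
    CriticalFunction("custody reconciliation", 1440, 60, "backup-restore", 1440, 600),
    CriticalFunction("performance reporting", 2880, 1440, "backup-restore", 1440, None),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f.kind:22} {f.function}: {f.detail}")
```

On the sample data, trade execution passes cleanly; email is both on an architecture that cannot deliver a four-hour RTO and missed it in the last exercise; custody reconciliation has a nightly backup against a one-hour RPO; performance reporting has never been exercised. Each finding maps to a remediation item for the next plan revision.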
Component Two: Key Personnel and Succession
The key personnel section of the plan identifies the individuals required to perform each critical function and documents the succession arrangement if they are unavailable. For each key role, the plan names a primary, a secondary, and optionally a tertiary.
Technical handoff is as important as the name on the org chart. The plan has to specify what the secondary needs to access, who grants that access, and how long it takes to operationalize. If the primary portfolio manager's approval is required for certain trades, and the secondary has a different level of authority, the plan has to address how that gap is handled during the disruption.
Regulatory succession is a special case. Rule 206(4)-7 requires the adviser to designate an individual as CCO, so the plan should document who assumes CCO responsibilities if the primary is unavailable and how the firm notifies clients and regulators as appropriate.
Component Three: Technology Recovery
Technology recovery is the section of the plan where IT contributes most directly. For each critical system, the plan documents the recovery architecture — cloud-hosted with built-in redundancy, replicated to a secondary site, or backup-based recovery with defined RTOs — and the specific procedures to activate recovery.
Cloud-hosted systems provide most of what modern RIAs need. Portfolio accounting platforms, CRM, productivity suites, and archiving tools are all available as managed cloud services with geographic redundancy built in. The plan should document the vendor's own continuity arrangements (SLAs, redundancy architecture, RTO commitments) and incorporate them into the firm's overall plan. Those arrangements cover the vendor's infrastructure, not the firm's route to it: a lost identity provider, a compromised administrator account, or an expired domain can take the firm off a perfectly healthy service, and the plan should address that separately.
For any on-premises or firm-operated systems, the plan needs explicit recovery procedures: backup location, restoration steps, estimated time to recover, and the testing cadence. A restore that has never been rehearsed is an estimate, not a procedure, and the estimated recovery time should come from an actual restore test rather than from the vendor's brochure. Most firms should be aggressively reducing the on-premises footprint precisely because it simplifies continuity planning.
Communications infrastructure is a critical dependency. Clients expect to reach the firm by phone, email, and portal even during a disruption. The plan should include redirect capabilities for phone numbers, alternative email paths if the primary domain is unavailable, and a process for reaching clients through secondary channels if the usual ones fail.
Component Four: Client Communications
Client communication during a disruption is one of the most differentiating factors between firms that handle disruptions well and those that do not. The plan needs a specific strategy for how and when to communicate with clients, with pre-drafted templates for common scenarios, a defined approval process, and the technical means to send at scale.
The content of client communications matters. Clients want to know three things: is my money safe, how can I reach you, and when will things be back to normal. The plan should draft messaging that addresses those questions for each of the major disruption scenarios — technology outage, key personnel unavailability, office inaccessibility, regulatory event.
The channels for communication should include email, the client portal, phone scripts for inbound calls, and a public-facing page (often on an alternate domain) that can be updated without depending on the primary production infrastructure. The firm's website and the client portal itself should contain clear contact information for emergency use.
Component Five: Vendor Continuity
The firm's continuity is only as strong as its vendors'. The plan should include a vendor continuity assessment for each critical vendor — the platform providers, the custodian, the MSP, the archive provider — documenting their RTO commitments, their testing cadence, and the firm's dependency profile.
For the highest-criticality vendors, the annual review should include confirmation that their own BCP has been exercised in the past year. SOC 2 Type II reports address backup and recovery testing under the availability criteria, but only when the vendor has put availability in scope; a report that covers the security criteria alone says nothing about continuity, so check the scope statement before treating the report as evidence.
Vendor concentration risk gets specific attention. If the firm depends on a single custodian, a single portfolio accounting platform, and a single MSP, and any one of them has a material continuity problem, the firm has a problem. Some firms maintain alternative vendor relationships — a backup custodian, an alternative archive — that could be activated in an extreme scenario. Most do not, but the plan should acknowledge the concentration and document the mitigating factors.
Exercising the Plan
An unexercised plan is a fiction. The SEC guidance specifically contemplates testing, and examiners will ask for evidence. The minimum expectation is an annual tabletop exercise that walks through a realistic scenario, involves the key personnel identified in the plan, and produces documented findings and corrective actions.
Higher-value exercises go beyond tabletop. A partial failover test that actually moves a critical function to a secondary site provides real data on RTO achievability. A communications drill that actually sends test messages through the secondary channels validates the client communication strategy. A staff availability drill, a surprise test of whether the right people answer the phone when the disruption starts at 3 a.m., tests the operational realities the paper plan may not capture.
Exercise findings drive the next year's plan updates. A finding that the RTO was not met becomes a remediation project. A finding that a communication template needs revision becomes an update to the plan. The cycle of exercise-finding-remediation is what keeps the plan alive.
The Evidence File
For examination purposes, the evidence file should contain: the current written plan, the prior two years' versions with change history, the annual review records, the exercise records including scenarios, participants, findings, and remediation, the vendor continuity assessments, and the minutes of any governance committee review. The file should be assembled and maintained on a rolling basis, not created in response to an examination notice.
Our financial services practice drafts, maintains, and exercises business continuity plans for RIAs across the country. The approach integrates the IT recovery architecture with the operational procedures and the compliance evidence in a single deliverable. If your firm is assessing its current BCP or building one for the first time, schedule a consultation to discuss the scope.
About the Author
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
