If Pat McAnally from Sungard is correct, then Information Technology Risk is here to stay especially when it comes to Continuity of Business Operations.
"Basel II represents the first time technology entered the definition of operational risk," McAnally says. "In Basel it’s the first time we’ve seen this enter the lexicon—normally it’s all about credit risk and liquidity and market portfolios. We’re hearing from our clients that it’s trickling down even to institutions that are not top-tier because they believe that eventually, if the big firms will have to adhere to that, then they will, as well. And the whole issue of it coming out of some of the European accords as the market moves more into global outsourcing of business processes means it doesn’t matter if you’re headquartered in the US if your processes are being managed elsewhere."
McAnally sees similar beefed-up business continuity requirements in the SEC’s new mandates for hedge funds and investment advisors.
"From the hedge fund perspective, the SEC’s registration rule follows rules 206 and 38A for registered investment advisors passed last February," she says. "These rules require board approval for a chief compliance officer, and specifically spelling out security and privacy, and they’re specifically spelling out business continuity plans. So if you want to register as an investment advisor with the SEC, if that’s important to your business model, then they’re requiring those things."
For hedge funds with institutional investors and that utilize incubators, ASP providers or other third parties for their business continuity function, McAnally recommends extensive due diligence—fund managers themselves should make sure their providers can duly support any business interruption.
"If institutional investors are not careful, they’re going to be exposed to risks that are not under their control, and smaller hedge funds utilize things like technology incubators," McAnally says. "You’ve got to find out if they did their due diligence to see what the provisions are for availability, for continuity."