Keep Calm and Carry On

By Joe Campbell, CTO, PEF Services LLC


Every business can experience a serious incident that prevents it from continuing normal operations. In this day and age, no business is immune from external or internal threats that can compromise the integrity of the business. These threats can range from a flood or fire to a serious computer malfunction or information security incident.

Regardless of the type of threat, your organization needs a Disaster Recovery and Business Continuity Plan to ensure the security of client data files and to recover from such incidents with minimal disruption.

 

DISASTER RECOVERY

The major goal of Disaster Recovery is to minimize interruptions to normal operations, limit the extent of disruption and damage, minimize the economic impact of the interruption, and provide rapid restoration of services.

A disaster recovery strategy starts at the business level to determine which applications are most important to running the organization. Recovery strategies define an organization’s plans for responding to an incident, while disaster recovery plans describe how the organization should respond.  In determining a recovery strategy, consider such issues as:

  • Budget
  • Resources — people and physical facilities
  • Management’s position on risks
  • Technology
  • Data
  • Suppliers

Management approval of recovery strategies is important. All strategies should align with the organization’s goals. Once disaster recovery strategies have been developed and approved, they can be translated into disaster recovery plans.

BUSINESS CONTINUITY

Business Continuity (BC) is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident (source: ISO 22301:2012). Formal disaster recovery and business continuity planning minimizes the impact of a disaster on the firm, its employees, and clients.

Forrester Research and the Disaster Recovery Journal published a number of market studies in business continuity and disaster recovery to gather data for company comparison and benchmarking and to guide research and publication of best practices and recommendations for the industry.

According to the Disaster Recovery Journal, “Since we first fielded this study in 2008, we have seen dramatic increases in the adoption of advanced replication technologies and sophisticated multi-site data center architectures. Despite these technological advancements, only 18 percent of respondents feel very prepared they could recover their data center in the event of a site failure or disaster event, and 37 percent rate themselves as prepared (see Figure 1). As we’ll see in the rest of the study, much of this lack of preparedness can be attributed to a lack of maturity in core planning processes, out of date plans, and very limited testing. It comes as no surprise then that the vast majority of organizations say that improving DR at their firm is a critical priority and while regulatory compliance continues to be a driver, it’s the business need to stay online and competitive 24×7 that’s the top driver (see Figure 2).”

 

SECURITY 

Financial data is at high risk of security breaches. A recent IBM report revealed that financial services are targeted 65 percent more by cyber-attacks than the average organization, and in a 2016 survey of 91 private equity firms conducted by PFM and eSentire, more than half of respondents (53 percent) confirmed that they had already experienced a cyber-attack.

Data security should be top of mind for GPs as they evaluate fund administrators and consider outsourcing fund administration. The first box to check is to make sure that the company has SOC 1 Type 2 reporting standards in place, which means that an independent auditor has reviewed the company’s procedures and controls over a period of six months or more. Without this standard in place, your firm can’t be sure that the fund administrator is adhering to operational procedures that protect the integrity of your data, including multiple review touchpoints.

The fund administrator you choose should also have a documented disaster recovery and business continuity plan for their technology stack. As the holder of your fund data and documentation, it’s critical that your fund administrator have procedures in place that enable them to continue delivering service under any adverse circumstance. Their technology should be built on a platform that includes a production site, multiple redundant sites, and automatic daily backups.

SSAE NO. 16 SOC 1 TYPE 2 EXAMINATION

The fund administrator should consistently and successfully complete its annual SSAE No. 16 (Statement on Standards for Attestation Engagements), Reporting on Controls at a Service Organization (SOC 1) Type 2 examination, in accordance with the American Institute of Certified Public Accountants (AICPA) guidelines.

The SSAE No. 16 SOC 1 Type 2 Exam provides independent, third-party verification that a service organization’s policies and procedures meet or exceed industry standards. The exam is a comprehensive review of the firm’s procedures and business process controls related to new client set-up and administration, fees and expenses, money movement and IT security.

Achieving SSAE No. 16 SOC 1 Type 2 compliance reaffirms the fund administrator’s ongoing commitment to meet the highest industry standards for security, reliability, and controls in delivering and operating its managed services. The needs and security of your clients and their investors remain your highest priority.

A note on Business Continuity vs. Disaster Recovery

A sports analogy illustrates the differences between business continuity and disaster recovery. If you’re watching a game on television and your audio goes out, you may stream the audio from a mobile device instead. This is an example of business continuity, because you just needed to continue listening to the game. However, you still need to determine why the disruption occurred in the first place and recover from it (fix the television or cable connection); that is disaster recovery. You then need to review your business continuity plan (BCP) and modify it where applicable, to increase television uptime in the future and possibly increase the number of contingency plans.

To learn how PEF Services can help you manage your fund administration outsourcing needs, please contact us at info@pefservices.com