Orchard App, Inc. Business Continuity & Disaster Recovery Plan
This Business Continuity & Disaster Recovery Plan (the “BCP Plan” or “Plan”) applies to Orchard App, Inc. and all of its operating subsidiaries, including, without limitation, Orchard Platform Advisors, LLC, a registered investment advisor (“OPA”), and Orchard Platform Markets, LLC (“OPM”), a registered broker dealer. Orchard App, Inc., together with OPA, OPM, and its other subsidiaries, is referred to collectively as “Orchard” or the “Company”.
1] Background, Definitions, and Preliminary Matters:
Orchard was formed and commenced operations in August 2013. The Company’s current business (as of January 2016) is focused on providing technology, data, and financial products and services in the direct lending or marketplace lending sector. Orchard is not a lender or loan originator; its primary mandate is to provide order management, research, reporting, and analytics services through its registered investment advisor, OPA.
OPM has been formed for the primary purpose of operating an electronic marketplace through an Alternative Trading System (“ATS”) that will enable investors and loan originators to purchase and sell whole loans. In addition to the ATS, OPM is currently approved for private placement transactions, capital introduction/commission sharing arrangements, and whole loan brokerage (manual trades). OPM will not custody customer funds but may facilitate the flow of payment via a designated bank partner, Wells Fargo, on a delivery vs. payment / receipt vs. payment (DVP/RVP) basis for a transaction effected through its marketplace. For clients of OPM whose funds may be flowing through Wells Fargo, in the event of a significant business disruption, customers may contact Wells Fargo for further information.
Orchard is committed to safeguarding employee health and safety, and Company and client property, to the utmost extent and under any situation of threat, emergency, and/or disruption.
The goals of this Plan are to (i) set forth in clear terms a plan for ensuring the safety of all personnel and Company property, (ii) enable rapid financial and operational assessments, (iii) ensure that variable capability exists for incident response, (iv) protect all of the Company’s books and records, (v) allow customers to continue to transact business, and (vi) quickly recover and resume all operations. In the event that Orchard ever determines that it is temporarily unable to continue business, it will work to help ensure that customers have as full and transparent information as is available and prompt access to their funds and assets.
Where not otherwise specified, the terms of this Plan apply to the entire business of Orchard.
“Business Continuity” refers to the activities required to keep Orchard running during a period of displacement, interruption, or disruption of normal operations.
“Disaster Recovery” is the process of rebuilding the operation or infrastructure after the disaster has passed. This Plan is a collection of procedures and information which is developed, compiled, and maintained in readiness for use in the event of an emergency or disaster. Disaster Recovery management is incorporated into this Plan to make it a comprehensive Business Continuity and Disaster Recovery Plan.
Approval and Execution Authority: The Chief Executive Officer of OPM is responsible for approving the Plan and conducting an annual review to ensure its continued accuracy, viability, and usage. Backup and direct support for the Plan and its review will be provided by the BCP Lead Team (see Appendix II, below, for a complete list of members).
Communication of the BCP to employees. Orchard will ensure that all employees who could be potentially affected by a disruption have read and understand this Plan. Employees will be specifically made aware of their relevant roles in its implementation and execution. All employees will be required to participate in tests of the communications and contingency plans herein, including call tree testing and evacuation procedures.
Plan Location and Access: Orchard will maintain copies of this Plan and the changes that have been made to it for inspection and for ongoing access by all staff. An electronic copy of the Plan will be located on the Company’s primary Google Drive in the Orchard Policies folder. A copy of this Plan will also be available with one of our external legal representatives, in Orchard’s offices, and in printed form in the homes of each member of the BCP Lead Team. All employees are made aware of and trained on this Plan as a part of the employee onboarding process.
Modifying and updating this Plan. The BCP Plan will be updated and reviewed on at least an annual basis, more often if needed based on new information and/or changed circumstances. Further, it will be reviewed with all its relevant provisions during the quarterly performance of Orchard’s Risk Control Self-Assessment.
2] Risks and Threats
Orchard’s Enterprise Risk program identifies, defines, and assesses the company’s full range of risks and provides for a robust control framework and a testing and metrics program. Business Continuity and Information Security are both clearly and prominently addressed in this program. Orchard recognizes that it may be faced with several potential threats and risks when its ability to function safely and effectively, and to process client transactions and records satisfactorily, has been disrupted. The possible effects of a disruption to business operations include:
- Lost and foregone income and sales
- Substantially increased expenses, including emergency spending
- Customer defection and dissatisfaction
- Tardiness in service delivery
- Regulatory censure and fines
- Significant delay and inability to commence future business plans
This Plan seeks to address the occurrence of the following types of events, each of which could trigger or exacerbate key risks:
- Major equipment and technology failure, such as open-ended and/or severe telecommunications, systems and network outage or failure
- Sustained disruption of power supply making it infeasible to conduct business
- Application failure or significant corruption of database
- Human error, sabotage or related significant disruption
- Presence or discovery of malicious software (such as viruses, worms, Trojan horses)
- Hacking or other Internet attacks
- Social unrest or terrorist attacks
- Natural disasters, such as floods, earthquakes, and hurricanes, preventing or disrupting access to premises and equipment and otherwise preventing conduct of business
We note that Orchard, including its subsidiary OPM, does not maintain custody of customers’ funds. In the event of the BCP Plan being triggered due to a significant business disruption, customers of OPM utilizing optional partner bank services can contact Wells Fargo at 1-800-956-4442. In the event of a significant business disruption affecting Wells Fargo’s holding of OPM’s Special Account, OPM will rely on the bank’s capability to relocate and safeguard customer funds, or, if necessary, assist OPM in returning the funds to customers, or direct the funds to another suitable account or to the recipient’s account.
3] Response Priorities
The following are the major considerations for Orchard in any BCP situation:
- Safety & health of all employees, including any clients, partners, vendors in premises;
- Ability to quickly rally the teams that will help manage operations and weather the crisis;
- Ability to quickly recover and restore normal operations, with a focus on people welfare, client service, data protection, reputation management, and full resumption of business
Orchard’s headquarters is located at 386 Park Ave S., 3rd floor, New York, NY 10016. Employees travel to that office by various local means of transport, including by foot, bicycle, car, subway, train and bus.
Orchard does not believe that an event that would require most or all of its employees to work from their personal residences or from alternate locations, as defined below, would pose a material challenge to the continuity of its business, access to clients, and/or communication amongst its employees, because:
- the Company’s technology-driven operations, strong technology, and flexible work strategy already actively include a business-as-usual practice of employees working from their homes on the Company’s cloud-based systems;
- the Company extensively uses cloud-based services and storage, principally provided by globally known and resilient firms, such as Google, Amazon, and their subsidiaries; and
- the Company’s VOIP phone services can be easily re-routed via the internet to any US location.
- Orchard has determined and confirmed remote operational abilities for its staff, including those who may not be able to do so because of space, internet connectivity limitations, or other constraints. Orchard provides employees with the necessary resources for telecommuting. It is also noted that Orchard’s Information Security Policy clearly encompasses and focuses on controls over any data security risks that arise from such remote access and telecommuting, even in business-as-usual circumstances.
- In the event of a significant business disruption, any member of the BCP Lead Team (as defined in Personnel, below) may make a decision to relocate or divert Orchard staff to their own homes or one or more of the homes of the Company’s principals; such locations are equipped with remote access to mission critical systems in accordance with Orchard’s Information Security program.
- Any member of the BCP Lead Team may also designate an alternate location (such as a hotel, an executive’s home, or a partner’s office) as Orchard’s operational command center, from which mission critical systems can be brought on-line and the business of the Company may be continued.
- During the annual review of the BCP Plan, and as feasible during its quarterly Risk Control Self Assessment (RCSA), the BCP Lead Team will reconsider and determine site locations and relocation plans for contingency. This may include determining the amount of space required for emergency relocation and identifying a means of securing short-term space with the appropriate equipment and technology fit for emergency relocation and conduct of business.
Following the significant threat of occurrence, or the actual occurrence, of an event that disrupts normal business operation, Orchard will quickly mobilize Key Personnel (as defined below) to successfully execute Business Continuity protocols pursuant to this Plan. “Key Personnel” means those employees who fill positions without which the business absolutely cannot function, supplemented by those employees who have designated roles that will enable disruption-management and speedy recovery. By definition, this team is as large as is necessary, but as small as possible to enable it to gather, coordinate, and manage across all maintenance, business-continuity, and recovery efforts. The composition of this team is described below.
- Orchard’s mission-critical company functions and Key Personnel include its “BCP Lead Team” (consisting of the Chief Executive Officer of Orchard, Chief Compliance Officer of OPM, Chief Compliance Officer of OPA, Chief Technology Officer of Orchard, Legal Counsel of Orchard, Director of Human Resources of Orchard, Chief Financial Officer, and Director of Operations of Orchard) as well as a core operating team drawn from its Engineering, Client Services and Operations areas (referred to as the “Core Team”). This hierarchy is based on operational importance and does not reflect either the seniority of individual staff working at Orchard, or the relative importance of a given team member’s functions in a business-as-usual situation.
- Appendix II contains the list of ALL employees of Orchard as of the effective date of this Plan, along with their contact details, and highlighting named individuals who currently form the Core Team and/or the BCP Lead Team. This list is drawn up with inputs from all managers and department heads to determine which personnel functions must be re-established immediately, which ones could be phased in over time, and which ones could be excluded in a crisis. In the event that business operations cannot continue at the regular location, telecommuting from home is a great way for employees to continue doing work as usual. Orchard employees’ ability to function satisfactorily, even when away from the office, will mean that most delays or issues in workflow-as-usual can be avoided. At this time every Orchard employee and function has the ability to telecommute if necessary.
- Appendix III contains a special contact list for personnel and firms external to Orchard that includes a description of the company (or individual) and any other critical information about them, including contact information. Included in this list are emergency contacts of attorneys, bankers, IT and other consultants, i.e., virtually anyone that the BCP Lead Team might need to call upon to assist with core operational issues. The list also includes utility companies and municipal/community/agencies such as police, fire, water, hospitals, FEMA, OSHA, the SEC, and FINRA.
iii. Equipment and data
Orchard documents all current computer data backup methods and frequencies, including its Information Security, Change Management, Vendor Management, and Model Control/Client Management policies and procedures.
Mission-critical items and information are specifically designated as those that are vital to company operations, those that would be required in the event of a disaster emergency, and those required to ensure that the funds the Company advises operate as smoothly as possible. These systems include Google Drives, AWS (Amazon’s Web Services business), OnePass, Quick Books, Bill.com, eshares, servers, phone systems, and client and Company data.
Recovery-time objectives provide concrete goals to plan for and test against. They are not, however, hard and fast deadlines that must be met in every emergency situation, and various external factors surrounding a disruption – such as time of day, scope of disruption and status of critical infrastructure, particularly telecommunications – can affect actual recovery times. Recovery refers to the restoration of all business and client activities after a wide-scale disruption; resumption refers to the capacity to accept and process new transactions and reports after a wide-scale disruption. In all cases, Orchard App, Inc. will exercise its best efforts in resuming normal business operations as quickly as possible in accordance with its aforementioned response priorities.
Orchard App, Inc. maintains electronic copies of all critical information related to customers at the Company’s office on secured cloud-based services and storage, principally provided by Google and/or its subsidiaries. Google services include redundant storage at multiple physical locations and data centers (see https://cloud.google.com/products/cloud-storage/).
Current Google data storage centers include South Carolina, Iowa, Georgia, Oklahoma, North Carolina, and Oregon (see http://www.google.com/about/datacenters/inside/locations/index.html). All email is catalogued and searchable through Google Vault via the Internet for authorized Company individuals.
In the event of an internal or external SBD that causes the loss of electronic records, Orchard will either physically recover the on-site storage media or electronically recover data from cloud-based backups. Logs from systems (trading systems) are written nightly to Amazon S3 servers, which are replicated across multiple locations. 30 days of screenshots are kept active, and thereafter archived in Amazon S3 Glacier. It can take 3-5 hours to access archived screenshots. For internal databases, snapshots are taken nightly and stored on the Amazon S3 servers, replicated across multiple locations. They are not archived but are continuously backed up on a rolling basis.
Orchard’s principal forms of electronic communications, including Google Mail and Slack instant messaging service, are stored in a manner consistent with FINRA Rule 17-a4 by an external vendor, Global Relay.
On-site business computers may nevertheless contain critical information that the firm and its employees must be able to access even when working off-site. A current list of critical equipment/data is maintained in Appendix IV, for quick and secure access in the event of a disruption. This will include any software that might be considered critical equipment, especially if it is specialized software or if it cannot be replaced. Orchard also uses an external, secure password service to manage a set of backup passwords.
Financial and Credit Risk will be assessed in the event of a significant business disruption, wherein Orchard will determine the value and liquidity of its cash, investments and other assets to evaluate its ability to continue to fund its operations and remain in capital compliance. Orchard will contact its bank partner (Wells Fargo) and investors as necessary to apprise them of Orchard’s financial status. If Orchard determines that it may be unable to meet its obligations to those counter-parties or otherwise continue to fund its operations, Orchard will request financing from its bank or other credit sources to fulfill its obligations to its customers and clients. If Orchard cannot remedy a capital deficiency, it will file appropriate notices with its regulators and immediately take all appropriate steps to mitigate the exposure.
In the event of an SBD, Orchard App, Inc. will determine the value and liquidity of investments and other assets to evaluate its ability to continue to fund its operations and remain in capital compliance. Orchard App, Inc. will contact its custodial bank, and investors to apprise them of the financial status. If Orchard App, Inc. determines that it may be unable to meet its obligations to those counter-parties or otherwise continue to fund its operations, Orchard will request financing from its bank or other credit sources to fulfill its obligations to its customers and clients. If Orchard cannot remedy a capital deficiency, it will file appropriate notices with its regulators and immediately take all appropriate steps to mitigate the exposure.
Orchard App, Inc.’s fidelity bond is with Federal Insurance Company (a Chubb Company) with a bond number of 82413185. Orchard App, Inc. has Professional Liability policies with Starr Surplus Lines Insurance Company: Investment Advisor D&O and E&O, policy numbered SLSLFNL22044116; Speciality Professional Liability (Technology E&O), policy numbered SLSLPRO26255716.
Appendix IV includes all the above referenced items in this section, and has:
- A complete inventory of mission-critical systems and data. This information may be supplemented from time to time with specific inputs of Orchard App, Inc.’s vendors or other service providers. It is noted, though, that given the nature of the company’s technology, a significant portion of the equipment needs only relate to the ability to remotely access the basic systems and networks, to the extent they are reachable.
- A list of any software that might be considered critical equipment, especially if it is specialized software or if it cannot be replaced, and the location of its back-up copies.
Orchard maintains authoritative copies of all documents vital to the Company – wherever feasible, these documents are stored electronically and backed-up in the case of a need for recreation. Orchard will also adhere to best-practice procedures to mitigate potential loss of documents, and, of course, consider paperless solutions, including scanning and cloud-based storage. Wherever paper-based documents are mandatory (which may include files, contracts, reports and financial data), Orchard will follow scanning and electronic storage. The company will determine appropriate items for off-site storage as necessary, apart from electronic copies, which could include:
- articles of incorporation and other legal papers
- copies of insurance policies
- building lease papers
- contracts
- letterhead
- business checks
- employee contact names and numbers, and
- client, partner, and provider lists of names and numbers
In the event of a Business Continuity situation, Orchard will immediately trigger all available means to communicate with its employees, customers, critical business constituents, counterparties, and regulators. The Personnel lists in Appendix I & II, and the External Contacts List in Appendix III and V, provide all access details. While the effects of the specific disruption may dictate and determine the actual means and timeline of communication, the options employed will include telephone, voicemail, text messaging, the company website, email, Google Hangout, and third party communication channels (i.e. Slack). In addition, key activity records, equipment, and documents will be retrieved and accessed as described above.
OPA is currently a registered investment advisor regulated by the SEC and applicable states. OPA communicates regularly with its regulators using the telephone, email, Internet, and U.S. mail. In the event of a significant business disruption, OPA will assess the means of communication still available to it and use the means closest in speed and form (written or oral) to the means it has used in the past to communicate with the appropriate regulatory bodies. In the event that OPA cannot contact its regulators, it will continue to file required reports using the communication means available to it.
OPM is currently an SEC registered broker dealer and FINRA member. OPM is also registered in applicable states/jurisdictions where it currently conducts securities business. OPM communicates with its regulators using the telephone, email, Internet, and U.S. mail. In the event of a significant business disruption, OPM will assess the means of communication still available to it and use the means closest in speed and form (written or oral) to the means it has used in the past to communicate with the appropriate regulatory bodies. In the event that OPM cannot contact its regulators, it will continue to file required reports using the communication means available to it.
Contacts for the primary SROs are as follows:
FINRA District 10
200 Liberty Street
FINRA Regulatory Coordinator Contact Information:
One World Financial Center
New York, NY 10281
Risk Oversight & Operational Regulation
200 Liberty Street
New York, NY 10281
NY Regional SEC Office:
200 Vesey Street, Suite 400
New York, NY 10281-1022
Andrew Calamari, Regional Director
NY State Office of the Attorney General- Investor Protection Bureau
New York City, NY
(212) 416-8222 (p)
(212) 416-8816 (f)
4] Testing the BCP Plan
The objective of a testing program is to ensure that the BCP Plan remains accurate, relevant, and operable under adverse conditions. The most successful Business Continuity and Disaster Recovery plan and strategy is one that will never be implemented; hence, risk avoidance is a critical element and focus of this Plan. It is vital therefore to test the plan and its components periodically to include a “reality-check”, to ensure that its provisions are still correct, and that the stored contacts and emergency information are current. Testing should include applications and business functions, but the scope of individual tests can be gradually expanded to eventually encompass enterprise-wide testing, including vendors and key market participants.
Achieving the following objectives provides progressive levels of assurance and confidence in the Orchard BCP Plan. At a minimum, a clear and practical approach to testing should:
- Not jeopardize normal business operations;
- Gradually increase the complexity, level of participation, and functions involved;
- Demonstrate a variety of management and response proficiencies, under simulated crisis conditions, progressively involving more resources and participants;
- Uncover inadequacies, so that configurations and procedures can be corrected; and
- Consider deviating from the test script to interject unplanned events, such as the loss of key individuals or services.
VALIDATION OF ASSUMPTIONS:
Plan assumptions requiring validation during testing include:
- Criticality of services;
- Volume of transactions;
- Interrelationships among business functions;
- Selecting the business continuity planning strategy related to use of facilities and outages;
- Availability and adequacy of resources required to provide the planned service level, such as the time required to establish facilities, obtain back-up files, or reconstruct documents; and
- All documented data and lists in the BCP should be checked for accuracy on a quarterly basis as a part of the RCSA process.
COMPLETENESS OF PROCEDURES:
Test procedures should be checked to make sure they include:
- Emergency response procedures, including escalation and notification processes;
- Any detail on alternate processing procedures, including procedures at an alternate site; and
- Any detail on full recovery procedures, including returning to normal processing.
Given Orchard’s technology-driven operations and easy ability to operate on a remote basis, simple testing methods are appropriate and sufficient for most of its needs.
- Orientation for all employees: This will include mandatory distribution of the BCP Plan document as a part of employee onboarding, discussion about the BCP in an All-Hands group setting, individual and team training as required, and clarification and highlighting of critical plan elements.
- Call-Tree Testing: as detailed in Appendix II
- Reviewing the BCP Plan in detail during quarterly Risk Control Self Assessment. This will include:
- An assessment of whether the test objectives were completed;
- Assessment of risks related to Business Continuity, against any known/new threats;
- Re-rating the risk from viewpoint of likelihood of occurrence and severity; and
- Assessment of whether Controls are working, and Policy is being followed.
- Proposed modifications to the BCP; and
- Recommendations for future testing
BCP Senior Management Team Approval
I have approved this Plan as reasonably designed to enable Orchard to meet its regulatory requirements and obligations to customers in the event of a significant business disruption.
Orchard Platform Advisors, LLC Chief Compliance Officer
Orchard Platform Markets, LLC, Chief Compliance Officer
Orchard Platform Markets, LLC Chief Executive Officer
Director of Operations, Orchard App, Inc.
Chief Executive Officer, Orchard App, Inc.
Upon request and approval by any member of the BCP Senior Management Team, the enclosed Appendices can be sent to firms requiring further information.
Appendix I – List of ALL Orchard Personnel with contact details as of February 2017
Appendix II – Orchard Call-Tree, including BCP Lead and Core Teams, and call sequence
Appendix III – Orchard External Contact List
Appendix IV – Orchard Mission-Critical systems and Data
Appendix V – Orchard Key Client Contacts
Appendix I: Personnel List
Please see the master list of personnel and contact details here.
Appendix II: Orchard BCP Lead Team, Core Team, and Call-Tree
In the case of a BCP triggered event, the call tree hosted in the BCP Call Tree document will be used. Within the BCP Call Tree, the Core Team and Lead Team members are specifically noted and kept updated.
Appendix III: Third-Party Contacts
Please see the master list of third party contacts and their contact information here.
Appendix IV – Orchard Mission-Critical systems, data, equipment
Please see the master list of Orchard Mission-critical systems, data, and equipment here.
Appendix V: Critical Client List
Orchard has multiple clients which are deemed “critical” given the nature of their business with Orchard, impact on revenue, or the potential for reputational risk. A list of these clients, as well as their contact details, is kept in the master client contact tracker.