Envestnet | Retirement Services Summary BCP Disclosure 2019


Business Description

Envestnet Retirement Solutions (ERS) is a wholly owned subsidiary of Envestnet, Inc. (NYSE: ENV). ERS' mission is to help enhance holistic financial outcomes for retirement plans and their participants. ERS' advice solutions combine various Recordkeeper data with outside financial data of the participants to provide meaningful, individualized investment insights and advice using a patented advice methodology. Working in partnership with our Recordkeeping partners and Advisors, we create the opportunity to drive a better outcome — a more efficient, cost-effective retirement-plan process, the ability to grow, and the ability to help individuals with their retirement goals.

Building on Envestnet's advanced capabilities, ERS has developed a dedicated retirement platform that leverages Envestnet's technology resources, data integration, and practice management, along with our knowledge in investment research, portfolio construction, investment solutions, managed account services, and fiduciary management, to meet the specialized needs of our stakeholders.

ERS has structured its offerings into 4 verticals as listed below:

  • ERS Practice Advantage™: An Advisor-centric solution that provides a scalable and flexible platform for offering robust retirement plans, with an integrated IPS engine having 130+ investment criteria; an investment screener for funds; a proprietary portfolio evaluation engine; an RFP tool; a document vault; and a reporting module.
  • ERS Compliance Advantage™: A solution for regulatory compliance reporting; data aggregation and delivery; fee benchmarking; etc.
  • ERS Fiduciary Advantage™: ERS’s proprietary solution for delivering 3(21) and 3(38) services.
  • ERS Participant Advantage™: A client-centric solution that offers QDIAs and Managed Accounts - a personalized, customized retirement solution.

Firm Policy

Our firm’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ health, safety, and firm property; making a financial and operational assessment; quickly recovering and resuming operations; protecting all of the firm’s books and records; and allowing our customers to transact business.

Our strategy is to manage an approved corporate-wide Business Continuity Program (BCP) to maintain the policy and standards while providing a comprehensive education and implementation process. The objective is to create, document, test, and maintain departmental business resumption plans in order to recover critical systems and functions. At least annually, Operations departments with critical business processes and Technology departments test their plans to ensure that they are workable, in compliance, and that staff are aware of their roles in a business interruption. A corporate communication and management process exists to ensure critical business processes resume quickly, thereby reducing financial risk.

Annually, we provide a Summary BCP Disclosure statement via our corporate website, or an updated hard-copy version to customers upon request. Our firm creates and documents BCP plans based on the potential risks of disruption to our employees, work space, and/or technology in each of our critical locations. Our firm provides this through resumption plans at the department, location, and enterprise levels.


Significant Business Disruptions

Our plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs disrupt the operations of the securities markets for a number of firms, such as natural disasters; acts of terrorism; cyber-attacks; equipment or system failures; unexpected loss of a critical service provider, facilities, or key personnel; or a wide-scale, regional disruption. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of Clearing Firms for trade execution for many of our clients.

As cybersecurity incidents have the potential to contribute to an SBD, ERS’ Business Continuity and Disaster Recovery planning controls complement the firm’s Information Security practices, which have been standardized on ISO/IEC 27001 under the direction of the firm’s Information Security Officer.


Plan Location and Access

Our firm will maintain copies of its BCP plan for inspection, including the annual reviews and approvals in accordance with our Records Management policy, along with any changes that have been made to it. An electronic copy of our plan is located on the Fusion Risk Management Platform, with historical copies maintained on the Envestnet network shared drive within the Business Continuity directory. Additionally, hard copies are kept in each location and safely at BCP leaders’ homes.


Office Locations

Our parent company’s headquarters is located in Chicago, IL, and our firm, including all subsidiaries, has offices in Boston, MA; Denver, CO; Philadelphia (Berwyn), PA; Raleigh, NC; Redwood City, CA; Sacramento, CA; San Jose, CA; Seattle, WA; Secaucus, NJ; Tucson, AZ; and Worthington, OH. In addition, international locations exist in Bangalore, India; Brisbane, Australia; London, United Kingdom; and Trivandrum, India.

ERS' US-based operations exist in Boston, MA; Chicago, IL; Denver, CO; Philadelphia (Berwyn), PA; San Jose, CA; and Seattle, WA. In addition, an international location exists in Trivandrum, India.


Alternative Physical Location(s) of Employees

ERS does not maintain specific ‘hot site’ recovery facilities for operational fail-over. In the event of an SBD, we will move our staff from affected locations to the relevant predetermined work space failover site, assigned to each employee record within their Department Resumption Plan in our Business Continuity Planning system.

Envestnet’s overall Business Continuity and Disaster Recovery strategies have been designed to complement each other and to address not only the worst-case scenario in the event of a Significant Business Disruption (SBD) but also disruptions of a lesser magnitude.

Envestnet maintains stop-gap measures for business continuity, some of which are outlined below:

  • To address loss of Platform technology, ERS has an established presence in geographically dispersed primary and disaster recovery data center facilities, resulting in the ability to support business out of either facility should one of these locations be compromised by a natural disaster. Both data centers are hardened with redundant HVAC systems, electrical systems with battery backup and diesel generators, and temperature and environmental monitors. Access to the data centers is secured by cameras and card key access with biometric scanners. Both data centers are staffed 24x7x365;
  • To address contingency arrangements for loss of key personnel due to a pandemic or other limited event, Envestnet maintains an Employee Unavailability Plan as a supplemental document to the Firm’s Enterprise, Location-Specific and Departmental Business Resumption Plans. Long-term or permanent arrangements would be made in conjunction with Human Resources Succession Plans;
  • To reduce key man risk, most critical operations departments work in a distributed fashion, meaning that they have multiple locations that perform the same production work. In instances of weather issues or regional disasters, other locations can continue processing, and unaffected Envestnet locations can serve as a relocation point for critical employees should the SBD time frame be extended;
  • All employees are assigned a workplace strategy to be employed in the event of a significant business disruption – work from home; relocate to an alternate Envestnet Facility; on hold; etc. In order to support these strategies:
    • US-based employees currently have or are being issued ERS laptops to support remote work, utilizing secure VPN capabilities and our web-enabled systems to access the custom platforms that support critical business processes;
    • India-based employees have pre-designated individuals who would relocate to an alternate Envestnet facility and utilize either Disaster Recovery Laptops, distributed at the time of the disaster, or VDI interfaces to support work over a secure connection, using our web-enabled systems to access the custom platforms that support critical business processes; and
    • Periodic testing of these strategies is required for critical Operations departments.

Data Backup and Recovery (Hard Copy and Electronic)

As a Registered Investment Adviser, ERS has its own books and records requirements in compliance with Rule 204-2(j) under the Investment Advisers Act of 1940. ERS does not hold the official books and records for its clients; however, ERS can and will assist its clients in the event that they need help pulling documentation from the ERS platform relating to a client’s investment advisory business. Note that an SEC-registered investment adviser is required to keep the following business records and records related to the investment adviser’s fiduciary obligations for a period of no less than five (5) years from the end of the fiscal year during which the last entry was made on such records.

Our firm maintains its backup electronic books and records through strategic partnerships with third parties for our platform technology and backup vendors. The data vaulting / managed backup service and data center providers, which house our primary / production and secondary / disaster recovery sites, are hosted in the United States and do not have direct access to Envestnet data or client PII. Data center providers only provide physical space, security, and environmental controls; Envestnet owns and manages the equipment within its secured cage. Backup vendors only store data on behalf of Envestnet; Envestnet encrypts data before transmission, and vendors do not have access to the encryption keys. We have a defined data protection strategy to cyclically back up our electronic records to meet the recovery time objectives of our various mission-critical systems.

In the event of an internal or external SBD that causes the loss of our paper records, we will access electronic versions of these records in our various systems and Platforms. If our primary site is inoperable, we will continue operations from our backup site or an alternate location. For the loss of electronic records, we will recover the electronic data from our backup records stored in the disaster recovery site, or, if our primary site is inoperable, continue operations from our backup site.


Financial and Operational Assessments

Envestnet’s Risk Management Program considers the entire organization (including subsidiaries) and is designed to achieve shareholder value protection while aligning with risk and corporate governance industry best practices. This is achieved through risk awareness, annual assessments, and reporting to the cross-functional Enterprise Risk Committee (RMC).

The RMC meets formally on a scheduled basis throughout the year as an entire committee to review, assess, and discuss any significant risks or exposure and steps taken to minimize identified risks or exposures. An Enterprise Risk Assessment is performed annually using best practice standards and includes the identification of company risk exposures, qualification of risks, identification of controls, and potential mitigation efforts. The results of the Enterprise Risk Assessments are confidential and cannot be shared with parties external to Envestnet; however, Envestnet can attest the assessments are performed using best practice standards.

Envestnet's Enterprise Risk Management Program maintains a robust ERM framework to ensure:

  • Significant current and emerging risks and opportunities are identified and understood;
  • Appropriate and prudent risk management systems are developed and effectively implemented to manage these risks;
  • Regular reviews are conducted to evaluate the effectiveness of risk mitigation measures; and
  • Reports are produced on a regular basis regarding adherence to policies.

The firm completes an annual Risk Assessment in which potential risks are reviewed and evaluated within the Envestnet environment. Our Business Continuity Plan provides a plan to mitigate or prevent many of these risks, and/or provides steps for dealing with emergencies that will allow critical Envestnet technology, data, and critical departments to be brought back online quickly in the event of a disaster.

The Enterprise Risk Assessment process identifies operational risk and exposure with the goal of eliminating risk wherever possible and preparing for any unavoidable risk. The objective of risk management is to achieve risk avoidance, mitigation, sharing, or retention for each identified operational risk. The risk assessment is the first step in identifying the level of business recovery required and the most appropriate strategy to support those requirements.

Operational Risk

Our firm recognizes that operational risk includes the firm’s ability to maintain communications with customers and to retrieve key activity records through its mission-critical systems. In the event of an SBD, we will immediately identify what means will permit us to communicate with our customers, employees, critical business constituents, critical banks, critical counter-parties, and regulators. Although the effects of an SBD will determine the means of alternative communication, the communications options we will employ include our website, telephone, voicemail, and secure email. In addition, we will retrieve our key activity records as described in the section above, Data Backup and Recovery (Hard Copy and Electronic).

Financial and Credit Risk

In the event of an SBD, we will determine the value and liquidity of our investments and other assets to evaluate our ability to continue to fund our operations and remain in capital compliance. To the extent that we have financing requirements at the time of an SBD, we will request additional financing from our bank or other credit sources in order to remain in compliance with any applicable capital requirements. If we cannot remedy a capital deficiency, we will file appropriate notices with our regulators and immediately take the appropriate steps.


Mission Critical Systems

NOTE: There is a 'Shared Services Agreement' between Envestnet and ERS for office / data center space and certain Shared Services support functions - Legal; Compliance; Business Continuity; Systems; Information Security; Facilities; Finance; and Human Resources.

ERS key applications are those that ensure prompt and accurate reporting of securities holdings and the processing of reconciliation. More specifically, these systems include the custom platforms that support our core business offerings for the ERS Advisor Advantage / Advisor Workstation; ERS Data Integration / Compliance Reporting / Benchmarking; and the ERS Fiduciary Services / Managed Accounts / PMC Offerings. In addition, our mission-critical systems include any corporate applications that support our communication needs surrounding internet, phone, and email.

We have primary responsibility for establishing and maintaining our business relationships with our customers and have sole responsibility for our mission critical functions.

Recovery time objectives provide concrete goals to plan for and test against. They are not, however, hard and fast deadlines that must be met in every emergency situation, and various external factors surrounding a disruption, such as time of day, scope of disruption, and status of critical infrastructure—particularly telecommunications—can affect actual recovery times.

As a part of ERS’ annual review and update of our BCP Program and Plans, ERS performs a Business Impact Analysis (BIA) to account for any changes in our operations, structure, business, or locations. The BIA process is supported through our Business Continuity Management Tool, Fusion Risk Management, and assists the firm in:

  • Building a criticality profile, outlining personnel resource requirements and mitigation strategies;
  • Assessing financial, operational, legal/compliance, reputation, market share, and strategic impacts over several points in time of an SBD;
  • Identifying and prioritizing critical business processes and associated Recovery Time Objectives (RTOs);
  • Providing visibility for upstream and downstream dependencies between critical business processes across the firm;
  • Providing visibility for system and technology resources for both internal systems and external service providers;
  • Identifying key personnel that support processes in either a primary or secondary role;
  • Naming alternate processing facilities where work is processed in a distributed fashion;
  • Outlining dependencies on key documents and vital records; and
  • Identifying critical strategic partners / third-party vendors required to support our business.

Mission Critical Systems Provided by Our Strategic Partners

Our firm relies, by contract, on Strategic Partners to provide data for account aggregation and asset tracking for our participant retirement plans.


Alternate Communications between the Firm and Customers, Employees, and Regulators

Customers

We communicate with our customers using our platform technology, telephone, email, our website, fax, U.S. mail, and in-person visits at our firm or at other locations. In the event of an SBD, we will assess which means of communication are still available to us, and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. For example, if we have communicated with a party by email but the Internet is unavailable, we will call them on the telephone and, where a record is needed, follow up with a paper copy in the U.S. mail.

Employees

We communicate with our employees using the telephone, email, and in person. In the event of an SBD, we will assess which means of communication are still available to us, and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party. We will also employ a call tree and/or our automated notification system, EverBridge, so that senior management can reach all employees quickly during an SBD to provide disruption notification, procedures, and contingency arrangements.

Key Service Providers / Strategic Partners

We communicate with our key service providers / strategic partners using the telephone, email, fax, and U.S. mail. In the event of an SBD, we will assess which means of communication are still available to us, and use the means closest in speed and form (written or oral) to the means that we have used in the past to communicate with the other party.

Regulators

We communicate with our regulators using the telephone, email, fax, and U.S. mail. In the event of an SBD, we will assess which means of communication are still available to us, and use the communication closest to those we have used before the disruption.


Critical Business Constituents and Counter-Parties

ERS has identified dependencies on several key service providers. As a result, ERS works with resources from Envestnet to follow a formalized, risk-based strategy for performing vendor due diligence and oversight. ERS works with the business to identify vendors that support their critical business processes. Envestnet performs due diligence on the vendor and their service offerings at the onset of the relationship. The due diligence review is tailored to the specific service provided by the vendor, and typically includes: information and physical security, regulatory compliance, business continuity, and enterprise risk management.

For vendor onboarding, Envestnet’s Legal department, along with Envestnet’s Information Security Officer, requires that all vendors are subject to strict confidentiality, non-use and non-disclosure restrictions, and that all contracts contain appropriate language to specifically address issues related to Information Security, Data Security, Confidentiality, and Service Level Agreements (as applicable to the specific vendor engagement).

ERS defines ‘outsourced/subcontracted’ work as leveraging a third-party vendor for operational support. ERS does not use outsourced operational support for any of its core functions (e.g., software development, technology support, reconciliation activities, client support, etc.). However, ERS engages in strategic partnerships with several third-party vendors to leverage certain capabilities. These strategic partners do not have access to ERS’ data or client PII, with the exception of Custodians, Clearing Firms, Recordkeepers, and Statement Providers that are used at the direction of our clients.

The following are examples of our strategic partners; a comprehensive list can be made available upon request:

  • Data center providers only provide physical space, security, and environmental controls; Envestnet owns and manages the equipment within our secured cage;
  • Electronic Vaulting / Backup Vendors only store data on behalf of Envestnet; Envestnet encrypts data before transmission, and vendors do not have access to the encryption keys;
  • Shredding vendors are supervised onsite and throughout the shredding process;
  • Data feeds are one-way to Envestnet; and
  • Custodians, Clearing Firms, Record Keepers, and Statement Providers are known directly to our Clients. Clients enter into a tri-party agreement, so the Client has the ability to conduct direct reviews and to approve the relationship. Additionally, Custodians and Record Keepers are regulated and bound by laws and rules related to data security.

Business Constituents

We have contacted our critical business constituents, defined as those businesses with which we have an ongoing commercial relationship in support of our operating activities, such as vendors providing us critical services, and have determined the extent to which we can continue our business relationship with them in light of the internal or external SBD. We will quickly establish alternate arrangements if a business constituent can no longer provide the needed goods or services when we need them because of an SBD affecting them or our firm.


Regulatory Reporting

Our firm is subject to regulation by the SEC. We file reports with our regulators using paper copies through the U.S. mail and electronically using fax, email, and the Internet. In the event of an SBD, we will check with the SEC to determine which means of filing are still available to us and will use the means closest in speed and form (written or oral) to our previous filing method. In the event that we cannot contact our regulators, we will continue to file required reports using the communication means available to us.

SEC Headquarters

100 F Street, NE
Washington, DC 20549
(202) 942-8088
E-mail: help@sec.gov

SEC Chicago Regional Office

175 W. Jackson Boulevard, Suite 900
Chicago, IL 60604
(312) 353-7390
E-mail: chicago@sec.gov


Communications with Law Enforcement / FBI

In the event of a security-related incident which requires assistance from external agencies, Envestnet will communicate with local FBI authorities regarding the nature and extent of the incident.

Below is our contact information for the FBI Chicago Field Office. The Envestnet Information Security Department will coordinate all such communications.

FBI Chicago Field Office

2111 W. Roosevelt Rd
Chicago, IL 60608
Phone: (312) 421-6700
Fax: (312) 829-5732/38
E-mail: chicago@ic.fbi.gov


Testing

Business Continuity tests are completed with critical business resources and BCP Teams at least annually to provide Envestnet Management and our stakeholders with the assurance that the business will successfully recover following a business disruption. Below is an overview of Envestnet BCP Testing:

  • Testing is a major component of the Envestnet Business Continuity Program; tests ensure that plans are repeatable and consistent and that staff are able to fulfill their roles and responsibilities;
  • The test schedule is created annually in Q4 by BCP Teams. Considerations are made for employee participation and preparedness levels along with the current risks and impacts to the business;
  • Success is measured ultimately by achievement of testing objectives;
  • As needed, Business Continuity Plans are updated to account for findings and/or feedback received from test participants; and
  • Quarterly BCP Reports are provided to management for review and action, as well as to clients if requested.

Maintenance

Envestnet reviews plans on an annual basis with all owners to ensure plans are accurately maintained and fit for purpose. At the time of review, business changes and best practices are reviewed and reflected within plans.

Location-specific Business Resumption Plans are reviewed by location-level owners, and Department Business Resumption Plans are reviewed by department-level owners. All Business Continuity Plans are reviewed by the Business Continuity Manager. It is the responsibility of the plan owners to ensure the plans have been reviewed and are accurate and complete.

All Business Continuity Plans are approved by the Chief Compliance Officer and signed off by the Chief Financial Officer, or their designee.


Updates and Annual Review

Our firm will update this plan whenever we have a material change to our operations, structure, business, or locations.


Senior Manager Approval

I have approved this Summary BCP Disclosure as reasonably designed to enable our firm to meet its obligations to customers in the event of a significant business disruption.

By: Babu Sivadasan
Title: Group President, Envestnet | Retirement Solutions
Date: 02/05/2019

*original signature on file in main office