Citi Institutional Clients Group - Business Continuity Management


1 Citi Institutional Clients Group - Business Continuity Management
Enterprise Risk Management
Establishing a Risk Control-based Continuity Program, CBCP, CBCP
Senior Vice President, Citi Institutional Clients Group
Adam.Levison@citi.com

2 Goals
- Distinguish Compliance vs. Risk Control
  - Stakeholder Drivers
  - Objectives and Outcome
- Provide methods to establish a Program Certification/Attestation Model
- Transform from Business Continuity to Independent Risk Control Utility
- Provide methods to implement an Independent Utility Risk Control Model
  - Governance
  - Plan Review (BIA, Plan, Crisis Management)
  - Testing (Validation)
- Typical risk control findings from a Fully Compliant program
- Provide tangible how-tos to bring back and apply to your program

3 Compliance vs. Risk Control: Stakeholder Drivers

Program Compliance
- Business Recovery Coordinator
  - Track business progress against milestones
  - Attest to business completion and compliance
- Risk Control (Ops Risk/Audit)
  - Determine key issues from geographical, business and discipline perspectives
  - Develop risk trends on issues and noncompliance
  - Track business progress towards completing BCM milestones
  - Ascertain overall program health by measuring policy compliance
- Management
  - Track business progress towards completing BCM milestones
  - Respond to deficiencies or missing progress
  - Compare standing versus geographic and business peers

Deficiency Management and Risk Mitigation
- Business Recovery Coordinator
  - Analyze deficiency root cause so appropriate corrective action can be taken
  - Prioritize based on risk exposure and track issue resolution
- Risk Control (Ops Risk/Audit)
  - Analyze deficiency root cause so appropriate corrective action can be taken
  - Develop risk trends on issues and noncompliance
  - Track business progress towards resolving program compliance and risk control issues
  - Ascertain overall program health by measuring the level of risk control and compliance issues
- Management
  - Track business progress towards resolving program compliance and risk control issues
  - Compare standing versus geographic and business peers

4 Foundation and Framework

Foundation: program source and core
- Publish Policy, mandates, standards
- Align to in-country regulations and industry best practice; support firm objectives
- Avoid loopholes that can crack your foundation (aka program)

Framework: the program structure
- Implementation: how to achieve compliance
- Expectations: minimum requirements
- Span of control: areas involved, exceptions
- Inspection: ensure adherence

Implementation
- Clearly communicate mandates and expectations for all businesses
- Establish a steady pace to update and maintain planning milestones

Ensuring Compliance and Risk Control
- Cyclical checkpoints to affirm compliance
- Business certification
- Independent validation and verification

5 Distinguishing between Compliance and Risk Control

Business Impact Analysis (BIA)
- Compliance: Loss Impacts; RTO/RPO; Process Prioritization
- Risk Issues: The business may not be aware of all risks and their corresponding impact on its processes in the event of a disaster.

Crisis/Incident Management Plan (CMP)
- Compliance: Response and Decision Protocols; Key Contacts; Escalation
- Risk Issues: The plan may not be viable and ready to be executed, which may impact the ability to resume and/or sustain business-as-usual processes.

Business Recovery Plan (BRP)
- Compliance: Strategy; Workarea Requirements; Staffing; Impact Mitigation
- Risk Issues: The plan may be insufficient to minimize financial losses, continue to serve stakeholders, and mitigate the negative effects of the disruption.

Governance
- Compliance: Having responsible owners and maintainers of the program
- Risk Issues: Production and recovery planning may fall out of sync, resulting in a breakdown in the ability to recover.

Testing
- Compliance: Execution of plan strategies and protocols to validate mitigation of the impacts noted in the BIA.
- Risk Issues: Untested strategies leave theories unproven and forgo the discovery of gaps and of more effective methods to recover.

6 Program Compliance Certification Defined
- Provides evidence as to the effectiveness of continuity planning programs, which include risk assessment, business impact analysis, planning, containment and recovery strategies, testing, training and awareness, compliance, independent review and governance.
- Business certifies and takes ownership of its program
- Forces management action on deficiencies through corrective action plans or risk acceptances
- Raises the exposure level of the program
- Supports regulatory and audit requirements
- Benchmarks business standing
- Improvement/deterioration trending

7 Program Certification Process
- Create an attestation-type questionnaire that addresses each policy mandate to certify
  - Yes: business completed to the letter of the policy
  - No: business is not in compliance
- Supporting evidence
  - Yes: where can evidence be found (centralized planning system, shared drive, etc.)
  - No: What is the gap? What is the resolution? When will the resolution be implemented?
- Business Manager approves the compliance attestation standing, thus certifying the compliance results and committing to resolve any deficiencies

8 Transform from Continuity to Independent Risk Control

Limitations of relying solely on Program Certification
- Check-the-box mentality
- Risk taking / rounding up
- Creation of an artificial ceiling on program improvement and maturity

Continuity Program transforms into a Centralized Independent Risk Control Utility
- Align the program to an Audit style with continuity subject matter expertise
- Become a service organization by
  - Validating compliance certification
  - Identifying gaps and partnering to resolve them
  - Injecting risk control into a policy-compliant program
- Position your program to operate horizontally across the firm's organization

9 Creating and Conducting an Independent Review

Objective
- Evaluate plans to assess the comprehensiveness, usability and quality of the documents
- Establish a benchmark for what to correct prior to an official audit
- Assist the business to identify and correct audit or compliance deficiencies

Implementation
- Identify and prioritize plans to be reviewed by Risk/Criticality rating
  - High-rated: annually
  - Medium/Low-rated: alternating on a bi-annual cycle
- Evaluate each plan by
  - Answering each question with a rating of compliant, not compliant, or compliant with risk issue
  - Documenting limitations or issues
  - Providing recommended corrective actions

Tools and Reference Material to assist in review
- Firm Policy and Standards
- Regulatory guidelines
- Audit program guidelines and requirements

10 Establish Independent Risk Control Test
- Create a checklist that focuses on core program remits:
  - Governance (Roles and Responsibilities)
  - Assessment (Identification and prioritization of processes, BIA)
  - Crisis Management (Escalation; Staffing; Notification)
  - Business Continuity Plan Requirements (Protocols, Procedures, Vital Records, Workarea Requirements)
  - Validation (Call Tree, Business Continuity, Training exercises)
  - Compliance (Audits, Certifications, Disclosures)

11 Validating Governance

Objective: To validate that a business has
- An owner (e.g. Business Unit Head) who is accountable for the continuity of the business in scope.
- An implementer (e.g. Business Recovery Coordinator) who is responsible for developing and maintaining recovery plan components and requirements.

Risk Control
- Establish the necessary framework, roles, responsibilities and backup positions for the effective administration of the CoB program.
- Ensure adequate management, ownership and accountability of the business' continuity program.

Evaluation Findings
- Challenge the understanding and training of the members who occupy roles.
- Are the Business Heads truly accountable for the day-to-day business?
- Does proper succession planning exist?

12 Validating Business Assessment

Objective
- Identify, evaluate and prioritize the functions necessary to continue operations during a contingency.
- Determine whether the prioritization, RTO, RPO, and criticality ratings of business processes adequately reflect the current business environment.
- Set proper direction on recovery strategy development and implementation.

Risk Control
- Business processes are captured at the appropriate level.
- Assigned RTOs are justified by the quantitative and qualitative impacts.

Evaluation Findings
- Policy typically requires processes to have an RTO. Independent reviews challenge and validate RTOs and impacts so that appropriate strategies are formulated.

13 Validating Recovery Plan

Objective
- Validate the plan's adequacy, effectiveness, and quality by ensuring all BIA objectives and requirements are addressed in the plan strategy.

Risk Control: determine whether the plan
- Addresses the recovery of key processes and sub-processes according to their criticality ratings.
- Has a strategy that sustains the minimum RTO identified in the BIA and includes the protocols necessary to recover functions that support business interdependencies.
- Considers dependencies on processes that are external to the business, whether they are internal to the company or provided by vendors or other 3rd parties.
- Provides manual workarounds to be used as appropriate when systems and technology backups are not available.

Evaluation Findings
- Policy typically requires a strategy and the basic requirements to support it. Risk control fine-tunes the plan to focus on cost-effective solutions, close loopholes in the supply chain, and establish SLAs where handshake agreements may expose the business during a crisis.

14 Validating Crisis/Incident Response Plan

Objective
- Identify whether protocols and roles are appropriate and effective to allow a business to respond, react, and mitigate.

Risk Control
- An ineffective response to a crisis event can delay invocation and put critical RTOs in jeopardy of not being met.
- Clear protocols and decision-making checklists facilitate a quicker response during an incident.

Evaluation Findings
- Ensure crisis teams are not only filled, but filled with the right staff and backups.
- Apply what's on paper to local risk.
- Findings can be vetted during tabletop exercises.

15 Validating Recovery Exercise Process

Objective
- Validate the adequacy and effectiveness of how the businesses test their recovery capabilities, and ensure recovery capabilities are sufficient to mitigate risk.

Risk Control verifies that
- The plan is tested to ensure the business process is functional in all aspects.
- Test results indicate whether testing objectives and success criteria have been met.
- Application testing at an alternative location includes network connectivity and other critical data feed mechanisms (e.g., connections and interfaces).
- Tests are performed using the actual production data.
- The status of corrective action plan(s) developed to address problems encountered during the tests is tracked.
- The plan properly supports and reflects the goals, SLAs and priorities of the business unit.

Evaluation Findings
- Structure of call trees (linear or cascade)
- Recovery tests rigged for success that do not challenge realistic situations
- Testing capacity

16 Typical Findings from a Compliant Program

General Findings
- Plans are not reader-friendly and lack logical flow.
- Most plans are too long to be of value.
- Key items such as assembly points, the location of the recovery site and directions to the recovery site are difficult to find.

Assessment
- Limited documentation that a threat and vulnerability assessment was conducted.
- Plan criticality is inconsistent in both the process requirements and the impacts.

Strategy
- Critical information such as evacuation procedures is not documented.
- Holes in recovery requirements.

Plan Requirements
- Many of the notification and communication procedures are missing vital information.
- Limited logistical protocols (e.g. directions to the recovery site; expense management, etc.)
- Most strategies did not contain resumption-to-BAU procedures.
- Lack of documentation around disclosures.

Testing
- Call tree implementation structure

17 Recap and Considerations
- Establish a baseline for Policy, Mandates, Standards
- Force businesses to certify their Program Compliance standing
- Transform the Continuity Program into an Independent Risk Control Utility
  - Validate certification
  - Partner with the business to address risk control issues
  - Separate black/white policy compliance from program quality, effectiveness, and adequacy
  - Expose and remediate Audit's typical touch points on the business's behalf
- Create a closed-loop Compliance and Risk Control system
  - Risk Control validation exposes check-the-box compliance certifications
- Reap the benefits
  - Achieve true business compliance
  - Address key risks through corrective actions or management acceptance
  - Have Audit place reliance on your program to centralize continuity reviews
  - Raise the program maturity level
  - Achieve effective, executable and validated recovery plans and strategies
  - Go beyond check-the-box

18 In Closing