US Business Continuity Safeguarding Your Business from a Disaster

Transcription

1 US Business Continuity Safeguarding Your Business from a Disaster Juanita Hardin BMO Harris Bank Head TPS Risk and Compliance William Simmons BMO Harris Bank Vice President Business Continuity Management

2 Questions? HOW DO YOU PROTECT OUR BUSINESS? 2

3 What IS Business Continuity Planning? A Business Continuity Plan (BCP) is a documented plan which defines the actions, resources and data required to ensure the continuity of the Business Unit s processes in the event of a business disruption. The BCP should be an integral part of your business continuity risk management strategy. BCP addresses the whole business continuity management process from risk & business impact analysis through strategy & plan development to implementation, testing and ongoing change control. At BMO, our program consists of four parts; Business Continuity Planning, Event Management, Life Safety and Quality Assurance 3

4 Regulatory Guidance FFIEC: Business Continuity Planning Booklet (2008) Applies to the US banks and their service providers The FFIEC is responsible for establishing standards to which financial institutions are held. The 2008 version focused on the role of the board and senior management; the addition of pandemic planning, a push toward risk management integration, the emphasis of proactive risk mitigation, and the overall attempt to eliminate ambiguity. This is a mandatory regulatory requirement. Key regulatory agencies and councils overseeing our business continuity efforts include: Federal Financial Institutions Examination Council (FFIEC) Office of the Comptroller of the Currency (OCC) Federal Reserve Bank (FRB) Securities Exchange Commission (SEC) Financial Industry, Regulatory Authority (FINRA) State agencies and other industry associations Office of the Superintendent of Financial Institutions (OSFI) is our primary Canadian Regulatory Office UPDATE: In February 2015, the FFIEC released a new appendix to the Business Continuity Planning booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services highlights that a financial institution s reliance on third-party service providers to perform or support critical operations does not relieve a financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. 4

5 Framework & Governance Lines of Business / Operating Group Employees are responsible for being familiar with their BCPs overall strategy and any items which pertain to them and adhering to the US BCM Mandate & Corporate Standard. The US BCM Program Office has a mandate and is responsible to satisfy US jurisdictional requirements through the implementation, maintenance and management of the BCM Program for BMO Financial Corp. US BCM 1B EBCM is part of the second line of defense. The CSA has responsibility for Governance and Methodology of the BCM Framework, its execution and its analysis. EBCM 2 nd Line Audit helps our organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Audit 3 rd Line Business Units 1 st Line The Business Continuity Management framework consists of processes, structures, controls and IT systems, managing Business Continuity Risk. It is maintained at an enterprise level and is aligned with the principles and requirements contained in the Operational Risk Corporate Policy, Guidelines and other published guidance. 5

6 Business Continuity Program Office Program Overview BCM includes both Business Continuity Planning and Event Management. These processes provide a framework for building Resilience and the capability for an effective response safeguarding the interests of our key stakeholders, reputation, brand and value creating activities. BCP Training Ongoing executive and employee training is supported by monthly BCM forums which allow business continuity coordinators to keep abreast of ongoing business continuity issues, table-top exercises, facilitated information presentations, and online annual educational materials. BCP BCM Project Managers assist the coordinators on the various items to maintain within the Sustainable Planner BCP tools; including Business Impact Analysis, Risk Assessment, recovery planning and overall quality assurance. Testing An established framework that facilitates the rapid recovery of critical operations following any disruption to business as designated by LOB and Strategic Sourcing. This framework is exercised bi-annually to ensure continuity plan robustness and technologies Maximum Tolerable Outage (MTO)/Recovery Point Objective (RPO). Also includes 3 rd party and vendor testing. Quality Assurance (QA) Conducts a Quality Assurance (QA) review is to ensure an independent assessment of the BIA, Risk Assessment and BCP and to validate its effectiveness and completeness. 6

7 The importance our organization places on our ability to respond to natural, technological, and human events (i.e. work place violence, protests and security breaches) is critical to our survival. BCM (Business Continuity Management) is a plan, a team and a process that companies use to protect themselves from financial loss, and an Incident Response Plan is a major part of BCM planning. Crisis Management 7

8 Event Management Framework: US Response & Status Team 1:Oversight Corporate Audit Enterprise Risk & Portfolio Management Compliance 2:Governance U.S. BCM Governance Committee U.S. BCM Program Office 3:US Corporate Services Overall Bank Recovery USRST US Corporate Services Operational Management Audit Human Resources Real Estate Finance Legal Corporate Communications Security 5:Technology & Operations Technology & Development Enterprise Infrastructure Operations 4:Business Operation Groups BMO Capital Markets US P&C Retail US P&C Commercial

9 Event Management Framework: Incident Response Team FEI Behavioral Health Staffs the Crisis Call Center and tracks incoming reports from employees and first responders Corporate Real Estate Assesses short and long term damage assessments, and availability of building and works to find alternate locations and equipment Corporate Communications Reviews, approves and responds to immediate external media inquires and arranges all internal communications Corporate Security (I&SS) Utilizes internal and external resources to determine the security requirements and to provide physical security to the affected and alternate sites. Human Resources Manages all employee-related communication and Corporate policy and standard issues Business Representatives Represents the business units impacted by the event and manages the on-site personal\messages The Business Continuity Program Office provides the facilitation of the IRT event calls and assists in the impact efforts. It may evoke a dashboard to record strategy decisions and aid in the communication to executives, USRST, ERST and regulatory agencies. 9

10 The Life Safety & Accounting for People process is crucial to the safety of employees following an evacuation. Assigning the Emergency Team roles, along with knowing and practicing the Accounting for People process, will ensure that missing people are quickly identified and reported to the local authorities. Life Safety 10

11 Accounting for People The Accounting for People process is trained on at least an annual bases via evacuation drills and classroom style instruction. The U.S. Business Continuity Office maintains the training and partners with the life safety teams, building landlords and facility offices to ensure maximum exposure to employees. Floor Captains Accounting for People Coordinator Searchers Accounting for People Team Leader Stairwell \ Elevator Monitors Accounting for People Team Member BMO FC Emergency Hotline XXX-XXX-XXXX XXX-XXX-XXXX Crisis Call Center 11

12 Other Life Safety Initiatives AED\CPR We manage 115 units across 41 sites across the U.S and sponsor AED/CPR certification for all U.S. sites via 3 rd party vendor. Shelter-in-Place Severe weather Extreme temperatures Public disturbance Environmental dangers Explosions or man-made dangers Active Shooter Emergency Mass Notification The Everbridge Mass Notification system is used to contact the IRT, USRST, and LOB personnel quickly and conveniently via Cell, , and Land Lines. Employee Emergency Handbooks The U.S. BCM Office maintains and publishes unique site specific handbooks that address guidelines to assist in the management of localized emergencies (i.e. medical, weather) that may disrupt business. 12

13 Business Continuity Planning aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses during and after business interruptions by applying the BIA / RA and mitigation to the business applications and processes. Business Continuity Planning, and regular BCP updates, are required of all Business Units on an annual basis and/or following significant changes. BC Planning 13

14 Sustainable Planner Sustainable Planner (SP) is the enterprise-wide BCM software-based tool maintained by BCM and used across the business in determining and documenting all business unit planning activities. Coordinators are required to store all business continuity-related documentation in SP. This includes supporting documentation, QA Approvals and Executive Approvals. Business Impact Analysis Assessment of how uncontrolled, non-specific events could impact the business; and prioritization of business functions and processes that must be recovered in the event of service disruptions. Risk Assessment The RA assesses the severity and likelihood of events specific to the Business Unit and prioritizes potential business disruptions based on the impact to operations and the likelihood of occurrence. Business Continuity Plan Aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses, during and after business interruptions. Executive Approvals BCP sign off must be obtained after plan completion, annual updates and whenever plans are revised due to significant changes. Executive Approval must follow completion of successful QA review 14

15 Coordinator: Roles and Responsibilities Coordinator Overview A coordinator directs the development of Business Continuity plans and procedures, and provides regular status updates to senior management, executives and the BCM Office. Administration Facilitate the gathering and organization of all the elements for the BIA\Risk\BCP in the sustainable Planner tool from the appropriate stakeholders. Coordinate electronic access to, and hard copy distribution of, the Business Continuity plans and procedures. Protect the confidentiality, integrity and availability of the Business Continuity plans and procedures. Training and Awareness Ensure all personnel with specific Business Continuity responsibilities are adequately trained to fulfill those responsibilities. Testing and Exercising Plan and coordinate testing elements involving all critical business units, personnel, and recovery locations. Document the results of all tests and exercises, and identify any recommended enhancements to the Business Continuity plans and procedures. Reporting Ensure that all records, documents and testing data are accurately accounted for within Sustainable Planner and reported to senior management, executives, and business continuity departments. 15

16 Stakeholders: Crowd Sourcing US Management Committee Federal Financial Institutions Examination Council (FFIEC) Office of the Comptroller of the Currency (OCC) Management Executive Senior Manager Line of Business Federal Reserve Bank (FRB) Securities Exchange Commission (SEC) Financial Industry Regulatory Authority (FINRA) Regulatory Subject Matter Experts Technology Business Continuity Office Clients Suppliers What is expected of Business Continuity Coordinators is NOT to be complete subject matter experts; however, they should be aware of the groups they need to talk to and gather information from. This will be accomplished by scheduling several meetings over a course of time. 16

17 Challenge: Quality Assurance The purpose of conducting an annual Quality Assurance (QA) review on the Business Continuity Planning process and supporting documentation is to ensure an independent assessment of the BIA, Risk Assessment and BCP and to validate its effectiveness and completeness. The QA review provides valuable feedback and information related to the people, technology, facilities and critical processes that the business performs. All observations and recommendations are shared with the business following the principles of effective challenge. This provides continuous improvement for effective business continuity planning and considers risk implications, outcomes and improves proactive risk mitigation. This is not an audit, nor does it substitute for an audit. Effective Challenge 1. Clarity of purpose 2. Staff expertise/capacity 3. Independence 4. Proactivity 5. Timing 6. Transparency 7. Review Criteria 8. Roles and Responsibilities 9. Consistent across the Enterprise Quality Assurance 1. BCP planning process (BIA, RA, BCP); 2. Critical examination of documentation supporting the MTO 3. Validation that RTO meets MTO and related escalation 4. DR gap analysis 5. DR Risk Acknowledgements 6. Testing 7. Issues & Mediation 17

18 In Closing: Review 27 Nothing Next Steps Mid- Level Next Steps Expert Next Steps Download the Virtual Maturity Model Template here: and get started on assessing your business Review the four Pillars for gaps and maturity; Business Continuity Planning, Event Management, Life Safety, and Quality Assurance. Consider an independent review of your plans and process via Quality Assurance. Whether it s within your department or an outside group.

19 Thank You Juanita Hardin Director - Head Risk and Compliance William Simmons CBCP Vice President, Business Continuity When planning for a year, plant corn. When planning for a decade, plant trees. When planning for life, train and educate people. - Chinese proverb 19