US Business Continuity Safeguarding Your Business from a Disaster


US Business Continuity: Safeguarding Your Business from a Disaster
Juanita Hardin, BMO Harris Bank, Head TPS Risk and Compliance
William Simmons, BMO Harris Bank, Vice President Business Continuity Management

Questions? How do you protect our business?

What IS Business Continuity Planning?
A Business Continuity Plan (BCP) is a documented plan which defines the actions, resources and data required to ensure the continuity of the Business Unit's processes in the event of a business disruption. The BCP should be an integral part of your business continuity risk management strategy. BCP addresses the whole business continuity management process, from risk and business impact analysis, through strategy and plan development, to implementation, testing and ongoing change control.
At BMO, our program consists of four parts: Business Continuity Planning, Event Management, Life Safety and Quality Assurance.

Regulatory Guidance
FFIEC: Business Continuity Planning Booklet (2008). Applies to US banks and their service providers. The FFIEC is responsible for establishing the standards to which financial institutions are held. The 2008 version focused on the role of the board and senior management; the addition of pandemic planning; a push toward risk management integration; an emphasis on proactive risk mitigation; and an overall attempt to eliminate ambiguity. This is a mandatory regulatory requirement.
Key regulatory agencies and councils overseeing our business continuity efforts include:
- Federal Financial Institutions Examination Council (FFIEC)
- Office of the Comptroller of the Currency (OCC)
- Federal Reserve Bank (FRB)
- Securities Exchange Commission (SEC)
- Financial Industry Regulatory Authority (FINRA)
- State agencies and other industry associations
- Office of the Superintendent of Financial Institutions (OSFI) is our primary Canadian regulatory office
UPDATE: In February 2015, the FFIEC released a new appendix to the Business Continuity Planning booklet. Appendix J: Strengthening the Resilience of Outsourced Technology Services highlights that a financial institution's reliance on third-party service providers to perform or support critical operations does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner.

Framework & Governance
Business Units (1st line): Lines of Business / Operating Group employees are responsible for being familiar with their BCP's overall strategy and any items which pertain to them, and for adhering to the US BCM Mandate & Corporate Standard. The US BCM Program Office has a mandate and is responsible for satisfying US jurisdictional requirements through the implementation, maintenance and management of the BCM Program for BMO Financial Corp.
EBCM (2nd line): US BCM 1B EBCM is part of the second line of defense. The CSA has responsibility for the Governance and Methodology of the BCM Framework, its execution and its analysis.
Audit (3rd line): Audit helps our organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
The Business Continuity Management framework consists of processes, structures, controls and IT systems for managing Business Continuity Risk. It is maintained at an enterprise level and is aligned with the principles and requirements contained in the Operational Risk Corporate Policy, Guidelines and other published guidance.

Business Continuity Program Office: Program Overview
BCM includes both Business Continuity Planning and Event Management. These processes provide a framework for building resilience and the capability for an effective response, safeguarding the interests of our key stakeholders, reputation, brand and value-creating activities.
BCP Training: Ongoing executive and employee training is supported by monthly BCM forums, which allow business continuity coordinators to keep abreast of ongoing business continuity issues, table-top exercises, facilitated information presentations, and online annual educational materials.
BCP: BCM Project Managers assist the coordinators with the various items to maintain within the Sustainable Planner BCP tools, including Business Impact Analysis, Risk Assessment, recovery planning and overall quality assurance.
Testing: An established framework that facilitates the rapid recovery of critical operations following any disruption to business, as designated by the LOB and Strategic Sourcing. This framework is exercised bi-annually to ensure the robustness of continuity plans and that technologies meet the Maximum Tolerable Outage (MTO) / Recovery Point Objective (RPO). Also includes 3rd party and vendor testing.
Quality Assurance (QA): Conducts a Quality Assurance (QA) review to ensure an independent assessment of the BIA, Risk Assessment and BCP and to validate their effectiveness and completeness.

Crisis Management
Our organization's ability to respond to natural, technological, and human events (i.e. workplace violence, protests and security breaches) is critical to our survival. BCM (Business Continuity Management) is a plan, a team and a process that companies use to protect themselves from financial loss, and an Incident Response Plan is a major part of BCM planning.

Event Management Framework: US Response & Status Team (USRST)
1: Oversight: Corporate Audit; Enterprise Risk & Portfolio Management; Compliance
2: Governance: U.S. BCM Governance Committee; U.S. BCM Program Office
3: US Corporate Services (Overall Bank Recovery, USRST, US Corporate Services Operational Management): Audit; Human Resources; Real Estate; Finance; Legal; Corporate Communications; Security
4: Business Operation Groups: BMO Capital Markets; US P&C Retail; US P&C Commercial
5: Technology & Operations: Technology & Development; Enterprise Infrastructure; Operations

Event Management Framework: Incident Response Team (IRT)
FEI Behavioral Health: Staffs the Crisis Call Center and tracks incoming reports from employees and first responders.
Corporate Real Estate: Performs short- and long-term damage assessments, assesses building availability, and works to find alternate locations and equipment.
Corporate Communications: Reviews, approves and responds to immediate external media inquiries and arranges all internal communications.
Corporate Security (I&SS): Utilizes internal and external resources to determine the security requirements and to provide physical security to the affected and alternate sites.
Human Resources: Manages all employee-related communication and Corporate policy and standard issues.
Business Representatives: Represent the business units impacted by the event and manage the on-site personnel and messages.
The Business Continuity Program Office facilitates the IRT event calls and assists in the impact efforts. It may invoke a dashboard to record strategy decisions and aid in communication to executives, USRST, ERST and regulatory agencies.

Life Safety
The Life Safety & Accounting for People process is crucial to the safety of employees following an evacuation. Assigning the Emergency Team roles, along with knowing and practicing the Accounting for People process, will ensure that missing people are quickly identified and reported to the local authorities.

Accounting for People
The Accounting for People process is trained on at least an annual basis via evacuation drills and classroom-style instruction. The U.S. Business Continuity Office maintains the training and partners with the life safety teams, building landlords and facility offices to ensure maximum exposure to employees.
Emergency Team roles: Floor Captains; Searchers; Stairwell \ Elevator Monitors; Accounting for People Coordinator; Accounting for People Team Leader; Accounting for People Team Member.
BMO FC Emergency Hotline: XXX-XXX-XXXX
Crisis Call Center: XXX-XXX-XXXX

Other Life Safety Initiatives
AED\CPR: We manage 115 units across 41 sites across the U.S. and sponsor AED/CPR certification for all U.S. sites via a 3rd party vendor.
Shelter-in-Place: Severe weather; Extreme temperatures; Public disturbance; Environmental dangers; Explosions or man-made dangers; Active Shooter.
Emergency Mass Notification: The Everbridge Mass Notification system is used to contact the IRT, USRST, and LOB personnel quickly and conveniently via Cell, Email, and Land Lines.
Employee Emergency Handbooks: The U.S. BCM Office maintains and publishes unique site-specific handbooks that provide guidelines to assist in the management of localized emergencies (i.e. medical, weather) that may disrupt business.

BC Planning
Business Continuity Planning aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses during and after business interruptions by applying the BIA / RA and mitigation to the business applications and processes. Business Continuity Planning, and regular BCP updates, are required of all Business Units on an annual basis and/or following significant changes.

Sustainable Planner
Sustainable Planner (SP) is the enterprise-wide BCM software-based tool maintained by BCM and used across the business in determining and documenting all business unit planning activities. Coordinators are required to store all business continuity-related documentation in SP. This includes supporting documentation, QA Approvals and Executive Approvals.
Business Impact Analysis: Assessment of how uncontrolled, non-specific events could impact the business, and prioritization of the business functions and processes that must be recovered in the event of service disruptions.
Risk Assessment: The RA assesses the severity and likelihood of events specific to the Business Unit and prioritizes potential business disruptions based on the impact to operations and the likelihood of occurrence.
Business Continuity Plan: Aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses during and after business interruptions.
Executive Approvals: BCP sign-off must be obtained after plan completion, annual updates and whenever plans are revised due to significant changes. Executive Approval must follow completion of a successful QA review.

Coordinator: Roles and Responsibilities
Coordinator Overview: A coordinator directs the development of Business Continuity plans and procedures, and provides regular status updates to senior management, executives and the BCM Office.
Administration: Facilitate the gathering and organization of all the elements for the BIA\Risk\BCP in the Sustainable Planner tool from the appropriate stakeholders. Coordinate electronic access to, and hard copy distribution of, the Business Continuity plans and procedures. Protect the confidentiality, integrity and availability of the Business Continuity plans and procedures.
Training and Awareness: Ensure all personnel with specific Business Continuity responsibilities are adequately trained to fulfill those responsibilities.
Testing and Exercising: Plan and coordinate testing elements involving all critical business units, personnel, and recovery locations. Document the results of all tests and exercises, and identify any recommended enhancements to the Business Continuity plans and procedures.
Reporting: Ensure that all records, documents and testing data are accurately accounted for within Sustainable Planner and reported to senior management, executives, and business continuity departments.

Stakeholders: Crowd Sourcing
Management: US Management Committee; Executive; Senior Manager; Line of Business
Regulatory: Federal Financial Institutions Examination Council (FFIEC); Office of the Comptroller of the Currency (OCC); Federal Reserve Bank (FRB); Securities Exchange Commission (SEC); Financial Industry Regulatory Authority (FINRA)
Subject Matter Experts: Technology; Business Continuity Office; Clients; Suppliers
Business Continuity Coordinators are NOT expected to be complete subject matter experts; however, they should be aware of the groups they need to talk to and gather information from. This will be accomplished by scheduling several meetings over a course of time.

Challenge: Quality Assurance
The purpose of conducting an annual Quality Assurance (QA) review on the Business Continuity Planning process and supporting documentation is to ensure an independent assessment of the BIA, Risk Assessment and BCP and to validate their effectiveness and completeness. The QA review provides valuable feedback and information related to the people, technology, facilities and critical processes that the business performs. All observations and recommendations are shared with the business following the principles of effective challenge. This provides continuous improvement for effective business continuity planning, considers risk implications and outcomes, and improves proactive risk mitigation. This is not an audit, nor does it substitute for an audit.
Effective Challenge:
1. Clarity of purpose
2. Staff expertise/capacity
3. Independence
4. Proactivity
5. Timing
6. Transparency
7. Review Criteria
8. Roles and Responsibilities
9. Consistent across the Enterprise
Quality Assurance:
1. BCP planning process (BIA, RA, BCP)
2. Critical examination of documentation supporting the MTO
3. Validation that RTO meets MTO and related escalation
4. DR gap analysis
5. DR Risk Acknowledgements
6. Testing
7. Issues & Mediation

In Closing: Review
Next steps, by maturity level (Nothing / Mid-Level / Expert):
- Download the Virtual Maturity Model Template here: http://www.virtualcorp.com/business-continuity and get started on assessing your business.
- Review the four pillars for gaps and maturity: Business Continuity Planning, Event Management, Life Safety, and Quality Assurance.
- Consider an independent review of your plans and process via Quality Assurance, whether it's within your department or an outside group.

Thank You
Juanita Hardin, Director - Head Risk and Compliance
William Simmons, CBCP, Vice President, Business Continuity
"When planning for a year, plant corn. When planning for a decade, plant trees. When planning for life, train and educate people." - Chinese proverb