Vicki GavinHead of BCM, Corporate Services,Barclays Bank PLC

An All Hazards Approach To Recovery Planning and Crisis Management

How Barclays is Planning for Pandemic Flu.

Agenda

Why do we all need BCM?

What is BCM?

What are your options?

How does this all come together?

How do you know when it’s a crisis?

How does all this apply to pandemic flu?

Barclays approach.

Why do you need BCM?

Context• Increasing level of threat and number of incidents

• Our offices are in high risk locations• Terrorism and Terror Alerts

• Complex operating environment – increasing reliance on technology • Increasingly stringent audit and regulatory expectations• Expectation of your clients / customers• Competitors willing to take your business if you can’t deliver

Objectives• Ensure the continuance of business operations under all circumstances• Provide an adequate, fit-for-purpose suite of capabilities

What is BCM? A brief history of planning.

Disaster Recovery• Focused on recovery of IT Systems and Infrastructure• IT supports not drives the business – Systems alone cannot ensure recovery

Business Continuity• Focus on the continuance of business and identifying the resources needed for

recovery• Scenario Based Planning

• How to respond if you have a . . . • Big (unusable) plans

• Impact Based Planning• The cause is largely unimportant• All incidents lead to a limited number of possible outcomes

• Work area unavailable• Systems unavailable• People unavailable

What do you need to recover?

Business Impact Assessment• What are the “critical” things that you do?• Impact of Non-Recovery

• Loss of Business, Loss of Reputation, Legal/Regulatory Breach, Loss of Money

• Recovery Objectives• Required Resources

• Facilities• IT

• Critical Systems (includes data), Market Data Services, Telephony, Hardware, Desktop Software, Personal & Departmental Data

• People• Documents, Stationery, Supplies

When do you need work area recovery facilities?

• Does the solution match the risk?

Can you stop doing

it?

No further action required.

Can you move the

task?

Is this a BAU

procedure?

You will need a recovery facility.

YES YES

YES

NO

NO NO

Move the task to another team in another

geography.

Making your documents and supplies available.Documents

• Reference materials – copies should be stored offsite• Important records – should be securely stored offsite and recall

processes should be documented

Stationary & Supplies• Maintain a central store of standard stationary items• Individual business units should maintain a supply of “specialty” items

There are widely-adopted standard approaches to dealing with critical system outages!

• Critical systems support critical tasks

• System recovery requirements based on task recovery requirements

• Recovery v Resilience.• “Fit-for-Purpose” solution

How do you prepare for your people not being available?Generalist

Characteristics• Skills/ knowledge readily available

from the market• Many people able to perform task

Recovery Solutions• Ensure up-to-date procedure

manuals are in place• Establish a skills matrix

Specialist

• Special knowledge required• Limited number of people able to

perform task

• Identify single points of failure and cross train as needed

• Identify alternates

How does this all come together?

• Impact based planning means we are 90% ready for any event• The rest is impossible to predict in advance so is addressed through

strong, well rehearsed Crisis Leadership during the incident

Businesses

Barclays

Crisis Response & Recovery Team (CRT)

Crisis Management Team (CMT)Heads of Businesses

CrisisLeadershipTeam (CLT)

Core: COO, BCM, CIOVariable: Heads of Infrastructure

CRT

CMT

CLT

CRT

CMT

CLT

CRT

CMT

CLT

CRT

CMT

CLT

CRT

CMT

CLT

CRT

CMT

CLT

Crisis Leadership• Decide corporate strategy

for this incident

Crisis Management• Decide business strategy

for this incident

Crisis Response• Recover the business

according to plans

Building Incident Plans

Cluster Crisis

Leadership Plans

Staff Incident Plans

ITBusiness

Resumption Plans

CSBusiness

Resumption Plans

Barclays Crisis Leadership Plan

Comms Crisis

Response Plan

ITCrisis

Response Plan

Facilities Crisis

Response Plan

HRCrisis

Response Plan

Cluster Crisis

Response Plans

IT System Recovery

Plans

Barclays Corporate Plan

Cluster Business

Resumption Plans

Key Crisis Responders

• Manage the relationship with and communications to the exchanges

• Manage the relationship with and communications to the Board

Corporate Secretariat

• Manage the relationship with and communications to the regulator

• Provide legal council

Legal & Compliance

• Manage and deliver communications to staff

• Manage the relationship with and communications to the media

• Manage and deliver communications with shareholders and analysts

• Manage involvement with and communication to governments

Comms

• Control and co-ordination of technical recovery

• Technical support of business recovery

IT

• Monitor and escalate critical event information

• Provision of experts (Maintenance, Engineering, Catering, Security, Mail, Telephony, Cleaning, Chauffeurs, Construction) on best practice recovery methods

Facilities

• Staff Welfare• Incident Specific Staff

Education and Awareness• Professional Stress

Management and Support• Accounting for People• Communication with Unions

and/or Staff Bodies• Post-Event Support

HR

How do you know when its a crisis?Major Incident Handling ProcessStandard method used to classify and escalate incidents across the Barclays Group regardless of the root cause based on:

• Staff impact• Business/Financial impact• Brand/Reputational impact• Customer impact• Process impact

In general, • Incidents will be handled through

the normal BAU response• Incidents with the potential to

become crises will be monitored by BCM

• When an incident meets the “Crisis”criteria the crisis management response will be triggered

Crisis – an event, or potential event, that impacts or threatens the continuity of our business, the response to which is beyond our normal day-to-day structure.

• Negligible business impact• Routine daily issues4

• Limited business impact• Partial service degradation• Minor outage

3

• Considerable business impact

• Substantial service degradation

• High impact service failure

2BAU

• Severe business impact• Serious/ widespread

customer impact• Complete loss of crucial

services• BCM monitor

1

• Critical business impact• Direct threat to Barclays• Direct threat to brand• Crisis Management

activated

CrisisCRISIS

How does all this apply to pandemic flu?

• In the case of pandemic flu, long lead times allows for extra vigilance• BCM have engaged the business, reviewing existing plans and

exploring the impact of a pandemic event on their business• Key responders have reviewed their plans

• Human Resources• Facilities• Corporate Communications• Security (includes Travel)

Barclays Approach

Full Global Activation

HIGH (Full alert, business interruption)

Sustained human-to-human transmissions reported in country affected and/or risk of rapid and wide-spread infection by air-travel.

This level of alert corresponds to the existing Barclays’ MIH Level Crisis.

6

MEDIUM (Cautionary alert, some business interruption)

Larger cluster(s) of localized human-to-human spread. This level of alert corresponds to the existing Barclays’ MIH Level 1.

5

Full Activation In Affected Country(s)“On Alert” Globally

MEDIUM (Cautionary alert, some business interruption)

Small cluster(s) of limited human-to-human transmission. In country affected and/or issue of cautionary alert by local

government authorities.

This level of alert corresponds to the existing Barclays’ MIH Level 2

4

Monitor, Plan and Prepare

LOW (No alert, business as usual)

No cases of human-to-human transmission in country affected. Possible cases of disease may exist in isolation or away from

business centres.

This level of alert corresponds to the existing Barclays’ MIH Level 3.

3!

ActionsWho PhaseBarclaysPhase

Key RespondersHuman Resources

• Staff Welfare• Absence Management

Review work practice and staff well being policies and services. Update Ex-pat databaseImplement well-being and work practice arrangements. Liaise with local authorities for advice/instructions.Suspend meetings, workshops and conferences. Restrict access to communal facilities.

Communications• Communication Campaigns• Events Management

Develop communications campaigns.Implement various campaigns.Cancel community and other events

Security• Travel Security• Repatriation

Review travel policies.Implement business travel restrictions. Implement quarantine. Manage evacuation of staff.

Facilities• Supplier Preparedness• Premise Safety & Security

Review food handling and cleaning policies. Establish coordination. Review critical suppliersImplement enhanced cleaning regime. Restrict non-essential works.Implement alternate arrangements for routine travel.

BCM• Continuation of Business• Crisis Management

Review people unavailability planning. Retain specialist support / advice.Activate local Crisis Leadership. Implement alternate working practices. Implement business risk mitigation measures per resumption plans.Activate Barclays Crisis Leadership.

What if Your People Can’t Get to Work?Discussion• Have you identified your critical staff?

• Are there many people able to perform the same recovery role?• Document processes and procedures.

• Is a special skill set required and/or are there a limited number of people who can perform the necessary tasks?

• Identify single points of failure and cross train as needed.• Identify alternates (as many as possible).• Document processes and procedures.

• Could you exploit alternate working practices?• Could some/all of your team work from home?

• Who currently has RAS? Should anyone else?• Who currently has home kit? Should anyone else?

• Could you disperse your team?• Using multiple locations to minimise business risk and/or • Using locations closer to home to minimise travel and/or• Merging or closing down locations (e.g. branches)?

• Would you be impacted if your critical third party suppliers were suffering from the same problem?

• Have all critical third party dependencies been identified?• Will they provide a statement to affirm they have planned for a

people outage?• Could you provide help to your third parties (e.g. technical)?

• Would you be impacted if another Barclays business unit or location was unavailable?

• Have you identified all your critical dependencies ?• Have these been reciprocated?• Are there alternatives?

• Would your customers be impacted? How will you mitigate this?• Can you reduce your workload?

• Review tasks which can be discontinued.• Review tasks which can be transferred to another (unaffected)

Barclays team or location.

Examples• Natural Disaster e.g. Hurricane, Earthquake• Extreme Weather e.g. Snow, Flood• Transport Failure e.g. Strike, Fuel Shortage• Major Health issue e.g. Pandemic Flu

Considerations• Extended (long duration – weeks to months)

“people” outage.• Operating with a reduced workforce – high (rolling

25%) absenteeism for the duration of the event.• Assume the market will be hit with the same

problem. • Consider the feasibility of all options to your

business.

Business / Economic Impact of an Avian Flu Pandemic

XXXWill want to maintain market liquidity and credit lines to businesses.

XXXBusiness failures will increase.

XXXXIncreased activity in areas such as credit sanctioning.

XXXReduction in capital flows to emerging markets.

XXXDeclining commodity prices.

XXXXXXWidening of credit spreads.

XXXDeclines in asset prices.

XXIncrease in risk aversion is likely leading to an increase in demand for liquidity (cash, low risk assets).

XXExports could suffer from lower global demand and domestic supply disruptions.

XTourism, leisure, travel, retailing and catering may be most vulnerable could drop sharply and may be slow to recover.

XOpen economies could be vulnerable to a deterioration in their current account balances.

XDirect economic impact from culling of diseased fowl (similar impact to Foot and Mouth in the UK).

Private B

anking

Retail B

anking

International

Asset

Mt

anagemen

Investment

Banking

Credit C

ardPossible economic impacts

* Once the pandemic has run its course economic activity should recover quickly

Summary• Impact based planning ensures you are able to respond to any incident,

regardless of the cause, quickly and effectively.

• To be effective the planning process must include;• Comprehensive business impact assessment• Structured analysis of the data collected• Fit-for-purpose recovery solutions• Strong, well rehearsed crisis leadership

Questions