TRANSCRIPT
Juanita Hardin, BMO Harris Bank, Head TPS Risk and Compliance
William Simmons, BMO Harris Bank, Vice President Business Continuity Management

US Business Continuity: Safeguarding Your Business from a Disaster

Questions? How do you protect our business?
What IS Business Continuity Planning?
A Business Continuity Plan (BCP) is a documented plan which defines the actions, resources and data required to ensure the continuity of the Business Unit’s processes in the event of a business disruption.
The BCP should be an integral part of your business continuity risk management strategy. BCP addresses the whole business continuity management process from risk & business impact analysis through strategy & plan development to implementation, testing and ongoing change control.
At BMO, our program consists of four parts: Business Continuity Planning, Event Management, Life Safety and Quality Assurance.
Regulatory Guidance

FFIEC: Business Continuity Planning Booklet (2008)
Applies to US banks and their service providers.
The FFIEC is responsible for establishing the standards to which financial institutions are held. The 2008 version focused on the role of the board and senior management, added pandemic planning, pushed toward integration with risk management, emphasized proactive risk mitigation, and attempted overall to eliminate ambiguity. Compliance with it is a mandatory regulatory requirement.

UPDATE: In February 2015, the FFIEC released a new appendix to the Business Continuity Planning booklet. Appendix J, “Strengthening the Resilience of Outsourced Technology Services”, highlights that a financial institution’s reliance on third-party service providers to perform or support critical operations does not relieve the institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner.

Key regulatory agencies and councils overseeing our business continuity efforts include:
Federal Financial Institutions Examination Council (FFIEC)
Office of the Comptroller of the Currency (OCC)
Federal Reserve Bank (FRB)
Securities and Exchange Commission (SEC)
Financial Industry Regulatory Authority (FINRA)
State agencies and other industry associations
Office of the Superintendent of Financial Institutions (OSFI) is our primary Canadian regulatory office.
Framework & Governance

Business Units (1st line): Lines of Business / Operating Group employees are responsible for being familiar with their BCP's overall strategy and any items which pertain to them, and for adhering to the US BCM Mandate & Corporate Standard.
US BCM (1B): The US BCM Program Office has a mandate and is responsible for satisfying US jurisdictional requirements through the implementation, maintenance and management of the BCM Program for BMO Financial Corp.
EBCM (2nd line): EBCM is part of the second line of defense. The CSA has responsibility for governance and methodology of the BCM Framework, its execution and its analysis.
Audit (3rd line): Audit helps our organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

The Business Continuity Management framework consists of processes, structures, controls and IT systems for managing Business Continuity Risk. It is maintained at an enterprise level and is aligned with the principles and requirements contained in the Operational Risk Corporate Policy, Guidelines and other published guidance.
Business Continuity Program Office

Program Overview: BCM includes both Business Continuity Planning and Event Management. These processes provide a framework for building resilience and the capability for an effective response, safeguarding the interests of our key stakeholders, reputation, brand and value-creating activities.
Training: Ongoing executive and employee training is supported by monthly BCM forums which allow business continuity coordinators to keep abreast of ongoing business continuity issues, table-top exercises, facilitated information presentations, and online annual educational materials.
BCP: BCM Project Managers assist the coordinators with the various items to maintain within the Sustainable Planner BCP tool, including Business Impact Analysis, Risk Assessment, recovery planning and overall quality assurance.
Testing: An established framework that facilitates the rapid recovery of critical operations following any disruption to business as designated by LOB and Strategic Sourcing. This framework is exercised bi-annually to ensure continuity plan robustness and that technologies meet their Maximum Tolerable Outage (MTO) / Recovery Point Objective (RPO) targets. It also includes 3rd-party and vendor testing.
Quality Assurance (QA): A QA review provides an independent assessment of the BIA, Risk Assessment and BCP and validates their effectiveness and completeness.
Crisis Management
Our organization's ability to respond to natural, technological, and human events (e.g. workplace violence, protests and security breaches) is critical to our survival. BCM (Business Continuity Management) is a plan, a team and a process that companies use to protect themselves from financial loss, and an Incident Response Plan is a major part of BCM planning.
Event Management Framework: US Response & Status Team (USRST), Overall Bank Recovery

1: Oversight: Corporate Audit; Enterprise Risk & Portfolio Management; Compliance
2: Governance: U.S. BCM Governance Committee; U.S. BCM Program Office
3: US Corporate Services: Operational Management; Audit; Human Resources; Real Estate; Finance; Legal; Corporate Communications; Security
4: Business Operation Groups: BMO Capital Markets; US P&C Retail; US P&C Commercial
5: Technology & Operations: Technology & Development; Enterprise Infrastructure; Operations
Event Management Framework: Incident Response Team (IRT)

FEI Behavioral Health: Staffs the Crisis Call Center and tracks incoming reports from employees and first responders.
Corporate Communications: Reviews, approves and responds to immediate external media inquiries and arranges all internal communications.
Human Resources: Manages all employee-related communication and Corporate policy and standard issues.
Corporate Real Estate: Assesses short- and long-term damage and the availability of buildings, and works to find alternate locations and equipment.
Corporate Security (I&SS): Utilizes internal and external resources to determine the security requirements and to provide physical security to the affected and alternate sites.
Business Representatives: Represent the business units impacted by the event and manage on-site personnel and messages.

The Business Continuity Program Office facilitates the IRT event calls and assists in the impact assessment. It may invoke a dashboard to record strategy decisions and aid communication to executives, USRST, ERST and regulatory agencies.
Life Safety
The Life Safety & Accounting for People process is crucial to the safety of employees following an evacuation. Assigning the Emergency Team roles, along with knowing and practicing the Accounting for People process, will ensure that missing people are quickly identified and reported to the local authorities.

Emergency Team roles: Floor Captains; Stairwell / Elevator Monitors; Searchers; Accounting for People Coordinator; Accounting for People Team Member; Accounting for People Team Leader
BMO FC Emergency Hotline: XXX-XXX-XXXX
Crisis Call Center: XXX-XXX-XXXX

Accounting for People
The Accounting for People process is trained on at least an annual basis via evacuation drills and classroom-style instruction. The U.S. Business Continuity Office maintains the training and partners with the life safety teams, building landlords and facility offices to ensure maximum exposure to employees.
Other Life Safety Initiatives
Shelter-in-Place: severe weather, extreme temperatures, public disturbance, environmental dangers, explosions or man-made dangers, active shooter.
Employee Emergency Handbooks: The U.S. BCM Office maintains and publishes unique site-specific handbooks that address guidelines to assist in the management of localized emergencies (e.g. medical, weather) that may disrupt business.
AED/CPR: We manage 115 units across 41 sites across the U.S. and sponsor AED/CPR certification for all U.S. sites via a 3rd-party vendor.
Emergency Mass Notification: The Everbridge Mass Notification system is used to contact the IRT, USRST, and LOB personnel quickly and conveniently via cell, email, and land lines.
BC Planning
Business Continuity Planning aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses during and after business interruptions by applying the BIA / RA and mitigation to the business applications and processes. Business Continuity Planning, and regular BCP updates, are required of all Business Units on an annual basis and/or following significant changes.
Sustainable Planner

Business Impact Analysis: Assessment of how uncontrolled, non-specific events could impact the business, and prioritization of the business functions and processes that must be recovered in the event of service disruptions.
Risk Assessment: The RA assesses the severity and likelihood of events specific to the Business Unit and prioritizes potential business disruptions based on the impact to operations and the likelihood of occurrence.
Business Continuity Plan: Aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses during and after business interruptions.
Executive Approvals: BCP sign-off must be obtained after plan completion, annual updates and whenever plans are revised due to significant changes. Executive Approval must follow completion of a successful QA review.

Sustainable Planner (SP) is the enterprise-wide BCM software tool maintained by BCM and used across the business for determining and documenting all business unit planning activities. Coordinators are required to store all business continuity-related documentation in SP. This includes supporting documentation, QA Approvals and Executive Approvals.
Coordinator: Roles and Responsibilities

A coordinator directs the development of Business Continuity plans and procedures, and provides regular status updates to senior management, executives and the BCM Office.

Administration: Facilitate the gathering and organization of all the elements for the BIA / Risk / BCP in the Sustainable Planner tool from the appropriate stakeholders. Coordinate electronic access to, and hard-copy distribution of, the Business Continuity plans and procedures. Protect the confidentiality, integrity and availability of the Business Continuity plans and procedures.
Training and Awareness: Ensure all personnel with specific Business Continuity responsibilities are adequately trained to fulfill those responsibilities.
Testing and Exercising: Plan and coordinate testing elements involving all critical business units, personnel, and recovery locations. Document the results of all tests and exercises, and identify any recommended enhancements to the Business Continuity plans and procedures.
Reporting: Ensure that all records, documents and testing data are accurately accounted for within Sustainable Planner and reported to senior management, executives, and business continuity departments.
Stakeholders: Crowd Sourcing

Regulatory: Federal Financial Institutions Examination Council (FFIEC), Office of the Comptroller of the Currency (OCC), Federal Reserve Bank (FRB), Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA)
Management: Executive, Senior Manager, US Management Committee
Subject Matter Experts: Line of Business, Technology, Business Continuity Office
Clients
Suppliers

Business Continuity Coordinators are NOT expected to be complete subject matter experts; however, they should be aware of the groups they need to talk to and gather information from. This is accomplished by scheduling several meetings over a course of time.
Challenge: Quality Assurance

Effective Challenge
1. Clarity of purpose
2. Staff expertise / capacity
3. Independence
4. Proactivity
5. Timing
6. Transparency
7. Review criteria
8. Roles and responsibilities
9. Consistent across the Enterprise

Quality Assurance review scope
1. BCP planning process (BIA, RA, BCP)
2. Critical examination of documentation supporting the MTO
3. Validation that RTO meets MTO, and related escalation
4. DR gap analysis
5. DR Risk Acknowledgements
6. Testing
7. Issues & Remediation

The purpose of conducting an annual Quality Assurance (QA) review of the Business Continuity Planning process and supporting documentation is to provide an independent assessment of the BIA, Risk Assessment and BCP and to validate their effectiveness and completeness. The QA review provides valuable feedback and information related to the people, technology, facilities and critical processes that the business performs. All observations and recommendations are shared with the business following the principles of effective challenge. This provides continuous improvement for effective business continuity planning, considers risk implications and outcomes, and improves proactive risk mitigation. This is not an audit, nor does it substitute for an audit.
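As an added illustration of QA items 2 to 4 (the evidence behind the MTO, validating that RTO meets MTO with escalation, and DR gap analysis), the following is example code written for this page, not a tool from the presentation or from BMO. It runs a gap check over a constructed BIA table: a process's achievable recovery time is the slower of its own RTO and the effective RTO of every system it depends on, so a plan that looks compliant on paper can still breach its MTO through an upstream dependency. The `Process` fields, the finding types, the escalation rule and all process names and hours are assumptions made for the example.

```python
"""Added example (not from the BMO presentation): DR gap analysis over a
constructed BIA table, checking effective RTO against MTO and tested RPO
against required RPO."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Process:
    """One business process as recorded in a BIA (hypothetical field names)."""
    name: str
    mto_hours: float                   # Maximum Tolerable Outage set by the business
    rto_hours: float                   # Recovery Time Objective the DR plan commits to
    rpo_required_hours: float          # data loss the business can tolerate
    rpo_tested_hours: Optional[float]  # RPO achieved in the last DR test; None = untested
    depends_on: List[str] = field(default_factory=list)  # upstream systems/processes


def effective_rto(procs: Dict[str, Process], name: str,
                  _path: Tuple[str, ...] = ()) -> Tuple[float, str]:
    """Recovery time a process can really achieve, and which item is the bottleneck.

    A process cannot be back before the systems it depends on, so its effective
    RTO is the max of its own RTO and the effective RTO of every dependency.
    Dependency cycles and dependencies missing from the BIA are defects in the
    documentation itself, so they are raised rather than silently tolerated.
    """
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    if name not in procs:
        raise ValueError(f"dependency '{name}' is not documented in the BIA")
    proc = procs[name]
    worst, bottleneck = proc.rto_hours, name
    for dep in proc.depends_on:
        dep_rto, dep_bottleneck = effective_rto(procs, dep, _path + (name,))
        if dep_rto > worst:
            worst, bottleneck = dep_rto, dep_bottleneck
    return worst, bottleneck


def dr_gap_analysis(procs: Dict[str, Process]) -> List[dict]:
    """One finding per gap; 'escalate' marks items needing a DR risk acknowledgement."""
    findings = []
    for name, proc in procs.items():
        eff_rto, bottleneck = effective_rto(procs, name)
        if eff_rto > proc.mto_hours:
            findings.append({
                "process": name, "type": "RTO_EXCEEDS_MTO",
                "mto_hours": proc.mto_hours, "effective_rto_hours": eff_rto,
                "bottleneck": bottleneck,
                "escalate": True,  # an MTO breach is outside the coordinator's control
            })
        if proc.rpo_tested_hours is None:
            findings.append({"process": name, "type": "RPO_UNTESTED",
                             "rpo_required_hours": proc.rpo_required_hours,
                             "escalate": False})
        elif proc.rpo_tested_hours > proc.rpo_required_hours:
            findings.append({"process": name, "type": "RPO_SHORTFALL",
                             "rpo_required_hours": proc.rpo_required_hours,
                             "rpo_tested_hours": proc.rpo_tested_hours,
                             "escalate": True})
    return findings


# Constructed sample BIA; names and numbers are illustrative only.
SAMPLE_BIA = {p.name: p for p in [
    Process("Core Banking", mto_hours=4, rto_hours=2,
            rpo_required_hours=0.25, rpo_tested_hours=0.25),
    Process("Payment Gateway", mto_hours=8, rto_hours=6,
            rpo_required_hours=1, rpo_tested_hours=1),
    # Own RTO (2h) fits its MTO (4h); the 6h Payment Gateway dependency does not.
    Process("Wire Transfers", mto_hours=4, rto_hours=2,
            rpo_required_hours=0.25, rpo_tested_hours=0.25,
            depends_on=["Core Banking", "Payment Gateway"]),
    Process("Customer Statements", mto_hours=72, rto_hours=24,
            rpo_required_hours=24, rpo_tested_hours=48),
    Process("Branch Reporting", mto_hours=48, rto_hours=24,
            rpo_required_hours=24, rpo_tested_hours=None),
]}

if __name__ == "__main__":
    for finding in dr_gap_analysis(SAMPLE_BIA):
        print(finding)
```

Run stand-alone it prints three findings: an MTO breach on Wire Transfers attributed to Payment Gateway, an RPO shortfall on Customer Statements, and an untested RPO on Branch Reporting. The dependency walk is the part worth keeping when adapting this to a real BIA export: item 2 of the QA scope (documentation supporting the MTO) is only credible if the dependency map is complete, which is why unknown or cyclic dependencies are treated as errors rather than defaulted.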
In Closing: Review

Next Steps
Nothing: Download the Virtual Maturity Model Template here: http://www.virtual-corp.com/business-continuity and get started on assessing your business.
Mid-Level: Review the four pillars for gaps and maturity: Business Continuity Planning, Event Management, Life Safety, and Quality Assurance.
Expert: Consider an independent review of your plans and process via Quality Assurance, whether within your department or by an outside group.
Thank You
“When planning for a year, plant corn. When planning for a decade, plant trees. When planning for life, train and educate people.”
- Chinese proverb
Juanita Hardin, Director - Head Risk and Compliance
William Simmons, CBCP, Vice President, Business Continuity