
Page 1

Juanita Hardin, BMO Harris Bank, Head TPS Risk and Compliance

William Simmons, BMO Harris Bank, Vice President Business Continuity Management

US Business Continuity: Safeguarding Your Business from a Disaster

Page 2

Questions? HOW DO YOU PROTECT OUR BUSINESS?

Page 3

What IS Business Continuity Planning?

A Business Continuity Plan (BCP) is a documented plan which defines the actions, resources and data required to ensure the continuity of the Business Unit's processes in the event of a business disruption.

The BCP should be an integral part of your business continuity risk management strategy. BCP addresses the whole business continuity management process, from risk and business impact analysis, through strategy and plan development, to implementation, testing and ongoing change control.

At BMO, our program consists of four parts: Business Continuity Planning, Event Management, Life Safety and Quality Assurance.

Page 4

Regulatory Guidance

UPDATE: In February 2015, the FFIEC released a new appendix to the Business Continuity Planning booklet. Appendix J, "Strengthening the Resilience of Outsourced Technology Services", highlights that a financial institution's reliance on third-party service providers to perform or support critical operations does not relieve the institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner.

FFIEC: Business Continuity Planning Booklet (2008)

Applies to US banks and their service providers.

The FFIEC is responsible for establishing the standards to which financial institutions are held. The 2008 version focused on the role of the board and senior management; the addition of pandemic planning; a push toward risk management integration; an emphasis on proactive risk mitigation; and an overall attempt to eliminate ambiguity. This is a mandatory regulatory requirement.

Key regulatory agencies and councils overseeing our business continuity efforts include:

Federal Financial Institutions Examination Council (FFIEC)

Office of the Comptroller of the Currency (OCC)

Federal Reserve Bank (FRB)

Securities and Exchange Commission (SEC)

Financial Industry Regulatory Authority (FINRA)

State agencies and other industry associations

The Office of the Superintendent of Financial Institutions (OSFI) is our primary Canadian regulatory office.

Page 5

Framework & Governance

Lines of Business / Operating Group employees are responsible for being familiar with their BCP's overall strategy and any items which pertain to them, and for adhering to the US BCM Mandate and Corporate Standard.

The US BCM Program Office has a mandate and is responsible for satisfying US jurisdictional requirements through the implementation, maintenance and management of the BCM Program for BMO Financial Corp.

EBCM is part of the second line of defense. The CSA has responsibility for the Governance and Methodology of the BCM Framework, its execution and its analysis.

Audit helps our organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Business Continuity Management framework consists of processes, structures, controls and IT systems for managing Business Continuity Risk. It is maintained at an enterprise level and is aligned with the principles and requirements contained in the Operational Risk Corporate Policy, Guidelines and other published guidance.

Lines of defense (figure): Business Units, 1st Line; US BCM, 1B; EBCM, 2nd Line; Audit, 3rd Line.

Page 6

Business Continuity Program Office

Program Overview: BCM includes both Business Continuity Planning and Event Management. These processes provide a framework for building resilience and the capability for an effective response, safeguarding the interests of our key stakeholders, reputation, brand and value-creating activities.

Training: Ongoing executive and employee training is supported by monthly BCM forums, which allow business continuity coordinators to keep abreast of ongoing business continuity issues, table-top exercises, facilitated information presentations, and online annual educational materials.

BCP: BCM Project Managers assist the coordinators with the various items to maintain within the Sustainable Planner BCP tools, including Business Impact Analysis, Risk Assessment, recovery planning and overall quality assurance.

Testing: An established framework that facilitates the rapid recovery of critical operations following any disruption to business, as designated by the LOB and Strategic Sourcing. This framework is exercised bi-annually to ensure continuity plan robustness and to confirm the technologies' Maximum Tolerable Outage (MTO) and Recovery Point Objective (RPO). It also includes 3rd-party and vendor testing.

Quality Assurance (QA): A QA review provides an independent assessment of the BIA, Risk Assessment and BCP and validates their effectiveness and completeness.

Page 7

Crisis Management

The importance our organization places on our ability to respond to natural, technological, and human events (e.g. workplace violence, protests and security breaches) is critical to our survival. BCM (Business Continuity Management) is a plan, a team and a process that companies use to protect themselves from financial loss, and an Incident Response Plan is a major part of BCM planning.

Page 8

Event Management Framework: US Response & Status Team

1: Oversight: Corporate Audit; Enterprise Risk & Portfolio Management; Compliance

2: Governance: U.S. BCM Governance Committee; U.S. BCM Program Office

3: US Corporate Services: Operational Management; Audit; Human Resources; Real Estate; Finance; Legal; Corporate Communications; Security

4: Business Operation Groups: BMO Capital Markets; US P&C Retail; US P&C Commercial

5: Technology & Operations: Technology & Development; Enterprise Infrastructure; Operations

Figure labels: Overall Bank Recovery (USRST); US Corporate Services.

Page 9

Event Management Framework: Incident Response Team

FEI Behavioral Health: Staffs the Crisis Call Center and tracks incoming reports from employees and first responders.

Corporate Communications: Reviews, approves and responds to immediate external media inquiries and arranges all internal communications.

Human Resources: Manages all employee-related communication and Corporate policy and standard issues.

Corporate Real Estate: Assesses short- and long-term damage and the availability of buildings, and works to find alternate locations and equipment.

Corporate Security (I&SS): Uses internal and external resources to determine the security requirements and to provide physical security at the affected and alternate sites.

Business Representatives: Represent the business units impacted by the event and manage on-site personnel and messages.

The Business Continuity Program Office facilitates the IRT event calls and assists in the impact assessment efforts. It may invoke a dashboard to record strategy decisions and aid in communication to executives, the USRST, the ERST and regulatory agencies.

Page 10

Life Safety

The Life Safety & Accounting for People process is crucial to the safety of employees following an evacuation. Assigning the Emergency Team roles, along with knowing and practicing the Accounting for People process, will ensure that missing people are quickly identified and reported to the local authorities.

Page 11

Accounting for People

Emergency Team roles: Floor Captains; Stairwell / Elevator Monitors; Searchers; Accounting for People Coordinator; Accounting for People Team Member; Accounting for People Team Leader.

BMO FC Emergency Hotline: XXX-XXX-XXXX. Crisis Call Center: XXX-XXX-XXXX.

The Accounting for People process is trained on at least an annual basis via evacuation drills and classroom-style instruction. The U.S. Business Continuity Office maintains the training and partners with the life safety teams, building landlords and facility offices to ensure maximum exposure to employees.

Page 12

Other Life Safety Initiatives

Shelter-in-Place: Severe weather; Extreme temperatures; Public disturbance; Environmental dangers; Explosions or man-made dangers; Active Shooter.

Employee Emergency Handbooks: The U.S. BCM Office maintains and publishes unique site-specific handbooks with guidelines to assist in the management of localized emergencies (e.g. medical, weather) that may disrupt business.

AED/CPR: We manage 115 units across 41 sites in the U.S. and sponsor AED/CPR certification for all U.S. sites via a 3rd-party vendor.

Emergency Mass Notification: The Everbridge Mass Notification system is used to contact the IRT, USRST, and LOB personnel quickly and conveniently via cell phone, email and land lines.

Page 13

BC Planning

Business Continuity Planning aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses during and after business interruptions by applying the BIA / RA and mitigation to the business applications and processes. Business Continuity Planning, and regular BCP updates, are required of all Business Units on an annual basis and/or following significant changes.

Page 14

Sustainable Planner

Business Impact Analysis: Assessment of how uncontrolled, non-specific events could impact the business, and prioritization of the business functions and processes that must be recovered in the event of service disruptions.

Risk Assessment: The RA assesses the severity and likelihood of events specific to the Business Unit and prioritizes potential business disruptions based on the impact to operations and the likelihood of occurrence.

Business Continuity Plan: Aims to develop advance arrangements and procedures to avoid, mitigate and minimize losses during and after business interruptions.

Executive Approvals: BCP sign-off must be obtained after plan completion, after annual updates, and whenever plans are revised due to significant changes. Executive Approval must follow completion of a successful QA review.

Sustainable Planner (SP) is the enterprise-wide BCM software tool maintained by BCM and used across the business to determine and document all business unit planning activities. Coordinators are required to store all business continuity-related documentation in SP, including supporting documentation, QA Approvals and Executive Approvals.

Page 15

Coordinator: Roles and Responsibilities

A coordinator directs the development of Business Continuity plans and procedures, and provides regular status updates to senior management, executives and the BCM Office.

Administration: Facilitate the gathering and organization of all the elements for the BIA / Risk / BCP in the Sustainable Planner tool from the appropriate stakeholders. Coordinate electronic access to, and hard-copy distribution of, the Business Continuity plans and procedures. Protect the confidentiality, integrity and availability of the Business Continuity plans and procedures.

Training and Awareness: Ensure all personnel with specific Business Continuity responsibilities are adequately trained to fulfill those responsibilities.

Testing and Exercising: Plan and coordinate testing elements involving all critical business units, personnel, and recovery locations. Document the results of all tests and exercises, and identify any recommended enhancements to the Business Continuity plans and procedures.

Reporting: Ensure that all records, documents and testing data are accurately accounted for within Sustainable Planner and reported to senior management, executives, and business continuity departments.

Page 16

Stakeholders: Crowd Sourcing

Regulatory: Federal Financial Institutions Examination Council (FFIEC); Office of the Comptroller of the Currency (OCC); Federal Reserve Bank (FRB); Securities and Exchange Commission (SEC); Financial Industry Regulatory Authority (FINRA)

Management: Executive; Senior Manager; US Management Committee

Subject Matter Experts: Line of Business; Technology; Business Continuity Office

Clients

Suppliers

What is expected of Business Continuity Coordinators is NOT to be complete subject matter experts; however, they should be aware of the groups they need to talk to and gather information from. This will be accomplished by scheduling several meetings over a course of time.

Page 17

Challenge: Quality Assurance

Effective Challenge

1. Clarity of purpose
2. Staff expertise/Capacity
3. Independence
4. Proactivity
5. Timing
6. Transparency
7. Review Criteria
8. Roles and Responsibilities
9. Consistent across the Enterprise

Quality Assurance

1. BCP planning process (BIA, RA, BCP)
2. Critical examination of documentation supporting the MTO
3. Validation that RTO meets MTO and related escalation
4. DR gap analysis
5. DR Risk Acknowledgements
6. Testing
7. Issues & Mediation

The purpose of conducting an annual Quality Assurance (QA) review of the Business Continuity Planning process and supporting documentation is to ensure an independent assessment of the BIA, Risk Assessment and BCP and to validate their effectiveness and completeness. The QA review provides valuable feedback and information related to the people, technology, facilities and critical processes that the business performs. All observations and recommendations are shared with the business following the principles of effective challenge. This provides continuous improvement for effective business continuity planning, considers risk implications and outcomes, and improves proactive risk mitigation. This is not an audit, nor does it substitute for an audit.
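The QA steps above (validating that RTO meets MTO, DR gap analysis, DR risk acknowledgements) and the testing paragraph on Page 6 (MTO/RPO confirmation) describe a check that is easy to get wrong by hand when one application supports several processes. The following is an added illustration written for this page, not BMO's tooling or Sustainable Planner output; the dataclasses, field names, severity labels and all sample figures are constructed for the example. It derives the required RTO of each application as the tightest MTO among the processes that depend on it, flags undefined objectives and missing recovery plans, and separates gaps covered by a risk acknowledgement from those still needing escalation.

```python
"""DR gap analysis for the QA 'effective challenge' steps: validate that each
application's RTO meets the MTO of every business process that depends on it,
that RTO/RPO are defined, and that any remaining gap carries a DR risk
acknowledgement. Added illustration only: the dataclasses, field names and
sample data are constructed for this example and are not BMO's tooling."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Process:
    name: str
    mto_hours: float                 # Maximum Tolerable Outage from the BIA
    applications: Tuple[str, ...]    # applications the process depends on


@dataclass(frozen=True)
class Application:
    name: str
    rto_hours: Optional[float]       # Recovery Time Objective the DR plan commits to
    rpo_hours: Optional[float]       # Recovery Point Objective (max tolerable data loss)


def required_rto(processes: Sequence[Process], app_name: str) -> Optional[float]:
    """Tightest MTO among the processes that depend on the app (None if unused).
    A shared application inherits the most demanding MTO, not the average."""
    mtos = [p.mto_hours for p in processes if app_name in p.applications]
    return min(mtos) if mtos else None


def dr_gap_analysis(processes: Sequence[Process], applications: Sequence[Application],
                    acknowledged: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Return one finding per problem. severity 'gap' = must be escalated;
    'acknowledged' = gap covered by a DR risk acknowledgement; 'info' = housekeeping."""
    findings: List[Dict] = []
    known = {a.name for a in applications}
    # A BIA dependency with no technology recovery plan at all
    for p in processes:
        for app_name in p.applications:
            if app_name not in known:
                findings.append({"app": app_name, "process": p.name,
                                 "issue": "no_recovery_plan", "severity": "gap"})
    for a in applications:
        need = required_rto(processes, a.name)
        if need is None:
            findings.append({"app": a.name, "issue": "unused_by_any_process",
                             "severity": "info"})
        elif a.rto_hours is None or a.rpo_hours is None:
            findings.append({"app": a.name, "issue": "objective_undefined",
                             "required_rto": need, "severity": "gap"})
        elif a.rto_hours > need:
            findings.append({"app": a.name, "issue": "rto_exceeds_mto",
                             "required_rto": need, "rto": a.rto_hours,
                             "severity": "acknowledged" if a.name in acknowledged else "gap"})
    return findings


def escalation_list(findings: List[Dict]) -> List[str]:
    """Applications whose gaps are neither closed nor acknowledged, for escalation."""
    return sorted({f["app"] for f in findings if f["severity"] == "gap"})


# Constructed sample data (hours); not taken from any real BIA.
PROCESSES = (
    Process("Wire transfers", 4, ("PaymentsHub", "CoreLedger")),
    Process("Retail online banking", 8, ("WebBanking", "CoreLedger")),
    Process("Monthly statements", 72, ("StatementGen",)),
    Process("Cash positioning", 4, ("TreasuryDesk",)),   # no DR plan exists for this app
)
APPLICATIONS = (
    Application("PaymentsHub", rto_hours=2, rpo_hours=0.25),
    Application("CoreLedger", rto_hours=6, rpo_hours=1),        # 6h RTO > 4h wire-transfer MTO
    Application("WebBanking", rto_hours=8, rpo_hours=4),
    Application("StatementGen", rto_hours=None, rpo_hours=24),  # RTO never set
    Application("LegacyReports", rto_hours=48, rpo_hours=24),   # nothing depends on it
)

if __name__ == "__main__":
    for f in dr_gap_analysis(PROCESSES, APPLICATIONS):
        print(f)
    print("escalate:", escalation_list(dr_gap_analysis(PROCESSES, APPLICATIONS)))
    print("after acknowledging CoreLedger:",
          escalation_list(dr_gap_analysis(PROCESSES, APPLICATIONS, frozenset({"CoreLedger"}))))
```

The point worth noticing is CoreLedger: its 6-hour RTO satisfies online banking (8-hour MTO) but not wire transfers (4-hour MTO), so it is a gap even though it meets the MTO of one of its consumers. A risk acknowledgement changes its severity but does not remove the finding, so the QA record still shows the shortfall.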

Page 18

In Closing: Review

Maturity level: Nothing. Next Steps: Download the Virtual Maturity Model Template here: http://www.virtual-corp.com/business-continuity and get started on assessing your business.

Maturity level: Mid-Level. Next Steps: Review the four Pillars for gaps and maturity: Business Continuity Planning, Event Management, Life Safety, and Quality Assurance.

Maturity level: Expert. Next Steps: Consider an independent review of your plans and process via Quality Assurance, whether within your department or by an outside group.

Page 19

Thank You

"When planning for a year, plant corn. When planning for a decade, plant trees. When planning for life, train and educate people."

- Chinese proverb

Juanita Hardin, Director - Head Risk and Compliance

William Simmons, CBCP - Vice President, Business Continuity