Operational Risk and Business Continuity Management

May 2015

Business Continuity Planning and Crisis

Management

Federal Reserve Bank of New York

• Introduction

• Top Risks for Business Continuity Environment

• Business Continuity Program Highlights

• Best Practices

• NY Business Continuity Program - Focus

• Case Study: Superstorm Sandy

Today’s Agenda

• Continue our mission:

• Execute monetary policy,

• Support financial stability through oversight of depository

institutions, market and payments systems, and lender of last

resort,

• Provide financial services to financial institutions, the U.S.

Government and foreign central banks.

• Business Continuity Planning is a component of the

Annual Risk Assessment

• An effective business continuity plan mitigates the effects of

business interruptions and reduces overall risk to the Bank

Why Plan?

Crisis Comes in All Forms….

• Man-made Disasters

• IT Threats

 Anonymous Cyber Threats

 Hackers

• Terrorist Threats

 September 11, 2001 Terrorist Attacks

 2010 Time Square Attempted Car Bombing

 2011 Norway Bombings

 2013 Boston Marathon

• Civil Disturbances

 Anonymous Protests

 Occupy Wall Street Campaign

• Insider Threats

 Internal Sabotage

 Work Place Violence/Active Shooter

Top Risks for Business Continuity Environment

• Natural Disasters

• Weather-Related Threats

 Winter Storms

 Tornadoes

 Earthquakes

 Hurricanes

 Superstorm Sandy

• Pandemic

 Avian Flu

 Swine Flu

 MERS

 Ebola

• System-wide Business Continuity Framework and

Principles

• Business Continuity Department Within the Bank

• All Hazards Approach

• Strategic Business Partners

• Crisis Management

• Business Continuity Plans

• Flexible Contingency Arrangements

• Training and Awareness

Business Continuity Program Highlights

System wide Business Continuity Framework and

Principles

• Provides a common set of assumptions for business continuity

planning across the System

• Better define scope of effective business continuity

• Focus System’s business continuity resources on highest

priorities and risks

• Improve the System’s preparedness and resiliency

• Based on:

• The Bank for International Settlements (BIS) High-level Business

Continuity Principles for the financial sector

• Disaster Recovery Institute International (drii) professional

practices

• Used across Federal Reserve System to assess business continuity and

find improvement opportunities and best practices

System wide Business Continuity Framework and

Principles

• Leadership

• Business Continuity Management Proportionate to Risk

• Safety & Operations

• Flexibility

• Interdependencies

• Communication

• Testing

Business Continuity Office Placement Within the Bank

BCO

• Ensures staff and building safety during an

event

• Provides consultative and support services

• Hosts regular tabletop top exercises for the

emergency responders and business areas

• Partners with external emergency response

agencies

• Manages Emergency Response Work Group

• Maintains Ban-wide plans including Pandemic

events

• Conducts annual training and awareness

campaigns for the Emergency Response Team

ERM

• Identifies,

assesses,

monitors, and

manages

operational risk

Technology

• Focuses on

technology and

disaster recovery

• The Bank’s Business Continuity Program is positioned within Corporate Group to maximize synergies

between services provided by the Business Continuity Office (BCO) and Real Estate (both departments

within the Enterprise Services and Resiliency Planning (ESRP) Function within Corporate

• IRT

• Contingency

Space Activation

• MC Support

•

Technology Testing

• Risk assessments

• Emerging risks

and current threats

Business Continuity*

Oversees the strategic vision for the

Bank’s BCP and ensures alignment

with 10 FRS Principles DRI

Professional Practices

Enhances the strategic vision for

the System business continuity

landscape

Leads staff awareness efforts

Provides on-going services to

support BC Community of Practice

Leads efforts related to the Bank’s

response to a contingency event

BCLT

Provides

strategic

direction for

Bank’s BCP

DRI # 1 –

Project Initiation

& Management

DRI # 2 – Risk

Evaluation & Control

DRI # 3 Business

Impact Analysis

DRI # 4 – Develop

Business Continuity

Strategies

DRI # 5 – Emergency

Response &

Operations

DRI # 10 –

Coordination With

Agencies

DRI # 9 – Crisis

Communications

DRI # 8 – Maintaining

& Exercising Business

Continuity Plans

DRI # 7 – Awareness

& Training Programs

DRI # 6 – Develop &

Implement Business

Continuity Plans

ESRP/ BCO

Business

Areas

Real Estate

•Supervises Fire Wardens and

emergency response teams

•Maintains building

infrastructure plans

• Effects of threats are unpredictable

• Localized and regional

• Interruption can be a few days, months or years

• May be expected or unexpected

• All hazards type of approach to contingency planning.

• We plan by considering the following situations:

• Building Unavailable

• Communications Unavailable (e.g. Network,

Telecommunications, Blackberry)

• Staff Unavailable

• Combination – building, communications and/or staff

unavailable

All Hazards Approach

Strategic Business Partners

• Federal Reserve System Subcommittee on Business Continuity

• Develop and maintain high level System guidance regarding business continuity planning and testing

• Identify and share business continuity and crisis management best practices

• Lead System-wide communication about System initiatives to strengthen business continuity

• New York Business Continuity Leadership Team (BCLT)

• Help improve the Bank’s ability to manage business continuity risks before, during and after a

disruption

• Enhance the Bank’s Business Continuity Management (BCM) planning, testing and crisis management

• Review Bank-wide contingency issues and lessons learned from events, create action plans to address

problems and facilitate follow-up

• Business Continuity Liaisons/Managers

• Manage and endorses business continuity preparedness in their respective business areas

• Coordinate local emergency response in their respective business areas

• External partners such as:

• Financial and Banking Information Infrastructure Committee (FBIIC)

• Securities Industry and Financial Markets Association

• Office of Emergency Management

• New York Police Department

Crisis Management – Roles and Responsibilities

• First Responders

• Emergency Action Plan Director (EAP)

• Evacuation Coordinators/Fire Wardens

• Incident Response Team

• Crisis Management Officer/Senior Management Team

• Duty Officer

• External Partners (Fire, Police, Office of Emergency Mgmt.)

Business Continuity Plans

Business Continuity Plans include:

• Description of Business

• Business Impact Analysis

• Identification of Critical Processes and Applications

• Recovery Times Objectives and Recovery Point Objectives

• Infrastructure and Space Requirements

• Business Interdependencies

• Contact Information

• Contingency Backup Sites

Maintaining Plans:

• Policy on Business Continuity Planning and Testing

• FRBNY Standard for Business Continuity Plans

• Annual Review/Certification of Business Continuity Plans

• Quality Assurance Framework

• Hot/Cold Contingency Sites

• Buddy Banks

• Split-Operations

• Work from Home Arrangements

• Prioritization of services/operations

Flexible Contingency Arrangements

Employee Safety is the First Priority

• Safety Drills and evacuation procedures

• Computer-based Bank-wide Training

• National Preparedness Month (September)

• Active Shooter Awareness Sessions

On-going crisis management training and exercises/tests

• Technical Readiness Tests

• Table Top Exercises

• Crisis Management Scenario Exercises

• Practice, Practice, Practice!

Training and Awareness

Awareness Tools

• Wallet Cards

• Magnets

• All Staff Emergency Handbook

• Awareness Sessions and On-line training

• Crisis Management Toolkit for Senior

Management

Handbook - A high-level,

overarching guideline for crisis

management as well as information

regarding the following:

• Disaster Recovery

• Command Center Relocation

Sites

• Roles and Responsibilities

Includes the following information:

• Team membership for the

Business Continuity Program

• Relocation Decision Protocol

Information made available in

paper format, BlackBerry for

members of the Management

Committee and Incident Response

Team and on-line

Communication Tools

Frequent and effective communications is critical:

• Broadcasts over building speakers

• Emergency phones not tied to the Bank’s internal network

• Email

• Voicemail

• Calling trees

• Automated notification system

• Blackberry/Cell phones (multiple providers)

• Texts and pin to pin messages

• Mobile internet connectivity devices (aircards)

• Satellite Phones

• Remote network connectivity

• Internet/Intranet access to information

• Emergency toll-free number

• Priority Calling

• Back-up chargers/power sources

• Evaluate the efficacy of current resiliency plans

• Develop and implement a comprehensive multi year

training and testing strategy

• Assess recovery and resiliency plans in the event of cyber

intrusion

• Provide leadership and participation on FRS/SBC business

continuity initiatives

NY Business Continuity Program – Focus

• Crisis Management Roles and Responsibilities

• Ensure key/critical staffs are aware of their specific roles and

responsibilities in the event of a contingency.

• Workforce Safety and Potential Impacts

• Pre-position essential staff prior to the onset of the event, if

possible

• Establish policies and guidelines regarding

leave/compensation and other personnel related issues that

may arise during a contingency situation.

• Ensure access to various equipment and supplies that could be

used by essential staff on-site during contingency events, such

as: personal hygiene items, sheets/blankets, snow shovels, food

and beverages, etc.

Best Practices

• Continuity of Operations

• Ensure capacity to operate from alternate

site(s)/location(s) for extended periods of time; self

sufficient as first responders/emergency management

may not be available to immediately provide assistance.

• Consider establishing contracts or memoranda of

understanding (MOUs) with nearby hotels, fuel

providers, etc., in the event of availability issues in a

contingency situation.

• Ensure staff has the necessary equipment, such as

laptops, internet connectivity options, back-up power

sources, etc., that could be used if they are providing

support remotely.

Best Practices

• Communications (Internal and External)

• Review crisis communications protocols and logistics prior to a

contingency event, such as drafting holding statements, etc.

• Ensure a variety of alternate communications options are available that

could be used during a contingency event.

• Ensure contact information for Bank staff, customers and other

constituents is accurate and updated.

• Anticipate customer information needs.

• During an event, ensure consistent and frequent communications

• Coordinate Response Actions with External Partners

• Establish/Maintain relationships with key critical contacts, such as first

responders, public/health safety groups as well as trade associates and

state/federal regulators; these relationships can be leveraged in a

contingency event.

• Participate in a credentialing program that allows designated employees

to gain access to restricted areas following a disaster or serious

emergency by using a secure identification card recognized by the police.

Best Practices

Safety of staff

Effective Senior Oversight

Robust Business Continuity Program and Crisis Response

Effective Communications Tools

Practice! Practice! Practice!

Protecting the Bank’s Reputation

Questions?

Contact information:

Irina Kholdina

irina.kholdina@ny.frb.org

Deborah Willse

deborah.willse@ny.frb.org

Case Study - Superstorm Sandy 2012

Superstorm Sandy 2012

The Situation As It Evolved:

In Advance of the Storm October 27-29, 2012

• State of emergency declared

• Firms invoked business continuity plans

• Industry groups, regulators, local authorities and the

Federal Reserve Bank’s Incident Response Team began

holding regular calls and coordinating communication at least

2 days in advance of the storm

• Mayor Bloomberg ordered a mandatory evacuation of all

parts of the City in Flood Zone A (Primary

telecommunications provider offices (Verizon and AT&T) are

located in Flood Zone A)

• Essential staff pre-positioned to conduct critical operations

at primary & back-up sites

• Transportation systems suspended

• Fuel tankers moved out to sea to prevent fuel spills in NY

Harbor

• Utility provider shut off electrical service to a portion of

lower Manhattan

Superstorm Sandy 2012

Impact of the Storm:

• Widespread flooding

• 8.5 million customers without power

• Power restored to Manhattan after 7 days

• Telecommunications outages

• Central offices inoperable for months

• Wireless out for weeks

• No heat to lower Manhattan for 10 days

• Mass transit suspensions for weeks/months

• Bridges and tunnels closed for weeks/months

• Fuel shortages for weeks

Superstorm Sandy 2012

Limited power in New York City

Bank’s lights were among the

few in the area

Superstorm Sandy 2012

Widespread Flooding

Widespread Destruction

Superstorm Sandy 2012

Flooding Impacted Transportation

All Road Tunnels Leading into

Manhattan Flooded

Airports Closed for 3 to 4 Days

Subways Were Suspended from Weeks

to 3 Months

Rail Transportation Suspended for 4 to 5 Days

Superstorm Sandy 2012

Markets Closed

Strengths and Challenges

The Bank effectively responded to Super Storm Sandy. The storm served as an opportunity to review

and validate current contingency practices as well as identify enhancements to the Bank’s Business

Continuity Program

• Strengths: Planning ahead pays off

• Internal – Excellent execution of plans, safety of staff, continuity of operations, consistency and

frequency of internal communications, interagency communication, established business and

personal relationships, established governance processes and chain of command

• External - Institutions appeared to operate reasonably well in contingency mode, raised similar

issues related to telecommunications and transportation.

• Challenges:

• Internal - Vulnerability of downtown location, depth of geographic dispersion, dependency on

services providers and supply chain

• External – Industry level communications were confusing at times, especially right after the storm.

Inconsistent levels of representation on the industry conference calls sometimes lead to circulation

of incorrect information and spread of rumors.

Unscheduled market closings are extraordinary events that are viewed as an action of last resort.

There was a need for more clarity, governance and communication around decision making by market

participants to close markets.

Superstorm Sandy 2012

Lessons Learned

• Clear governance, protocols and decision-making

• Pre-planning and practice

• Recognizing dependencies: cross-sector, key partners, underlying

infrastructure

• Establishing and maintaining key business and personal relationships in

advance

• Clear communications

Superstorm Sandy 2012