RBC Business Continuity Management Program Exercising our Plans BCAW Presentation
Key Elements of the Program The RBC BCM program is global in scope Oversight of BCM is provided by the Enterprise Business Continuity Management Committee Responsible for governance throughout RBC Membership includes Sr Executive representation from across all major functions and business lines Enterprise Crisis Management Team Accountable for management of enterprise-wide incidents and crises Has representation from across RBC business lines and head office areas Incident Management Teams Accountable for management of local, regional, business-line specific issues Continuity Planning Activities The business and the BCM team are engaged in planning requirements Reporting Risk The BCM team publishes a quarterly BCM risk report across all RBC business lines 2
RBC Global Business Continuity Management Team 1 Director 34 Advisors, supporting all global business lines. 11 Senior Managers, supporting all global BCM Advisors & activities. 22 advisors in Canada supporting Canada, South America 4 advisors in the United States supporting USA 3 advisor in Trinidad supporting the Caribbean 4 advisors in United Kingdom supporting UK, Channel Islands and Europe 1 advisor in Hong Kong supporting Asia and Australia 3
Purpose of Exercising Plans Validate continuity strategies (Work Area Recovery, remote access, etc.) outlined in the plans Create awareness around the types of scenarios that would require an activation of a plan Familiarize teams with Work Area Recovery locations Familiarize employees with the business continuity strategies for their teams Create awareness around the types of scenarios that would require an Incident Management Team (IMT) to be convened Help define the decision making and communication process utilized Determine roles of team members and to assist members recognize their supporting teams Validate employee contact information and the ability to contact staff in a timely manner 4
Types of Exercises Contact Exercises Work Area Recovery Exercises Defines the requirement to be able to contact our staff Business are responsible to ensure their respective staff have updated their contact information in centralized system Testing is done at minimum annually for ALL staff globally Business is required to exercise their ability to work from alternate sites annually at a minimum Exercise event must be documented and approved in centralized BCM data base BCM completes second line of defense by approving results Business owns Plans BCM owns policy & standards IT owns Application DR Plans BCM owns governance Technology Exercises Defines application criticality through Business Impact Analysis Business executives are accountable to ensure their respective critical applications are tested according to established frequency Joint first line of defense with IT for Disaster Recovery Testing Supplier Exercises Supplier plans are to be exercised and evidence provided to RBC annually or as stipulated in contract Exercise events must be documented in centralized BCM data base Incident Tabletop Exercises Crisis and Incident management teams complete table top walkthroughs to ensure that they continually exercise their ability to think through and manage potential incidents 5
Contact Exercises Automated Use automated call out tool that can send multiple notification to multiple devices simultaneously Success criteria is identified in the plan and is set by business System provides reporting on contact capabilities by time BCM guides business unit Manual Business is required to complete the contacts directly Success criteria is identified in the plan and is set by business Business provides reporting on success Business unit owns risk IT supports business unit Emergency Automated system can be maintained to allow for quick callouts in emergency BCM maintains an Employee Emergency line that can be utilized by business to broadcast information 6
Contact Exercise Statistics In 2009, we conducted 366 exercises, testing recovery for 46,472 employees. In 2014, we conducted 174 exercises, testing recovery for 69,634 employees. We are doing half as many exercises and due to efficiencies, we covering almost 1.5 times as many employees. 7
Work Area Recovery Exercises Remote Access Business determines strategy and ability to utilize this Business typically uses this as part of regular everyday BCM guides business unit Recovery Site Dedicated recovery site geographically disparate from production Site is set up to mirror IT requirements from production Site must be exercised annually to ensure feasibility Business unit owns risk IT supports business unit Split Operations For critical business that cannot tolerate any downtimes Operations are physically split between to active production sites Sites are in perpetual state of exercise 8
Work Area Recovery Statistics In 2009, we conducted 391 exercises, testing recovery for 12,314 employees. In 2014, we conducted 696 exercises, testing recovery for 32,830 employees. We are doing 1.5 times more exercises and providing assurance for 2.6 times as many employees. 9
Technology Exercises Disaster Recovery Exercise cycles are tied to business recovery time objectives identified in business impact analysis Can be component based or full failover Centralized application inventory updated based on results Disaster recovery plans are documented by IT Events are documented and approved in centralized BCM repository Business unit owns risk BCM guides business unit IT supports business unit 10
Technology Exercise Statistics In 2009, we conducted 663 Disaster Recovery Exercises In 2014, we conducted 1381 Disaster Recovery Exercises 11
Supplier Exercises Transparent Suppliers exercise their own plans with no participation from RBC Supplier exercises have no impact on RBC processes we do not even know they are in an exercise event Supplier provides evidence after the exercise is completed BCM guides business unit Integrated Suppliers exercise their plans in conjunction with RBC Prior notification and exercise details provided to RBC RBC participates in exercise from production or recovery Joint accountability with RBC to identify and close gaps Business unit owns risk IT supports business unit Industry Wide Large scale involving many suppliers and regulators Provides opportunity to exercise RBC plans at the same time as suppliers Confirms supplier ability to recover services and for RBC to access Supplier in recovery Challenges industry to introduce systemic risk exposures 12
Supplier Exercise Statistics In 2009, we reviewed exercise information for 69 Suppliers. In 2014, we reviewed exercise information for 508 Suppliers. 13
Incident Tabletop Exercises Crisis Management Team Conducts exercises to provide learning opportunities and identify areas for improvement. Examples of exercises that have been conducted include: Assessing the impacts of a 6.0 magnitude earthquake event in Montreal, affecting our staff, operations, premises, including physical damages BCM guides business unit Reputational Crisis Management Team Conducts exercises to provide learning opportunities and identify areas for improvement. Examples of exercises that have been conducted include : Assessing the impacts of outsourcing activities affecting our staff and reputation. Business unit owns risk IT supports business unit Building/ Regional Incident Management Team Conducts exercises to provide learning opportunities and identify areas for improvement. Examples of exercises that have been conducted include: Assessing the impacts of food poisoning at a regional event affecting our staff and operations. 14
Questions??? 15