RBC Business Continuity Management Program
Exercising our Plans
Key Elements of the Program
RBC Enterprise Business Continuity Management - Confidential
2
The RBC BCM program is global in scope
Oversight of BCM is provided by the Enterprise Business Continuity Management Committee
– Responsible for governance throughout RBC
– Membership includes Sr Executive representation from across all major functions and business lines
Enterprise Crisis Management Team
– Accountable for management of enterprise-wide incidents and crises
– Has representation from across RBC business lines and head office areas
Incident Management Teams
– Accountable for management of local, regional, business-line specific issues
Continuity Planning Activities
– The business and the BCM team are engaged in planning requirements
Reporting Risk
RBC Global Business Continuity Management Team
1 advisor in Hong Kong supporting Asia and Australia
4 advisors in United Kingdom supporting UK, Channel Islands and Europe
22 advisors in Canada supporting Canada, South America
4 advisors in the United States supporting USA
3 advisor in Trinidad supporting the Caribbean
1 Director
34 Advisors, supporting all global business lines.
11 Senior Managers, supporting all global BCM Advisors
& activities.
Purpose of Exercising Plans
Validate continuity strategies (Work Area Recovery, remote access, etc.) outlined in the plans
Create awareness around the types of scenarios that would require an activation of a plan
Familiarize teams with Work Area Recovery locations
Familiarize employees with the business continuity strategies for their teams
Create awareness around the types of scenarios that would require an Incident Management Team (IMT) to be convened
Help define the decision making and communication process utilized
Determine roles of team members and to assist members recognize their supporting teams
Validate employee contact information and the ability to contact staff in a timely manner
4 RBC Enterprise Business Continuity Management - Confidential
Types of Exercises
Business owns Plans IT owns Application DR Plans BCM owns policy & standards BCM owns governance• Defines the requirement to be able to contact our staff • Business are responsible to ensure their respective staff have
updated their contact information in centralized system • Testing is done at minimum annually for ALL staff globally
Contact Exercises
• Business is required to exercise their ability to work from alternate sites annually at a minimum
• Exercise event must be documented and approved in centralized BCM data base
• BCM completes “second line of defense” by approving results
Work Area Recovery Exercises
• Defines application criticality through Business Impact Analysis • Business executives are accountable to ensure their respective
critical applications are tested according to established frequency
• Joint “first line of defense” with IT for Disaster Recovery Testing
Technology Exercises
• Supplier plans are to be exercised and evidence provided to RBC annually or as stipulated in contract
• Exercise events must be documented in centralized BCM data base
Supplier Exercises
• Crisis and Incident management teams complete table top walkthroughs to ensure that they continually exercise their ability to think through and manage potential incidents
Incident Tabletop Exercises
Contact Exercises
RBC Enterprise Business Continuity Management - Confidential
6 Business unit owns risk IT supports business unit BCM guides business unit
• Use automated call out tool that can send multiple notification to multiple devices simultaneously
• Success criteria is identified in the plan and is set by business • System provides reporting on contact capabilities by time
Automated
• Business is required to complete the contacts directly • Success criteria is identified in the plan and is set by business • Business provides reporting on success
Manual
• Automated system can be maintained to allow for quick callouts in emergency
• BCM maintains an Employee Emergency line that can be utilized by business to broadcast information
Contact Exercise Statistics
In 2009, we conducted 366 exercises,
testing recovery for 46,472
employees.
In 2014, we conducted 174 exercises,
testing recovery for 69,634
employees.
We are doing half as many exercises
– and due to efficiencies, we
covering almost 1.5 times as many
Work Area Recovery Exercises
RBC Enterprise Business Continuity Management - Confidential
8 Business unit owns risk IT supports business unit BCM guides business unit
• Business determines strategy and ability to utilize this • Business typically uses this as part of regular everyday
Remote Access
• Dedicated recovery site geographically disparate from production
• Site is set up to mirror IT requirements from production • Site must be exercised annually to ensure feasibility
Recovery Site
• For critical business that cannot tolerate any downtimes • Operations are physically split between to active production
sites
• Sites are in perpetual state of exercise
Work Area Recovery Statistics
In 2009, we conducted 391 exercises,
testing recovery for 12,314
employees.
In 2014, we conducted 696 exercises,
testing recovery for 32,830
employees.
We are doing 1.5 times more
exercises – and providing assurance
Technology Exercises
RBC Enterprise Business Continuity Management - Confidential
10 Business unit owns risk IT supports business unit BCM guides business unit
• Exercise cycles are tied to business recovery time objectives identified in business impact analysis
• Can be component based or full failover
• Centralized application inventory updated based on results • Disaster recovery plans are documented by IT
• Events are documented and approved in centralized BCM repository
Disaster Recovery
Technology Exercise Statistics
In 2009, we conducted 663 Disaster
Recovery Exercises
In 2014, we conducted 1381 Disaster
Recovery Exercises
Supplier Exercises
RBC Enterprise Business Continuity Management - Confidential
12 Business unit owns risk IT supports business unit BCM guides business unit
• Suppliers exercise their own plans with no participation from RBC
• Supplier exercises have no impact on RBC processes – we do not even know they are in an exercise event
• Supplier provides evidence after the exercise is completed
Transparent
• Suppliers exercise their plans in conjunction with RBC • Prior notification and exercise details provided to RBC • RBC participates in exercise from production or recovery • Joint accountability with RBC to identify and close
gaps
Integrated
• Large scale involving many suppliers and regulators
• Provides opportunity to exercise RBC plans at the same time as suppliers
• Confirms supplier ability to recover services and for RBC to access Supplier in recovery
• Challenges industry to introduce systemic risk exposures
Supplier Exercise Statistics
In 2009, we reviewed exercise
information for 69 Suppliers.
In 2014, we reviewed exercise
information for 508 Suppliers.
Incident Tabletop Exercises
RBC Enterprise Business Continuity Management - Confidential
14 Business unit owns risk IT supports business unit BCM guides business unit
• Conducts exercises to provide learning opportunities and identify areas for improvement. Examples of exercises that have been conducted include: Assessing the impacts of a 6.0
magnitude earthquake event in Montreal, affecting our staff, operations, premises, including physical damages
Crisis
Management Team
• Conducts exercises to provide learning opportunities and identify areas for improvement. Examples of exercises that have been conducted include : Assessing the impacts of
outsourcing activities affecting our staff and reputation.
Reputational Crisis
Management Team
• Conducts exercises to provide learning opportunities and identify areas for improvement. Examples of exercises that have been conducted include: Assessing the impacts of food
poisoning at a regional event affecting our staff and operations.
Building/
Regional Incident Management Team
