State Street
Corporate Continuity Program
An Integrated Approach to Continuity Metrics & Progress Reporting
Presented to: Continuity Insights
May 2007
Presented by: Chris Glebus
Continuity Organizational Structure
(Organization chart: Executive Management; Senior Management; Business Continuity Manager; Business Continuity Team Leaders; Corporate Continuity & Client Services (CCCS))

Program Oversight
• Examining & Audit Committee of the Board of Directors
– Annual progress report and meeting
• Executive Management
– Annual Continuity Compliance Reporting
– Signoff on business and application continuity requirements
• Major Risk Committee – Enterprise Risk Management
– Semi-annual presentation of Continuity Program to Major Risk
Committee
• Corporate Audit
• Regulatory Audits
Program Foundation
• Incident Management
• Recovery Scenarios: Site Interruption (Facilities, Staff, Technology); Technology Interruption; Counterparty and Market; Human Factor
• Continuity Exercises: Stand alone System / Application; Corporate-wide / Data Center; Business Relocation; Call Tree / Notification; Client Recovery; INTRA Data Center
• Application Priority Groupings: Priority 1 (0-8 hours); Priority 2 (9-24 hours); Priority 3 (+24 hours)
• Program Standards: Business Functions; Applications & Technology; Facilities; Incident Management; Staff
• Business Function Downtime Tolerance Levels: Level 1 (0-4 hours); Level 2 (5-8 hours); Level 3 (9-24 hours); Level 4 (25-72 hours); Level 5 (73+ hours)
Benefits of Metrics Tracking / Compliance Reporting
• Well defined standards and measurements reduce subjectivity in assessing current status
• A repeatable, measurable process demonstrates progress made in enhancing continuity capabilities
• Demonstrated progress can assist in gaining funding for continuity solutions
• Executive accountability drives home visibility and importance
• The value proposition - information can be used for projects other than BCP and reduce associated costs of gathering and tracking redundant data
– mergers and acquisitions, asset management, risk management, operations, facilities, corporate security, information security, etc.
• Provides an effective tool for internal and external audits
Compliance Reporting
• Plan Evaluation Structure comprised of:
– Standards
– Criteria
– Compliance Requirement
– Measurement
– Compliance Detail / Considerations
• Assessing the Plans
– initial assessment vs. ongoing reporting
– 80/20 split - Self Assessment / Corporate Assessment
• Standards integrate both Business and Technical Continuity for an overall picture
– Each application / system is linked to a Business Continuity Plan
– Ability to break out technical detail for reporting purposes
Compliance Reporting
• Business Continuity Plan must be owned at an executive level
• Effective Compliance / Metric Reporting should cover several levels
– Overall Corporate Roll-up for benchmarking and trend analysis
– Executive Management - overall plan status by executive, plan status by standard, overall application by executive, detail status for each application
– IT Executives – overall summary for applications supported, detail for applications supported
– Business Continuity Managers - plan level by standard and criteria, detail for applications owned
• Controls in place for ownership and accountability
– Business Continuity Plan names and executive owner sign-off
– Business Function names, recovery requirements, and executive owner sign-off
– Application names, recovery requirements, and executive owner sign-off
Plan Evaluation Structure – Business Continuity Example

Standard 2: Identification and prioritization of all business functions and their recovery time objectives.
Criteria 2-b: Conduct a Formal Business Impact Analysis (BIA) on a Scheduled Basis and Establish a Continuity Plan
Compliance Requirement:
1. For existing business units, BIA must be conducted every 18 months with EVP review & sign-off
2. New business units must complete a BIA within three (3) months of inception and/or change of control, with EVP review and sign-off, and a Business Continuity Plan within six (6) months of inception
3. BIA final results should be included in plan, e.g. Appendix
Measurement:
Green: all requirements met
Red: requirements not met
Compliance Detail / Considerations:
• New business units can start building components of their Business Continuity Plan at the same time that the BIA is being conducted, i.e. call tree, etc.
• New business units may come from mergers and acquisitions
• Change of control is defined as the point in time at which State Street assumes control of the acquired business
• When naming plans for business units, utilize the standardized continuity plan naming convention: [Standard Text] _ [Free form Text] _ [Locations]. Ex: GLOBAL - SVCS _ BANKING SERVICES _MAO
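One way to compute the criteria 2-b measurement from the three requirements above, as an added example that is not part of the presentation or of State Street's own reporting tools; the BusinessUnit fields, the month arithmetic, the reporting date and the two sample units are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

def add_months(d: date, months: int) -> date:
    """Date `months` calendar months after `d`, day clamped to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    return date(year, month, min(d.day, (next_first - date(year, month, 1)).days))

@dataclass
class BusinessUnit:
    name: str
    is_new: bool                             # new unit, e.g. from a merger or acquisition
    inception: date                          # inception, or change-of-control date for acquisitions
    last_bia: Optional[date] = None          # completion date of the most recent BIA
    bia_signed_off: bool = False             # EVP review and sign-off recorded for that BIA
    plan_established: Optional[date] = None  # date the Business Continuity Plan was established
    bia_in_plan: bool = False                # BIA final results included in the plan (e.g. Appendix)

def assess_2b(bu: BusinessUnit, as_of: date) -> tuple[str, list[str]]:
    """Measure criteria 2-b as of `as_of`: ('Green', []) when every requirement is met, else ('Red', gaps)."""
    gaps: list[str] = []
    if bu.is_new:
        # Requirement 2: BIA within 3 months and a plan within 6 months of inception / change of control.
        # Until a deadline has passed the item is not yet due, so it is not counted as a gap.
        if bu.last_bia is None and as_of > add_months(bu.inception, 3):
            gaps.append("BIA overdue (due within 3 months of inception / change of control)")
        if bu.plan_established is None and as_of > add_months(bu.inception, 6):
            gaps.append("Business Continuity Plan overdue (due within 6 months of inception)")
    else:
        # Requirement 1: existing units repeat the BIA every 18 months.
        if bu.last_bia is None or as_of > add_months(bu.last_bia, 18):
            gaps.append("BIA never conducted or older than 18 months")
        if bu.plan_established is None:
            gaps.append("no Business Continuity Plan established")
    if bu.last_bia is not None and not bu.bia_signed_off:
        gaps.append("BIA lacks EVP review and sign-off")
    # Requirement 3: once both exist, the BIA final results belong in the plan.
    if bu.last_bia and bu.plan_established and not bu.bia_in_plan:
        gaps.append("BIA final results not included in plan (e.g. Appendix)")
    return ("Green" if not gaps else "Red", gaps)

# Constructed sample units (illustrative only), assessed as of an assumed May 2007 reporting cycle.
AS_OF = date(2007, 5, 1)
EXISTING_UNIT = BusinessUnit("Banking Services", False, date(1999, 1, 1), last_bia=date(2006, 1, 15),
                             bia_signed_off=True, plan_established=date(2000, 6, 1), bia_in_plan=True)
ACQUIRED_UNIT = BusinessUnit("Acquired Unit", True, date(2007, 3, 1))  # change of control, no BIA yet
```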
Plan Evaluation Structure – Technical Continuity Example

Standard 3: Identification of all technology resources required to support business functions, i.e. applications and systems
Criteria 3-f: Identify All Applications Owned by the Executive Manager of the Plan / Business Unit and the Corresponding Recovery Information.
Compliance Requirement:
1. Document the following for each application owned:
• Application Name
• Executive Manager / EVP (Business Owner)
• Recovery Time Objective in hours
• Recovery Point Objective
• Production location of the application*
• Recovery location of the application*
• Platform
2. Map each application to a business continuity plan
Measurement:
Composite Applications
Green: information provided for all applications owned
Yellow: information missing for less than 25% of applications owned
Red: information missing for 25% or more of applications owned
N/A: not applicable, do not own applications
Individual Application
Green: all information available for a given application
Red: information missing for a given application owned
N/A: not applicable, do not own applications
Compliance Detail / Considerations:
• The business owner of an application is defined as an Executive Manager / EVP
• The business owner must approve / sign-off on recovery requirements for new applications and changes in recovery requirements for existing applications
• Recovery Time Objective (RTO) is defined as the total elapsed time from the time an event is declared through the time when the business unit has complete functionality of the application, including the time to recover the application
• Recovery Point Objective (RPO) is defined as the acceptable age of the data (defined as a point in time), relative to the recovery event, that is made available to the business unit when the system is recovered. For example, an application may have an RTO of 8 hours and an RPO to point of failure, which means that no data loss can occur
• Verify through your Application Support department that the Application Recovery Plan is located on “Oasis” or a comparable documentation repository
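The criteria 3-f measurement above, both the per-application Green/Red status and the composite Green/Yellow/Red/N/A roll-up with its 25% threshold, carried through in code as an added example (not part of the presentation or of State Street's reporting systems); the Application fields, location codes, plan names and the five-application sample portfolio are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Recovery information criteria 3-f requires for every application owned (Requirement 1),
# plus the mapping of the application to a business continuity plan (Requirement 2).
REQUIRED_FIELDS = ("name", "business_owner", "rto_hours", "rpo", "production_location",
                   "recovery_location", "platform", "continuity_plan")

@dataclass
class Application:
    name: str
    business_owner: Optional[str] = None       # Executive Manager / EVP who signs off
    rto_hours: Optional[int] = None            # Recovery Time Objective in hours
    rpo: Optional[str] = None                  # e.g. "point of failure" (no data loss) or "24 hours"
    production_location: Optional[str] = None  # location codes below are placeholders
    recovery_location: Optional[str] = None
    platform: Optional[str] = None
    continuity_plan: Optional[str] = None      # name of the plan the application is mapped to

def missing_fields(app: Application) -> list[str]:
    """Required fields that are blank for this application (empty list means complete)."""
    return [f for f in REQUIRED_FIELDS if getattr(app, f) in (None, "")]

def individual_status(app: Application) -> str:
    """Individual Application measurement: Green if all information is available, else Red."""
    return "Green" if not missing_fields(app) else "Red"

def composite_status(apps: list[Application]) -> str:
    """Composite Applications measurement for one executive / plan owning `apps`."""
    if not apps:
        return "N/A"                        # not applicable: owns no applications
    incomplete = sum(1 for a in apps if missing_fields(a))
    if incomplete == 0:
        return "Green"                      # information provided for all applications
    if incomplete / len(apps) < 0.25:
        return "Yellow"                     # missing for less than 25% of applications
    return "Red"                            # missing for 25% or more

def compliance_detail(apps: list[Application]) -> list[tuple[str, str, list[str]]]:
    """Rows for an Application Compliance Detail report: (name, status, missing fields)."""
    return [(a.name, individual_status(a), missing_fields(a)) for a in apps]

# Constructed sample portfolio for one executive business owner (illustrative only).
_full = dict(business_owner="Jane Doe (EVP)", rto_hours=8, rpo="point of failure",
             production_location="LOC-A", recovery_location="LOC-B", platform="Unix",
             continuity_plan="GLOBAL - SVCS _ BANKING SERVICES _MAO")
SAMPLE_APPS = [Application("App-1", **_full), Application("App-2", **_full),
               Application("App-3", **_full),
               Application("App-4", **{**_full, "recovery_location": None}),  # one gap: 1 of 5
               Application("App-5", **_full)]
```

With one of five applications incomplete (20%) the composite is Yellow; the same gap in a portfolio of four (25%) tips the composite to Red, which is the boundary the measurement text defines.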
Sample Compliance Reports – Business Continuity Manager
Corporate Continuity Program: Business Continuity Manager - Plan Compliance Detail
(Sample report image; the names shown, Jane Doe and John Doe, are placeholders)
Note: Information contained in this report is created for illustrative purposes only and does not reflect the actual status of State Street Corporation
Sample Compliance Reports – Executive Business Owner
Corporate Continuity Program: Executive Business Owner - Plan Compliance Summary
Corporate Continuity Program: Executive Business Owner - Application Compliance Summary
Corporate Continuity Program: Executive Business Owner - Application Compliance Detail
Note: Location Code Legend is also provided
Sample Compliance Reports – Corporate Roll-up
Corporate Continuity Program: State Street Corporation – Overall Plan Compliance Summary by Standard
Corporate Continuity Program: State Street Corporation – Overall Application Compliance Summary
Sample Compliance Reports – Trend Analysis
Trending of Annual Compliance Reporting for All Criteria
(Stacked bar chart, 0% to 100% per year; legend: Complete, Partially Complete, Incomplete. Data labels as shown on the chart, in legend order:)
Year   Complete   Partially Complete   Incomplete
2003   65%        8%                   27%
2004   75%        7%                   18%
2005   81%        14%                  5%
Getting Started
• Create a steering / advisory committee of executives
– Business and corporate support groups
• Define, document, and communicate standards and measurements to Business Continuity Managers and Business Executives
– Start with a few metrics to get the process moving forward – add more later
– Don’t need to integrate business and technology continuity metrics in first pass
– Email announcements and workshops / training for Business Continuity Managers
– Determine frequency of reporting
• Define, develop, and implement controls and processes for plan and application ownership
– Multiple business units using an application? Primary BU funding the application owns it
• Define, develop, and implement reports required by audience
– Corporate Roll-up, Executive Management, IT Executives, Business Continuity Managers, etc.
– Provide comment capabilities on BCM reports
• Define, develop, and implement tools to track and report on standards
– Microsoft products (Excel, PowerPoint) can be used to start; consider databases and on-line distribution
Getting Started
• Gather Data
– Use any data that has already been collected and ask for validation / changes with executive sign-off
– Where there is no data:
• Obtain BUSINESS plan and application ownership list by business unit
• Jointly assess each plan and application to establish a solid baseline for reporting with established target dates
• As always – get sign-off
• Provide preliminary view of reports to one or two Business Continuity Managers and a Business Executive for feedback
• Before sending reports to executives, preview reports to Business Continuity Managers – make necessary modifications
• Conduct first round of reporting and ensure executive awareness of baseline measurement
• Communicate ongoing maintenance process (self assessment vs. corporate assessment)
• Repeat!
Making Program and Reporting Enhancements
• Work with subject matter experts in developing enhancements, i.e. Global Realty, Corporate Security, Information Technology, etc.
• Review proposed enhancements with steering / advisory committee for feedback and approval
• Ease into enhancements that strengthen and/or increase standards, criteria, compliance requirements, and/or measurements within a plan. Slowly eliminate partials
• Provide enough time for Business Continuity Managers to comply with enhancements
– 6 month lead time between announcement and compliance
• Consider exception reporting for high risk items
• Consider trending analysis
Continuity Application Suite
(Diagram of the continuity application suite. Applications shown, with the descriptions attached to them:)
• State Street Notify – Automated notification tool for Incident Management
• Compliance Reporting Database (CPD) – Continuity Compliance Reporting
• Continuity Reporting System – Dependency Reporting
• The Conduit – Corporate Feeds: People Soft, Location, LDPRS; Business Functions, Global Processing Timeframes, Business to Applications, Facilities, etc.
• Envision CBCP – Application Repository
• DR APP – Application Repository; MS Access - Not Scalable
• Recovery Exercise Database – Tracks Technology Recovery Exercise Objectives, Results, and Resolution
Diagram annotations: "Future replacement for CPD"; "Future replacement for Recovery Exercise Database"; "Stand Alone"
Legend: Initial continuity applications for compliance reporting; Initial continuity applications to be retired; Strategic Continuity applications