BUSINESS CONTINUITY MANAGEMENT & DISASTER RECOVERY PROGRAMS
BlackRock views recovery of its business operations and supporting technology, Business Continuity Management ("BCM") and technology Disaster Recovery ("DR") respectively, as a critical and fundamental part of its ability to fulfill its fiduciary responsibilities to clients. As such, significant resources and effort are dedicated to the program.
BlackRock maintains business continuity and crisis response plans to facilitate the continuity of business in the event of a business disruption. BlackRock's executive management is responsible for oversight and governance of the firm's BCM program, supported by the Business Continuity Management group, which manages the program.
In order to maintain a resilient information technology (IT) environment, the Disaster Recovery (DR) program has implemented strategies for near zero downtime and near zero data loss for all applications that support critical business processes as defined by the Business Continuity Management (BCM) Program. BlackRock employs a full time Disaster Recovery Manager to oversee its recovery program and ensure consistency across its global operation.
BlackRock’s BCM/DR programs have several key elements, including:
- Exercises and Testing
- Training and Awareness
- Third Party Resiliency
There are four main areas of focus that comprise the BCM/DR planning that BlackRock performs:
1. Business Continuity Plans: BlackRock maintains Business Continuity Plans (BCPs) for each business function, at each local BlackRock office globally. The BCPs have the following two components:
- Business Impact Analysis: The Business Impact Analysis (BIA) methodology is designed to assess both financial and non-financial impacts of the loss of a critical process. Each department periodically reviews and updates their business continuity needs through a formal Business Impact Analysis template, managed by the Business Continuity Management team. The results of this process are used to perform a “gap analysis” to identify potential areas of improvement within Business Recovery Plans (BRPs). The appropriate groups address any significant gaps and revise their departments’ BRP as appropriate.
- Business Recovery Plan: Business Recovery Plans (BRPs) are procedures designed to recover specific critical processes in support of continuity of operations in the event of a business disruption. These include recovery strategies for personnel, data, communications, information processing and facilities. Recovery Time Objectives (RTOs) are created for all critical business functions and services, and are validated through annual exercise requirements.
2. Disaster Recovery Plans: Disaster Recovery Plans (DRPs) incorporate fail over strategies and are comprehensive enough to recover from a disruptive event affecting a data center facility yet modular enough to recover from the loss of a single server. The key elements of the DRPs include:
- Communication Plan that identifies how personnel will be engaged when an event occurs as well as the frequency and method of communicating information and progress throughout the event.
- Incident Management Plan that includes information for establishing and maintaining a command center, responsibilities of the management team as well as a recommended methodology for decision making and escalation.
- Recovery Plans for each team that includes requirements, configuration and execution procedures for failing over each application to a secondary data center
3. Pandemic Policy: Under ownership of Human Resources, the global pandemic policy is implemented at local/regional levels to provide country and cultural considerations when responding to a pandemic event. A pandemic response framework addresses supplies, cleaning, social distancing strategies and crisis management response triggers.
4. Crisis Management: In addition to department-level planning, BlackRock has a program devoted to response planning which includes a full-featured Crisis Management framework that includes the following tools:
- Crisis Management Call Lists that include key global and regional business heads
- An automated crisis notification system that can broadcast messages to designated staff in the event of a crisis. Notifications are sent via email, work and personal phones, and text message
- Employee Status Lines and Emergency Websites to provide staff updates
- Employee emergency pocket cards that contain procedures for employee evacuation, assembly, check-in and communication
Training and Awareness
BlackRock uses several methods to keep employees aware of the critical role they play in preparing for and responding to potential business disruptions. Primary methods used include:
- Mandatory annual all staff Emergency Preparedness & Business Recovery online training
- Distribution of emergency pocket cards
- Business recovery exercises
- Crisis management training and exercises
- Periodic educational intranet articles and emails
Exercises & Testing
BlackRock exercises it BCPs to ensure the procedures for recovering business operations are appropriate, and that key personnel are familiar with documented procedures. Similarly, facilities- based exercises are conducted with BCM team participation. Broadly, the firm utilizes the following recovery strategies in its BCPs:
- Remote Access exercises (e.g., work from home)
- Alternative location exercises (e.g., work area recovery or alternate BlackRock office)
- System fail-over testing, including external vendors where appropriate
- Evacuation drills, notification system tests and periodic generator tests
BCM exercise results are documented and reviewed with all involved participants following each exercise. Recommendations for improvements to the recovery process are identified and any corrective actions clearly defined and assigned to the appropriate personnel.
BlackRock conducts an annual technology DR test for each of its production data centers. The DR tests include the isolation of the production data center from the BlackRock network simulating the loss of the building and a failover of applications and services to a secondary site. DR tests are managed as if it were an actual disaster, allowing BlackRock to rehearse all components of the DRP. DR tests begin with a notification to join the recovery bridge where instructions are provided by the Command Center. Each team executes its DRPs and records any encountered issues. Following each test the DR Manager publishes a report that identifies:
- The recovery time for all applications
- The pass / fail assessment of each application
- A plan to resolve any remaining open issues
- Any lessons learned along with a plan to enhance the recovery program
One of the key components of the BCM planning process is our supplier management framework, which includes periodic reviews of the business continuity programs for key service providers. Risk assessments are used to determine the criticality of each service provider. For the most critical service providers, BlackRock conducts targeted reviews and evaluations of BCM plans and, where appropriate, on-site visits.
last update May 2013