Enterprise Resilience

BlackRock |Jan 01, 2022

BlackRock is committed to providing high-quality, resilient services to its clients. Significant resources and effort are dedicated to the Business Continuity Management (BCM) and technology Disaster Recovery (DR) programs designed to meet or exceed legal and regulatory obligations in the locations we operate.

BlackRock maintains business continuity (BC) plans to facilitate the continuity of business in the event of a business disruption. BlackRock’s executive management provides oversight and governance to the firm’s BCM program, supported by the Business Continuity Management team, which manages the program.

BlackRock maintains disaster recovery (DR) plans and procedures to enable a rapid response to an event impacting its technology and data. Redundancy is the focal point of BlackRock’s Disaster Recovery program. Each data center is served by physically diverse circuits, secondary network, and alternate power sources. Primary and secondary data centers are appropriately distanced, mitigating the impact of a regional event. Applications are maintained in both the primary and secondary data centers while data is replicated in near real time. BlackRock’s DR Program relies on the Technology Risk Management team to provide oversight and governance.

Both programs are routinely examined by BlackRock’s internal audit team and external regulators. The results of these reviews and metrics are reported to the appropriate governance bodies, as required.

The programs have several key elements, including:

  • Risk Assessment & Monitoring
  • BC/DR Planning
  • Crisis Management
  • Training and Awareness
  • Exercises and Testing
  • Third Party Oversight

Risk Assessment & Monitoring

BlackRock performs annual Site Risk Assessments for offices worldwide. The results of the assessment are used to drive risk mitigation activities, including enhanced site resilience, business continuity planning, and the deployment of additional recovery strategies where appropriate.

Additionally, a comprehensive weekly Risk Outlook is created that identifies potential threats to BlackRock staff and/or offices worldwide. Threats are reviewed, escalated, and managed by senior-level staff, and disseminated broadly for awareness and action as appropriate

BC/DR Planning

There are three main areas of focus that comprise the BC/DR planning that BlackRock performs:

1. Business Continuity Plans: BlackRock maintains Business Continuity Plans (BCPs) for business functions at each BlackRock office globally. The BCPs have the following key components:

  • Business Impact Analysis (BIA): Assesses both financial and non-financial impacts of the loss of a critical process. Annually, each department reviews and updates the information for every critical process they perform. The results of this process are used to drive planning and recovery strategies to minimize potential risks.
  • Business Recovery Plans: Procedures designed to recover critical processes to provide continuity of operations in the event of a business disruption. These include recovery strategies for personnel, data, communications, information processing and facilities. Recovery strategies are validated through annual exercises.

2. Disaster Recovery Plans: Disaster Recovery Plans (DRPs) incorporate fail-over strategies and are designed broadly to recover from a disruptive event affecting a data center facility while accommodating a more narrow recovery from the loss of a single server. The key elements of the DRPs include:

  • Communication Plan that identifies how personnel will be engaged when an event occurs as well as the frequency and method of communicating information and status throughout the event 
  • incident Management Plan that includes information for establishing and maintaining an incident response team, responsibilities of the management team, as well as a methodology for decision making and escalation
  • Recovery Plans that include requirements, configuration and execution procedures for failing over each application to a secondary data center

3. Pandemic and Emerging Health Concerns: BCPs capture and identify potential risks related to staff absenteeism associated with pandemics or other health concerns. This global program is managed by BlackRock’s Health & Safety team and implemented at local/regional levels to provide country and cultural considerations when responding. The framework addresses supplies, cleaning, social distancing strategies, and crisis management response triggers

Crisis Management

BlackRock’s Crisis Management program provides a global framework for responding to disruptive events, including:

  • Crisis Management call lists that include key global and regional business heads
  • Command and control structure, including the identification of primary and alternate team members to cover key roles</li?
  • An automated crisis notification system that can broadcast messages to designated staff in the event of a crisis. Notifications are sent via email, work and personal phones, and text messages
  • Employee Support Hotline and Emergency websites to provide staff updates and assistance
  • Training and Awareness

    BlackRock uses several methods to keep employees aware of the critical role they play in preparing for and responding to potential business disruptions. Methods used include:

    • Mandatory annual all staff Emergency Preparedness online training
    • Business recovery exercises
    • Data center recovery tests
    • Crisis management training and exercises
    • Periodic, threat-specific awareness/learning sessions

Exercises & Testing

BlackRock exercises its BCPs to verify the procedures for recovering business operations are appropriate, and that key personnel are familiar with documented procedures. Each year, several exercises are performed:

  • Remote Access (i.e., from home or another external location)
  • Alternate location (i.e., dedicated recovery site or alternate BlackRock office)
  • Work transfer (i.e., transferring workload to an unaffected office and team)
  • System fail-over testing, including external vendors where appropriate
  • Evacuation drills, notification system tests, and periodic generator tests

Business Continuity exercise results are documented, reviewed and distributed as appropriate following each exercise. Recommendations for improvements to the recovery process are identified, risk-rated, and any corrective actions clearly defined and assigned to the appropriate personnel.

BlackRock conducts an annual Disaster Recovery test for each of its production data centers. During the test, the data center is isolated from the BlackRock network to simulate a total loss of the facility. Applications are failed over to secondary data centers within the stated Recovery Time Objective (RTO) and the functionality is validated by qualified testers.

DR test results are documented, reviewed and distributed to key executives following each test. Documentation includes an overview of the recovery times, a pass/fail assessment of all applications and a plan to remediate any issues discovered during the testing life cycle.

Third-Party Oversight

One of the key components of the Enterprise Resilience planning process is our supplier management framework, which includes periodic reviews of the business continuity and disaster recovery programs for key service providers. Risk assessments are used to determine the criticality of each service provider. For the most critical service providers, BlackRock conducts targeted reviews and evaluations of BCM and DR plans and, where appropriate, on-site visits.

Covid-19 Response

In response to the threat of Covid-19, BlackRock issued enhanced guidance to all staff with the aim of ensuring that the firm would continue to serve its clients effectively by operating in a remote working environment that adhered to regulatory requirements and expectations.

  • BlackRock has remained fully operational throughout the pandemic – with nearly all our employees working from home.
  • BlackRock’s technological preparedness has been maintained throughout the crisisThere has been no material effect in providing Compliance support and Risk oversight during the crisis
    A Return to Office (RTO) program has been created to provide a gradual and safe office re-occupancy for staff

Continual review of our Covid-19 response is undertaken by Senior Management and the firms Crisis Management teams.