Business Continuity and Disaster Recovery

Transcription

1 Business Continuity and Disaster Recovery

2 Index Section Title 1. Executive Summary 2. Policy Statement 3. Strategy 4. Governance 5. Key Documentation 6. Testing 1

3 Executive Summary Business Continuity describes LME Clear s capability to plan for and respond to operational disruption, including events that could cause a wide-scale or major disruptions, in order to continue at an acceptable level. LME Clear Business Continuity will meet good practice guidelines as described in Business Continuity Institute (BCI Good Practice Guide 2010,) and comply with International Standards Organisation (ISO) requirements for Business continuity management systems (BCMS) as specified in ISO The scope for recovery is: The priority for recovery is: 2

4 Policy Statement LME Clear is committed to meeting the following business continuity objectives from the commencement of commercial operations: Protect LME Clear staff, contractors and visitors welfare during an incident at all times. Anticipate, as part of our BCP analysis, threats that could disrupt normal operations and prevent their occurrence from causing greater than 2 hours disruption to critical clearing services (RTC platform) and no greater than 48 hours disruption to other all activities. Reconcile and recover all transactions. Ensure clearing is completed at the required time and day in all circumstances. Work collaboratively and openly with the LME, clearing members, key third party suppliers and market bodies to consider overall impact on market efficiency in determining recovery time objectives, enhance market resilience and develop closely integrated responses. Maintain robust strategies and plans that are thoroughly exercised on at least an annual basis. Ensure staff are fully cognisant of the importance of business continuity in protecting the system, clearing members and market confidence and understand what is expected of them should an incident occur. Adhere to industry best practices and standards and continually monitor and improve operational resilience and business continuity preparedness. 3

5 Strategy Business continuity plan This plan covers the procedures for handling a major incident which results in disruption to LME Clear and details the fail-over and recovery to the DR site, the availability of adequate human resources and coordinating the recovery with key third party providers and LME. The responsible team is the Business Continuity Team, which follows detailed procedures for the recovery of core clearing services through to the restoration of normal operations. Highly resilient IT services - Critical applications are mirrored across 2 geographically dispersed data centres on highly resilient computing platforms. Transactions are written to both locations in near-real time and DR procedures allow for switching between data-centres within required ESMA timelines. Dual lines of communication are in place between both datacentres and Leadenhall Street and Chelmsford. Citrix access - Robust remote access enabling staff to work remotely during a major incident. Testing programme - all plans and strategies are tested at least annually (internally and externally). Operational risk management framework - identifies threats and vulnerabilities that may disrupt the smooth running of LME Clear, and implements changes to reduce the likelihood and the severity, should the threat occur. 4

6 Strategy Business Impact Analyses (BIA) - assesses the impact of threats to LME Clear s operations, identifies functions critical to LME Clear and to other institutions, identifies operational dependencies, determines recovery requirements, objectives and priorities. The BIA is conducted on an annual basis, and in response to significant changes to threats, the marketplace, LME Clear s products and services, operations and technology. Contractual agreements - Business Continuity of third party suppliers that deliver critical functions to LME Clear are managed through appropriate contractual and performance management arrangements (including meeting their SLAs on business continuity and testing requirements). Review - The business continuity plans are reviewed on at least an annual basis and following tests, software changes, updates to the BIA and major incidents. Internal audit inspects all areas of LME Clear business continuity management over a two year cycle. Education, training and awareness programme - ensures staff are aware of the policy, business continuity responsibilities and are competent to perform their duties. 5

7 Governance The Board has overall responsibility for the business continuity policy and plan, and for reviewing the effectiveness of actions taken in response to concerns raised under these documents. The Chief Operations Officer has day-to-day operational responsibility for this Policy, Plan, Manual and BIA and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training. The Board shall ensure that an annual review of this Policy and Plan is carried out from an operational perspective at least once a year and shall approve any changes to such documents. The Business continuity Plan, Manual and BIA will be subject to at least annual independent review. 6

8 Key Documentation Business Continuity Manual Describes the activities and controls for the effective operation of business continuity and disaster recovery including responsibilities of the BC management team. Business Continuity Plan The Plan defines and documents the procedures to be used in the event of an emergency, disaster, or crisis. It identifies the objectives as set out in the Policy, the scenarios covered as defined in the BIA, the strategy for handling an incident, the prioritisation of the system, the responsibilities of the Business Continuity team, the invocation of the plan and the recovery and continuation of LME Clear s services. The Plan must ensure that an adequate level of staffing is provided during an emergency, disaster or crisis. LME Clear Business Impact Analysis Describes the impact of loss or disruption over time to both LME Clear and the market. It identifies processes that support LME Clear functions and process dependencies, identifies the resources required for recovery and prioritises the recovery of processes. Joint Operating Procedures These contain detailed Business Continuity requirements and set out BC SLAs. Agreed with all key service providers. All documents are stored on a centralised site with remote access. Hard copies of the relevant documents will be kept at the disaster recovery site. Call trees are in place to ensure all staff are kept informed of the situation. 7

9 Testing Testing will comprise of; Annual failover testing of all key applications within the datacentre and switching of primary and secondary datacentre. Twice yearly test at the remote DR site in coordination with the LME as well as a monthly equipment test and a quarterly test at local DR site. Quarterly remote access testing, to include announced and unannounced tests. Annual testing with our back up third party providers. Annual desktop scenario testing. Annual participation in DR testing with key suppliers. All results from the testing will be recorded and any issues logged, investigated & resolved. 8