Building a BC/DR Control Library and Regulatory Response Program
David Garland, Senior Director, Disaster Recovery & Regulatory Compliance, Business Continuity Management, CME Group
Regulatory Compliance & Controls, September 2016
Agenda
1. A quick introduction to CME Group
2. Business continuity management at CME
3. The evolution of regulatory response at CME
4. Regulatory response, compliance and controls
5. Questions
A Quick Introduction to CME Group: Who we are and what we do
CME Group: The world's leading and most diverse derivatives marketplace
Our exchanges
- Chicago Mercantile Exchange (CME)
- Chicago Board of Trade (CBOT)
- New York Mercantile Exchange (NYMEX)
- Commodities Exchange (COMEX)
Our markets: futures and options based on
- Interest rates
- Equity indexes
- Foreign exchange
- Energy
- Agricultural commodities
- Metals
- Weather
- Real estate
Our reach
- Access in 150 countries
- Market connections through 11 global hubs
- Relationships with 12 partner exchanges
- Offices and employees around the world
Business Continuity Management at CME Group: What we do and what our regulators want to understand
Business Continuity Management at CME Group
Our team mitigates potential impacts to our markets, customers, assets and employees based on identified risks. We are committed to ensuring CME Group can respond to an incident while safeguarding the interests of our stakeholders, ensuring the safety of employees and protecting our reputation and brand.
BCM Methodology
- Align with US and international standards;
- Implement response and recovery strategies that are both flexible and agile;
- Build effective partnerships throughout the company;
- Employ tested exercise models that evolve with our environment and architecture;
- Seek opportunities for enhanced resilience;
- Identify and apply mitigation plans, based on proper risk tolerance;
- Establish collaborative relationships with external entities, partnerships and agencies; and
- Monitor and adjust program components to meet both domestic and international regulatory requirements and to reflect material changes to the business.
Business Continuity Management Program Components
Methodology
Crisis Analysis: Focus Areas
Execute on the requirements of the Global Program, which include:
- Working with Enterprise Risk Management, we plan against top-tier risks.
- Coordinate with the Threat Analysis & Planning Team and communicate with executive leadership, senior management and subject matter experts about potential threats and mitigation efforts.
Key stakeholders include: Senior Leadership, Risk Management Team, Threat Planning & Analysis Team, Global Assurance, Risk Committee of the Board of Directors
Business Resilience: Focus Areas
Execute on the requirements of the Global Program, which include:
- Developing Business Impact Analyses (BIA) & Business Recovery Plans (BRP)
- Training Business Continuity Coordinators
- Coordinating Alternate Work Strategies
Event Management & Response: Focus Areas
Employ advanced tools which serve to facilitate:
- Effective global notifications
- Leadership communication
- Cross-functional collaboration and coordination
Event Management & Response: Q1 2016 Events (chart)
Categories shown: Natural Hazard/Weather, Protest/Strike, Violence/Terrorism, System/Infrastructure, Health/Environmental; shares of 40%, 20%, 20%, 10% and 10%.
Disaster Recovery: Focus Areas
- Engage IT at all levels to ensure a complete DR solution for existing and new applications and systems
- Document recovery strategy and procedures for every component of CME Group's IT systems
- Analyze recovery gaps and single points of failure
- Expand DR partner and customer relationships
- Enhance processes to reduce recovery time capabilities, where possible
Exercises & Education: Annual Exercise Overview (name; frequency)
- Tabletop Exercise: Incident Response Teams; annually
- Tabletop Exercise: Crisis Management Team; annually
- Emergency Notification Tool Exercise: Enterprise Response Team; annually
- Emergency Notification Tool Exercise: Regional Incident Response Teams; quarterly
- National Communication Systems Exercise (GETS); annually
- Telecommuting Exercise; annually
- Full System Failover Exercise; 2 times a year
- Full System Failover & Business Unit Exercise; 2 times a year
- Partner Exchange DR Exercises (PE DR to CME Prod); as requested by Partner Exchange
- Industry-wide Exercises; as available & appropriate
Exercises & Education: Focus Areas
- BCM program videos and training guides
- Events and increased focus during Business Continuity Awareness Week & Emergency Preparedness Month
- Increased BCM program awareness briefings across the enterprise, including presentations at division and task force meetings
- On-demand tabletops for departments and cross-functional teams
Public/Private Partnerships
Customer Outreach: Program Features
- Regular meetings and calls feature guest speakers that offer different perspectives on BC/DR
- Industry experts on hand to discuss relevant and timely topics of interest
- Networking opportunities allow our customers to meet each other and establish new relationships
- FIA industry-wide DR exercise
Program Strategy & Compliance: Focus Areas
- Regulatory Response Program
- Controls
- Audits and assessments
- Benchmarking and reporting
- Program maturation
- Policy and program documentation
- Policy Response
- New Business Support
Program Strategy & Compliance: Program Alignment
Program Strategy & Compliance: Regulatory Compliance
- Monitor US and international BC/DR regulation for program compliance
- Monitor global BC/DR standards to ensure program alignment
- Coordinate, research and respond to regulatory requests and inquiries
The Evolution of Regulatory Response at CME Group
Regulators and Regulation: CME Group's Regulators
- Increased globalization leads to additional regulators, both primary and non-primary
- Increased number of requests
- Existing businesses in new locations
- New business in existing and new locations
Regulators and Regulation: Changes in Regulations
- Dodd-Frank reform leads to new rules and requirements
- Business continuity programs must be based on industry best practices
- Difficult, as NIST is not an international standard, but US regulators rely heavily on this standard for BCM
- Compliance with regulation had to be demonstrated by organizations' use of standards and risk methodologies
Industry standards: NIST, FFIEC, ISO 22301, PFMI, NFPA 1600, BSI
The Need for BCM Controls
Controls
A process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
- Financial reporting: AICPA, SOX
- IT & Security: ITIL, NIST
- Business & Operations: ISO, ANSI, SOC
Why We Need BC/DR Controls
- Prove operational effectiveness
- Address risk and understand results of noncompliance
- Identify tradeoffs
- Assist in planning
- Maturation and continuous improvement
Developing Controls: Gap Analysis
- Review all current regulations and standards
- Choose a guide. Most BCM standards are comparable in content, and some are more prescriptive for compliance. If you can, align the program with the most prescriptive, to help avoid missing any aspects of your program a regulator might address
- Perform a gap analysis
Developing Controls: After Gap Analysis
- Write BC/DR controls based on where you want to be
- The control should be a clear, concise statement written to be applicable to the organization, not the standard or the regulation
- Share your efforts with the company
- Determine testing schedules
- Compare controls with other company controls to help ensure alignment
Developing Controls: Elements of Our Framework
- Control ID
- Control
- Document ID
- Document Description
- Risk Description: What risk is this control attributed to?
- Testing requirements: Using the language from the regulations and standards you decided to use, detail what each control must adhere to. This will be used in the annual review to ensure compliance.
Developing Controls: Elements of Our Framework (continued)
- Standard mapping: for each control, map the standards and regulations that apply to the control to show how the organization is meeting its objectives. This also helps show the alignment with the standard the company chose to comply with and the other standards the company meets for the same control.
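As an added illustration (not CME Group's control library or any tool this deck describes), the Python sketch below models the framework elements from the two "Elements of Our Framework" slides and runs the gap analysis from the "Developing Controls" slides against a chosen standard: which requirements of that standard have no control mapped to them, which controls do not map to the chosen standard at all, and which controls still lack a testing schedule. Every control statement, document ID, risk description and requirement ID here is a constructed placeholder; the requirement IDs are not real clause numbers of ISO 22301, NIST or FFIEC.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample data for illustration only. The requirement IDs are
# placeholders, not actual clause numbers from any standard.
CHOSEN_STANDARD = "ISO 22301"
CHOSEN_STANDARD_REQUIREMENTS = [
    "REQ-BIA", "REQ-PLANS", "REQ-EXERCISE", "REQ-NOTIFY", "REQ-SUPPLIER",
]


@dataclass
class Control:
    """One row of the control library, using the framework's elements."""
    control_id: str
    control: str                  # clear, concise statement written for the organization
    document_id: str
    document_description: str
    risk_description: str         # the risk this control is attributed to
    testing_requirements: str     # wording taken from the standard, used in the annual review
    # standard name -> requirement IDs of that standard this control satisfies
    standard_mapping: dict[str, list[str]] = field(default_factory=dict)
    test_frequency: str = ""      # empty until a testing schedule has been decided


CONTROLS = [
    Control("BCDR-01",
            "Each in-scope business unit maintains a Business Impact Analysis reviewed at least annually.",
            "DOC-BIA-001", "BIA template and completed analyses",
            "Recovery priorities are unknown during an incident",
            "Evidence that every in-scope unit has a BIA dated within the last 12 months",
            {"ISO 22301": ["REQ-BIA"], "NIST": ["N-REQ-1"]}, "annually"),
    Control("BCDR-02",
            "Each in-scope business unit maintains an approved Business Recovery Plan.",
            "DOC-BRP-001", "BRP template and approved plans",
            "Business functions cannot be resumed within tolerance",
            "Evidence of an approved plan per unit and of its annual review",
            {"ISO 22301": ["REQ-PLANS"], "FFIEC": ["F-REQ-1"]}, "annually"),
    Control("BCDR-03",
            "A full system failover exercise is performed twice a year with documented results.",
            "DOC-DR-010", "Failover exercise plans and after-action reports",
            "DR capability degrades unnoticed between incidents",
            "Exercise records showing two completed failovers per year and tracked findings",
            {"ISO 22301": ["REQ-EXERCISE"], "NIST": ["N-REQ-2"]}, "2 times a year"),
    Control("BCDR-04",
            "Emergency notification tool exercises are run for response teams.",
            "DOC-EN-002", "Notification exercise logs",
            "Response teams cannot be reached during an event",
            "Exercise logs per response team",
            {"NIST": ["N-REQ-3"]}),  # no chosen-standard mapping and no schedule yet
]


def gap_analysis(controls: list[Control], standard: str, requirements: list[str]) -> list[str]:
    """Requirement IDs of `standard` that no control in the library maps to."""
    covered: set[str] = set()
    for c in controls:
        covered.update(c.standard_mapping.get(standard, []))
    return sorted(set(requirements) - covered)


def controls_not_mapped_to(controls: list[Control], standard: str) -> list[str]:
    """Controls that claim no requirement of `standard`: a mapping to complete or a control to re-examine."""
    return [c.control_id for c in controls if not c.standard_mapping.get(standard)]


def controls_missing_test_schedule(controls: list[Control]) -> list[str]:
    """Controls for which the 'Determine testing schedules' step is still open."""
    return [c.control_id for c in controls if not c.test_frequency]


def alignment_matrix(controls: list[Control], standards: list[str]) -> dict[str, dict[str, bool]]:
    """Per control, which of the listed standards it maps to (the cross-standard alignment view)."""
    return {c.control_id: {s: bool(c.standard_mapping.get(s)) for s in standards} for c in controls}


if __name__ == "__main__":
    print("Unmet requirements:", gap_analysis(CONTROLS, CHOSEN_STANDARD, CHOSEN_STANDARD_REQUIREMENTS))
    print("Controls not mapped to chosen standard:", controls_not_mapped_to(CONTROLS, CHOSEN_STANDARD))
    print("Controls without a test schedule:", controls_missing_test_schedule(CONTROLS))
    for cid, row in alignment_matrix(CONTROLS, ["ISO 22301", "NIST", "FFIEC"]).items():
        print(cid, row)
```

The gap list is what drives the "write BC/DR controls based on where you want to be" step; the alignment matrix is the evidence of meeting other standards with the same control that the standard-mapping slide describes.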
What's Next: Company Decisions
- Ownership of controls
- Enterprise view of all controls: IT, Financial, Operational
- Tools for managing controls
- Staff considerations: who will review and maintain the department's controls
Final Considerations
- Operational controls are not new, but how we use them in BCM might be
- Risk is better addressed within an environment that has controls, and clear visibility of how risk is attributed to controls
- Having senior leadership buy-in is essential
- The regulatory landscape, changes and uncertainty
Contact Information
David Garland, Senior Director, Business Continuity Management
+1 212 299 2549
david.garland@cmegroup.com
www.cmegroup.com
@cmegroup #cmegroup
Thank You