THE PAYMENTS INSTITUTE · July 22-25, 2018 · Emory Conference Center Hotel, Emory University, Atlanta, Georgia

Nell Campbell-Drake, VP, Retail Payments Office, Federal Reserve Bank of Atlanta

Business Continuity: Are You in Shape to Handle that Unexpected Event?

Business Continuity - WesPay · 2018-09-18 · Business continuity management includes three key layers and a crisis communication process. Business Resumption Planning The process



2017 Data Breaches

• Malware found on servers that processed payments made at onsite restaurants and bars

• Weak point in website software that exposed sensitive data of over 143M consumers (i.e. social security numbers, driver’s license numbers)

• Exposed customer information in plain text on website (i.e. email addresses, phone numbers, IP addresses)

• Phishing scam seeking to gain access to accounts through a third party app

• IRS data retrieval tool hacked impacting approximately 100K taxpayers with personal information potentially stolen

© 2018 - Materials are not to be used without consent. 7


Content

• Business Continuity Management Process

• Components of Business Continuity Plan

• Getting Started

• Readiness Process

• Risk Assessment Process

• Key Indicators

• Social Media


Business continuity management includes three key layers and a crisis communication process.

• Business Resumption Planning: The process initiated to resume business operations to a level consistent with the business requirements.

• IT Disaster Recovery Planning: The recovery of information technology processes, systems, applications, databases, and network assets used to support critical business processes.

• Crisis Management: A series of actions taken to gain control of the event quickly to minimize the effects of an interruption and prepare for recovery.


Components of a Business Continuity Plan


So, what’s included in a business continuity plan?


• Overall Program

– Business Impact Assessment

– Threat and Risk Assessment

– Documentation Update Schedule

– Test/Training

– Follow-up/Action Items

• Business Resumption

– Business Resumption Plans

– Contact Lists

– Mock Exercises

– Alternate Site Contacts

– Technology

• IT Disaster Recovery

– IT Recovery Plans

– Contact Lists

– Disaster Recovery Strategy

– Disaster Recovery Test Scripts

• Crisis Management

– Crisis Management Team

– Crisis Management Plan

– Contact Lists

– Mock Exercises


A few supreme basics in a business continuity plan

• Succession plan for senior executives

• Location of evacuation plans

• Alternate means of communication

• Partnerships with local emergency response teams

• List of critical equipment, vital records and back-up data location(s)

• List of vendors/suppliers, along with emergency contact information


Getting a Business Continuity Plan Started


How to get started in creating a business continuity plan

• Business Impact Analysis: Identifies the organization’s most crucial systems and processes and the effect a service disruption will have on the business

• Mission Statement: Defines the organization’s focus in handling key business matters during disruptions from man-made to natural disasters


Business Impact Analysis

THREE key steps in completing a Business Impact Analysis

Step 1: Identify the business activities of your organization

Step 2: For each activity, assess what the realistic timeframe is before there would be an impact if the activity could not be performed

Step 3: For each activity, assess what the realistic impact is against prescribed factors if that activity could not be performed


Mission Statement

FOUR questions to help in creating a great Mission Statement

1. What do we do?

2. How do we do it?

3. Whom do we do it for?

4. What value are we bringing?


Readiness and In Action


The Four “P’s in a Pod” to readiness

• Planning

– Coordinator

– Impact Analysis

– Impact Needs

– File Back-Up

– Trigger Points

• People

– Communication

– Employee Welfare

– Education

• Partnerships

– Business Partner

– Community Partner

• Practice

– Test, Test, Test


Readiness points for “Back in Action”

Planning

• Network Recovery Timeline

• Equipment

• Alternate Location

• Emergency Center

• Work Area

• Mobile Site

• Recovery Time

• Recovery Point


A Look into the Risk Assessment Process in Creating a Business Continuity Plan


Risk Factors

Potential Enterprise Risk Factors:

• Operational risk

• Revenue risk

• Systemic risk

• Technical risk

• Reputational risk

• Goodwill risk

• Personal safety risk


Risk Factors

External factors that can potentially create “Enterprise Risks”:

• Natural disasters

• Failure of business partners

• Vendor/supplier debacles

• Public utility challenges

• Transportation problems

• Telecommunication challenges

Nooooooo….


Key Indicators and Their Importance in the Planning Process


KPI versus KRI

Performance and Risk indicators are key components of business continuity management processes to aid in establishing specific metrics for analyzing a credible business continuity/disaster recovery plan.

• Key Performance Indicators (KPI) – measures how well something is being done

• Key Risk Indicators (KRI) – measures possibility of future adverse impacts


Components of the KRI process

Key Risk Indicator - KRI

• Disruptors

– Technology

– Demographics

– Regulatory

– Operational

• Categories of Risks

– Strategic: Demand shortfalls, Competition, Management change, Regulation

– Operational: IT issues, Supply-chain issues, Employee fraud, Non-compliance

– External: Weather issues, Partnership issues, Legal matters, Industry crises

– Financial: Asset losses, Liquidity crises, High interest rates, Improper forecasting


Is there really a need to test the plan?

Objectives for testing the plan:

1. Familiarize staff with content of the plan

2. Evaluate the clarity of the plan

3. Ensure details of the plan are accurate

4. Identify any vulnerabilities

5. Ensure external stakeholders are familiar with components of the plan

6. Ensure resources stored off-site are accurate and sufficient

7. PRACTICE MAKES PERFECT!

People · Process · Technology


Social Media Component


Role of social media in business continuity

• Social Media Uses

– Marketing and advertising

– Customer support

– Press communications

– Employee communications

– Information gathering

• What to include

– Goals for social media

– Social media recovery guidelines

– Success measurements


Key points for engagement in social media

• Identify community/platforms of interest

• Listen to the conversation

• Identify influencers, ambassadors and advocates

• Identify adversaries and critics

• Look for cycles, patterns and keywords


Wrap-Up: Lifecycle


Here’s a LIFECYCLE to remember!

• Know Your Business: Assessment

• Develop Your Plan: Planning

• Implement Your Plan: Execution

• Maintain Your Plan: Practice


So, get ready to stay ready!

Make, Wait or Wonder – it’s your call!
