Business Continuity Management & Disaster Recovery Programs
BlackRock views Business Continuity Management ("BCM") and technology Disaster Recovery ("DR") as a critical and fundamental part of its ability to fulfill its fiduciary responsibilities to clients. As such, significant resources and effort are dedicated to the program.
BlackRock maintains business continuity and crisis response plans to facilitate the continuity of business in the event of a significant business disruption. BlackRock’s executive management is responsible for oversight of the firm’s BCM program, supported by the Business Continuity Management group, which manages the program.
In order to maintain a resilient information technology (IT) environment, the Disaster Recovery (DR) program has developed a strategy for near zero downtime and near zero data loss for all applications that support critical business processes as defined by the Business Continuity Management (BCM) Program. BlackRock employs a full-time Disaster Recovery Manager to oversee its recovery program and ensure consistency across its global operation.
BlackRock’s Business Continuity Management/Disaster Recovery programs have several key elements, including:
- Planning
- Training and Awareness
- Exercises and Testing
- Technology Processes
- Third Party Resiliency
Planning
There are five main areas of focus that comprise the BCM/DR planning that BlackRock performs:
- Business Impact Analysis: The Business Impact Analysis (BIA) methodology is designed to assess both financial and non-financial impacts of a critical process on the business. Each department periodically reviews and updates their business continuity needs through a formal Business Impact Analysis template, managed by the Business Continuity Management team. The results of this process are used to perform a "gap analysis" to identify potential areas of improvement within Business Resumption Plans (BRPs). The appropriate groups address any significant gaps and revise the BRP as appropriate.
- Business Resumption Planning: Business Resumption Plans ("BRPs") are procedures designed to recover specific critical processes in support of continuity of operations in the event of a business disruption. These include recovery strategies for personnel, data, communications, information processing, and facilities. Recovery Time Objectives (RTOs) are created for all critical business functions and services, and are validated through annual exercise requirements. All BRPs are updated annually, or more often if conditions warrant, and are included in each department's overall Business Continuity Plan (BCP).
- Disaster Recovery Plans: Datacenter Recovery Plans incorporate the failover strategy and are comprehensive enough to recover from a catastrophic event affecting a data center facility yet modular enough to recover from the loss of a single server. The key elements of the Datacenter Recovery Plans include:
  - Communication Plan that identifies how personnel will be engaged when an event occurs as well as the frequency and method of communicating information and progress concerning the event.
  - Incident Management Plan that includes information for establishing and maintaining a command center, the responsibilities of the management team as well as a methodology for decision making and escalation.
  - Recovery Team Plans that document the requirements and processes that are needed to failover each application to an alternate processing site.
- Pandemic Policy: Under ownership of Human Resources, the global pandemic policy is implemented at the local/regional levels to provide country and cultural considerations when responding to a pandemic event. A pandemic response framework addresses supplies, cleaning, social distancing strategies and crisis management response triggers.
- Response Planning: In addition to department-level planning, BlackRock has a program devoted to response planning which includes a full-featured Crisis Management framework. BlackRock recognizes that communication is crucial for effective Crisis Management, and has implemented the following tools:
  - Crisis Management Call Lists that include key global and regional business heads;
  - An automated crisis notification system that can broadcast messages to designated staff in the event of a crisis. The notifications are sent via email, work and personal phones, and SMS;
  - Employee Status Lines and Emergency Websites to provide staff updates;
  - Employee emergency pocket cards that contain procedures for employee evacuation, assembly, check-in and communication.
Training and Awareness
BlackRock uses several methods to keep employees aware of the critical role that they play in preparing for and responding to potential business disruptions. Primary methods used include mandatory annual on-line training, distribution of emergency pocket cards to all personnel, business recovery exercises, crisis management training and exercises, periodic educational intranet articles and periodic e-mails. Furthermore, BlackRock uses the recovery tests as a method to ensure all personnel are prepared should a catastrophic event occur. Testing support is rotated among the staff so that everyone has an opportunity to participate each year. As part of the planning for each test the Disaster Recovery Manager conducts a series of meetings to:
- Ensure each participant is aware of his responsibilities at time of recovery
- Conduct a plan walkthrough to review the timing and dependencies
- Complete a readiness assessment to validate that each participant, recovery plan and process are ready for recovery
Exercises & Testing
BlackRock exercises its Business Continuity Plans to ensure the procedures for recovering business operations are appropriate, and to ensure that key personnel are competent with documented procedures. Similarly, facilities-based testing is conducted with BCM participation. Broadly, the firm requires:
- Remote Access (e.g., work from home);
- Alternative location exercises (e.g., work area recovery);
- System fail-over testing, including external vendors where appropriate;
- Evacuation drills, notification system tests and periodic generator tests.
Exercise results are documented and reviewed with all involved participants following each exercise. Recommendations for improvements to the recovery process are identified, required corrective action clearly defined and assigned to the appropriate personnel. These actions are tracked, completed and documented as appropriate.
BlackRock's technology testing strategy includes an annual simulation of a catastrophic event for each of its datacenters that requires the full execution of all Disaster Recovery Plans. DR tests are managed from a command center with full participation of all DR teams. Each DR team follows its plan step by step to validate the plan, make any necessary updates and record the actual recovery time. A Post Mortem report is completed following each test to:
- Identify all Lessons Learned
- Resolve all Issues
- Validate the Recovery Time Objectives
Technology Processes
BlackRock emphasizes the need for reliable and repeatable technology processes. These processes are documented to a level of detail that allows execution by a person with skills in the appropriate technical discipline. Standards have been established to review and update each process as a result of:
- Application Releases
- Change Management
- Validation Reviews
Third-Party Resiliency
One of the key components of the BCM planning process is our supplier management framework, which includes periodic reviews of the business continuity programs for key service providers. Risk assessments are used to determine the criticality of each service provider. For the most critical service providers, BlackRock conducts targeted reviews and evaluations of BCM plans and, where appropriate, on-site visits.
Last revised: March 2011
