The importance of business continuity in times of operational risk

October 04, 2016

As the chief risk officer for OCC, I can tell you that business continuity is high on our operational risk list. It is important that we do this right in our role as a foundation for secure markets.

In 2003, a lot of financial services companies had their primary sites in Manhattan and their back-up sites in New Jersey. We learned a lesson from the 2003 blackout that the industry had to be more dispersed geographically and that we had to be able to function remotely. In 2011, when an ice storm hit Dallas during the week of the Super Bowl, and at the same time Chicago had a snow blizzard that resulted in people and cars stranded on Lake Shore Drive, OCC had 85 percent of its team operating remotely in both locations, providing uninterrupted service for market participants. That exercise worked well and market participants were served, but it is something we always have to work on and stay on top of in order to meet our mission of promoting stability and market integrity through effective and efficient clearance, settlement and risk management services.

At OCC, we conduct coordinated testing of our own business continuity and disaster recovery plans with those of our partner exchanges and the clearing member firms that make up the top 80 percent of options trading volume. We also expect all of our clearing members, exchanges, and Tier 1 service providers to maintain their own business continuity plans. Our scenario-analysis program covers problems from sudden market events to a fire breaking out at a computer facility.

It is very important for OCC to develop, maintain, and constantly monitor our contingency action plans. We have to continually ask ourselves: What are the risks? How do we handle a catastrophic event? What are the probabilities that it's going to happen, and what are the alternatives?

Our business continuity strategy is built on several key characteristics, such as substantial geographic separation between processing sites, a two-hour recovery goal for critical infrastructure, and working with third-party service providers, exchanges and critical clearing members to foster sector preparedness.

We also conduct internal business continuity testing and we participate in industry-wide business continuity tests. Every year we develop a business continuity/disaster recovery test plan focusing on high-risk areas based on the risk and control self-assessment results, critical areas of system processing, significant changes to the infrastructure and industry exercises for OCC participation.

Going forward, we intend to add employees to our risk function over the next two years to ensure that OCC has the resources necessary to develop policies, procedures, internal controls and testing and validation capabilities. Part of this increased headcount is attributable to our decision to adopt the three lines of defense model. This includes operational managers who own and manage risk, enterprise risk management and compliance functions to build and monitor the first line of defense controls, and internal auditors who provide the board of directors and management with independent assurance.