CONFIDENTIAL

Resiliency plans supporting critical business processes are updated annually or when there are significant changes in the environment. Plan maintenance sessions are typically one-on-one sessions, with the business unit, to formally review all aspects of the resiliency plan and make updates as necessary. Where applicable, we educate each shift of the general employee population on how to respond to an event at their facility, in addition to the employees that will be directly involved with a recovery effort.

In addition, J.P. Morgan has a formal, centrally managed, validation process to evaluate the adequacy of security, disaster recovery and business continuity controls in place at critical vendors. A critical vendor is described as one who provides a unique, time critical service that is not easily reproduced or replaceable.

Business Resiliency plans are subject to reviews by J.P. Morgan's Internal Audit Department and the Resiliency Risk Management group, which acts as the firm's governing body for Business Resiliency measures. The plans must address and comply with documented organizational requirements. All findings are escalated to the business units, Risk Management and division executive for review.

Event Management, Escalation and Response

J.P. Morgan has regional crisis management teams in place to address emerging risks and respond to actual recovery issues. Within each line of business, a crisis management framework is in place to manage business units and customers through a potential or actual business interruption event. This process is tested on a regular basis and has been successfully used to manage through a multitude of planned and unplanned events including hurricanes, floods, snowstorms, terrorist attacks, technology interruptions and power outages. The following areas are addressed:

- Notification of employees and activation of the plan
- Damage assessment of facility, technology and work-in-progress
- Evaluation and impact of established service level agreements
- Communication with key support providers and customers
- Recovery of work-in-progress
- Recovery site activation
- Impact on support groups and interdependent processes
- Movement of work and people
- Business unit and technology recovery
- Restoration of the process back to the original production location

J.P. Morgan is a large, geographically dispersed financial institution with the ability to manage complex events. Two-way pagers, e-mail, instant messaging, and teleconference bridge lines are used to communicate and coordinate activities across all business units and support groups.

In an actual business disruption, it can be critical to determine accurately the extent of damage and the resources required to resume and maintain operations. Damage Assessment is comprised of three components, coordinated by groups knowledgeable in their established discipline: the Facilities and Critical Infrastructure Group evaluates the facility and select supporting infrastructure; business unit management evaluates the impact of in-progress and expected workload and determines the appropriate level of response; Global Technology Infrastructure evaluates the impact on electronic equipment, including computers, network and servers.