GE Capital International
Transcription

Business Continuity Management: Business needs, innovation and regulatory requirements
Pier Luigi Culazzo, Sourcing & BCM Leader, GE Capital International
Agenda
1. Introduction: GE & GE Capital International
2. Business Continuity in today’s environment
3. Balance innovation and Regulatory Readiness
4. Q&A
Innovation for over 130 years
Our business units (share of revenue / 2012 revenue):
• Energy Management: 5% / $7.4 B
• Healthcare: 12% / $18.3 B
• Capital: 31% / $46.0 B
• Oil & Gas: 10% / $15.2 B
• Aviation: 14% / $20.0 B
• Home & Business Solutions: 5% / $8.0 B
• Power & Water: 19% / $28.3 B
• Transportation: 4% / $5.6 B
~$147.4 Billion revenue in 2012; $16.1 B operating earnings
GE around the world
2012 revenues by region:
• Europe: $27.4 B
• U.S.: $70.4 B
• Asia Pacific: $24.5 B
• Middle East, Africa & Others; Canada & The Americas: $11.9 B and $13.2 B
2012 revenues total $147.4 billion with about 304,000 employees.
Notes: (1) Includes U.S. exports to external customers. (2) Includes ~$5B from “Other Global” areas.
April 2013
GE Capital International
~27k employees; ’12 Revenue: $12B; ’12 ENI: $137B (financials: 2012 actuals)
Platforms:
• Commercial Lending and Leasing: middle market lending & leasing, $57B ENI
• Banks and Consumer Finance: consumer & retail financing, $40B ENI
• Strategic Ventures: strategic partnerships; new markets, $7B ENI
• Restructuring Platforms: consumer, mortgages and corporate lending, $33B ENI
Unique positioning:
• Broad geographic reach
• Access GE
• Deep industry knowledge
• Financial strength
• Market leading products
• Domain expertise
• Strong risk management
• Great sales force
My Role and My Profile
2013 - present, GE Capital International, UK (~$137B assets, ~27,000 employees, ~1,000 bank branches)
• Responsible for BCP, Crisis Management, Physical Security, Sourcing & Supplier Risk Management
2011-2012 GE Capital EMEA, UK
• BCM & Security Leader to develop the BCM program for Europe
• Developed key relationships with peer companies & regulators
• Key project: preparing the business for the London Olympics
• Completed DRII CBCP certification
2010-2011 GE Capital Global Banking, UK (~$67B asset international banking business)
• Operational Governance Leader. Obtained DRII ABCP certification for BCM
2007-2010 BBKGE, Spain
• Launched new JV between GE Money Spain & BBK, one of the biggest savings banks in Spain
• Appointed CFO & Chief Compliance Officer, leading finance, HR, compliance and pricing
• Member of the BBKGE Steering Committee.
2005-2006 GE Money, Mexico
• Grew Auto business as CFO
• Partnered with CEO to restructure the Sales area
2001-2006 GE Money, Italy
• Started in the FP&A area, moved to Sales in '03 leading Sales Operations & Development
• Completed both Black Belt & Master Black Belt Six Sigma certifications
• GE operates in more than 150 countries…
• GE employees take more than one million international trips annually
• Major natural disasters occur at least 25 times a year globally
Events on the slide’s world map: Norway bombing/shootings; Mississippi River flooding; 2011 winter storms; Texas fires; Hurricane Irene; supply chain breach: U.S./Mexico border; Mexico drug violence; Chile earthquake; Brazil: 2010 civil unrest; North/South Korea tensions 2010; London riots; weather related disasters; Japan: 2010 natural, man-made disaster; Haiti earthquake; oil spill, Gulf of Mexico; 2010 Nigeria possible kidnapping; Thailand: 2009 political upheaval; Bin Laden killed; Middle East awakening: Egypt, Libya, Tunisia, Bahrain; natural disasters: Australia flooding Dec. 2010; earthquake.
Simultaneous Bomb Attacks on London Tube
Unidentified suicide bombers conduct three simultaneous bombings at South Kensington, Canary Wharf and St. Pancras stations, during peak rush hour traffic. The following is what you can likely expect:
• London Underground is shut down – thousands stranded.
• Surface street traffic becomes a massive traffic jam & traversing the city becomes mission impossible.
• Each station becomes a rescue, recovery and crime scene.
• Police, fire, ambulance, media, etc. all descend on each bomb site.
• Dozens are killed, hundreds are injured – Police, Fire and hospitals are overwhelmed.
• Numerous fires erupt at each bomb site – all emergency response units are operating at full capacity, code RED.
• Power outages are reported throughout the city.
• Cell phone providers report system failures – each resorts to a call prioritization strategy.
• London Airports (Heathrow, Gatwick & London City) are all closed as a precautionary measure.
• Massive investigation ensues to identify suicide bombers, potential confederates and assess extent of plot – is the threat over? Is there more to come?
• The city of London is essentially shut down.
• Officials discuss suspension of Olympics.
BCM, external Comms & Social Media
BCM / program governance
All Risk Management (RM) Programs require a formal governance structure. The structure should provide the framework for the execution of the program, an oversight function to ensure the effectiveness of the program, and a mechanism to validate the program. To accomplish this, the GECC Ops RM Program has incorporated the following three lines of oversight.
• BCM / Supplier Functional Management within the BU Platforms
  • Business Units are charged with implementing the program and providing day-to-day oversight.
• Governance, Management and Oversight, BCM, Sourcing, and Functional Specialists
  • These groups and specialists are charged with ensuring the GECC RM Program effectively identifies, measures, monitors, and controls the risks associated with BC / Suppliers, both on an individual basis as well as at an enterprise level.
• GE Global Audit (Corporate Audit Staff / Internal Audit)
  • CAS/IA is charged with providing testing methodologies that will provide validation of the program’s implementation and effectiveness.
COO update, September / October 2012
Business Continuity Program Structure (lines of defense, as diagrammed on the slide)
3: GE Global Audit (CAS/IA)
2: Governance, Management & Oversight: GE Risk Committee – GECC Board; ORMC; GECC COO; ERMC; GECC Program Office; SRMP COE. Functional Specialists / Functional Support: Compliance - Crisis Management; Sourcing - IT/DR; Operational Risk Management; Supervisory Affairs; HR/myLearning; IT Security/Compliance/Privacy; BCP/DR; Finance/Legal; Compliance/PMO; Legal/Regulatory Affairs; Compliance/Policies
1: Business Unit / Functional Management: SRMC; ORM; Sourcing; Procurement Infrastructure; BC Program; Risk Management
Our BCM Program Structure
• BC Policy
• Maintenance
• Executive BIA
• Detailed BIA
• Risk Assessment
• BC Strategy
• Continuity Plans: Crisis Management Plan; Emergency Response Plan; BU Business Continuity Plan; IT Disaster Recovery Plan
• Testing & Awareness: Test Plan; Test Reports; Awareness Program
Information Technology
Establish an operating rhythm for aligning IT DR expectations.

| Owner | Primary Data Centre | Application Name | RPO (hrs) | RTO (hrs) Contracted / Agreed | RTO (hrs) Achieved Last test | Adequate DR Infrastructure in place? | Written DR Plan in place? | DR Procedure tested? | Last DR Test Date |
| UK | London | Application A | 24 hours | 4 hours | 8 hours | yes | yes | yes | 11-Jun-09 |
| UK | London | Application B | 48 hours | 48 hours | 48 hours | yes | yes | yes | 1-Nov-10 |
| FR | Paris | Application M | N/A | 4 hours | N/A | No | No | No | No |
| IT | Milan | Application Q | 24 hours | 4 hours | 48 hours | yes | yes | yes | 1-Nov-10 |
| IT | Milan | Application R | 1 hour | 10 hours | 2 hours | yes | yes | yes | 1-Mar-10 |
| UK | London | Application V | 24 hours | 8 hours | 48 hours | yes | yes | yes | 1-May-11 |
| UK | London | Application H | 1 hour | 8 hours | 8 hours | yes | yes | yes | 1-May-11 |
| FR | Paris | Application G | 24 hours | 48 hours | N/A | yes | yes | No | No |
| IT | London | Application F | 24 hours | 8 hours | 48 hours | yes | yes | yes | 1-May-11 |
Invest in quality reporting on IT DR
DR test timeline, 10/04/2010 08:00 to 11/04/2010 00:00:
Apps 1
• 08:00 - 08:30 PREP; 12:20 - 13:50 PREP (Preparation Apps 1 = 5h 50min, 08:00 - 13:50)
• 14:51 - 16:30 SWITCH
• 16:30 - 19:30 TESTING
• RTO Apps 1 = 4h 40min (15:00 - 19:30)
Apps 2
• 08:00 - 12:20 PREP (Preparation Apps 2 = 5h 20min)
• 12:20 - 15:45 SWITCH
• 15:45 - 22:15 Issue
• 22:15 - 22:30 TESTING
• RTO Apps 2 = 10h 10min (12:20 - 22:30)
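The DR status table and the test timeline above are the inputs to the operating rhythm the slides call for. As an added example (not part of the presentation), the following Python script assesses each row of the status table against its agreed RTO, plan and test status, and computes the achieved RTO from the phases of a test run; the review date, the yearly re-test cadence and the gap wording are assumptions.

```python
from datetime import date, datetime

# Constructed data, transcribed from the IT DR reporting table on the slide.
# Hours as ints, None where the slide says N/A; flags: infra, plan, tested.
DR_REPORT = [
    # owner, data centre, app, RPO, RTO agreed, RTO achieved, infra, plan, tested, last test
    ("UK", "London", "Application A", 24, 4, 8, True, True, True, "11-Jun-09"),
    ("UK", "London", "Application B", 48, 48, 48, True, True, True, "1-Nov-10"),
    ("FR", "Paris", "Application M", None, 4, None, False, False, False, None),
    ("IT", "Milan", "Application Q", 24, 4, 48, True, True, True, "1-Nov-10"),
    ("IT", "Milan", "Application R", 1, 10, 2, True, True, True, "1-Mar-10"),
    ("UK", "London", "Application V", 24, 8, 48, True, True, True, "1-May-11"),
    ("UK", "London", "Application H", 1, 8, 8, True, True, True, "1-May-11"),
    ("FR", "Paris", "Application G", 24, 48, None, True, True, False, None),
    ("IT", "London", "Application F", 24, 8, 48, True, True, True, "1-May-11"),
]
AS_OF = date(2012, 10, 1)  # assumed review date (the deck's COO update is Sept/Oct 2012)

def assess(row, as_of=AS_OF, max_test_age_days=365):
    """Return the gaps a DR reviewer would raise for one row; an empty list means green."""
    _, _, _, rpo, rto_agreed, rto_achieved, infra, plan, tested, last_test = row
    gaps = []
    if not infra:
        gaps.append("no adequate DR infrastructure")
    if not plan:
        gaps.append("no written DR plan")
    if not tested:
        gaps.append("DR procedure never tested")
    elif rto_achieved is not None and rto_achieved > rto_agreed:
        gaps.append(f"achieved RTO {rto_achieved}h exceeds agreed {rto_agreed}h")
    if rpo is None:
        gaps.append("RPO not agreed")
    if last_test:  # yearly re-test cadence is an assumption, not stated on the slide
        age = (as_of - datetime.strptime(last_test, "%d-%b-%y").date()).days
        if age > max_test_age_days:
            gaps.append(f"last DR test {age} days old")
    return gaps

def dr_gap_report(rows=DR_REPORT, as_of=AS_OF):
    """Application name -> gaps: the substance of an IT DR status report."""
    return {row[2]: assess(row, as_of) for row in rows}

# The achieved RTO is what the test timeline slide measures: elapsed time from the
# start of SWITCH to the end of TESTING, issue-resolution time included.
def achieved_rto_minutes(phases):
    """phases: ordered (name, 'HH:MM', 'HH:MM') tuples for a test run within one day."""
    clock = lambda hhmm: datetime.strptime(hhmm, "%H:%M")
    start = next(clock(s) for name, s, _ in phases if name == "SWITCH")
    end = max(clock(e) for name, _, e in phases if name != "PREP")
    return int((end - start).total_seconds() // 60)

# Constructed from the "Apps 2" bars on the timeline slide: SWITCH 12:20, TESTING ends 22:30.
APPS2_PHASES = [("PREP", "08:00", "12:20"), ("SWITCH", "12:20", "15:45"),
                ("Issue", "15:45", "22:15"), ("TESTING", "22:15", "22:30")]
```

Running `dr_gap_report()` flags every application except none of them as green at the assumed date, which is the point of the reporting slide: a table that only records "yes" in the tested column still hides RTO misses and stale tests.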
Sourcing & Purchase
• What is the impact of a TP service outage?
• What can we do to quickly recover services?
Options: do it yourself; switch to an alternative supplier; rely on the BC-DR capabilities of your TP; establish BC-CM agreements & reviews.
Recovery Strategy: Work from Home Validation (Work from home – 30th May)
Scope & Objectives
Scope
• GE Capital: Ark, Throgmorton, Hounslow, Reigate
• Employees with VPN accounts & tokens and GE laptops
• One full day with three pre-agreed times to logon and off
Objectives
• Validate work from home as a ‘continuity’ strategy / option
• Identify alternative / additional strategies (if necessary)
• Raise awareness (through exercising) of business continuity options
• ‘Stress test’ VPN capability
• Identify VPN contention / load issues
Planning & Prep
Preparation
• BCM & ITDR Leaders - EMEA HQ (planning, implementation & reporting)
• GEC Corporate IT – Olympics (VPN capability, ‘how to’ guidelines)
• GE Capital EMEA & EMRG Internal Comms (intranet, survey, awareness)
• EMEA SLT & EMRG ERMC (sponsorship & approval)
Planning
• Identify suitable dates & target participants / locations
• Obtain SLT & ERMC approval
• Prepare communications to Function & Business leaders
• Develop guidelines for participants to pre-check VPN accounts
• Communicate the date to employees & establish participation levels
• Audit of VPN account & token holders
• Pre-prepare IT Helpdesk & adjust helpdesk scripts
• Prepare survey to measure results / employee experience
Work from home – the day (30th May)
Operating Rhythm
• Logon ‘touch points’ at 09:00, 12:00, 16:00
Measures
• IT: business as usual VPN monitoring extended to focus on ‘touch points’ to measure VPN behaviours
• SSO Survey: Work from home strategy validation: suitability & sustainability for participants
Lessons so far (this will expand)
Communications
• InsideGE not most effective means of communicating to mass audience
• Email distribution lists not complete
VPN Accounts
• No process for regular review and validation of accounts
• Additional options may exist for use of ‘home PC’ with temporary VPN token (being trialled)
WFH Strategy
• Referred to as a strategy by many but practicalities, sustainability & risks not yet understood
Post Exercise (to consider)
Other Continuity Options
• Hot Desks at GE locations around London in the event of home ‘internet’ issues
• Pre-allocated desks at GE locations for ‘office’ based employees in critical roles
HR Policies
• Occupational Health & home working guidelines (indemnities)
Communications
• Formalised ‘all occupant’ distribution lists & agreed communication channels
Work From Home Day May 30th
Setting The Scene
• Objective: validate work from home as a viable ‘continuity’ strategy / option, raise awareness of business continuity options through exercising, ‘stress test’ VPN servers & identify any VPN contention or load balancing issues
• Scope: Ark - GE Capital EMEA & EMRG, CFB, WCS, Capital UK, GE Asset Management; Throgmorton – CFB; Hounslow Cap UK employees scheduled to move to the Ark
• Approach: participants required to validate VPN tokens in advance of the day to resolve any immediate issues and on the day to logon and off at pre-determined times
• Priorities: validate viability & sustainability of WFH strategy; prove load balancing & capacity of VPN servers
Exercise Day Experience
• 881 GE Capital EMEA & EMRG users in scope
• 23 calls to IT helpdesk
  • 6 VPN token related
  • 1 softphone issue
  • 3 application interface & laptop setup issues
  • 13 business as usual issues e.g. password resets, application installation / removal, ‘user’ errors
• No contention issues registered & load balancing worked between London & Amsterdam VPN servers
• WFH is only a short term (days) option for some participants
Learning During Exercise Preparation / Action Plan & Next Steps
• Communication tools: emails reach target audience more effectively than InsideGE & equivalent
• Formalise: distribution lists & ‘crisis’ communication channels for use in a crisis & exercise preparation
• VPN accounts & tokens: no process for regular review & validation of VPN accounts, tokens & token expiry dates
• Maintain: oversight of VPN accounts, tokens & their expiry dates
• VPN user guide: preparation of a ‘how to’ guide was critical to ensuring participants knew how to access networks remotely
• Facilitate: annual work from home day to maintain awareness and to revalidate strategy & guidance document
• VPN server capacity: GE Capital has a ‘cap’ on concurrent users
• Internet service providers: tariffs / service options will determine quality of remote working experience e.g. speed of connection & downloads
• VPN servers: increased to triple concurrent user capability
• Identify: alternative options to home working in the event of unreliable home internet services e.g. bookable hot desks at GE locations around London
3rd party CM simulation
1 full day simulation and training involving:
• The Ark CM team
• Representative from each business
• Representative from each critical function
• Olympics focus
• Independent assessment/recommendations
• Documentation/DVD provided
Crisis Management Drill (The Ark)
Setting The Scene
• Objective: test the Crisis Management plan for The Ark and identify critical gaps to be resolved before the Olympics.
• Scope: the following businesses have been represented during this drill: GGO, all GE Cap biz., GRES.
• Approach: table top drill with participation of key leaders and representatives of the businesses mentioned above.
• Priorities: emphasis should be placed on the following areas: team response, engagement, communication, BC invocation/declaration.
Event highlights
• Good participation of the different GE tenants at the Ark.
• A lot of added value because of the participation of a Senior Executive and the GE Corporate Security Officer.
• The break-out session highlighted the different levels of Crisis Mgmt planning of the various businesses and allowed leveraging & sharing knowledge between the SMEs.
• The ENS is a powerful system, but the NotiFind system showed areas for improvement and the Corporate system (AlertFind) was not activated during the drill.
• The participants agreed on the roles & responsibilities of the Ark Site Crisis Team.
Key gaps identified
• No alternative evacuation assembly area in case the flyover is not accessible.
• No alternative command centre if The Ark or Novotel are not available.
• Emergency Response plan out of date.
• No sleep-over arrangements at The Ark.
• No easily available badge system list of employees who entered the building.
• Missing liaison with the Travel Desk and no list of people travelling in and out of London.
• No Crisis Mgt Inbox.
Action Plan & Next Steps
• Ensure a documented Crisis Mgmt Executive Decision Making process.
• Reinforce communications across businesses on key CM arrangements before the Olympics.
• Update the Site Crisis Mgt Plan to reflect the solutions to the identified gaps.
• Conduct an Olympic-focussed X-biz. Crisis Mgt exercise, facilitated by an independent third party and with Senior Leadership support.
Emergency Notification Test May 9th
Setting The Scene
• Objective: test the newly implemented GE Capital Emergency Notification System “NotiFind” to account for all Capital staff & contractors.
• Scope targeted all Capital EE & contractors based in Hounslow (216) & the Ark (747). The GGO tool accounts for non-Capital EE at the Ark.
• Approach: NotiFind used the work mobile phone, SMS, email and fixed work phone from O-HR to contact people.
• A communication plan was rolled out to remind people to review & update O-HR data and to announce the test.
What is the Outcome?
• 73% (Hounslow) and 79% (The Ark) of people were accounted for in a 3 hour timespan.
• No SMS was sent due to a NotiFind software malfunction with the 2-way SMS functionality.
• 50% of telephone numbers in O-HR were in an incorrect format and hence could not be used by NotiFind.
• The work mobile had a ~50% acknowledgement rate and the email ~75%.
What Have We Learnt? / Action Plan & Next Steps
• O-HR telephone contact details need to be reviewed & updated and, if possible, a technical workaround investigated.
• Organize a second NotiFind test for the Ark & Hounslow before the London Olympics (June 2012) targeting +90% acknowledgement.
• The 2-way SMS needs to be fixed by the NotiFind provider.
• The NotiFind interactive tracking & reporting capabilities need to be improved by the provider.
• Using two tools (AlertFind & NotiFind) to account for all staff & contractors at the Ark will be difficult to manage.
• Use exception lists to remind people to update their O-HR data into the correct format.
• Link with the provider and fix the NotiFind 2-way SMS & reporting capabilities.
• Investigate the use of a single, functioning, emergency notification tool for all EE & contractors at the Ark.
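The exception list the action plan asks for can be produced before the next test rather than discovered during it. As an added example (not from the presentation or from NotiFind), the Python below normalises HR phone entries to one format and returns the entries that cannot be normalised; the E.164 target format, the country code table and the sample records are assumptions.

```python
import re

# Assumption, not stated on the slide: the notification tool needs numbers in E.164
# form (+<country code><number>, 8 to 15 digits). Countries are those on the DR slide.
COUNTRY_CODES = {"UK": "44", "FR": "33", "IT": "39"}

def normalise_e164(raw, country):
    """Return the E.164 form of an HR phone entry, or None if it cannot be normalised safely."""
    text = re.sub(r"\(0\)", "", raw)            # "+44 (0)7700 ..." style trunk digit
    digits = re.sub(r"[\s().\-]", "", text)
    if digits.startswith("00"):                 # international 00 prefix
        digits = "+" + digits[2:]
    if digits.startswith("+"):
        body = digits[1:]
    elif digits.startswith("0") and country in COUNTRY_CODES:
        body = COUNTRY_CODES[country] + digits[1:]   # national trunk prefix replaced
    else:                                       # extension-only, or no recognisable prefix
        return None
    if not body.isdigit() or not 8 <= len(body) <= 15:
        return None
    return "+" + body

def build_exception_list(records):
    """records: (employee_id, country, raw_number). Returns (usable, exceptions):
    normalised numbers to load into the tool, and entries to chase for correction."""
    usable, exceptions = {}, []
    for emp, country, raw in records:
        e164 = normalise_e164(raw, country)
        if e164:
            usable[emp] = e164
        else:
            exceptions.append((emp, raw))
    return usable, exceptions

def unusable_share(records):
    """Fraction of entries the tool could not use (the slide reported ~50% for O-HR)."""
    _, exceptions = build_exception_list(records)
    return len(exceptions) / len(records)

# Constructed sample HR records; the values are illustrative, not real numbers.
SAMPLE_RECORDS = [
    ("E001", "UK", "07700 900123"),
    ("E002", "UK", "+44 (0)7700 900124"),
    ("E003", "UK", "ext 4421"),
    ("E004", "FR", "06 12 34 56 78"),
    ("E005", "IT", "0039 02 1234 5678"),
    ("E006", "UK", "7700 900125"),
]
```

Entries with no trunk or country prefix are deliberately not guessed at: an unreachable number in the exception list is cheaper than a wrong one in the call-out.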
Appendix
Executive Summary: Olympics preparation
Security, Business Continuity and Crisis Management
Build Awareness - Preparation
• HR Olympics guidelines / policies
• Traffic conditions during events
• Public transport options
• Flexible working hours
• Promote and train on work from home option
• Promote vacation schedules where possible
• Update ENS contact details
Enhanced Crisis Mgmt & Security
• X-biz. Ark Crisis Mgmt Task Force established
• Crisis management plans developed and Teams exercised
• Ark Site Security risk assessed
• Critical 3rd parties assessed
• Emergency Notification system tested
Business continuity planning
• Recovery strategies & BCPs in place for locations affected by the Olympics
• Whereabouts & capacity planning for “Critical” business processes
• “Work from home day” capabilities exercised
Communications Strategy
• Various communications with regards to the “Work From Home” test, the Emergency Notification tests, the representation on the HR Growth stand.
• Aiming for Senior Executive communication on the Olympic HR guidance and Manager Guide.
• Olympics Blog to be launched where daily updates on the travel impact to the GE Capital offices will be shared throughout the Olympic period.
• Senior Leadership information sharing sessions.