When it comes to business resiliency, preparation is key

Written by Elona Ruka-Wright, Chief Risk and Compliance Officer

Crises come in all forms, and the reality is no company is immune. From data breaches to acts of terror and everything in between, a robust business resiliency program is a company’s best chance for weathering any scenario.

When it comes to being crisis-ready, preparation is key. Processes are pre-established, best practices are put into place, and systems and controls are identified and stress-tested. But when a crisis occurs, there is no way to know exactly how everything will come together despite well-intentioned plans. So when Finastra was presented with the first-of-its-kind opportunity to put ourselves to the test at IBM’s X-Force Cyber Command Centers in London and Cambridge, Massachusetts, we jumped at the chance to exercise our plans and processes. We had buy-in from the top down, with members of our executive leadership team and functional experts spending a full day being thrown into a crisis and reacting in real time.

Our day started in London in IBM’s X-Force Cyber Command Centers, an impressive command center on wheels, with no idea of what to expect. The team, who now worked for an imagined company for the purpose of the exercise but retained their real-life roles, sat at desks in a room surrounded by screens showing stock price and social media sentiment. Within minutes, adrenaline was sent sky high. The first phone call revealed a potential data breach. Moments later, another revealed staff trapped in an elevator. The team worked quickly to determine the veracity of the claims and whether they were related or whether a “red herring” had been thrown into the mix. The team’s priority was to act fast to control the damage while calls kept coming in from customers and the press, all needing timely, accurate and reassuring responses.

As the day came to a close, the team was faced with perhaps its greatest challenge: the handoff. For a global company like Finastra, a crisis could be complex and far-reaching. As the Finastra team at IBM’s Cyber Range in Cambridge was coming online for the day, it was time to pass the baton. The team in London had to provide them with a complete overview of the situation, a comprehensive timeline of actions taken and the status of various issues, actions and open items. They required detailed information on where things stood to pick up where London was leaving off. And before the briefing was complete, the phones in Cambridge were ringing off the hook. It was a fun and challenging day for all team members, with a few “aha” moments and plenty of best practices and tips to incorporate into Finastra’s Business Resiliency programs.

“Financial services companies must ensure that they have the capabilities for a truly global incident response in place, as well as the ability to coordinate across multiple time zones and geographies,” said Gary B. Meshell, Global Sales and Business Development Leader, IBM. “This especially requires meticulous planning in view of the difference in regulations and laws in each locale.”

Three key takeaways of the day were:

Overcommunicate and document everything
Although there were two teams in separate locations during the exercise, many Finastra colleagues were able to be physically together in one location. It was easy to break into groups to handle tasks, then reconvene to provide updates. In reality, employees are scattered across the globe and located in dozens of offices. People need to understand their responsibility and feel empowered to act. And having staff spread out makes detailed documentation even more important. Timelines of incoming calls, breaking news, and actions taken are just some of the information that will be useful to colleagues in different locations and different time zones.

Trust in the process
Perhaps the biggest surprise was just how real this simulation would feel. From the beginning, it was a stressful environment with information coming from all angles, similar to a real-life, large-scale event. While it is important to act with urgency on the information at hand, having a plan in place where everyone knew their role helped break the response into manageable pieces and ensured that various tasks were being accomplished.

Practice, practice, practice
Practicing collaboration among team members and plan invocation is critical for building a resilient organization and response team, which is a top priority for Finastra. In order to continuously improve our preparedness capability, we need to build on the lessons learned and complete more exercises, just like this one. We will continue to focus on key scenarios and will practice, practice, practice!

The day provided something invaluable and something that couldn’t be done without the help of IBM: the opportunity to be challenged by a realistic crisis in a safe environment and test our plans and processes without facing a real-life catastrophe. Through a team of actors and state-of-the-art technology, IBM was able to create a scenario that encouraged the response teams to collaborate, respond and manage through a serious event over the course of the day, even spanning time zones.

At the end of the day, Finastra met the challenge head-on and left confident in our processes and preparation. People knew their roles, acted as a team, and responded swiftly. As intense as it was, it was just a simulation and we know that a real crisis would be even more challenging. The lessons learned are enabling us to evolve our processes and continue to strive for a more comprehensive Business Resiliency program.

You can read more about the exercise at IBM’s X-Force Cyber Command Centers from the IBM perspective at SecurityIntelligence.

Elona Ruka-Wright

Chief Risk and Compliance Officer

Elona heads up Finastra's global risk management and governance practices and is the company's key liaison with regulatory bodies and auditors.  

She is accountable for Finastra's Enterprise Risk Management framework, strategy and governance, as well as regulatory compliance, enterprise policy...
