Citigroup Business Continuity Planning Policies Manual
Version 3.2
August, 2002
Internal Use Only

Version Control Checklist

Version   Date                Person      Change
1.0       April 2002          Greg Gist   Draft of Policy
2.0       May 2002            Greg Gist   Revision to policy based on CoB Committee feedback
2.1       May 28, 2002        Greg Gist   Revision to policy based on feedback from Steve Bernstein
3.0       June 26, 2002       Greg Gist   Revision to policy based on feedback from Bob Druskin and CoB Committee
3.1       July 15, 2002       Greg Gist   Revision to policy based on second round of feedback from Steve Bernstein
3.2       August 25th, 2002   Greg Gist   Revision to policy based on feedback from Craig Hackett of the OCC

For Internal Use Only 9/23/02 12:52PM

To All Citigroup Employees:

The facilities and systems on which we rely to serve our clients and our critical internal processes can be affected by many unforeseen circumstances. These include the:

> Loss or limited access of personnel
> Loss or limited access of technology and infrastructure
> Loss or limited access of both

Business continuity planning is critical to be able to continue our activities from recovery sites with alternative equipment and functionality while maintaining a business-as-usual presence in the marketplace. Continuity planning is the responsibility of business managers (with support from technology areas including premises (CRS) and any other relevant groups). In addition, Business Continuity Planning (BCP) is a regulatory requirement.

The guidelines set forth in this policy apply to Citigroup worldwide and establish the framework for specific CoB policies. Any questions on BCP should be directed to Steven A. Bernstein (212.559.5621) in New York and your CoB Committee sector representative.

Robert Druskin, Chief Operations and Technology Officer
Steven A. Bernstein, Corporate Head of Business Continuity

Table of Contents

Subject
Introduction
  A. Mission Statement
  B. Objective of Business Continuity Planning
  C. Crisis Management
  D. Awareness Program
E. Business Continuity Organizational Framework
  Citigroup CoB Committee Policy
  CoB Committee Members
  Business Recovery Coordinators
Plan Policy
Testing Policy
Communications Policy
Vendor/Third Party Business Continuity Policy
Vital Records Policy
Reporting
Budget Requirements
Lessons Learned
Deviations from CoB Policy
CoB Key Risk Indicators (KRIs)
Business Interruption Risk Insurance
S. Review Policy (page 20)
Appendices (pages 21-39)
  (A) Citigroup CoB Committee
  Regulatory Information
  (B) FFIEC (page 23)
  (C) Federal Reserve Bank/OCC (pages 24-25)
  (D) CITMP-BCP (pages 26-27)
  (E) CoB Guidelines (pages 28-39)

CITMP-BCP: Citigroup Information Technology Management Policy on Business Continuity Planning. CITMP is the governing policy for all of Citigroup's technology management practices.

Introduction

A. Mission Statement

The Corporate Office of Business Continuity is chartered with:

> Facilitating the process of ensuring that business continuity plans have been established for each business and tested globally for each business, as well as
> Promoting business continuity awareness education.
> Creating and distributing policies and standards to be followed by each Citigroup business globally.

The focus of the Office of Business Continuity is:

> To ensure the safety of all Citigroup employees
> To ensure a comprehensive end-to-end, business-as-usual processing CoB capability for front offices, technology, operations and businesses as a whole
> To minimize the risk associated with a business interruption irrespective of cause, both internal and external.
> To standardize policies and procedures, where appropriate, across all Citigroup departments worldwide.
This manual documents the policies for the development, maintenance and testing of business continuity plans. These policies apply to Citigroup and its subsidiaries & affiliates (e.g. NSSB) both in the United States and globally. It is the role and responsibility of business management to provide oversight and ensure compliance with CoB policy. These policies and standards provide the framework for an effective business continuity program, and conform to the overall Citigroup Information Technology Management Policy (CITMP).

B. Objective of Business Continuity Planning

The purpose of a business continuity plan is:

> To predefine the resources and actions required to minimize losses that might otherwise result from a business interruption.
> To ensure a business-as-usual level of performance while in contingency mode
> To ensure the timely and orderly restoration of business activities.

Each business head is responsible for ensuring that his/her continuity plan adheres to the Business Continuity Planning Policies Manual established by the Head of Business Continuity, which includes the FFIEC (Federal Financial Institution Examination Council), SP-5 (See Appendix D) and other applicable guidelines. Each business head must also ensure they are in compliance with local laws and government regulations, since these can differ from country to country.

The Office of Business Continuity will communicate to all businesses, sector CoB Committee members and (regional) business recovery coordinators globally: any changes in regulatory requirements, changes to policy and standards, and use of business continuity tools. The Office of Business Continuity will keep senior management apprised of the global recovery process.

C. Crisis Management

Crisis management procedures/contingency plans may have to be invoked should a situation seriously affect a number of business units. Such plans should address the following:

> Ensuring the life and safety of people
> Evacuating facilities
> Facilitating prioritization of action, allocation of resources, and effective communication (See Section P - Communications Policy) in the event of a disaster
> Interacting with local authorities
> Recovering key locations/facilities/regions

All plans must emphasize cross-business coordination with other CoB coordinators and business heads in the event of a regional outage or where the proximity of businesses poses a concentration risk.

Each sector* Continuity of Business (CoB) Committee member must facilitate the development and implementation of a crisis management plan. (See Appendix "A" for CoB Committee member list)

D. Awareness Program

Citigroup is committed to a solid, comprehensive business continuity planning program. To support this, the Office of Business Continuity, through the CoB business sector representatives and Business Recovery Coordinators, will ensure disaster recovery education across the corporation.

The purpose of the Awareness Program is to ensure that all our employees gain a clear understanding of the business recovery process within the company, and their role in the process. Business Continuity and emergency procedures should be part of the new employee orientation process. Each business sector should provide either a video or applicable handouts containing methodology and process, as well as instructions for the Corporate emergency website located at http://www.citigroup.com/emergency and the CIB's business continuity website (http://projects.corp.smb.com/bes/documents/index/index.htm).

* A sector is defined as a business section or region of Citigroup and must have a lead sector business recovery coordinator. The sectors are defined by the corporate Head of Business Continuity.
In addition to ensuring the region has an integrated business recovery plan, this individual has responsibility for disseminating business continuity information and actions to local businesses. This individual is also a member of the Corporate Citigroup CoB Committee.

E. Business Continuity Organizational Framework

Citigroup CoB Committee

A Citigroup CoB Committee shall be formed representing each major business sector, geographical location and key support group with the mandate to provide management oversight and guidance for the Corporate business continuity program. Additionally, they should review the progress of the business continuity program for each specific location, region or business. The local business recovery coordinators along with Senior Business Managers are responsible for activating and maintaining the contingency plan. Each CoB Committee member must periodically apprise the global committee as to the status of all CoB projects and issues. (See Appendix A)

CoB Committee Members

Each major business sector/region as defined by the Head of Business Continuity must be represented by at least one principal committee member and an alternate. Committee members will be responsible for implementing policy for their respective sectors/regions. They will report to the Head of Business Continuity on the status of corporate-wide initiatives as those relate to their business and additionally will provide updates to projects. The sector representative will be responsible for:

> Ensuring timely and accurate status reporting for all projects
> Completing and submitting the annual SP-5 attestation on contingency preparedness
> Managing all outstanding issues as a result of the annual SP-5 submission
> Ensuring the testing of crisis management procedures for specific location and regional outages annually at minimum and after 90 days of any change in location for a specific business. Procedures must be tested/enhanced with the purchase or sale of a business by Citigroup.
> Testing communication processes for posting messages to emergency phone lines and the Citigroup emergency website (www.citigroup.com/emergency) on a semi-annual basis
> Leveraging corporate-wide CoB solutions and providing advisory support
> Performing CoB business and site reviews where necessary
> Ensuring representation at all bi-weekly CoB Committee calls
> Ensuring existing or recently purchased business units follow this policy document
> Ensuring that business unit heads in their respective departments are fully briefed on CoB committee plans

Business Recovery Coordinators (BRC)

Regional business recovery coordinators (i.e. individuals responsible for plans covering their geographical region/business) must ensure business continuity plans are developed and tested at alternate recovery locations in accordance with the timeframes mandated by this policy. Coordinators should ensure that the CoB Committee member and the Office of Business Continuity management in New York are kept apprised of the recovery process and that the process adheres to applicable recovery requirements. Local authorities and the Federal Reserve Bank, the Office of the Comptroller of the Currency and the Securities and Exchange Commission regulate such requirements.

The BRC is responsible for:

> Monitoring timely plan (LDRPS) updates
> Updating the sector representative to the Corporate CoB Committee
> Understanding the continuity plans of other businesses that are co-located or exposed to concentration risk
> Coordinating recovery/continuity tests for their respective groups
> Ensuring that all plans are designed so that each area can maintain a business-as-usual presence in the marketplace
> Conducting internal Business Continuity awareness
> Including Business Continuity in the Change Management Process
> Ensuring CoB is covered in all staff relocations
> Call trees

Each business head has sole "ownership/responsibility" for the development and maintenance of business continuity plans.

Plan Policy

Each plan must contain sufficient information to ensure that the prevention, containment and recovery procedures are documented and understood by all relevant staff. Each plan should include:

> Business recovery in the event facilities housing the business are rendered inoperable for an extended period of time (e.g. notification list of individuals with 24x7 contact information involved in the plan execution, responsibilities of each individual, list of vital and essential records). All plans must have short, medium and long-term strategies for an outage of greater than thirty (30) days.
> Business recovery in the event people are lost in a disaster event. All plans should consider how to operate from alternate business locations/regions for periods greater than thirty days.
> An understanding of the end-to-end process of a transaction, to include dependence on key external vendors and value transfer networks** that reflects activities in the front, middle and back offices as well as support groups (technology, data centers, etc.).
> An understanding of the country exposure that invoking contingency would create (e.g. failure of a VTN).
> An understanding of other business plans that are co-located or subject to concentration risk due to physical proximity.
> Proper communication plans for notification/updates for employees, customers, regulators, media etc., which includes the use of emergency phone numbers and the emergency website (See Section J - Communications Policy)
> Systems and telecom voice/data connectivity used by the business for production are recovered within the 'maximum allowable downtime' (two to six hours for mission critical systems) as indicated in the business impact analysis.
> Procedures to recover each critical facility, system, technology platform and mission-critical application, and procedures to migrate back to the production environment.
> Integration of business CoB plans with infrastructure support units (e.g. CRS, TI etc.) and other businesses in close physical proximity.
> A listing of all critical internal/external dependencies and the associated workarounds
> Prevention and containment strategies
> Education and training plans
> At the business recovery site level, procedures to ensure the integrity and safety of workers at the alternate business site (e.g. food, security, etc.) and procedures to migrate workers safely to their main work environments
> Awareness by every employee of his/her role in the plan.
> An analysis of the business-as-usual level of transactions/processes in order to maintain a significant market presence
> An annual analysis of departmental employees to place them in the following four categories (short and long term):
  > Employees that should remain home in a contingency event and not report to work, and who do not require Remote Access
  > Employees that can use remote access in a contingency event and work from home or another location
  > Employees that can go to a regional facility in a contingency event
  > Employees that should go to a dedicated recovery facility in a contingency event
> Copies of plans or access to them from multiple locations
> Business manager signoff and approval of the plan
> Third Party dependencies (internal and external) that are documented with reference to that party's recovery plan.

** A mechanism external to Citigroup through which transfers of value (cash, securities) are made, e.g. clearinghouses, depositories, exchanges, settlement systems, ATM networks, VISA/MasterCard Associations.

All of the above points must be maintained current and tested at least annually.

At a minimum, each business continuity plan must include:

> Core Process & Business Interdependency Identification

The plan must identify the core processes, which are defined as the processes considered essential by the business to ensure transaction flow from an input and output perspective and which are handled in a manner that facilitates the business purpose. Business interdependency is the identification of other businesses' processes/applications that rely on the core processes or on which the core processes rely to further their own transaction process flow; or, businesses/applications necessary for input to the core process continuation (i.e. input from other sources and output to other sources).

> Business Impact Analysis (See Section F page 30)

This analysis addresses quantification and qualification of risks and their threat of occurrence. It defines the impact the loss would have on the corporation, be it financial or non-financial. Please note:

  > Each business/group should focus on revenue stream, the volume of transactions and other key drivers of profitability.
  > If the Core Process is critical, the business must ensure there is a viable, tested recovery plan for the core process/critical business function to be restored within two to six hours. Other processes deemed necessary but not critical must have a recovery plan based on the rating for that core process.
  > Where justified by cost/benefit analysis, existing operations must be modified to eliminate or mitigate identified risks.

> Activation and Communication Processes

  > The activation/recovery team is comprised of those staff members who are directly involved with the recovery process either at the production location or alternate recovery location. Call trees, phone lines and the emergency website are means to ensure that all Citigroup employees involved with the recovery process are notified.

> Alternate/Manual/Work-Around Business Process

  > In the event a critical production application fails to function correctly, a back-up version should be established. A specific recovery plan must also be developed for each critical business process or application. This plan must provide for a manual work-around process to sustain critical business functions. It must also include the process that will be followed in the event outside vendors or internal service groups are unable to provide services. This plan must be documented and made available to all staff affected by the plan, especially those businesses that are co-located or subject to concentration risk. It is the responsibility of each business or group to ensure the vendor recovery plan is adequate. (See Appendix "D" for OCC 97-23 Banking Circular statement) For all non-critical applications for which there is no technology recovery solution in place, at a minimum it is required that manual/work-around procedures be developed that allow recovery within a time period established by the business.

> Recovery Procedures

Procedures must be documented describing the recovery process for:

  > technology systems and platforms (i.e. Wintel, UNIX)
  > mission-critical applications
  > critical business processes

Procedures should ensure readiness and key steps for recovery of work-in-process and critical records, as well as access to ongoing detailed operating procedures, to ensure personnel of similar skill sets and experience could recover such. It is also necessary that procedures be documented to reflect migration back to the production environment.

> Recovery Requirements

Each business must ensure that they have identified the environment (e.g. hardware/software requirements) needed at the alternate processing location.

> Updates to Recovery Plan

In the event changes are made to the planned recovery process, such changes must be recorded in the business continuity plan. Each business is expected to provide the sector's designated CoB Committee Member with an attestation each quarter from management attesting that call trees were reviewed and updated accordingly.

> Migration to Alternate Site

Business, Technology and Infrastructure groups have the responsibility for developing processes and procedures that provide for the establishment of a recovery team that will assess and formally communicate to management:

  > damage sustained
  > recoverability
  > alternate scenarios, if recoverability to the affected site is staggered, partial, delayed, or not feasible
  > recovery measures and requirements (including estimated timeframes and costs) that will reestablish operational normalcy at the original site or the backup site

Plan Documentation, Management and Storage

Citigroup has chosen LDRPS (Living Disaster Recovery Planning System) as the company standard: the central repository for all business continuity plans. LDRPS is a library tool that allows you to manage and store business continuity plans across multiple regions and product lines. This system provides for a consistent way of developing and maintaining CoB plans. LDRPS templates conform to the corporate planning methodology as outlined in Section F. Each plan in LDRPS must include:

> Core processes
> Business Impact Analysis
> Manual Workarounds
> Recovery Requirements
> Call Trees

The LDRPS application and additional information can be accessed through the CIB Business Continuity website: http://projects.corp.smb.com/bes/documents/index/index.html

Testing Policy

Each business must ensure their business continuity plan is tested at least annually, unless required more frequently by the business or applicable regulatory authority. Call trees and communication processes for emergency phones and websites must be reviewed quarterly and tested semi-annually. Emergency evacuation procedures must be reviewed quarterly and tested semi-annually as well.

All businesses must prepare a test script prior to testing. Where applicable, the test script should document the appropriate transactions to simulate or reflect one (1) day's workflow.

Testing documentation must include:

> Configuration of test environment
> Test of recovery steps
> Test plans (technology and user)
> Expected vs. actual results
> Issues and action plans
> Lessons learned and plan improvements for next test

Business participation is required along with technology support from each respective business. Designated recovery staff from each business are required to test at their respective recovery location:

> Critical platforms, processes and applications
> Integrated systems (mainframe and distributed)
> Voice/telecommunications
> Market Data Services (if applicable)
> Facility space, power capacity
> Pre-wiring, AC

Note: Any issues identified during the recovery test must be included in the self-assessment process that the business manages. Any items should, at minimum, have a formal project (corrective action) plan within a two (2) week period.
Business management must approve the testing process results by providing the designated sector CoB Committee member with a sign-off after each test.

J. Moves/Relocations/System Conversions & Implementations

Each business must conduct a recovery test within ninety (90) days after the move/relocation/conversion of a business or support area. Additionally, before a system goes live the BIA and CoB plan for that system must be completed. Final testing of the CoB plan can occur post-live but no later than 90 days after the go-live date if this is in accordance with the risk outlined in the BIA. Post-project implementation review must include the lessons learned from CoB testing activity.

Communications Policy

The Office of Business Continuity, with input from Legal, Corporate Communications and Business Management, must develop and implement a CoB communications policy for customers and the general public/media. This policy should be adopted by the businesses for non-emergency customer CoB requests. Crisis Management communications should have the approval of the business and its respective communications officer. Businesses must retain all requests/communications on CoB in accordance with Citigroup's Vital Records policy.

Communications include but are not limited to:

> Web-based communications (internal/external)
> PowerPoint presentations
> Responding to customer letters/inquiries
> Shareholder communications (Investor Relations)
> Marketing materials
> Internal (employee) communications

Vendor/Third Party/Subsidiary Business Continuity Policy

Each business that uses a third party vendor for any Business Continuity purpose must:

> Perform an annual validation of the financial status of that company
> Review vendor plans to ensure that Citigroup is covered in the event of a disaster
> When possible, ensure that Citigroup receives priority coverage from third party service providers in the event of a disaster
> Review third party/vendor documentation to ensure the provider(s) has a current listing of Citigroup business contacts with alternate phone numbers
> Ensure that all third-party vendors with associated contact names are documented in the CoB plan

These steps are in accordance with, and not meant to supersede, the CITMP on Vendor Management or the Citigroup Technology Vendor Selection and Management Standards.

Vital Records Policy

All vital records (those records essential to the recovery of the business) must be copied and stored at an off-site location in accordance with Citigroup's vital records and retention policies. The business must ensure the offsite storage facility/medium meets normal fire and security standards. Procedures must be written for copying, replicating and protecting records. This policy recommends the use of imaging technology for the processing and storage of key documents as a best practice when cost effective to do so.

Vital records can include, but are not limited to:

> Customer files, contracts, historical records, reference manuals, procedural manuals, customer communications and business continuity plans.

Off-site Storage

> The off-site storage location/medium must be accessible 24 hours a day when necessary.
> An accurate inventory will be maintained and documented in the business continuity plan.
> Employee residential storage (i.e., home, auto, etc.) is not an acceptable primary off-site storage location method. It must not be used for maintaining PC diskettes or any other type of vital record.
> Copies of CoB plans including calling trees should be maintained at the employees' homes.
> Where applicable, the business should seek guidance from the Firm's legal counsel for specific record retention guidelines.

Details of the Vital Records policy can be found in PARIS at: http://paris.citicorp.com/

> Click on Citicorp Policies
> Click on Operations
> Click on Records Management

Reporting

The Office of Business Continuity monitors the business continuity planning process and completion of SP-5 issues throughout the company. Each CoB Committee member confirms completion of deliverables. The Head of Business Continuity conducts regular meetings with senior business managers. Each BRC provides status on the milestones to the CoB Committee member.

Global Monitoring System (GMS)

The Global Monitoring System is a web-based reporting tool, globally accessible on the Citigroup Intranet, which centralizes and facilitates the communication of Severity Level One problems from the CoB Committee members and BRCs to Citigroup Senior Management.
The definition of a Severity Level One problem, which would be reported by any business sector as soon as they become aware of it, is as follows: a problem, occurring in any country in which Citigroup does business, that has a significant impact on the safety of employees, the financial well-being of Citigroup, its reputation, shareholder confidence, or consumer relationships, such as:

> Disruption or severe outage of a critical business function or operation
> A severe or extended disruption in customer service
> Full or significant invocation of a contingency plan
> An act of terrorism

All businesses should use GMS to report Severity Level One problems to facilitate communication to the appropriate personnel. All CoB Committee members and their designated staff are responsible for using the system.

Budget Requirements

Each major business sector will prepare a CoB budget/financial analysis based on previous trends in CoB key risk indicators (see Section Q) and other factors that will be used to determine capital reserve requirements for operational risk objectives (see Section Q). Also, this information will be used for business interruption risk purposes (see Section R) and overall Corporate CoB financial reporting.

O. Lessons Learned

Every situation that requires/causes the invocation of a contingency plan must have a post-mortem with a lessons learned document that is to be submitted to the Office of Business Continuity within thirty days of closure of the incident.

Deviations

Deviations are officially documented requests from a business that cannot, for various reasons, meet a specific policy standard. Deviations will only be considered for extreme cases and where the business is able to prove appropriate compensating controls to mitigate the risk or is able to convincingly prove, in writing, its reasons not to meet specific standards. A project plan documenting how the exception to the standard will be corrected, documenting tasks, due dates and responsible managers, is required. Deviation requests to policy standards require approval of the policy owner (Head of Business Continuity) as well as the following approvals:

a. Business Recovery Coordinator
b. Business Manager
c. CoB Committee member/Senior CoB Manager
d. Head of Business Continuity

Deviation approvals are only valid for 12 months and are considered temporary. Renewals require annual approvals. For regulatory reporting purposes, all CoB deviations will be tracked through the CoB PMO database.

Q. CoB Key Risk Indicators

All businesses must determine a set of CoB Key Risk Indicators (KRIs) for CoB planning and in accordance with Operational Risk requirements. All businesses must assess if CoB is one of the "Top 10" operational risks. This assessment must be part of the annual CoB review process that occurs during the third and fourth quarters of each year. Reporting on the status of KRIs must occur quarterly or as part of the businesses' self-assessment process.

Business Interruption Risk Insurance

All businesses must perform an annual analysis of their revenue streams in accordance with Business Interruption Insurance Risk requirements during the third and fourth quarters. All facilities with significant revenue streams greater than 50MM or risks exceeding 10MM must be documented and forwarded to the Corporate Insurance and Risk Management Team in NY and the Head of Business Continuity for CoB planning purposes.

S. Review Policy

Corporate Policy Review

In accordance with CITMP policy, this document and appendices will be reviewed during the third quarter of every year and all appropriate amendments will be made.

Independent Review of Business Continuity Plans

A qualified and independent review of all business continuity plans and test results must be performed on an annual basis. This review can take the form of a peer review, a review by compliance staff, or a review by the business recovery coordinator if that person is independent of the business. The independent review process must be documented and approved by the division's Senior CoB Manager.

Peer Review of SP-5 Documentation

The Citigroup CoB Committee Members will organize and perform a peer review of all SP-5 submissions. One Committee member will review the submissions of an area that he/she is not responsible for. Any findings will be documented and tracked to conclusion via the CoB PMO database.

Appendices

Appendix-A: Citigroup CoB Committee Members (As of July 31, 2002)

Chair                                               Steven A. Bernstein
Program Management                                  Gregory Gist
PBG/Asset Management                                Alberto Montufar
CIB                                                 Luis Guerreiro
Primerica (Consumer)                                David Wade/Lisa Casteel
CBNA (Consumer)                                     Thomas Connaughton
Citicards & Citifinancial (Consumer)                Roger Kent
Travelers L&A                                       Marissa Crean/Ernest May
Emerging Markets                                    Louis Riquelme
Data Centers                                        Michael Schouten
Japan                                               Yoshihisa Ueda
Western Europe                                      Jim Foster
Asia Pacific                                        Stuart Jones
Audit and Risk Review (ARR)                         Bill Philhower
Corporate Security and Investigative Services       Joe Marchese
Corporate Communications                            Ed Cheney
Consumer Controls                                   George Pombar
Corporate Realty Services (CRS)                     Steve Lane
Corporate Program Management Office (PMO)           Jeff Berg

Appendix-B: Federal Financial Institution Examination Council/SP-5 (FFIEC)

An institution is expected to have a written business resumption contingency plan and written documentation supporting the plan's development and validation. At a minimum, an institution should have written documents that cover the following:
> Business resumption contingency plans and methods of implementation, including an evaluation of business resumption contingency planning options and strategies;
> Core business processes and business impact analysis that include failure scenarios and minimum acceptable service and output levels;
> A description of the method of validation, including the specific tests and target dates for completing the tests;
> Results of the testing of the business resumption contingency plans;
> Findings of the qualified and independent review (e.g. ARR, KPMG) of the business resumption contingency plan and validation processes; and
> Review and approval of the validated business resumption contingency plan by senior management and the board of directors (e.g., minutes of board meeting).
The business resumption contingency plan(s) and all supporting documentation should be available for review by examiners.

Appendix-C
Federal Reserve Bank
CORPORATE BUSINESS RESUMPTION AND CONTINGENCY PLANNING (SP-5)

PURPOSE: This statement emphasizes to the board of directors and senior management of each financial institution the importance of corporate business resumption and information systems contingency planning functions. This includes planning for the recovery of critical information systems processing and operations supported by external service providers. This statement also addresses issues that management should consider when developing a viable contingency plan.

POLICY: The board of directors and senior management of each financial institution are responsible for:
> Establishing policies and procedures, and assigning responsibilities to ensure that comprehensive corporate business resumption, contingency planning, and testing takes place.
> Annually reviewing the adequacy of the institution's business recovery and contingency plans and test results.
> Documenting such reviews and approvals in the board minutes.
OCC Banking Circular 97-23
TO: Chief Executive Officers of all National Banks, Department and Division Heads, and all examining personnel.

On March 26, 1997, the Federal Financial Institutions Examination Council adopted the revised policy statement (SP-5) Corporate Business Resumption and Contingency Planning. The statement continues to emphasize the importance of business recovery and explains the goals associated with an effective business resumption and contingency plan. Revisions to this statement acknowledge the increased use of distributed computer environments and increased reliance on external service providers for mission-critical bank activities. The Board of Directors and Senior Management are urged to consider these distributed computer platforms and outsourced functions when conducting business resumption and contingency planning activities.

The revision was conducted as part of the combined agency Community Development and Regulatory Improvement Act (CDRIA) effort. Section 303 of CDRIA requires that the federal bank and thrift regulatory agencies review and streamline their regulations and written policies in order to improve efficiency; reduce unnecessary cost; eliminate unwarranted constraints on credit availability; and remove inconsistent, outmoded, and duplicative requirements.

James Kamihachi
Senior Deputy Comptroller, Economic and Policy Analysis

Appendix-D
Citigroup Information Technology Management Policy
Business Continuity Planning

Rationale
Citigroup's global customer focus, integrated service approach, and consolidated processing centers create significant interdependency among business units. This business model requires that Continuity of Business (COB) planning be based on:
• An awareness that the purpose of COB planning is to keep the business running, not just the technology, and that each business is accountable for its COB plan and recovery.
• An understanding that effective COB planning must be an integrated part of business operations, not just an annual exercise.
• A realization that COB plans must encompass the total business environment and address all business unit interdependencies to ensure a comprehensive and coordinated response to any business interruption.

An effective COB planning process addresses three primary objectives:
1) Prevention - minimizing the probability of business interruptions by integrating safeguards into existing operations.
2) Containment - minimizing the impact of any business interruption through a focus on keeping the business running at the highest level of service possible.
3) Recovery - ensuring the prompt restoration of normal operations following any incident that gives rise to business interruption.

Policy
1. Each organization must establish and maintain documented COB plans.
2. Each COB plan must be based on an annual impact analysis. This impact analysis must:
   2.1. Identify business interruption risks.
   2.2. Consider realistic outage duration scenarios.
   2.3. Evaluate the financial, customer and regulatory impact of various outage durations.
3. Where justified by cost/benefit analyses, existing operations must be modified to eliminate or mitigate identified risks.
4. Those identified risks that cannot be eliminated by modifying existing operations must be specifically addressed in the Containment and Recovery strategies of the COB plan:
   4.1. The Containment Strategy must identify actions to be taken during and following a business interruption to safeguard human life, conserve assets, and maintain as much of normal business operations as is practicable.
   4.2. The Recovery Strategy must identify actions to be taken after any business interruption to restore normal business operations.
5. Each COB Plan must also include strategies for Testing and for Education and Training:
   5.1. The Testing Strategy must identify activities to ensure annual testing, at a minimum, of COB plans, appropriate management review of all findings and the timely correction of any identified deficiencies.
   5.2. The Education and Training Strategy must identify activities to ensure staff awareness of and familiarity with the COB plan.
6. Where appropriate, businesses should work with internal Infrastructure Support Organizations (ISO) when developing their Containment, Recovery and Testing strategies.
7. Each organization must conduct an annual effectiveness review of its COB planning process and resulting COB plans. This review must be performed during the fourth quarter as part of the annual regulatory reporting and attestation to the Board of Directors.

Appendix-E
CITIGROUP CONTINUITY OF BUSINESS GUIDELINES

• Each COB plan should be documented to a level of detail that ensures the availability of information needed to recover from a business interruption. At a minimum, documentation should include:
  • Date of last plan update
  • Business Unit Head sign-off and approval
  • A statement of the specific COB responsibilities of management, staff, special teams and vendors
  • Procedures to activate and execute the Containment and Recovery portions of the plan, including but not limited to:
    - a list of individuals who can authorize activation of the plan;
    - a 24-hour notification list of all individuals involved in the execution of the plan;
    - a statement of responsibilities for each individual in checklist format;
    - a list of Vital and Essential records and their location;
    - the designation of short term and long term backup sites;
    - a schedule of processing priorities that identifies the order in which work must be accomplished during and after the business interruption.
      For example, data center organizations typically identify a list of "critical applications." The same concept should be applied to all business processes and operations; and
    - a list of other individuals and organizations (internal and external) that need to be notified of the plan's activation. Determining which individuals and organizations to notify is dependent on the business unit and the specific business interruption. Businesses should always consider notifying: CRS or the appropriate building management organization, the Business Technology Infrastructure Group, Corporate Business Services (CBS) or the equivalent organization outside the United States for the acquisition of emergency supplies, etc., and Corporate Insurance and Risk Management (CIRM).
  • The most current test plan, testing schedule, the results of the most recent test for all COB plan components, status of corrective actions and "lessons learned" document
  • A listing of contracts supporting the plan
  • The results of the annual Business Impact Analysis (BIA)

Sample Plan Format
A sample plan format is included at the end of this Guideline.

The Continuity of Business Planning Model depicts the life cycle of the COB Planning Process and shows the components of the process and their interrelationships.

[Figure: Continuity of Business Planning Model]

Annual Business Impact Analysis (BIA)
The purpose of the annual Business Impact Analysis is to identify risks (physical and operational) to business continuity and to quantify the impact of interruptions to business-as-usual (BAU). As the risks are identified, so too are the requirements of the solutions that need to be implemented to address those risks. The BIA should be scheduled to provide maximum input to the annual SP-5 and FDICIA certifications. Thus, it should be completed during the third quarter.
Business units should consider both the nature of potential business interruptions and the possible duration of such interruptions when identifying and assessing risk to the business. The interruptions illustrated below represent generic risks that could affect any business. Business units should supplement these examples with additional risks likely to be encountered in their specific and unique environment and geopolitical location.

Business units need to consider the risk of interruptions that may occur as a result of natural events including, but not limited to:
> fires, explosions,
> floods, storms, and
> earthquakes.

Business units need to consider the risk of technical and environmental interruptions including, but not limited to:
> hardware failures (including scenarios where processing volume growth exceeds system capacity);
> software failures (including scenarios where unsupported versions of internal or vendor supplied software are still in use);
> utility disruptions (power, water, etc.);
> communications or postal disruptions;
> transportation disruptions;
> chemical or biological contamination; and
> loss of physical premises.

Business units need to consider the risk of interruptions from human causes including, but not limited to:
> terrorism,
> human error,
> security breaches,
> computer hackers or viruses,
> disgruntled employees,
> labor disputes and work stoppages, and
> civil unrest.

Business units need to consider the risk of interruptions from failures in:
> predecessor operations,
> successor operations,
> non-technology support units,
> technology support units,
> outsourced operations, and
> external service providers (e.g. SWIFT, CHIPS, CHAPS, Fed Wire, Market Data Feeds, Bloomberg, DTC, etc.).
In examining the risk of these interruptions, business units need to consider various outage scope and duration scenarios, including any single point of failure and the impact of recovery priorities at service providers who may be providing support for multiple businesses. All likely scenarios, as well as the "worst case" scenario, should be identified and their impact on the requirements of normal business cycles (constant, daily, weekly, monthly, etc.) should be assessed. Examples include:
> anticipated outage of less than 2 hours,
> anticipated outage of 2 to 8 hours,
> anticipated outage of 8 to 24 hours,
> anticipated outage of more than 24 hours, and
> prolonged outage due to total loss of buildings.
