Business Resiliency and Disaster Recovery are fundamental components of First Data business operations. Our Business Resiliency and Disaster Recovery programs allow First Data to provide continued service to our customers and clients and to respond effectively to a disruptive event which may impact the firm, or interrupt normal operations.
The Enterprise Business Continuity Program is comprised of firm-wide Business Resiliency and Disaster Recovery programs, which provides for the company’s need to recover its business processes and the supporting technology in a timely manner during disruption. This is accomplished by following pre-defined management approved policies, strategies, and procedures. The program allows for the restoration of both technology and business process capabilities within predetermined timeframes.
First Data has a dedicated group of business continuity professionals who are responsible for maintaining the program.
Oversight & Governance
Enterprise Business Continuity is managed by a firm-wide Business Continuity Steering Committee with representation from all major business units at First Data. Compliance with Enterprise Business Continuity program requirements for all business units are tracked with metrics monitored and escalated on a monthly basis.
The Enterprise Business Continuity program is subject to internal and external audit reviews and regulated by the Federal Banking Agency, which includes five banking regulators – the Federal Reserve Board of Governors, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. The program is also subject to the legal and regulatory requirements of other countries in which we operate.
The objectives of Business Resiliency includes the development of recovery strategies in order to minimize loss to First Data and its clients, continue to serve our customers, ensure the safety of employees, and minimize negative impacts of events. Each First Data business unit is responsible to complete a Business Impact Analysis (BIA) to determine the Recovery Time Objective of the business on an annual basis. The Recovery Time Objective allows First Data to prioritize key businesses for recovery during and after any type of incident.
Each business unit is also responsible to develop and maintain Resiliency Plans on an annual basis. Plans can be used independently or together if the incident affects multiple business units. Each plan includes key elements such as life safety, required resources, equipment, applications, recovery strategies including recovery site information and recovery tasks. All plans address high-absenteeism including pandemic and severe weather events.
Business Resiliency Plans are required to be tested on a regular basis to ensure an effective program. The firm has a varied testing program including the testing of recovery solutions such as working from another location (move and resume), work from home, and work load transfer. Our test types include tabletop exercises, simulation exercises and full disaster recovery tests. Post exercise reports are created for each event. All testing issues, as well as Business Impact Analysis and Business Resiliency Plan compliance are tracked and metrics are provided to senior management.
Disaster Recovery focuses on restoring the firm’s critical systems and applications used by our internal businesses and external clients. Application recovery is prioritized based on the Recovery Time Objective identified in the Business Impact Analysis. First Data maintains Disaster Recovery Procedures for key systems and applications, which provides detailed plans to recover the system or application. These procedures span key personnel, components and applications that are necessary to minimize the impact to vital business processes following a data center outage.
The Disaster Recovery team manages and coordinates recovery activities and rigorous exercises to demonstrate the firm’s ability to recover. Key systems and applications are tested on a regular basis. Follow Up reports are generated and reviewed with all exercise participants and all issues identified are recorded in the firm’s risk management tool and tracked through resolution.
Monthly metrics are used to track all Disaster Recovery requirements, including the maintenance of our plans and testing of our systems and applications. The metrics are socialized to First Data’s senior management, which provide a snapshot on the health of the Disaster Recovery Program.