Enterprise Resilience

BlackRock | Dec 20, 2024

Resilience is a core tenet of BlackRock’s culture and corporate principles, driving the way we manage the business and serve our clients. BlackRock’s Enterprise Resilience Program, which includes Operational Resilience, Business Continuity Management, Disaster Recovery, and Crisis Management, is committed to providing resilient services to all our clients. Our programs are designed to meet or exceed industry standards and comply with legal and regulatory requirements in the locations where we operate. As new regulations are introduced, our program standards and frameworks enable us to adapt quickly to new mandates and requirements. The programs have several key elements, including:

  • Risk Assessment and Site Resilience
  • BC/DR Planning
  • Threat Monitoring and Crisis Management
  • Training and Awareness
  • Exercises and Testing
  • Third Party Oversight

We have established an Operational Resilience program to enhance the resilience capabilities of our most important business services. This allows us to better prevent, adapt to, respond to, recover from, and learn from potential future operational disruptions. The Enterprise Resilience team leads the program in collaboration with partner resilience teams.

BlackRock maintains Business Continuity plans to facilitate the continuity of business in the event of a business disruption. BlackRock’s executive management provides oversight and governance to the firm’s Business Continuity program, supported by the Enterprise Resilience team, which manages the program. On an annual basis, each business unit is responsible for maintaining and updating its business continuity plans and critical processes.

BlackRock maintains its technology via a hybrid solution, utilizing both in-house data centers and cloud hosting sites. Disaster Recovery plans and procedures enable a rapid response to an event impacting technology and data regardless of location. Each data center and cloud region has built-in redundancy and geographical resilience. BlackRock’s Disaster Recovery Program is run by a specialized disaster recovery team, with the Technology Risk Management team providing oversight and governance and the firm’s technology support teams developing and executing the plans used during tests and real events.

BlackRock leverages its Crisis Management framework for disruptive events that require a coordinated response at a location, region, firm, or business level. The guiding principle for Crisis Management is to have a structured command, control, and communication process in place to manage the response to a crisis. This approach enables the continuity of critical operations and greatly enhances the firm’s capability to respond and recover during a crisis.

Our programs are routinely examined by BlackRock’s internal audit team and external regulators. The results of these reviews, program updates and metrics are reported to the appropriate governance bodies periodically.

Risk Assessment and Site Resilience

BlackRock performs annual Site Risk Assessments for locations worldwide. These assessments evaluate a range of threats, including natural hazards, social unrest, city infrastructure, and climate change. The results are used to drive risk mitigation activities, including enhanced site resilience, business continuity planning, and the deployment of additional recovery strategies where appropriate. These activities enhance our operational resilience.

Our risk assessments also highlight that technology and data are critical to our operations. To protect these resources, critical applications are maintained in both primary and secondary data centers or in multiple cloud regions, with data replicated in near real time. Each location is served by physically diverse circuits, secondary networks, and alternate power sources. Primary and secondary locations are appropriately distanced, mitigating the impact of a disruptive regional event.

Preparedness and Planning

BlackRock’s Enterprise Resilience planning focuses on the following:

1. Business Continuity Plans: BlackRock maintains Business Continuity Plans for business functions at each BlackRock office globally. The plans have the following key components:

  • Business Impact Analysis: Assesses both financial and non-financial impacts of the loss of a critical process. Annually, each department reviews and updates the information for every critical process it performs. As part of this analysis, third party services and internal dependencies critical to those processes are identified and documented. The results of this assessment drive planning and recovery strategies aimed at minimizing potential risks and ensuring the continuity of critical services.
  • Business Recovery Plans: Procedures designed to recover critical processes to provide continuity of operations in the event of a business disruption. These include recovery strategies for personnel, applications, third parties, and facilities. Recovery strategies are validated through tests and exercises.
  • Staff Absenteeism Plans: Documents the potential risks to operations from pandemics or other disruptive events that could lead to staff being absent from work, along with the associated response strategies.

2. Disaster Recovery Plans: Disaster Recovery Plans incorporate fail-over strategies and are designed to recover from a range of disruptive scenarios that may impact technology: from a data center facility or cloud region outage to the loss of a single server. The key elements of the plans include:

  • Communication Plan that identifies how personnel will be engaged when an event occurs as well as the frequency and method of communicating information and status throughout the event.
  • Incident Management Plan that includes information for establishing and maintaining an incident response team, the responsibilities of the management team, and a methodology for decision making and escalation.
  • Recovery Plans that include requirements, configuration, and execution procedures for failing over each application to a secondary location.

3. Operational Resilience Competencies: Enhancing the firm’s preparedness for a wide range of severe but plausible scenarios. The approaches and methodologies include:

  • Identification of important business services: services that, if interrupted, may cause intolerable harm to BlackRock, our clients, or the market.
  • Enhanced mapping of important business services, and documenting the critical dependencies required to support the operation of an important business service (e.g., people, processes, technology, facilities, and information).
  • Stress testing of important business services to identify enhancements that improve the firm’s resilience.

Exercises & Testing

BlackRock exercises its plans to verify that procedures for recovering its business operations and systems are effective and that key personnel are familiar with the process. Each year, multiple types of exercise are performed, including:

  • Remote Access: Testing the ability to work from home or another external location. Post-pandemic, the firm has transitioned to a hybrid Future of Work model in which periodic remote working is core to the daily operations of the firm. This provides regular assurance that these capabilities are effective.
  • Alternate location: Testing the ability to operate from a dedicated recovery site or alternate BlackRock office.
  • Work Transfer: Testing the ability to transfer workloads to unaffected teams/offices or simulating other scenarios involving a loss of personnel or a wide-scale outage.
  • Data center/cloud fail-over testing: Testing the ability to fail over applications to secondary locations for each production data center and cloud region to validate the functionality and the Recovery Time Objective.

Additional types of exercises and attestations are also performed for other scenarios:

  • Operational Resilience exercises – to validate and demonstrate the firm’s ability to mitigate operational disruptions in response to a range of more severe scenarios (i.e., more severe than those covered in the testing above) for our most important business services.
  • Evacuation drills, emergency notification system tests, periodic generator tests, attestation of capabilities & capacity, etc.

Exercise results are documented, reviewed, and distributed, as appropriate, following each exercise. Recommendations for improvements to the recovery process are identified, risk-rated, and any corrective actions clearly defined and assigned to the appropriate personnel.

Third-Party Oversight

Third party oversight is a key component of the Enterprise Resilience program. The framework includes use of the firm’s third-party risk assessment methodology. For the most critical service providers, BlackRock conducts targeted reviews and evaluations of their Operational Resilience, Business Continuity, and Disaster Recovery programs and, where appropriate, performs on-site visits and exercises. These may occur as part of new third-party onboarding, ongoing oversight arrangements, or ad hoc activities prompted by incidents or potential threats.

Crisis Management

BlackRock has multiple teams monitoring threats and incidents 24/7 for potential impact to our offices, technology, data centers, people or key third parties. Incidents and potential threats are reviewed and managed through the firm’s standard incident management processes and are escalated into the Crisis Management framework when required.

BlackRock’s Crisis Management framework sets out the firm’s global arrangements for responding to any event that may cause material operational, reputational, regulatory, financial or market impact. The framework includes:

  • Local, regional, and global teams
  • Team structures include the identification of primary and alternate team members, with senior global and regional leads covering key roles
  • Emergency notification system that can send messages to pre-determined call lists; notifications can be sent via email and text message to work and personal devices
  • Employee support hotline and emergency website to disseminate information to staff for awareness and action as required

Training and Awareness

BlackRock uses several methods to keep employees aware of the critical role they play in preparing for and responding to potential business disruptions. Methods used include:

  • Mandatory annual all-staff Emergency Preparedness online training
  • Business recovery exercises
  • Technology disaster recovery tests
  • Crisis management training, exercises, and real events
  • Periodic, threat-specific awareness/learning sessions