Laserfiche WebLink
a <br />z <br />w <br />0 <br />LL <br />Z <br />0 <br />u <br />v <br />z <br />a <br />a <br />LL <br />r <br />J <br />u <br />Testing, Training and Education <br />All plans must comply with the Firms' Corporate Testing policy and test cycle. Each resiliency <br />plan is tested annually, at a minimum. Exercises can include: <br />• Notification Testing: Assure the accuracy and completeness of call tree information is <br />maintained through organizational changes. <br />• Walkthrough: Familiarize the business unit or support group staff with the plan and <br />their role in its execution. This validates that the resiliency plan incorporates all <br />critical processes and helps to identify gaps or other weaknesses requiring <br />remediation. <br />• Simulation Testing: Validate and share assumptions, including those related to <br />dependencies, and the ability of support groups, third parties, and other vendors to <br />provide support. A scenario -based exercise, simulation testing is an interactive <br />session where participants are presented with a disruption and must react to one or <br />more impacts and make critical decisions. <br />■ Full Physical: Validate the ability to recover business units, processes, applications, <br />and infrastructure within the established recovery time objective without dependency <br />on the primary location. <br />Business management is aware of all activity leading up to the execution of the test. Post -test <br />reports are reviewed with business management upon completion of the event. A central log <br />is maintained of significant issues encountered during a test. Each month the list of issues, if <br />any, is updated to reflect the current status, including actions taken, reviewed with business <br />management and escalated as appropriate. Issues that arise during testing are retested within <br />an appropriate timeframe. <br />Resiliency plans supporting critical business processes are reviewed and updated annually or <br />more frequently when there are significant changes in the environment. Plan maintenance <br />sessions are typically comprised of a formal review of all aspects of the applicable resiliency <br />plan and updates are contemporaeneously made, as necessary. Every J.P. Morgan employee <br />is required to complete Business Resiliency training annually. The objective of this training is <br />to provide an overview of the key components of business resiliency and illustrate how each <br />individual employee can support and play a role in Business Resiliency. Core resiliency skills <br />training is also available for Business Resiliency Professionals and Coordinators. <br />In addition, J.P. Morgan has a formal, centrally managed, assessment process to evaluate the <br />adequacy of security, disaster recovery and business continuity controls in place at critical <br />third parties. A critical third party is an external entity, which provides a product or service <br />that has client, revenue, regulatory or reputational impact to J.P. Morgan. <br />Business Resiliency plans are subject to reviews by J.P. Morgan's Global Business Resiliency <br />group, which acts as the Firm's governing body for Business Resiliency measures. The plans <br />must address and comply with documented organizational requirements. All findings are <br />escalated to the business units, Risk Management and division executive for review. <br />Additionally, the Corporate ft Investment Bank line of business Quality Planning Program has <br />been designed to assess, challenge and enhance all Corporate ft Investment Bank Business <br />Impact Analysis and Business Resiliency Plans to ensure businesses develop recovery solutions <br />that are specific to their needs taking into consideration the business model, location <br />strategy, operating assumptions and key dependencies. The program stress tests existing <br />J P.Morgan <br />