Workshop: Lessons in Risk Assessment

Greg Ferris – Executive Director, Morgan Stanley
John Odermatt – Corporate Director, Citigroup
Peter Poulos – Director, Credit Suisse First Boston (CSFB)

Workshop Overview

1. Introductions

2. Business Continuity Risk Assessment – Firm Perspectives in Approach

• Morgan Stanley
• Citigroup
• Credit Suisse First Boston (CSFB)

3. Questions & Answers

Business Continuity Risk Assessment – Firm Perspectives in Approach

Morgan Stanley

The Macro View: Prioritizing Risk – Determining What Matters Most

[Figure: probability/impact matrix with Probability on one axis and Impact on the other; the four quadrants are labelled Crit 1, Crit 2, Crit 2 and Crit 3.]

Life safety mitigation and response will be constant in all locations

Prioritize business risks:

Crit 1 – Mitigation and response solutions in place for all risks

Crit 2 – Mitigation solutions in place for some risks. Response solutions in place for all.

Crit 3 – No mitigation solutions in place. Response solutions in place for all.

Analysis performed at the regional and divisional level

The Macro View: Cataloging and Assessing Risk

Identifying Risks

– Think about the events (natural and man-made) that could interrupt the normal flow of operations and/or threaten the well-being of employees
– Don't focus purely on disasters in the classic sense
– Try to focus on the effect of the problem as opposed to its cause

Assessing Risk

– Assess the probability/impact of each risk statement
– Provide a criticality ranking for each

Getting Started: Assessing Probabilities and Impacts

Probability Scoring

1 – Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 – 33 to 65 percent chance of occurrence (likely to happen)
3 – Less than 33 percent chance of occurrence (not likely to occur)

Impact Scoring

1 – Outage will result in inability to meet regulatory requirements and introduce excessive risk
2 – Outage will not impede ability to meet regulatory requirements or introduce excessive risk, but will impact client service functions
3 – Outage will not affect critical functions and/or critical functions are easily failed over

The Macro View: Assessing Risk

Probability Scoring

1 – Greater than 66 percent chance of occurrence (will happen or is very likely to happen)
2 – 33 to 65 percent chance of occurrence (likely to happen)
3 – Less than 33 percent chance of occurrence (not likely to occur)

Impact Scoring

1 – Outage will result in unacceptable risk to New Jersey's citizens and/or assets
2 – Outage will not result in unacceptable risk to New Jersey's citizens and/or assets, but will impact continuity of government and/or the ability to communicate with all levels of government
3 – Outage will not affect critical functions and/or critical functions are easily failed over

The Macro View: Prioritizing Risk

Criticality Assessment

1 – Probability Score 3 to 1; Impact Score 1
2 – Probability Score 2.5 to 1; Impact Score 2
3 – Probability Score 3 to 2.5; Impact Score 2. Probability Score 3 to 1; Impact Score 3
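As an added worked example (not from the workshop slides), the probability, impact and criticality scales above applied to a small risk register. Averaging per-assessor percent estimates into a fractional probability score, and placing a score of exactly 2.5 with Impact 2 in criticality 2, are assumptions of this example; the sample register is constructed.

```python
# Risk-register scoring on the probability, impact and criticality scales of
# the workshop slides. Scores run 1 (worst) to 3 (best); Crit 1 is the most
# critical tier. Averaging assessor estimates into a fractional probability
# score, and treating a 2.5 score with Impact 2 as Crit 2, are assumptions.
from statistics import mean

# Criticality tier -> treatment the slides require for that tier
TREATMENT = {
    1: "mitigation and response solutions in place",
    2: "mitigation for some risks, response for all",
    3: "no mitigation, response solutions in place",
}

def probability_score(pct_chance: float) -> int:
    """Map a percent chance of occurrence to the 1-3 probability score."""
    if pct_chance > 66:
        return 1  # will happen or is very likely to happen
    if pct_chance < 33:
        return 3  # not likely to occur
    return 2      # likely to happen (33 to 65 percent on the slide)

def criticality(prob_score: float, impact_score: int) -> int:
    """Combine a (possibly averaged) probability score with an impact score."""
    if impact_score not in (1, 2, 3) or not 1 <= prob_score <= 3:
        raise ValueError("scores must lie in the 1-3 range")
    if impact_score == 1:
        return 1  # Impact 1 is Crit 1 at any probability
    if impact_score == 2:
        return 2 if prob_score <= 2.5 else 3  # 2.5 boundary assumed Crit 2
    return 3      # Impact 3 is Crit 3 at any probability

def rank_register(register: list) -> list:
    """register: (event, [assessor percent chances], impact score) tuples.
    Returns (event, averaged probability score, crit, treatment), most
    critical first; the sort is stable so ties keep register order."""
    rows = []
    for event, assessor_pct, impact in register:
        prob = mean(probability_score(p) for p in assessor_pct)
        crit = criticality(prob, impact)
        rows.append((event, prob, crit, TREATMENT[crit]))
    return sorted(rows, key=lambda row: row[2])

# Constructed sample register: two assessors scored each risk statement.
SAMPLE = [
    ("Regional blackout", [70, 40], 1),     # scores 1,2 -> 1.5; Impact 1 -> Crit 1
    ("Transit strike", [80, 75], 2),        # scores 1,1 -> 1.0; Impact 2 -> Crit 2
    ("Telecom interruption", [20, 30], 2),  # scores 3,3 -> 3.0; Impact 2 -> Crit 3
    ("Minor flood", [50, 10], 3),           # scores 2,3 -> 2.5; Impact 3 -> Crit 3
]
```

Calling rank_register(SAMPLE) yields the register ordered Crit 1, 2, 3, 3, with the treatment each tier requires.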

Business Continuity Risk Assessment – Firm Perspectives in Approach

Citigroup

Threat & Vulnerability Assessment (TVA)

[Figure: the Business Impact Analysis (BIA), the Threat & Vulnerability Assessment (TVA) and the Sector Risk Assessment (SRA) shown together with "Sub-processes, Recovery Strategies & Requirements".]

The purpose of the TVA is to:

• Determine standard threat scenarios and planning constraints
• Identify vulnerability, symbolic value, single point of failure, or concentration of resources
• Composite Resilience Rating

TVA Team Expertise – Example Components

Cross Functional Collaboration

Team Lead: Office of Business Continuity

Team – Expertise:
• Security – Physical security
• Facilities – Physical plant resilience
• Technology – Infrastructure resilience
• HR – Personnel

Example components:
• Perimeter security
• VIP security
• Proximity to other known militant targets
• Utility diversity
• Fire suppression
• Electrical grids
• UPS and generators
• Egress and risers
• Dual paths
• Data Center strategy
• Concentration of Infrastructure
• People Strategy
• Single point of failure

TVA: Threats For a Facility include …

• Vulnerability – low, medium, or high
• Symbolic Value as a Target – low, medium, or high
• Single Points of Failure – resources that do not have redundancy at another Citigroup facility

TVA: Threats at a Facility (continued)

Threats include:

• Regional Blackout
• Civil Unrest
• Telecom Utility Interruptions
• Epidemic
• Hurricane
• Flood
• Earthquake
• Bomb
• Terrorist Event
• Sabotage

TVA: Threat at a Facility (continued)

• For each potential threat the worst-case scenario is considered:
  – Outage duration range: days, weeks, or months
  – Radius impacted: <30 miles or >30 miles (50 km)
  – Loss probability: low, medium, or high

• Then a composite resilience rating is calculated by the team

TVA: Consistent Output (continued)

Standard threats, scenarios, and planning constraints
Vulnerability, symbolic value, single point of failure, proximity, or concentration of resources
Composite Resilience Rating

Threats | Outage Duration Range | Radius Impacted | Scope of Infrastructure Services Affected (Potential)
Regional Blackout | Days | >30 miles | Many
Civil Unrest | Days | >30 miles | Some
Telco Interruption | Days | <30 miles | Few
Health Epidemic | Weeks | >30 miles | Many
Terrorist Event (multiple) | Weeks | >30 miles | Many
Sabotage of Facilities | Weeks | <30 miles | Some
Hurricane/Typhoon | Weeks | >30 miles (Cat 4/5) | Some
Tornado | Weeks–Months | >30 miles (F 4/5) | Some
Flood | Weeks–Months | >30 miles | Some
Earthquake | Weeks–Months | >30 miles (>6.0) | Many
Bio/chemical release | Months | <30 miles | Many
Dirty Bomb | Months | <30 miles | Some

Business Continuity Risk Assessment – Firm Perspectives in Approach

Credit Suisse First Boston (CSFB)

CSFB Business Continuity Prioritization of Processes / Products

Tier 1 – Critical

Process(es) and/or associated products which are required for the bank to survive or whose unavailability would cause irreparable damage to the bank. This includes all core technology infrastructure systems and facilities on which all applications and data are dependent to conduct these processes. (e.g., funding the bank and associated settlement risks, safeguarding firm and customer assets, managing market and credit risks, etc.)

Tier 2 – Required

Process(es) and/or associated products whose availability is mandated by either regulatory requirements, customer or market obligations and/or business priorities.

Tier 3 – Less Critical

Process(es) and/or associated products that either have a delayed recovery timeframe or for which recovery can be deferred.

Risk Weighting Criteria Used by CSFB

CSFB takes into consideration two key factors by location in weighing business continuity risks. The first is the relative importance of a physical location from a business perspective and the second is the associated threat(s) at that location.

Business Importance by Location

1. Financial Exposures
   a) Revenue Exposure or Opportunity Cost (foregone revenues due to inability to execute trades)
   b) Market Exposure or Value at Risk (capital loss on principal positions due to adverse market movements)
   c) Contractual and Reputation Exposure (costs of inability to perform contractual obligations and long-term impact of damaged customer franchise)
2. Presence of Business Functions/Processes and Products transacted
3. Presence of Technology Infrastructure supporting Business Functions/Processes and Products

Threats Associated by Location

1. Environmental Risk
   a) Physical Threats (e.g., inclement weather, earthquakes, civil unrest, etc.)
   b) Municipal Utility Infrastructure (e.g., power, water)
   c) Telecommunications Infrastructure
   d) Transportation Infrastructure
   e) Health Care Infrastructure
2. Staff Concentration Risk
3. Technology Risk
4. Facility Risk


Business Continuity Impact Scenarios Assumed by CSFB

Partial Loss

Planning Time Horizon: Intraday (Up to start of next business day)

Assumes no physical destruction of facilities or systems. Business unit staff would either wait for IT and/or facilities disruption to be remediated or invoke business continuity plans. Internal outages/failures; examples: partial power outage or hardware/software failure.

Denial of Access

Planning Time Horizon: Up to 3 days

Assumes no physical destruction of facilities or systems. Business unit staff would need to evacuate or be denied access to their primary office space. Examples: Transit strike, inclement weather, bomb scare, gas leak, civil unrest.

Total Loss

Planning Time Horizon: Up to 1 month or longer *

Assumes physical destruction of facilities, systems and/or people. Examples: Terrorist attack, earthquake, catastrophic fire, flood.

Loss of Key External Interdependencies

Planning Time Horizon: Variable dependent on whether impact to CSFB is a Partial Loss, Denial of Access or Total Loss

Assumes interruption of service provided by Third Party Service Providers, Exchanges, Industry Utilities, Clearing Corporations, and/or Market Data Systems (e.g., pricing/news/market analysis information, communications, trade execution/deal capture, etc.). Also assumes interruption of services provided by CSFB.

* If the event is a Total Loss of primary data center collocated with people, then impact duration starts on Day 1. However, if the event is a Denial of Access to a data center facility lasting more than 3 days, then it is considered a Total Loss event.

Business Recovery/Resiliency Strategy Options – Considerations for Risk Mitigation

Impact scenario – relative probability of occurrence:
• Partial Loss – High
• Denial of Access – Medium
• Total Loss – Low

Each strategy option is rated for Estimated Recurring Cost, Speed of Recovery and Difficulty of Recovery. On the slide each block of ratings below sits under one of the three impact scenarios; the blocks are listed in the order they were extracted.

Block 1
Business Recovery / Resiliency Strategy Option | Estimated Recurring Cost | Speed of Recovery | Difficulty of Recovery
Split/Shared Production | L | H | L
Transference | L | H | M
Displacement Seating | L | M | L
Remote* | L | M | M
Manual Workarounds | L | M | M

Block 2
Business Recovery / Resiliency Strategy Option | Estimated Recurring Cost | Speed of Recovery | Difficulty of Recovery
Internal Recovery/Contingency Seating – Dedicated Trading | H | M | M
Internal Recovery/Contingency Seating – Dedicated Non-Trading | H | M | M
Internal Recovery/Contingency Seating – Shared Non-Trading | H | M | M
Third Party Provider Recovery/Contingency Seating – Dedicated Non-Trading | H | M | M
Third Party Provider Recovery/Contingency Seating – Shared Non-Trading | M | L | H
Split/Shared Production | L | H | L
Transference | L | H | M
Displacement Seating | L | M | L
Remote* | L | M | M
Manual Workarounds | L | M | M

Block 3
Business Recovery / Resiliency Strategy Option | Estimated Recurring Cost | Speed of Recovery | Difficulty of Recovery
Internal Recovery/Contingency Seating – Dedicated Trading | H | L | H
Internal Recovery/Contingency Seating – Dedicated Non-Trading | H | L | H
Internal Recovery/Contingency Seating – Shared Non-Trading | H | L | H
Third Party Provider Recovery/Contingency Seating – Dedicated Non-Trading | H | L | H
Third Party Provider Recovery/Contingency Seating – Shared Non-Trading | M | L | H
Split/Shared Production | L | H | L
Transference | L | H | M
Displacement Seating | L | M | M
Remote* | L | M | M
Manual Workarounds | L | M | M

Legend: H = High, M = Medium, L = Low
Remote* – Availability, functionality and capacity of key systems varies by business and by type of remote access

Business Continuity Risk Mitigating Strategies – Illustrative Optimization Over Time

[Figure: three site maps labelled Current State, Proposed Interim State and Proposed Future State, each distinguishing BAU Assets from BCP/DR Assets (legend). Sites shown across the states: New York Downtown Campus, Midtown Office, Jersey City Site A, Jersey City Site B, Jersey City Site C, Jersey City DR Data Center, Central NJ Office and Data Center, Northern NJ DR Data Center, Southeastern US Office and Data Center, London and Asia.]

Through the use of optimized traditional and alternative recovery and resiliency strategies, utilization of Business-As-Usual (BAU) firm assets (people, facilities and technology) increases while physical concentration risks are mitigated and DR-only overhead costs are reduced.

Traditional Recovery – Dedicated or shared contingency seats (internally managed or third party)
Alternative Recovery – Displacement, remote computing, transference, split production