The Business Service Framework helps to:

• Determine the business services that, in the event of disruption, would have the greatest impact on markets, clients and the firm, i.e., BNY's Critical Business Services

• Identify dependencies of each business service

• Provide an end-to-end view of the process to deliver products and services

• Enable a clear view of business resumption

• Guide business function prioritization based on tiering system

• Shape policies and practices to incorporate global regulatory requirements into a cohesive enterprise approach to resiliency

• Facilitate better alignment of business service composition and data to foster a cohesive view across the stress continuum, including recovery and resolution

The BSF incorporates:

• Risk-Based Prioritization - services and functions are prioritized based on their business impact assessment, considering the potential impact of disruption to markets, clients or the firm

• Asset Mapping - businesses identify the resources necessary to execute their activities at the function level; resources include people, applications and other technology assets and infrastructure, services provided by third parties (e.g. vendors and financial market utilities) and facilities

• Function Tiering - functions are tiered considering the business impact assessment, incorporating criticality of service and availability of alternative processing paths

• Function Mapping Process Architecture - process maps are used to show the function level processes that deliver end-to-end business services

BNY is a Global Systemically Important Bank (G-SIB) subject to a multitude of regulatory requirements related to operational risk and resiliency, across numerous jurisdictions. BNY takes a global approach to the adoption and implementation of enhanced operational resiliency requirements to better achieve consistent levels of product and service resiliency globally.

The global regulatory landscape on operational resilience continues to evolve with the release of multiple guidelines, rules and interagency papers in recent years, including the Basel Committee on Banking Supervision, the Federal Financial Institutions Examination Council, U.K. Operational Resilience Rules, the Central Bank of Ireland's CP140, and the Digital Operational Resilience Act (DORA), we continue to mature our practices and capabilities in alignment with these standards, goals and objectives, driving compliance with regulatory requirements.

Within ERO, the Business Resiliency Intelligence and Automation group (BRI), in collaboration with Operations, has developed advanced monitoring capabilities to further promote proactive detection and resolution of potential issues. This initiative focuses on identifying anomalies in transaction processing, early warning indicators that help enhance current monitoring capabilities to proactively detect potential operational and market issues based on predefined historic transaction volumes, and automated notifications, including email alerts and on-screen push-based alerts to facilitate escalations and notify key stakeholders. If multiple anomalies are detected, priority for mitigation will be determined based on asset mapping as defined by the BSF.

The Cyber, Technology and Operations Center (CTOC) proactively displays metrics and other information developed by BRI. CTOC helps deliver next-level resiliency through cohesive, service-centric incident response and management by bringing together cyber, technology, business, and operations experts, together with real-time transaction and other data, into one center. CTOC has helped reduce the time to identify and resolve issues.

As a global institution, BNY is exposed to the risk of uncontrollable events that can cause varying degrees of disruption to normal business processes. Business continuity is a critical component of our enterprise resiliency strategy. 

The business service framework is the foundation on which BNY’s business continuity planning occurs. Business continuity plans are created and maintained at a fairly granular (function group/function) level incorporating every function within the enterprise.

Through our business continuity program, we: 

• Establish effective and sustainable recovery strategies

• Certify business requirements and capabilities across the enterprise 

• Confirm the feasibility of our recovery strategies through testing

BNY conducts many forms of resiliency testing on an ongoing basis. As part of the business continuity lifecycle, numerous types of contingency plans are tested on an ongoing basis each year with many required to be repeated annually or semi-annually. We maintain a formal disaster recovery program for testing our ability to restore and resume technology and information assets across a wide range of scenarios that vary in both type and severity and include various types of severe but plausible scenarios.

While core disaster recovery testing is still executed over weekends, our testing has evolved into more complex exercises, often lasting more than 30 days, with distinct objectives aimed at further solidifying our resiliency.  Some testing incorporates multiple businesses, enabling us to test interdependencies and the restoration priority order of business services.

Increasingly, testing involves third parties such as vendors and clients. We also participate in global forums and sector exercises — all designed to learn more and continuously enhance our resiliency posture.

Our incident and crisis management framework is a cornerstone of our resiliency strategy, helping to ensure that we can swiftly and effectively respond to any disruptions. This comprehensive approach includes continuous monitoring, rapid assessment and coordinated response to incidents, minimizing impact and maintaining business continuity.

Our global team operates 24/7/365, providing around-the-clock support to manage and resolve incidents. By integrating cybersecurity incident response, technology major incident management and post-incident reviews, we can help our clients experience minimal disruption and maximum reliability.

This proactive and structured approach underscores our commitment to delivering resilient and uninterrupted services while a dedicated resiliency communications function within ERO manages the incident and crisis management communication process by preparing, reviewing and facilitating notifications to stakeholders, including regulatory authorities and client service teams which communicate as necessary to affected clients.

Each test and each incident are viewed as an opportunity to learn and improve. We have a structured process in place to promote continuous improvement.