Providing investment services for individuals and organizations around the world requires the delivery of real-time investment information on a 24 by 7 basis, 365 days a year. Failure to maintain technology systems for investors represents a huge risk for mutual fund providers, such as Fidelity Investments. Our April 11, 2008 ERM Roundtable speaker, Brian Ward, Senior Vice President of Fidelity Investments’ Risk Advisory Services Group, provided an overview of how Fidelity integrates its focus on business continuity planning and IT risk assessments into its overall enterprise-wide risk management approach.
Managing Risks at Fidelity
The mutual fund industry is filled with a wide array of potential risk exposures. Customers expect real-time delivery of investment information that depends on worldwide investment markets where complex financial instruments are bought and sold on a never-ending basis. The interconnected marketplace means that Fidelity’s ability to deliver investment services depends on other market participants outside Fidelity’s control. This data-intensive industry faces an ever-evolving portfolio of product offerings in an environment with emerging regulatory oversight, not only in the U.S., but around the globe. Clearly, the management of risks is vital to Fidelity’s core business operations, warranting a constant focus on emerging risk exposures. That enterprise focus is led by Ward and the Risk Advisory Services Group that he oversees.
Given the nature of the investment industry, there are numerous risk-related functions spread throughout all Fidelity business operations. The Risk Advisory Services Group helps coordinate and support all the various risk managers spread throughout the Fidelity operation to ensure the entity-wide approach to risk management is conducted on a consistent basis throughout the enterprise. The Risk Advisory Services Group provides the enterprise-wide oversight and governance of the risk management functions and identifies the structure and approach that provide consistent direction for risk management across the entire organization.
Strategy Drivers Provide Focus on Core Risks
To help the Risk Advisory Services Group prioritize the complex portfolio of emerging risks Fidelity faces, Ward and his group structure their focus around the core drivers of Fidelity’s business strategy; these core value drivers are what allow the group to rank the multitude of risk exposures the company faces. Risks are considered across seven risk categories: reputational, strategic, financial, operational, organizational, compliance/legal, and technology-related risk exposures.
Intersection of BCP with Fidelity’s Strategy
Fidelity’s strategy of providing investment services to an investor base all across the globe creates enormous demand for resiliency in its information technology functions. The tolerance for system outages or lack of access to pricing information is extremely low. Customers have little appetite for Fidelity to say their “systems are down.”
Recognizing and effectively managing IT related risks is vital to Fidelity’s core business strategy as one of the world’s largest privately held mutual fund companies. Given the significance of maintaining continual IT operations, one of the key focus areas of Fidelity’s Risk Advisory Services Group is to oversee the business continuity planning processes at Fidelity.
Business Continuity is Broader than IT
While the technology infrastructure obviously directly impacts Fidelity’s ability to provide continuous operations, Fidelity’s oversight of business continuity appropriately recognizes that the company’s ability to maintain continuous operations depends heavily on people, including Fidelity employees and vendors who support core IT operations around the globe. Thus, the evaluation of IT risks involves a significant focus not only on technology, but also on people-related risks that might threaten Fidelity’s ability to maintain continuous operations.
One area of focus is on monitoring emerging threats to employee health that might impact an employee’s ability to provide key IT-related functions. With Fidelity employees located around the globe, a chief concern is employee resiliency to illnesses, including risks associated with a pandemic outbreak. Variations in vaccination practices and other health prevention techniques around the world create different levels of health-related risk exposure for the key employees who help Fidelity maintain and deliver real-time information to its global customer base. As a result, Fidelity’s ERM process monitors emerging health-related threats, such as those related to pandemic outbreaks, as part of its overall risk management strategy, and ensures that Fidelity has resiliency plans for mitigating risk exposures if employees in certain parts of the globe are unable to perform core functions due to an unexpected health outbreak. The Risk Advisory Services Group regularly conducts risk impact analyses to monitor potential emerging health-related threats.
This impact analysis also extends beyond the impact on employees to include an assessment of the impact on the key vendors that Fidelity relies on to support and deliver key IT operations. Given the complexity of Fidelity’s information technology systems, Fidelity works with external technology vendors on a regular basis. Thus, in addition to ensuring a viable and available workforce, part of Fidelity’s enterprise risk management process considers impact analyses of risks associated with vendors’ ability to deliver core support services.
Fidelity’s Risk Advisory Services Group constantly measures systems availability and capabilities, including monitoring of data quality measures. The Group is always trying to fine-tune its key risk indicators to improve its ability to monitor leading indicators of emerging risks that might threaten Fidelity’s ability to maintain continuous operations on a 24 by 7 basis.
Ongoing Risk Communications and Escalation Policies
The complexity of Fidelity’s operations means that there are numerous business functions that support or rely on core IT operations. Management of IT risk exposures is done at the business unit level, where triage is initially conducted as risks emerge. To ensure that risk events are appropriately elevated by business unit leaders to more senior leaders, the Risk Advisory Services Group works with key business functional units to establish predefined severity levels that set the thresholds at which certain individuals should become involved in responding to an emerging risk. As the potential threat increases in severity, the severity levels specify how information about an emerging risk event is to be elevated through the chain of command at Fidelity. These pre-specified severity levels help ensure that appropriate management attention is received on a timely basis as risk events arise.
One technique that Fidelity uses to determine these severity levels is tabletop exercises, in which core members of management evaluate the significance of potential risk scenarios to Fidelity’s ability to maintain core operations. These tabletop exercises build upon past experiences and “near misses” to help predict the future impact of a particular risk event. These tabletop exercises not only help identify potential risk exposures and set risk escalation levels, but they also serve to maintain employee awareness of potential risk exposures that constantly evolve. The goal is to encourage a proactive risk evaluation and monitoring process at Fidelity.