Calastone's operational resilience: the importance of business continuity planning
28 Apr 2016
When I started my career, business continuity was viewed as a nice to have, but it is now at the core of every well managed business. Whether it be a cyber-attack, natural disaster, change induced error, power failure or even terrorism, a strong business continuity plan (BCP) is the responsibility of everyone in the company. If implemented correctly, it mitigates risk to acceptable levels and allows the business to continue functioning regardless of circumstance.
A well-rehearsed, well communicated and fully understood business continuity plan is essential, and should be an integral part of any business structure in order to protect customers and mitigate the impact of any disruption. Increasingly, resilience is becoming a real topic of concern within the funds management industry and this is an area where Calastone particularly excels.
A report written by Continuity Central stated that for every $1 spent on disaster recovery, society saves $4 in response and recovery costs. Furthermore, of companies that have dealt with a major data recovery issue, 43% never reopen and 29% close within 2 years (1.) The value and importance of a BCP cannot be overstated.
What does Calastone’s operational resilience mean for clients?
Calastone’s operational resilience is critically important in providing clients, industry participants, and employees with the confidence that the business is able to withstand potential threats and continue operating through a wide array of major incident scenarios.
In addition to Calastone’s business requirements for BCM, our planning takes account of the requirements defined by the Financial Conduct Authority (FCA) and forms a key part of our annual FCA submission.
What do we do to counter external threats?
Calastone’s systems utilise industry standard protection and all components of the infrastructure are regularly upgraded, with our systems running the latest stable versions of any given product. Calastone has one codebase with approximately 12 major releases a year. To test our own resilience, we commission independent penetration tests at least once a year and systematically test vulnerability at every release. This is in addition to our extensive Quality Assurance testing which ensures that our systems are always fully secure.
At Calastone, our business continuity plan mandates a disaster recovery plan that is at the core of our BCM processes. Disaster recovery (DR) is a subset of business continuity, which focuses on ensuring that the core technologies remain functional.
For us, examples of the need to invoke DR include:
- The loss of a primary data centre
- The loss of the network surrounding the data centre (preventing client connections to the Primary data centre)
- The failure of major network components with no possible internal recovery
At the heart of Calastone’s business model is flexibility. Dual connectivity, using diverse technologies, is available to all clients and adds an additional level of resilience to our clients across the network.
To ensure that clients receive the best possible support, we run a multi-lingual ITIL (Information Technology Infrastructure Library) conformant service desk with ITIL certified staff, 24 hours a day, 5.5 days a week, covering all of the markets we operate in.
For standard incident management, we consistently hit a first line fix rate in excess of 95%. I am particularly proud that we are able to offer such a high level of service to our clients. This is achieved by a continuous training and up-skilling program in the Operations team, aimed at improving the speed and quality of responses to clients and minimising the need for second line escalations.
In order to further reduce risk, we perform exception monitoring at every point on our system in real time. To do this we baseline and track the state of our processes and responses. Each server has a dynamically-assigned tolerance which alerts the team when the tolerance is breached. In real terms, this means we can closely manage our counter-party connections and in most cases fix a problem before it becomes a client impacting incident.
In addition to the above, Calastone operates a comprehensive capacity management regime. Again, system base-lining along with proactive and predictive monitoring ensure that we never exceed pre-defined thresholds for system utilisation and performance. Additional capacity can be added dynamically and root cause of any increased system utilisation can be established and remediated through our problem management processes well ahead of any possible client impact.
Teamwork and culture are key
When I joined Calastone in 2009, I worked from the outset with the business leadership team and began implementing the Business Continuity Management model which, through a programme of continuous service improvement, has evolved into the robust suite of processes we follow today. At Calastone, BCM is not just an activity carried out by the IT teams; it is a part of the corporate culture. It takes significant application, time and practice to keep business continuity at the forefront of the team’s mind. The irony is that we hope we never have to use it.
1. Business continuity statistics: where myth meets fact. Continuity Central. 24 April 2009.