
BCM Initiation and Management

Please provide the following information: How many BCM projects have you initiated and managed. Describe the process adopted and what the scope of the projects entailed. Any challenges and how these were overcome, should be detailed. If you are part of a team and have only participated in these activities, please detail your involvement.

I am responsible for Quality Assurance of BCM across AIB Group and have been in this position since 2006. I work in a team of 5 who are responsible and accountable to senior management in AIB for all facets of BCM across the Bank. We own the entire BCM process across AIB group, a bank with 24,000 staff, over 800 branches in Ireland, UK and Poland. It is our responsibility to ensure that:

1. BCM policies and standards are current and reflect industry best practice.
2. BCM Plans are accurate for all major business units and signed off by local Executives.
3. BCM annual test schedules are in place.
4. BCM testing is carried out in line with the schedule and that test results are documented and approved. Where necessary tests are repeated if outcomes are deemed unsatisfactory.
5. IMTs are in place at Divisional level and conduct regular rehearsals.
6. A quality assurance programme is in place across the Group to ensure the effectiveness of BCM.

In particular, I have specific management responsibility for items 2, 3, 4 and 6 above and I co-ordinate the annual BC test programme for all priority Business Units in AIB Group. I also manage the preparation of monthly testing and incident metrics to the senior management team, including the Director of Operations & Technology and the Group Chief Risk Officer. Group BCM published an updated Policy document in 2006. I have recently worked as part of the team authoring a set of BCM Standards (in line with BS 25999) based on the updated Policy. The updated standards were approved by the AIB Senior Management Team in June of this year. A key aspect of my role is relationship management which necessitates ongoing dialogue and meetings to achieve buy-in from the BC stakeholders across the Group, in particular Divisional BC Co-Ordinators and Heads of Operational Risk.
I have joint responsibility for monitoring adherence to the Group BCM Policy & Standards throughout the organisation by identifying issues arising from regular meetings and monthly status reports from each of the Divisions. I also attend quarterly Group BCM Steering Committee meetings and progress assigned Business continuity issues to resolution. In previous roles, I have updated and exercised continuity plans for J P Morgan Dublin. I also managed a review and update of BCM plans in permanent tsb bank during the euro switchover and I authored and exercised the disaster recovery plan for the bank's core banking systems.

Business Impact Analysis

Please provide the following: The number of BIAs you have undertaken. Describe the approach adopted and provide an example of the tools used (i.e. Questionnaires/Spreadsheets etc.) Describe the type of information obtained and what the information was to be used for. If possible provide some form of documentary evidence of a completed BIA.

Previously, AIB did not use a formal BIA methodology but relied on management experience to define mission critical activities and associated resilience and recovery specifications. I have this year participated in the design of a BIA template and have agreed this template with our divisional BCM co-ordinators. This was successfully piloted in the four Divisions during the Spring of 2007, with roll-out across all priority Business Units within these Divisions throughout 2007. The BIAs have been progressively rolled out across the Group in 2007. I attended six Business Unit BIAs and delivered a further three. Many of the business units are updating their BCM Plans following completing the standard BIA template. The BIA rollout assisted Business Units in their understanding of whether or not their processes are Mission Critical within the Bank as a whole and also helped validate the number of BCM syndicated seats required at our work area recovery sites. The completed BIAs are being stored in AIB's central BCM application (Strohl's LDRPS application).

Risk Evaluation and Control


Please provide the following: The number of risks assessments you have undertaken and describe some information on how these were undertaken. Please give examples of some of the mitigation strategies emanating from the evaluations and any control measures introduced as a result. If possible, please provide documentary evidence of the Risk Evaluation Reports.

All major projects in AIB must conduct a risk evaluation before it is approved and must then maintain a risk register as the project is initiated and proceeds. These risk registers are reviewed in the normal course of events at project and steering committee meetings. We use a 4X3 matrix approach where the risks are graded prior to mitigation and then re-graded post risk mitigant application. Our approach is not to eliminate risk completely but to ensure that no killer risks remain open during a project and particularly at completion of a project. I substantially improved the risk evaluation templates used in the Bank to show not only the category of risk but the trend in the risk (rising, flat, falling, etc). I have managed at least 20 major projects that involved the use of risk evaluation and control processes. Some examples of the risk evaluation that I have managed are listed below:

- Bankcentre Redevelopment Project BCM Strategy Review of Work Area Recovery capacity in light of changing property portfolio in the Bank.
- Pandemic Contingency Planning and risk mitigation strategies
- Identification of Flood Threats and deployment of flood defences
- Migration of all data networks to IP and standardisation on Cisco technology;
- upgrade of the Bank's main PABX to provide resilience and redundancy
- capacity upgrades to the IBM mainframes, and operating system upgrades
- rationalisation and consolidation of the Bank's Internet platforms

I have exercised controls on all projects under my management by ensuring that they were delivered to specification, on schedule and within budget. We operate a matrix management structure for most projects where the project manager draws on the skills of the technical resources required for the project while ensuring that the needs of all stakeholders are met. We use an AIB project management methodology which is based on CIPD principles.

In my role I am focussed on identifying and mitigating the strategic BC risks that could impact AIB Group. Some examples are:

(a) Developing and implementing a BC strategy to address the concentration risk arising from an increase from 2,200 staff to 4,500 staff in AIB's main Head Office complex by:
- working with external consultants and Divisional BCM Co-Ordinators on a needs assessment.
- developing viable and fully costed options and presenting to senior management for ratification.
- production of Request For Proposal and leading negotiations with external vendor to signing of contract.
In addition, I represent the business continuity stream on the Bankcentre Working Group.

(b) Preparing a framework pandemic plan for AIB Group to address the Avian Flu threat. This was achieved by:
- desk based research and attendance at BC conferences and workshops to develop expert knowledge.
- working with stakeholders in relevant disciplines e.g. Facilities management, Occupational Health, HR, Operational Risk Management etc. as a member of the Avian Flu Working Group.
- obtaining approval from top management for recommendations.
In addition, I act as Deputy Chair of the Pandemic Planning Group.

(c) Addressing systemic risk across the Financial Services industry: I currently represent AIB on the Financial Services Industry Systemic Planning Working Group (Business Continuity stream) which is co-ordinated by the Institute of Bankers and receives input from the Financial Services Regulator and the Central Bank of Ireland. The outputs from this group, together with high level recommendations to address the above risk, to be presented to the Chief Risk Officers from the main Clearing Banks for their consideration.

Within the process designed in AIB this element aligns very much with BIA where we use the ORM SART process to identify the risks and mitigants across all processes carried out by individual Business Units. As part of the BCM process we would focus on the defined critical processes and assess the risks and mitigants for those; see Attachment 2.

This process usually identified gaps. Where gaps were identified we initiated a process where we would review the risk, the likelihood and the cost of the resolution. In some cases there would be no costs but a change in process or controls around a process (staff rotation, training, awareness etc). Where costs were identified the details were put to the Management of the Business Unit for approval.

In 2003 I took on the responsibility of managing the ORM template at Divisional level within the AIB Group Payroll Business Unit. I closely monitored all risks and mitigants, ensuring that they were current and that any additional risks identified were updated to the template. I drove the bi-annual review for my business unit with the Divisional Co-ordinator ensuring all risks and mitigants were correct and in line with best practice. All processes were identified and looked at from the risk potential under the Legal, Financial, Regulatory, Reputational and Fiduciary categories. Mitigants such as the examples below were put in place:

- management signed off on Revenue Returns ensuring that all data was correct and return date deadlines were met for PAYE, National Insurance & BIK;
- having an up to date BCM plan in place and exercising same annually at minimum;
- running comparison reports in order to highlight changes from the previous payroll run and validating same for management sign off;
- strict system access monitoring/control ensuring that only the relevant staff had access to such sensitive data.

In my current Group BCM role I have set up the SART for Group Business Continuity Management itself. Mitigants in place focus on:

- Creating an awareness of BS25999 and AIB policy and standards at Divisional level to be cascaded to the Business Unit Co-ordinators. In an effort to create this awareness and spread the knowledge I engaged a consultant to assist in developing the Group BCM Training module which is currently being delivered to all Business Unit Co-ordinators across the Group.
- Ensuring the annual test schedule is in place for both the Business and IT Disaster Recovery Units and that it is both relevant and exercised. Monthly metrics returns are received from all the Divisions regarding tests that took place, were deferred, failed etc.
- Developing and implementing a BCM strategy to address the concentration risk arising from an increase from 2,200 staff to 4,500 staff in AIB's main Head Office complex by working with the Divisions to establish their seating requirements in the event of a BCM invocation, developing costing options and negotiating with external vendors regarding work area recovery sites.
- Identification of flood threats and working with Facilities Management to ensure deployment of flood defences during period of High Risk.
- Preparation of a framework pandemic plan for AIB Group to address the Avian Flu threat working with the relevant departments within AIB e.g. Facilities Management, Occupational Health, Human Resources, and Operational Risk Management and working with external agencies such as the Health Services Executive, Department of Health, etc.

Developing BCM Strategies

Please provide the following: The number of strategies you have developed and implemented. Give examples of the types of BCM strategies you have developed and how these were implemented. Any documentary evidence such as development and implementation plans would assist.

I am responsible for the development of BCM strategy in AIB. In conjunction with my team we write the BCM policies and standards for the Bank and ensure that they are signed off by Divisional and Group Operational Risk Committees. We have recently updated the BCM policy to specifically include new areas of concern including concentration risk evaluations, business impact assessments, loss of people (in addition to loss of facilities, premises and key IT systems) and to highlight the key role played by the recently formed Operations and Technology community in the Bank that reports to the Director of Operations & Technology.

I have initiated a review and updating of the BCM standards across the Bank and we are using PAS 56, PAS77 and BS25999 to guide this review. New standards will be approved by the respective committees in the Bank in 1Q2007.

AIB is doubling the size of its corporate headquarters and rationalising many of its Head Office locations across Dublin. This project will see an increase from 2,200 staff to 4,700 staff in a single location in 2007. I have initiated a review of the BCM considerations involved in this project working with BCM specialists from BT, BCM managers and operational risk experts in assessing the impact on business units and Divisions. We have developed a strategy which will see a very significant increase (over 1,000 seats) in the number of BCM seats as a result.

I have driven the Bank's centralised Pandemic Planning initiative in AIB. I led the team which developed the high level contingency plan that is progressively demanding as World Health Organisation alert levels increase. I have sponsored the initiative to ensure that all business unit plans include scenarios of 15% and 30% staff loss over and above normal absentee levels in 2007.

I have initiated and staffed a Quality Assurance programme at the Group BCM level to check the quality of business unit BCM Plans and Test Results with a view to improving the quality of BCM testing across the Bank.

I developed an Emergency Response Plan as part of an overall redesign of AIB's BC plan (refer next section). This was fully exercised during an invocation due to a fire at 6.30 p.m. on Thursday, 26th September 2002 in a building in which AIB leased two floors.
The sequence of events were as follows:

- fire alarm activated and AIB staff evacuated
- member of management alerts Group Security control who, in turn, alerts me
- I contact member of senior management from Business Unit impacted (TBSS), the Chair of the Group BCM Steering Committee, the Head of Public Relations and the Head of Group Security
- senior member of management from TBSS who was on site invokes the Disaster Recovery site (Synstar Swords)
- Divisional IMT convened and plans put in place to commence operations in Swords following morning
- call trees activated and all staff advised to report to City Centre location by 9.00 a.m. the following morning
- at 9.45 a.m. TBSS staff boarded buses to Swords where they were operational by 10.30 a.m.
- myself and other members of the Group BCM team maintained a presence in Swords from 9.00 p.m. on the Thursday evening until close of business on Friday
- we visited the fire damaged site on Saturday morning and subsequently co-ordinated a lessons learned report
- after a four week period in the Disaster Recovery site the TBSS team relocated to temporary premises for a further five months.

For a two year period, I co-ordinated the Incident Management Team for the RoI Retail Division which included the organisation of regular meetings and rehearsals. I also represented Group BCM as an IMT member. As part of this I engaged an external consultancy firm (Risk Management International) and worked with them on the design and implementation of two major Incident Management Team (IMT) rehearsals. (This exercise was observed by a representative from each of the other Divisions who subsequently used it as a template for rehearsals in their Divisions). As part of this I identified and equipped two Emergency Operations Centres (one onsite and one offsite).
At the conclusion of this exercise I updated the IMT manual for that Division and produced Battle Boxes containing all the vital information (call trees, site maps of buildings, emergency contact lists, first aid kit etc.) that may be required in the initial stages of an invocation. In my current role, I keep abreast of the Incident Management Team capability in each of the Divisions and, in conjunction with the BC Co-Ordinator in one of the Divisions, am working with IBM to develop a pilot pandemic planning rehearsal that will, ultimately, be rolled-out to all Divisions in 2007.

This element of the project is about the formulation, development and implementation of a formal Business Continuity Strategy to meet the Business Unit's needs. In my experience all of the following areas need to be addressed to ensure the most cost effective and optimum strategy is identified and developed.

IT Strategy Hardware, Software, Communications, Data Recovery Site

Communications Phones etc

An important element in this phase is to ensure the focus of the BCM strategy remains on process recovery. Too often the focus can shift to hardware dependencies with the belief that if a process is not recovered on an identical platform it will never work. A successful strategy can only be developed if a team is assembled with representatives from the following.

- Business Experts - Knowledge of the business process.
- Continuity Service Provider - What the recovery site provides
- IT Infrastructure Experts - IT infrastructure supporting the Business
- 3rd Party Suppliers.

One of the major learning curves at this stage has always been the gaps identified between Business expectations and the IT delivery. At this point in time issues about the ability to recover in the timeframes required raise their head. This in turn requires that Recovery Solutions are designed and costs based on the recovery times required by the Business. The Business then needs to agree to pay the extra costs to meet their timeframes or re-assess the recovery timeframe to meet what is currently available. The timeframe for this phase depends on the complexity of the recovery solution and recovery timeframe.

Examples

1 - An excellent example of this relates to AIB's 24 hour solution where we spent over a year investigating Call Centre recovery options. The options finally came down to:

- Replicate the existing Call Centre switch used internally. Rejected: too costly.
- Replicate the existing Call Centre switch in our recovery providers. Rejected: too costly.
- Use a syndicated Call Centre switch that could be configured to mimic the existing system used. This was the solution implemented.

While the decision on strategy took a long time the implementation of the strategy also took time as the configuration element was time consuming: phone set up, pre recorded messages etc. However it has proved to be a very good solution.
2 - One of the advantages of working with multiple Business Units is that I can assist Business Units in delivering a BC solution that accommodates multiple Business Units and leads to substantial savings. Through my involvement with the various I identified a common gap relating to back up servers. A lot of Business Units had no back up servers for critical applications that required recovery after 24 hours. Rather than purchase multiple servers we added a server farm of 7 servers to our recovery site contract thus giving the Business units back up servers for testing and invocation. Note: Given the geographical location of the Business Units in Dublin this was a very practical solution.

I work with the Divisional Co-ordinators to determine recovery strategies for priority Business Units bank wide. Our approach is to protect the Bank against loss of buildings, IT systems and people. With regard to buildings our main BCM strategy focuses on the purchase of syndicated and dedicated recovery seating in alternative premises from external Vendors, and the use of ghosting technology to recreate the desktops. We are currently in negotiation with vendors in relation to the increased seating requirements which have arisen due to the increase from 2,200 staff to 4,500 staff in the Head Office complex here in Bankcentre. I participate in these negotiations. I also assisted in producing a cost benefit analysis for presentation to Senior Management who have approved the proposal. With regard to IT systems, I have worked closely with our main IT units to ensure they have developed IT service continuity plans, that they exercise these plans regularly and that steps are taken to improve the resilience of key IT systems.

As previously stated I have worked on the revised AIB Group BCM Policy and on the AIB Group BCM Standards which are closely aligned to the BS25999. These policies have been updated specifically to reflect new areas of concern including concentration risk evaluations, BIAs and loss of people - in addition to the existing loss of facilities, premises and key IT Systems. With regard to loss of people I have been heavily engaged in developing Pandemic Flu strategies and these have included:

- Evaluation of the purchase of anti-virals and deployment of the distribution plan
- Secure options on purchase of anti-bacterial disinfectants
- Brief staff and display notices in respect of hygiene e.g. handwashing
- Evaluation of the purchase of facemasks and other protective clothing
- Remote access working
- Communications plan for staff
- Review all material third party providers, to include both internal and external in the context of a pandemic threat.

Emergency Response and Operations

Provide the following: Details of practical experience in responding to an emergency and any strategies implemented by yourself. Include as much detail as possible in relation to the types of Emergency Response plans and procedures you have developed and also provide documentary evidence if practical. If you are part of a Team, please describe your involvement.

During my six year period in charge of IT infrastructure services for the Bank I and my team provided third level technical support in the event of service disruptions and problems. On many occasions I chaired the Crisis Management Team that convened at short notice to deal with major services disruptions. The CMT comprised seasoned technical managers and specialists and the CMT would sit until the service issue was resolved. Our CMT is based in ITIL and CoBIT principles.

In conjunction with my team we developed a Major Incident Report process (MIRF) where the short term, medium term and long term actions required to completely eliminate a service issue were described and then the MIRF is tracked to conclusion through a monthly Forum which reviews all open MIRFs. On many occasions I chaired this Forum. In conjunction with one of my senior colleagues we sponsored the rollout of an SMS alert system which provides all key IT management and senior business executives with real time notification of any major service issues and keeps them updated on progress through to resolution of the issue.

I have first hand experience of dealing with major crises spanning a wide range of service disruptions ranging from all 400 branches off air, to loss of all Point of Sale and ATM services to loss of internet based services for retail and business customers. Typical examples would include loss of power to AIB's primary datacentre in early 2005; not only did I manage the immediate emergency response team, I led a team that recommended and implemented short term tactical improvements (more robust power, flood defences and better floorspace management) and I initiated a strategic review of our datacentres through IBM. This latter review ultimately resulted in a recommendation to vacate our two existing datacentres and relocate to new sites. Another example was the loss of our production K Series Tandem computer in February 2005 with the loss of all ATM and Point of Sale services.
This led to a decision to upgrade the central servers with latest technology which significantly improved the resilience of the services and simultaneously reduced the RTO from 4 hours to 2 hours or less.

One of the key areas of Business Continuity is the ability of the Business Unit Management team to manage an incident. Each Business Plan incorporates a 2 page Emergency Response Plan (Incident management roles and responsibilities, primary contact number, list of critical processes and downtime tolerance and invocation procedures).

One of the key areas of BC is the ability of the Business Unit management team to manage an incident. Our BC plans have evolved over time (see 6 below) however a key focus on our BC plans now is the roles and responsibilities of the Management team in a crisis. The team identify their command centre as part of their evacuation points and this is documented. We have developed a 2 page emergency Response plan (Incident Management Roles and responsibilities, primary contact number, list of most Critical process and downtime tolerance and invocation procedures).

To supplement this we have introduced a Desk Top training exercise as part of the annual test process. We give the team an incident and role play the various issues that arise throughout the incident. The objectives of the exercise are:

- Provide training to the Management team on the roles they are expected to play in the event of an incident
- Identify any gaps in the ERP.
- Create awareness of the impact and issues arising in an incident.
- Verify that the BCM plan reflects the priorities of the Business and their requirement for the recovery site.

This process was fully tested during the first AIB invocation in Ireland in 2002. See full report in Attachment III.

In my previous BCM role in Group Payroll I ensured that the management team had a laminated copy of these pages in addition to the Full Plan and that they fully understood their roles. I co-ordinated the annual Management Rehearsal with the Divisional Co-ordinator who presented the scenario, thereby ensuring that the Incident Management Team for the unit had a full assessment of how they would deal with a particular scenario. The scenarios presented always included loss of building. In addition, this emergency response plan was exercised to a minor extent in October 2005 when a toaster in the Group Payroll Business Unit coffee area went on fire at about 8.45am setting off the fire alarm. This just happened to be the day a weekly payroll had to be completed by 10.00 am in order to meet the transmission time deadline. The sequence of events were as follows:

- Fire alarm activated and all staff in the building evacuated to primary evacuation point
- Staff were accounted for and the call tree was activated for those en route to the office
- I liaised with the Incident management team and it was agreed that all staff were accounted for, facilities management were checking out the building with me in my role of incident site manager and I established that the only critical issue was to ensure that the payroll was completed on time.
- Immediate decision to send the staff member responsible for this payroll to the Payroll IT Support Unit (located in a nearby building) who were able to complete the requirements and meet the time deadline of 10.00am transmission.
- All other 19 staff remained at the primary evacuation point to await update
- I liaised with facilities management to assess the situation/damage which in the end was minimal, and within 30 minutes staff were given the all clear to return to their desks.
As this was just a minor incident with all staff returned to the building within 30 minutes of the initial evacuation there was no need to invoke the work area recovery site and it was possible to complete the critical process on the day by the 10.00 am deadline.

In my current role: I deliver the Management Rehearsal scenarios to the Business Units within the Group Division as part of the annual test process. In 2008 I plan to run a scenario based on loss of people. I also keep abreast of the Incident Management Team capability in each of the Divisions, and in conjunction with the BCM Co-ordinator in one of the Divisions am working with IBM to develop a pilot loss of people planning rehearsal that will ultimately be rolled out to all Divisions in 2008.

Design and Implementation of Plans

Provide details of the different types and number of plans you have developed and what aspects these covered. Examples of these should be provided if possible. If you are part of a Team, please describe your involvement.

My Group BCM team recommended the use of LDRPS (Strohl) as a central repository for the BCM Plans for all important business units and this has been implemented across the Bank. The LDRPS application uses a standard template for the drafting of BCM plans and BIAs. All major business units in AIB are using LDRPS. As part of our datacentre relocation project I sponsored a sub-project to update all Disaster Recovery Plans based on a standard template developed jointly by my Group BCM team and the relevant technical specialists and with support from IBM. All DR Plans across the Group will conform to the new template by end 1Q2007.

I have sponsored and staffed a new Quality Assurance programme within the Group BCM team which will independently test the quality of business units' BCM Plans, their test results for accuracy, currency, scope, scale and approved sign off.

When I first joined BCM I undertook a root and branch review of the discipline. Following feedback from BC Co-Ordinators in Business Units, one of my first initiatives on joining BCM was to review and restructure the BC plan, which is housed on Strohl LDRPS. In conjunction with stakeholders, the contents were restructured into three sections:

- Emergency Response Plan - The Emergency Response Plan (ERP) sets-out the actions to be taken at the time of an incident, key individuals involved, and how they are to be contacted. This plan may be the only information available to the Management Team at the early stages of a crisis and as such should contain all relevant information that the team may rely on. Each member of the Management Team must have an up-to-date copy of the ERP, accessible at all times.
- Communications Plan - This aspect of the plan details the communication process to all staff, critical supports and suppliers and key customers. Each member of the Management Team must have an up-to-date copy of the communications plan. All staff members identified as having communication responsibilities in the Staff Call Tree report must have an up-to-date copy of this report at their home locations.
- Recovery Plan - The Recovery Plan addresses the unit's short and medium term recovery requirements. (Long-term recovery requirements will depend on the nature and severity of the incident and is dealt with as an intra-divisional project, sponsored by the Head of the Business unit / Division). The Management Team Leader, the Recovery Manager and BCP Co-ordinator must have an up-to-date copy of the recovery plan. The BCP Co-ordinator will ensure that all members of the Management Team receive a copy of the recovery plan on BCP invocation.
AIB currently use the application LDRPS however we have customised the software to suit our needs in AIB. However over the years our process has evolved and the plan design has changed. Initially the plan structure was around the following:

- Management Structures - Incident Management Roles
- Operational Teams - The Processes and teams required
- Communications - Staff, Customers etc
- Recovery - Requirement for recovery.

One of the issues initially with the plan design and delivery was that volumes of information were contained in the plan and the Business units tended to take the view that loads of content equalled a good plan. As we all know this is not the case. In 2002 I was responsible for managing the 1st full invocation within AIB and this event led to me fully redesigning our BC plan. The focus was to simplify the document and ensure it was usable and relevant in a BC incident. In effect the continuity plan now used is:

1 - Emergency Response Plan - 2 page document that included Incident Management Roles, primary contact numbers (recovery teams, facilities etc), list of most Critical process and downtime tolerance and invocation procedures.
2 - Communications Section - Staff, Customers etc
3 - Recovery Section - Full list of Processes, Downtime tolerance, equipment required, seats required, IT procedures, series of aides-memoire for Business and recovery teams.

The Operations teams section was removed and instead we refer to normal work procedures i.e. detail data location on specific drives. As a result of the changes to the plan I undertook a major review and implementation programme visiting all Business Units and reviewing plans and assisting in updating same.

AIB currently use the application LDRPS (Strohl) as a central repository for the BCM Plans for priority Business Units throughout the Bank. The software has been customised to suit the needs within AIB. I am currently working on Quality Assuring all the Business Unit Plans on file. This involves going through the individual plan for the Business, assessing the scope and accuracy of these plans, and ensuring the plans have been approved and signed off by their Senior Management. This involves working closely with that particular Business Unit's Divisional Co-ordinator, and challenging the content where appropriate.

As referred to under BCM Initiation and Management, I was first introduced to the BCM process at the Divisional level when appointed BU Co-ordinator for AIB Group Payroll Business Unit in April 2002. This was new thinking within the unit, and my job was to put together a relevant plan to ensure that the unit could successfully locate offsite, and run the critical processes to include the administration of all Revenue Returns within the required timelines. The Plan included:

- Emergency Response Plan: a 2 page document that includes Incident Management Roles, a list of primary contact numbers (e.g. WAR site, facilities, media relations etc.), a list of the critical processes, downtime tolerance and invocation procedures. Each member of the Management Team must have an up to date copy of this ERP accessible at all times.
- Communications: This details the communication process to all staff, critical supports, suppliers and customers. I ensured that each member of the Management Team was given an up to date copy of this communications plan.
- Recovery: This plan addresses the unit's recovery requirements, e.g. full list of processes with downtime tolerance, equipment required, IT Applications and procedures and number of seats at the Work Area Recovery site.
I ensured that each member of the Management Team was given an up to date copy of the above, and that this data was always current. Successful annual testing took place annually from 2003.

Awareness and Training


Please indicate how you have approached awareness and training in the organisations for which you have worked. Please provide practical training material you have used if appropriate. If you are part of a Team, please describe your involvement.

We have reviewed BCM best practices across the Globe looking to USA, Australian and UK best practice. On foot of this review I have decided that AIB will align itself with BCI and BS25999 best practices. Our BCM strategies, policies, standards and training will be determined against this backdrop. I have set as AIB policy that staff involved in BCM activities across the Group will attend only BCM approved training courses. Through my team I have initiated discussions with accredited training specialists to initiate a training programme for all BCM co-ordinators in 2007. We will run the course 6-8 times in Dublin, 2 in Belfast and 2 in London at minimum. This will be an annual event in 2007 and subsequent years. For those staff at the centre or at Divisional level in full-time BCM roles I have agreed with them that they will attend BCM Master Classes over the period 4Q2006 - 2Q2007. I will actively encourage them to become Associates or Members of BCI. For BCM business unit co-ordinators we are arranging foundation courses in the use of LDRPS to ensure that all users know how to use the application and get the most out of its MIS capabilities.

As an integral part of my BCM role, I adopt a consultation process, both formal and informal, on an ongoing basis with key stakeholders to progress issues to resolution. Formal meetings are held on a bimonthly basis with each of the Divisional Co-Ordinators, together with the Head of Operational Risk from each Division. Consultation meetings are held as required and, informally, I make contact with the Divisional Co-Ordinators on a very regular basis. I have commenced planning for a BCM professionalism programme specifically for BC Co-Ordinators based in Business Units across the Group (including Poland). This will be a BCI accredited training course.

Over the years, I have planned and co-ordinated a number of BCM workshops for both Divisional Co-Ordinators and BC Co-Ordinators across all Divisions (at least twice a year). I developed a BC module for inclusion in a group-wide Operational Risk Management Professionalism Programme. As part of the annual BC testing process I have undertaken desk top scenarios with management teams. This training takes the form of a scenario desktop-based exercise for the Incident Management Teams in each of the Business Units and takes place on the morning of the actual BC test day. The objectives of the exercise are to:

- Provide training to the Management Team on the roles they are expected to play in the event of an incident
- Identify any gaps in the Emergency Response Plan (refer previous section).
- Create awareness of the impact and issues arising in an incident.
- Verify that the BCM plan reflects the recovery priorities of the Business Unit.

One of my key roles within AIB is to embed BCM within the normal day to day activities of AIB. In this role I communicate with:

- Upper Management
- BC Stakeholders - IT supports, recovery providers, facilities, HR functions etc.
- Business Unit Management & Staff

There are a number of ways I undertake this:

- Day to day involvement with Business Units - assisting with plan development, change management and problem resolution.
- Presentations - I have made presentations to Upper Management on implementing and maintaining BCM within AIB, to stakeholders on their role in BCM incidents, to Business Units on BCM in general and the process we employ within AIB.
- Training individuals on the LDRPS application. I have also been involved with training in new staff within the BCM Group function.

One of my key BCM roles is to embed the BCM culture within AIB. I achieve this in both a formal and informal manner.
I participate fully in the formal meetings held bi-monthly with the Divisional Co-ordinators to include the Head of Operational Risk from each Division, and the monthly meetings held with the IT Support Division. Informally I am in regular contact with all the Divisional and IT Service Continuity Coordinators. For the past two years I have co-ordinated and assisted in the planning of the bi-annual BCM Workshops for the key BCM staff and Divisional Co-ordinators across all Divisions. During the past months I worked closely with a consultant engaged by Group BCM to design a training programme designed specifically for the BC Co-ordinators based in Business Units across the Group. The course session is given over a full morning, and discussion amongst the attending co-ordinators is encouraged. This course is closely aligned to the BS25999 with content as follows: Defining BCM What you need to know Your role as BCM Co-ordinator What you need to do Where you can get assistance Putting knowledge into practice

I am currently co-ordinating the roll out of this programme, and it is planned to run this course on an annual basis going forward.

I have attended the following training courses and conferences in order to ensure that I am fully up to date with Business Continuity, and in addition have found this very useful as a way of making new professional contacts for the future.

- Annual BCI Conference in London - October 2006
- MIS Business Continuity Training - London - June 2006
- Automata Business Continuity Masterclass - Northampton - July 2007
- BS25999 Masterclass - Northampton - July 2007
- FSA Marketwide Pandemic Findings - London - July 2007

I am leading the initiative to completely re-design the Group BCM Intranet site within AIB. This new site has been developed on the BCM lifecycle which covers the key functions of an effective BCM programme.

- Step 1 - BCM Programme Management established and maintains our BCM capability
- Step 2 - Understanding the Organisation
- Step 3 - Determining BCM Options
- Step 4 - Developing and Implementing a BCM response
- Step 5 - Exercising, maintaining and reviewing
- Step 6 - Embedding BCM in the Organisation

In addition to the above this site also provides the URLs to useful reference sites, some of which I list below: www.thebci.org, www.continuity.co.uk, www.fsc.gov.uk, www.contingency-planning-disaster-recovery-guide.co.uk. I attach copies of a sample of the documents on this site which have been written in close alignment to the BS25999. Divisional, IT and Group BCM contact information is also available on this site. The target audience for this site is both the Divisional and Business Unit BCM Co-ordinators. It is expected that this new site will be launched and available to staff from mid December.

Maintaining and Exercising Plans


Please indicate the process you have adopted for the maintenance of plans. Also provide the number of exercises you have undertaken and what type of exercises these have been. If you are able, please provide evidence of approaches and reports on exercises. If you are part of a Team, please describe your involvement.

Our Group BCM policy mandates that all business units in AIB must have BCM plans in place. However there are critical business units that require strong management focus; these include Treasury, Clearing and Payments. Particular attention is paid to these business units to ensure their BCM Plans are accurate, current and signed off by local Line Executives. This is provided by the BCM Quality Assurance program that I have initiated and will progressively roll out in 2007. As Head of BCM in AIB I have responsibility for ensuring that there is a BCM test schedule in place across the Group that encompasses BCM testing at business unit level and DR testing at a central IT level. I ensure that key BCM tests are witnessed by my BCM managers and that test results are signed off by Line Executives. These activities are overseen by our recently launched BCM QA program. Much of the day to day work associated with this activity is carried out by my managers. I chair the quarterly Group BCM Steering Committee where all issues relating to BCM policies, standards, processes, procedures and recent major incidents are reviewed and discussed. This Forum ensures consensus across the BCM community before new policies and standards are proposed and adopted by Group ORMCO. I initiated monthly reporting where BCM metrics together with other Operational Risk KPIs are reported to Divisional and Group ORMCO and to the Risk Management Committee (RMC) which comprises the most senior management in the Bank.

In 2003, I led an initiative to restructure AIB's BC test process and introduced a standardised process for all Divisions. (Prior to this various approaches to testing had been adopted by each of the Divisions). The scope of the BC test was standardised and the test cycle was broken down into the following components:

- Review of BC Plan
- Preliminary Meeting
- Configuration/Update work (Change Control)
- Pre-Test Meeting
- Live Test Date
- Post Test meeting
- Test Sign-Off

Over the years in Group BCM I have facilitated BC tests from review of BC plans to observation of the BC test in the recovery site to review of the BC tests and lessons learned and updating of BC plans. I have addressed key issues identified as a consequence of the annual business continuity testing schedule e.g.:

- Tivoli Service Management (TSM): Significant improvements achieved in data recovery timeframes.
- Implementation of Ghost technology to substantially increase recovery timeframes and resilience.
- Development of ITSCM BC plans, customised for each Business Unit.

In my current role, I have responsibility for monitoring the annual BCM tests for two priority areas in Group Supports.

When I joined the BCM team in 1998 this element of BCM was my primary focus. The key to a BC plan is testing it to ensure the assumptions and recovery timeframes can be met. A plan that is not tested is of NO VALUE. My approach to this element within AIB was in 2 stages.

Stage 1 - Plan Development Testing

This took the form of an incremental testing approach. Once the recovery site strategy was agreed we went about incrementally testing the elements:

- Desktop development
- Server re-build
- Data recovery
- Telephony
- Finally user testing

Stage II - Testing and Maintenance

This is the stage we are at currently and involves:

1 - Testing

- Developing an annual test programme for all critical Business Units
- Full User Testing
- Against recovery timeframes
- Primary scenario is loss of operational Building.

Test Process includes:

- Pre Test Meeting - Business & Stakeholders
- Develop Test Document - Standard template developed by myself
- BC plan Review
- Crisis Team Desktop Exercise
- Test
- Post test Review
- Plan update
- Executive sign off

2 - Change Management Schedule

This is done as part of the main test schedule where Business Units implement a regular change control process ensuring that their BC infrastructure is kept up to date.

Stage III - IT Infrastructure testing

The main focus on normal BC testing is around the loss of your operational building and the relocation to a recovery site. But there is also the issue of IT infrastructure supporting the Business but not resident in the operational building. The testing of this has usually been done by IT but with little reference to or participation of the Business. This is one of the gaps I've identified in my time in BCM, i.e. the lack of communication between IT and the Business. The strategy is:

- Bring the IT and Business together to workshop their requirements and develop IT recovery plans to meet the Business needs; these plans are attached as an appendix to the main BC plan.
- Develop an annual schedule of IT infrastructure testing and ensure that the Business participate in this testing.

The AIB Group BCM policy clearly mandates that all business units in AIB must have BCM plans in place. The critical business units that require a strong management focus include Treasury & Settlement and Clearing and Payments. In my previous role (2003) as business unit co-ordinator I liaised with the Group Support Unit to ensure that successful testing took place for my unit since 2003. As referred to earlier, it was not possible to run a live payroll off site during the earlier years, but I worked towards the target of running an actual payroll offsite, and this was successfully accomplished within the scope of the 2006 test. In my current role I have responsibility for scheduling and monitoring the annual BCM tests for three priority areas within the Group Division. I ensure that their Business Plans are accurate, BIAs have taken place and that when the testing has been completed all is signed off by the business unit Line Executive. This is part of the Quality Assurance program which has been rolled out during 2007. I am a member of the quarterly Group BCM Steering Committee meetings where all issues relating to BCM Policies & Standards, procedures, major incidents and the testing process are discussed and appropriate action taken. I follow up with the Divisions to ensure all actions agreed are completed within the time frame.

Crisis Communications
Please describe the process you have adopted for maintaining crisis communications. If you have had practical experience of real life incidents, describe how the communications flow worked. If you are part of a Team, please describe your involvement.

In my six years in IT, I chaired the Situation Management Team (SMT) on many occasions. The SMT is charged with managing major IT incidents that impact customers or large blocks of AIB staff. The SMT, which comprises seasoned IT experts, manages such incidents from inception to conclusion. A report on each major incident, together with lessons learned, issues to senior management. AIB operates an Emergency Information line which was established and is managed by my BCM managers. This Helpline can be used to issue general information to all staff across the Group. Through our Group Public Affairs unit, we have established relationships with all of the major media players. I have been a member of the senior management team that held an IMT in 2006 to consider the impact of a pandemic flu on the Division which spans Northern Ireland and Great Britain. We have encouraged other Divisions to replicate this IMT rehearsal. I implemented an Emergency Information Line (free phone number) for staff to contact in the event of an emergency which was launched by a letter from the Group CEO. In the event of a crisis, BCM leverage off the existing internal communications channels, which are well established and tested. AIB Group Policy on Talking to Media sets out very strict guidelines in relation to communications with external groups.

I have been involved in a number of elements within this area; I will give an overview below.

1 - Development of Business Units' Incident Teams. All critical Business Units have an Incident Team as part of their BC plan. This team is trained annually via a desktop exercise I carry out which forms part of the annual exercise schedule. These exercises cover off areas such as incident management, HR, facilities issues and communication (internal, external and media).

2 - I interact regularly with the major support functions in relation to their roles in BC incidents. These include:

- HR - Staff issues, counselling (separate contract in place), contact information, general HR support
- Security - Emergency services contact and liaison, security of main and back up site in an invocation, deal with any security issues (incident cause issues, looting etc.)
- Facilities - Incident information, building status (H&S, surveyors etc.)
- Property - Expert information on building status, leasing arrangements, alternate locations (other than recovery site)
- Media Relations - we have a central Media section and they are responsible for co-ordinating external communications.

3 - Development of a Capital Markets Incident Management Team. This team is in effect the board of AIB Capital Markets and would form in a major incident; their primary objective is:

- The broader divisional / group impacts of the incident.
- Communicate internally and externally.
- Make strategic decisions and make practical decisions on priorities, resources and budgets.
- Offer support to impacted Business Units.

Again this team is exercised at least once a year via desk top scenarios. AIB operates an Emergency Information line (free phone number) which was established and is managed by my Department. Staff will contact this number for current information in the event of an emergency. I participated in an IMT rehearsal in September 2006 which considered the impact of a pandemic flu on the AIB Northern Ireland & UK Division. The other AIB Divisions are working towards a similar IMT. I am participating in meetings with the ROI Division to assist in facilitating this process. The AIB Group Policy on Talking to Media sets out very strict guidelines regarding external communications which all staff must adhere to.

Co-ordination with External Agencies
Please describe the process you have developed within your plans for coordination with external agencies. If you have had the practical experience in relation to real life incidents, describe these in detail indicating the external agencies involved and how the coordination worked.

We in AIB have taken a lead role at national level in terms of pandemic planning in respect of financial institutions and the financial industry generally. We highlighted the systemic risk implications of the financial services industry to the Central Bank and Regulator, and we engaged with IPSO the payments body and with IBF the industry body with a view to establishing forums with representative banks involved in considering the systemic implications of pandemic flu and other possible threats to the industry. We have also engaged heavily with the Health Services Executive to understand the national response to pandemic and to streamline AIB's preparedness plan accordingly. In Ireland in recent months we have experienced 18 year high tides. We have engaged with the major Port Authorities to understand the implications of these tides and prevailing weather conditions. As a result we implemented measures to sandbag over 20 branch and 4-5 head office locations where flooding history justified this action. We regularly seek best advice from the Fire Authorities and the Health & Safety Authorities to ensure that we are aware of best practice in these areas and that our plans and drills are to a standard that ensures the Bank is meeting its legal requirements.

I am a member of the Emergency Planning Society in Ireland. However, emergency planning in Ireland would not be as well developed as UK and we do not have the equivalent of the Civil Contingencies Act.

I have attended Emergency Planning Society meetings. This aspect of BC planning is not as mature in Ireland as, for example, in the UK and the emergency services tend to work in a piecemeal fashion. A recent publication "A Framework for major emergency management" (2006) updates the previous publication (1984) and it is hoped this will lead to a more integrated approach in the future. I also represent AIB in relation to business continuity matters at the Institute of Bankers and the Irish Payments Service Organisation.

I'm a member of the Emergency Planning Society here in Ireland. I find this an excellent forum for getting up to speed on this subject. The society regularly hold some very informative presentations on legislation directives and on the current state of thinking with public authorities here in Ireland. I'm also vice chairman (Chair 2006) of the HP Continuity User Group and this is an excellent forum for meeting other BC people and networking.

I am a member of the team which attends Emergency Planning Society Meetings. Business Continuity planning is not as well developed here in Ireland as it is in the UK, and we do not have the equivalent of the Civil Contingencies Act. However a recent publication "A Framework for major emergency management" (2006) updates a previous one (1984) and it is expected that this will lead to a more integrated approach going forward. During the Autumn of 2006 Ireland experienced 18 year high tides. I engaged with the major Port Authorities to understand the implication of these tides and prevailing weather conditions. I scheduled and attended weekly meetings with the relevant units in AIB ensuring measures were implemented to mitigate flooding in their buildings.
I also participate in the quarterly review meeting with our Work Area Recovery Site Management. This forum enables both sides to discuss and resolve any issues and to future plan. I also liaise closely with this team throughout the year with regard to scheduled testing for the business units within my brief.
