axa business resilienceo.b5z.net/i/u/10027843/i/usr/554/tony_swift_-_axa.pdf · 2021. 2. 6. · axa...

AXA BUSINESS RESILIENCE: The transition to Resilience. Scottish Continuity - Resilient Scotland Conference, 23rd Feb 2017. Confidential. Version 1.0



AXA BUSINESS RESILIENCE

The transition to Resilience –

Scottish Continuity -Resilient Scotland Conference 23rd Feb 2017

Confidential

Version 1.0


AXA Group

A connected world

CONFIDENTIAL 2 | Business Resilience


Table of contents

1. About AXA

2. What is Resilience

3. Business Continuity

4. AXA’s journey

5. Operational Resilience


64 COUNTRIES

103M CUSTOMERS

166,000 EMPLOYEES

2015 REVENUE: EURO 98,534 MILLION

NET INCOME: EURO 5.6 BILLION

UK & IRELAND REPRESENTS 6% OF GROUP REVENUE

AXA Insurance

AXA GROUP FACTS & FIGURES

39%

36%

25%

Property & Casualty, International

Savings & Asset Management

Protection & Health


UK & IRELAND REPRESENTS 6% OF GROUP REVENUE = £4.1B

revenue

AXA in the UK

Glasgow

Teesside

Bolton

Tunbridge-Wells

London

Cardiff

Bristol

Cobham

Ipswich

Birmingham

Manchester

Leeds

Morecambe

Dublin

Belfast

AXA Insurance

AXA PPP Healthcare

AXA Corporate Solutions

AXA Art

AXA Group Solutions

AXA Technology Services

AXA Investment Managers

Alliance Bernstein

AXA Liabilities Managers

AXA Assistance

AXA Rosenberg


“the capacity to recover quickly from difficulties; toughness”
Oxford Dictionary

“the capacity of a system to absorb disturbance and reorganize while undergoing change”
The Resilience Alliance

“the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions”
Department of Homeland Security

“The ability of a system or organisation to withstand and recover from adversity. Resilience is underpinned by good design of networks, effective emergency response, business continuity planning and recovery arrangements”
The Cabinet Office

What is Resilience?


In 2011 AXA Insurance BCCM looked like most traditional business unit set ups:

Operational Risk & Compliance Director

Business Continuity & Crisis Manager

BCCM Team X 2

• Business Impact Analysis

• Workarea Recovery Exercises

• Business Recovery Strategies

• Scenario exercises

• Business Recovery Planning

• Incident Management

• Crisis Management Planning

• BC Awareness & training

AXA Business Continuity & Crisis Management

PHYSICAL

SYSTEMS

HUMAN

Threats & Triggers

Water / Fire Damage

Utility Failure

Adverse Weather

Data leakage

Cyber attack

Network failure

Internet outage

Terrorist

Supply Chain

Theft

Data Centre outage

Demonstrators/protests

Telephony failure

Process failure

Incidents & Root Cause Analysis

Categories:

Data Applications

Telephony

Power

Supplier Links

Project / Change

Third-Party

Networks

Server Infrastructure

Website

Mainframe


Critical

Infrastructure

Communications

Property

IT

Infrastructure

People

Security

Governance

Telephony

Systems Resilience

Networks

Physical Security

Contingency Space

Applications

Infrastructure

HR Systems

Environmental, H&S

AXA Tech

Group IS

Corporate

Server Infrastructure

Data Centres

Staff Inductions

Change Programme

Change Advisory Board

Live Projects


PROPERTY SERVICES

Infrastructure

Site & Threat Assessment

Contingency Space

Physical Security

Regular Inspections

Annual Physical Security review

SIA trained manned guards

Governance

Property Steering Committee

Clear Desk Policy

BRS & Property Forum

UPS & Generator

Maintenance Schedules

Projects & Space Planning

External Audit of access control

CAD – regular update of plans

CCTV code of practice

Bomb Threat

Dealing with Protestors

FM contracts


Post 2011 AXA Insurance BCCM changed to Business Resilience and looked like:

Operations Director

Head of Resilience & Corporate Security

BRS Team X 4

• Business Impact Analysis

• Workarea Recovery Exercises

• Business Recovery Strategies

• Scenario exercises

• Business Recovery Planning

• Incident Management

• Crisis Management Planning

• BC Awareness & training

• Data Leakage / Monitoring

• Physical Security Assessments

• Third-Party Security Health checks

• Change Control Board

• Property Steering Committee

• Internal Financial Controls

• PCIDSS Service Assurance

AXA Business Continuity & Crisis Management

Power incident at NW location – December 2015

Power sub-station at Caton Road, Lancaster

Example

THE FUTURE?


AXA commissioned ‘pwc’ to run an Operational Resilience Maturity Assessment within the UK based on what the Financial Regulators would expect to see.


Governance of IT Operational Resilience

Resilience Framework

Capability

Service Operation & Capacity

Risk Management

Change Management

Service Continuity

Operational Resilience

Incident Management

Sourcing & External Dependencies

Incident management

Incident response processes are in place to identify, classify and to help ensure appropriate, measured responses. Incident related MI helps drive strategic Operational Resilience decisions and investments.

Service Continuity

Appropriate continuity plans are in place for all critical services which are well understood by the organisation. These plans are reviewed and assessed regularly to help ensure successful implementation in a continuity scenario.

Governance of IT Operational Resilience

The Operational Resilience strategy is aligned and embedded with the Business and IT strategies. Operational Resilience drives investment and risk decisions. The Board and Executive Management have accurate and adequate oversight of resilience activity, trends and remediation to assist them in making decisions.

Resilience Framework

An Operational Resilience framework is in place across the organisation, with clear definition and accountability for the different aspects of resilience. The framework is current, communicated and understood by the organisation.

Capability

The organisation has sufficient skills and resources to deliver and help ensure operational resilience. There is a clear understanding of roles and responsibilities and the organisation's Operational Resilience risks.

Change management

Assurance and resilience are embedded in change control and SDLC activity where testing occurs across application development and infrastructure change. Well governed, documented change processes are in place and are fully understood by the organisation.

Service operations and capacity

Technology services and processes have been designed in such a way that they ensure continuity and there is appropriate investment in these services and processes. Organisations can demonstrate through testing and monitoring the effectiveness of capacity and continuity measures.

Sourcing and External Dependency

There is clear consideration and understanding of the dependencies on external or sourcing partners and the level of risk that is introduced into the critical services. Performance, risk and effectiveness of these relationships are frequently assessed and understood.

Risk management

An effective ‘Three Lines of Defence’ model is in place whereby operational resilience risks are understood, assessed, monitored and communicated to the Board and Executive Management. Risk Appetite for critical services has been defined and drives risk acceptance and risk mitigation activities. Risk MI assists in both strategic and tactical decisions.
