JPMorgan Chase (JPMC) is committed to providing high quality and resilient services and supporting functions to our customers and clients. This is achieved through a rigorous control program committed to meeting legal and regulatory obligations in each of the jurisdictions where we conduct business.
Our Global Resiliency and Crisis Management program is designed to provide an integrated firmwide resiliency program aligned with our business and technology strategies, as well as the requirements of our customers and clients globally. We do this by:
- Providing continuity of client and customer services while protecting the firm’s employees and assets;
- Engaging senior management on key aspects of the program, including determining the resiliency risk appetite, strategy, leadership and program oversight;
- Proactively managing resiliency risks incorporating appropriate mitigations and controls;
- Developing and maintaining resiliency plans based on impact analysis and criticality; and
- Helping employees understand their role in recovery scenarios and undertaking validation tests and exercises across critical functions and locations.
The information below provides details about the key aspects of our program.
Regulation and Compliance:
Our resiliency policy and standards establish requirements for resiliency planning, response and recovery across the firm. The program is:
- Managed by a firmwide resiliency committee, comprised of senior management from each line of business as well as relevant JPMC corporate functions;
- Reviewed and approved by the Audit Committee of the Board of Directors of JPMC on an annual basis;
- Subject to risk-based examinations by JPMC internal auditors; and
- Subject to regular inspection by regulatory authorities, including the US Office of The Comptroller of the Currency (OCC), The Federal Reserve Board (FRB), The UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), the Monetary Authority of Singapore (MAS) and other national regulatory authorities around the globe.
Crisis Management Processes:
A robust crisis management process exists to enable efficient, effective and timely response to incidents of varying severity and types.
- Firm-wide notification tools are used internally to communicate in crises;
- Escalation processes are in place and are routinely tested; and
- Post event reviews are undertaken to ensure event management procedures and resiliency capabilities are continually enhanced.
Managers throughout the firm develop and maintain resiliency plans as part of the program.
- Annual impact analyses are performed to determine or confirm the relative criticality of processes;
- Lines of business and corporate functions maintain resiliency plans, based on their business impact analysis and risk assessments, addressing business, staff, operations and technology components, and critical services provided by third parties;
- Plans address high-level absenteeism events, including pandemic and severe weather;
- Quality reviews and audit assessments are undertaken and where appropriate corrective measures implemented; and
- Senior management reviews and approves resiliency plans annually.
Testing and Exercising:
The firm employs a comprehensive testing approach to regularly validate the effectiveness of the resiliency program under different impact scenarios:
- Tests include simulation exercises and physical tests of recovery strategies;
- Test results are communicated to the firm’s senior management across business and technology functions, as appropriate; and
- The firm regularly participates in market-wide and industry sponsored exercises.
JPMC continues to make significant investments in cybersecurity to enable us to maintain our defenses and actively enhance our threat resiliency. We operate several 24/7 global cyber operational centers with dedicated cybersecurity staff and work closely with government agencies and organizations to identify areas of weakness as well as proactively respond to cyber threats.