We have an Enterprise Risk Management team, led by the Chief Corporate Risk Officer. The team includes regional Chief Risk Officers that oversee each business unit: clearing houses, exchanges, trade repositories and the data and benchmark services.
We employ a three-lines model to enterprise risk management, a concept endorsed by the Institute of Internal Auditors. This framework helps ensure strong redundancies and preparation.
ICE ensures both the physical and digital security of our markets, clearing houses, data and mortgage software through industry-leading security technology and processes. Our Information Security Department consists of diverse and skilled teams that work to protect confidential data and systems from unauthorized access, misuse, disclosure, destruction, modification or disruption.
Our crisis management team handles our end-to-end response to any potential issues and regularly conducts global drills to ensure our processes are ready to be implemented. Our operations team maintains an incident management program to handle any incident with operational impact - security or otherwise. The goal of the incident management program is to provide a cohesive framework for the communication, resolution and recording of incidents and to ensure incidents are resolved in a planned and controlled manner so that any interruption is resolved quickly and normal operations are restored.
System resiliency and business continuity management is a core tenant of our system design process and redundancies are purpose-built into our applications, network infrastructure and across primary and backup data centers.
Such design resiliency may include “hot/hot” system components with real-time failure capabilities, readily available back-up components, robust recovery and/or failover procedures, and geographically-diverse backup data centers. These geographically-diverse “like for like” disaster recovery data centers are maintained and governed by an enterprise wide policy. Per policy, all ICE core procedures, systems and operational tasks are duplicable in recovery facilities, exercised at least annually and documented comprehensively.
Following each acquisition of a new company, this process is reviewed to ensure crisis management procedures are in place across our entire organization.