Operational Resilience at CME Group
Overview
The Operational Resilience Team at CME Group works around the clock to protect our markets, customers, business, and employees. Protecting critical business services and ensuring safety are organization-wide priorities, and we continually evolve and refine our strategies to promote resilience across the company. That includes taking a leadership role in operational resilience efforts globally, both within financial services and across critical infrastructure sectors.
Operational Risk
Operational Risk seeks to identify, monitor, and manage the risk associated with people, processes, and systems within the Operational Resilience and Global Security teams. Operational Risk provides CME Group management with actionable analysis and reporting that highlights areas of elevated risk, and has a framework in place to escalate instances where residual risk may exceed our established risk appetite and tolerance. CME Group operates a three lines of defense model to manage risk; Operational Risk is part of the second line of defense for Operational Resilience and Global Security.
Operational Risk has four active programs:
- Risk Control Self-Assessment
- Incident Data Analysis
- Change Management
- Metrics and Reporting
Business Resilience (BR)
The Business Resilience Program is designed to help ensure CME Group can rapidly adapt and respond to internal or external changes – demands, disruptions or threats – while prioritizing essential business operations and safeguarding people and assets.
Business Impact Analyses + Business Recovery Plans
CME Group uses Business Impact Analyses (BIAs) to identify the potential impacts and requirements that would arise if CME Group were to experience an event. The BIA process is designed to prioritize business functions by assessing the potential impacts that might result if any part of CME Group were to experience a disruption. BIA information is fundamental to the Business Recovery Plans. These plans provide frameworks for an efficient response to a disruptive event and assist in managing the recovery process. The recovery plans document the mitigation strategies based on the recovery time objectives identified during the BIA process. CME Group is able to execute, and regularly validates, strategies such as regional work transfer, remote working, and manual workarounds for the majority of critical business processes.
CME Group’s Operational Resilience planning takes an all-hazards approach. Some of the scenario categories we use for planning include:
- External infrastructure / interruption (home or office)
- Health / environment
- Life safety (protests, unrest, terrorism, violent crime)
- Weather / natural hazards (extreme weather)
- Critical vendor outages
- Systemic events (customer outages, market events)
- Data corruption
- Ransomware
Compliance Management
Compliance Management serves as part of the second line of defense model by overseeing compliance matters relating to Operational Resilience and Global Security. Our Compliance Management team works with other second line functions across the organization to ensure practices are aligned and information is shared. Efforts have been taken to align the Operational Resilience Program with industry best practices and U.S. and international standards, stemming from our categorization as a Systemically Important Financial Market Utility and Systemically Important Derivatives Clearing Organization.
Compliance Management supports the following activities as they relate to the program:
- Monitors and tests the Operational Resilience and Global Security controls to provide reasonable assurance that they are performing as expected and are efficient and effective. Compliance Management also manages the description and development of operational controls.
- Supports the management of regulatory requests and of internal and external examinations relating to our program areas, including managing any findings and remediation plans that are identified.
- When new regulatory obligations or industry best practices are identified, collaborates with internal stakeholders to strategically implement the new rules and standards to ensure compliance. Compliance Management is also responsible for alerting company management about emerging regulatory risks.
System Resilience
System Resilience is the intersection of Operational Resilience efforts and the technology that supports the delivery of CME Group’s critical business services. Its scope is not limited to catastrophic events: System Resilience prepares for, and identifies, alternative ways that critical processes can be completed when dependencies (including systems) are not available.
The System Resilience Program works to mitigate risk by helping ensure CME Group can recover its systems following an event that impacts the delivery of technology services through production environments or deployments. This is done by establishing requirements, approving system design, and testing that systems can meet their requirements, including their ability to recover within their applicable recovery time objectives as identified within the Business Resilience BIAs and/or by applicable regulatory mandate.
Execution and Partnerships
As a leader in the global financial marketplace, CME Group has fostered relationships with peers in the financial sector, critical infrastructure sectors, sector-wide resiliency and security agencies, and public safety and law enforcement agencies worldwide for information sharing and large-scale planning. Through these relationships, the company drives and shares best practices around resilience, security, and emergency preparedness.
Focus Areas
- Active engagement with financial sector firms, government agencies, regulators, and industry associations
- Development of playbooks and response plans to mitigate systemic impacts to the sector
- Involvement in private and public sector tabletops
- Staying abreast of industry, business resilience, and emergency preparedness best practices
- Engagement in cross-sector planning initiatives
Vendor Risk Management
The Vendor Risk Management (VRM) Program works in coordination with the enterprise-wide Third-Party Risk Management (TPRM) Program to identify potential operational resilience and physical security risks with services outsourced by CME Group.
Through the TPRM due diligence program, the VRM Program helps to ensure that third-party vendors that support critical operations have resiliency strategies, appropriate controls, and mature resilience programs in place. VRM also facilitates Disaster Recovery testing and exit planning components for CME Group’s key vendors.
Essential Functions
The Essential Functions Program evaluates what is important internally, to customers, and to the broader marketplace, and is a cohesive list of processes that is signed off on by senior leadership. This information provides a consistent and comprehensive framework for senior leadership and subject matter experts to make decisions about resiliency and prioritization. The team then looks for ways to test how these processes would withstand the strain of extreme but plausible scenarios. The results of these planning efforts help CME Group better analyze, plan, and respond.
Defining the Essential Functions
An Essential Function is defined as a group of specifically defined actions vital to systemic stability and CME Group’s ability to provide services to market participants to generate revenue and maintain financial health.
Crisis Analysis & Response
Through the Crisis Analysis and Response (CAR) Program, the Operational Resilience team monitors and prepares for unique, high-risk events that fall outside routine, all-hazards planning activities, such as the Russian invasion of Ukraine or tensions with China. The CAR Program helps CME Group prepare for certain extreme but plausible events and provides a framework for response to events that are unique and sometimes geopolitical in nature.
Through the CAR Program, CME Group ensures that the appropriate expertise is gathered from across the enterprise to evaluate, plan for and manage any incidents that may impact our markets, customers, employees, and reputation.
CAR is involved in the planning efforts around events such as major geopolitical changes or ongoing unrest where market structure, sanctions, and cyber threats may be in play.
Incident Response
CME Group has a global, unified framework for incident response. Operational Resilience manages CME Group’s multi-tiered Incident Response framework, which includes the company’s Crisis Management Team, Global Incident Response Team, Local Incident Response Teams, and the Threat Analysis and Planning Team. Operational Resilience manages plan development and mitigation strategies, coordinates incident response activities, facilitates exercises, and, in many cases, is the liaison with external partners.
Incident Response Framework
The purpose of the CME Group Global Incident Response Plan is to establish a global incident response framework that promotes effective coordination and decision-making at all levels and in all regions of the company. The process allows the company to monitor and manage events that could affect standard operating procedures.
CME Group’s Incident Response Framework follows an all-hazards approach designed to address any potential impact, from individual offices to the company as a whole. Incidents are escalated from the Incident Response Teams representing local offices up to our Crisis Management Team, depending on severity and impact. Incident Response teams participate in annual exercises with a variety of scenarios, including extreme but plausible ones, designed to consider the unique aspects of each office, region, culture, and team.
Exercises and Education
Exercises are a key part of operational resilience planning at CME Group, as they allow us to validate our resiliency strategies. We use exercises as a way to explore new scenarios, test new tolerances or business developments, and keep our thinking current. We not only perform exercises internally, but also participate in a number of industry-wide exercises to ensure our plans and frameworks are strategically aligned with our vendors, peers, customers, and government agencies.
In each of the program areas, you will find short descriptions of the various exercises we perform.