Enterprise Resilience

BlackRock |Apr 24, 2025

Enterprise Resilience

Resilience is a core tenet of BlackRock’s culture and corporate principles, driving the way we manage the business and serve our clients. BlackRock’s Enterprise Resilience Program, which includes Operational Resilience, Business Continuity Management, Disaster Recovery, and Crisis Management, is committed to providing resilient services to all our clients. Our programs are designed to meet or exceed industry standards and comply with legal and regulatory requirements in the locations where we operate. As new regulations are introduced, our program standards and frameworks enable us to adapt quickly to new mandates and requirements. These programs have several key elements, including:

  • Preparedness and Planning
  • Risk Assessment and Site Resilience
  • Exercises and Testing
  • Third Party Oversight
  • Crisis Management
  • Training and Awareness

We have established an Operational Resilience program to enhance the resilience capabilities of our most important business services. This allows us to better prevent, adapt, recover from, respond to, and learn from potential future operational disruptions. The Enterprise Resilience team leads the program in collaboration with partner resilience teams.

BlackRock maintains Business Continuity plans to facilitate the continuity of business in the event of a business disruption. BlackRock’s executive management provides oversight and governance to the firm’s Business Continuity program, supported by the Enterprise Resilience team, which manages the program. On an annual basis, each business unit is responsible for maintaining and updating their business continuity plans and critical processes.

BlackRock maintains its technology via a hybrid solution, utilizing both in-house data centers and cloud hosting sites. Disaster Recovery plans and procedures enable a rapid response to an event impacting technology and data regardless of location. Each data center and cloud region have built-in redundancy and geographical resilience. BlackRock’s Disaster Recovery Program is run by a specialized disaster recovery team supported by the Technology Risk Management team to provide oversight and governance, and by the firm’s technology support teams to develop and execute plans to be used during testing and real events.

BlackRock leverages its Crisis Management framework for disruptive events that require a coordinated response at a location, region, firm, or business level. The guiding principle for Crisis Management is to coordinate a structured command, control, and communication process in place to manage the response to a crisis. This approach enables the continuity of critical operations and greatly enhances the firm’s capability to respond and recover during a crisis.

Our programs are routinely examined by BlackRock’s internal audit team and external regulators. The results of these reviews, program updates and metrics are reported to the appropriate governance bodies periodically.

Preparedness and Planning 

 BlackRock’s Enterprise Resilience planning focuses on the following: 

1. Business Continuity Plans: BlackRock maintains Business Continuity Plans for business functions at each BlackRock office globally. The plans have the following key components:

  • Business Impact Analysis: Assesses both financial and non-financial impacts of the loss of a critical process. Annually, each department reviews and updates the information for every critical process they perform. As a part of this analysis, third party services and internal dependencies critical to their processes are identified and documented. The results of this assessment drive planning and recovery strategies aimed at minimizing potential risks and the continuity of critical services.
  • Business Recovery Plans: Procedures designed to recover critical processes to provide continuity of operations in the event of a business disruption. These include recovery strategies for personnel, applications, third parties, and facilities. Recovery strategies are validated through tests and exercises.
  • Staff Absenteeism Plans: Documents the potential risks to operations from pandemics or other disruptive events that could lead to staff being absent from work, along with the associated response strategies.

2. Disaster Recovery Plans: Disaster Recovery Plans incorporate fail-over strategies and are designed to recover from a range of disruptive scenarios that may impact technology: from a data center facility or cloud region outage to the loss of a single server. The key elements of the plans include:

  • Communication Plan that identifies how personnel will be engaged when an event occurs as well as the frequency and method of communicating information and status throughout the event.
  • Incident Management Plan that includes information for establishing and maintaining an incident response team, responsibilities of the management team, as well as a methodology for decision making and escalation.
  • Recovery Plans that include requirements, configuration, and execution procedures for failing over each application to a secondary location.

3. Operational Resilience Competencies: At BlackRock, we are committed to enhancing our preparedness for a wide range of severe but plausible scenarios. Our approaches and methodologies include:​

  • Identification of Important Business Services: We identify important business service that, if interrupted, could cause intolerable harm to BlackRock, our clients, or the market.​
  • Setting the Impact Tolerance: For each important business service, we establish the maximum tolerable level of disruption. This reflects the point at which any further disruption could cause intolerable harm to BlackRock, our clients, or the market.​
  • Enhanced Mapping: We document the critical assets and dependencies required to support the operation of each important business service. This includes people, processes, technology, facilities, and information.​
  • Stress Testing: We stress test important business services and their impact tolerances to identify areas for enhancement, thereby improving the firm's resiliency.​
  • Legal and regulatory requirements: At BlackRock, our programs are designed to meet or exceed industry standards and comply with legal and regulatory requirements in the locations where we operate. As new regulations are introduced, our program standards and frameworks enable us to adapt quickly to new mandates and requirements. At BlackRock, we continuously adjust our practices to comply with any new regulations while ensuring that the program is no less effective. A recent example is the EU Digital Operational Resilience Act (DORA), an EU regulation focused on enhancing ICT resilience within the financial sector. Where appropriate, BlackRock is aligning its existing systems and controls with DORA's requirements to comply with the new regulation. These requirements include ICT risk management, operational resilience, incident management, and third-party risk management.

Risk Assessments & Site Resilience

BlackRock performs annual Site Risk Assessments for locations worldwide. These assessments evaluate a range of threats, including natural hazards, social unrest, city infrastructure and climate change. The results are used to drive risk mitigation activities, including enhanced site resilience, business continuity planning, and the deployment of additional recovery strategies where appropriate. These activities enhance our operational resilience.

    Our assessments drive our resiliency measures at each site ensuring that our technology and data systems have built in redundancies and no critical single points of failure. To protect these resources, critical applications are maintained in both primary and secondary data centers or multiple cloud regions, with data replicated in near real-time. Each location is served by physically diverse circuits, secondary networks, and alternate power sources. Primary and secondary locations are appropriately distanced, mitigating the impact of a disruptive regional event.

    Exercises and Testing

    BlackRock exercises its plans to verify that procedures for recovering its business operations and systems are effective, and key personnel are familiar with the process. Each year, multiple types of exercise are performed including:

    • Remote Access: Testing the ability to work from home or another external location. Post-pandemic, the firm has transitioned to a hybrid Future of Work model where periodic remote working has become core to the daily operations of the firm. This provides very regular assurance that these capabilities are effective.
    • Alternate location: Testing the ability to operate from a dedicated recovery site or alternate BlackRock office.
    • Work Transfer: Testing the ability to transfer workloads to unaffected teams/offices or simulating other scenarios involving a loss of personnel or a wide-scale outage.
    • Data center/cloud fail-over testing: Testing the ability to fail over applications to secondary locations for each production data center and cloud region to validate the functionality and the Recovery Time Objective.

    Additional types of exercises and attestations are also performed for other scenarios:

    • Operational Resilience – BlackRock executes extensive firmwide testing which is performed through several testing methods such as Questionnaires, Self-Assessments, Walk-throughs, Tabletop, Validation Tests, Simulations, Functional testing, Live testing and Full-Service Specific Testing. Testing is risk-based to identify weaknesses, deficiencies, gaps and opportunities for improvements in BlackRock’s Operational Resilience ability to prevent, adapt, respond, recover, and learn from Operational Disruptions. The goal of BlackRock’s testing program is to validate and demonstrate the firm’s ability to mitigate operational disruptions in response to a range of severe but plausible scenarios (i.e., more than those covered in the aforementioned testing) and verify the firm’s ability to continue to operate Important Business Services (IBS), or Critical or Important Functions (CIFs), during and after a disruption.
    • Evacuation drills, emergency notification system tests, periodic generator tests, attestation of capabilities & capacity, etc.

    Exercise results are documented, reviewed, and distributed, as appropriate, following each exercise. Recommendations for improvements to the recovery process are identified, risk-rated, and any corrective actions clearly defined and assigned to the appropriate personnel.

    Third-Party Oversight

    Third party due diligence and oversight is a key component of the Enterprise Resilience program. The framework includes use of the firm’s third-party risk assessment methodology. For the most critical service providers, BlackRock conducts targeted reviews and evaluations of their Operational Resilience, Business Continuity and Disaster Recovery programs and, where appropriate, on-site visits and exercises are performed. These may occur as part of new third-party onboarding, ongoing oversight arrangements, or ad-hoc activities due to incidents or potential threats.

    Crisis Management

    BlackRock has multiple teams monitoring threats and incidents 24/7 for potential impact to our offices, technology, data centers, people or key third parties. Incidents and potential threats are reviewed and managed through the firm’s standard incident management processes and are escalated into the Crisis Management framework when required.

    BlackRock’s Crisis Management framework sets out the firm’s global arrangements for responding to any event that may cause material operational, reputational, regulatory, financial or market impact. The framework includes:

    • Local, regional, and global teams
    • Team structures include the identification of primary and alternate team members, with senior global and regional leads covering key roles.
    • Emergency notification system that can send messages to pre-determined call lists; notifications can be sent via email and text message to work and personal devices.
    • Employee support hotline and emergency website to disseminate information to staff for awareness and action as required.

    Training and Awareness

    BlackRock uses several methods to keep employees aware of the critical role they play in preparing for and responding to potential business disruptions. Methods used include:

    • Mandatory annual all staff Emergency Preparedness online training
    • Business recovery exercises
    • Technology disaster recovery tests
    • Crisis management training, exercises, and real events
    • Periodic, threat-specific awareness/learning sessions