
Business Continuity Plan (BCP)

October 3, 2016

Version 2.0

Revision History

Original Author(s): Eddie Miller
Current Revision Author(s): Tricia Kitchens

Version   Date               Author(s)         Revision Notes
1.1       April 1, 2013      Eddie Miller
          April 10, 2013     Rusty Lacy        Updates
2.0       October 3, 2016    Tricia Kitchens   Updates

Table of Contents

1. EXECUTIVE SUMMARY
2. PURPOSE
3. SCOPE
  3.1 SCENARIOS IN THE PLAN
  3.2 ASSUMPTIONS FOR THE PLAN
4. CRISIS RESPONSE
  4.1 CONTINUITY OF GOVERNMENT
  4.2 EMERGENCY CONTACT PROCEDURES
  4.3 CRISIS COMMUNICATIONS WITH THE PUBLIC
5. CRITICAL BUSINESS FUNCTIONS BY DIVISION

ADMINISTRATIVE FUNCTIONS
  5.1 DIVISION OF ADMINISTRATION (ADM)
    5.1.1 ADM Function # 1: Direction and coordination of the office of the Comptroller of the Treasury and the various divisions of the Comptroller’s Office
    5.1.2 ADM Function # 2: Representation of the Office of General Counsel (legal)
    5.1.3 ADM Function # 3: Representation of the Office of Communication
    5.1.4 ADM Function # 4: Identify and prioritize potential fraud, waste, and abuse matters (Special Investigations)
    5.1.5 ADM Function # 5: Water and Wastewater Financing Board (WWFB)
    5.1.6 ADM Function # 6: Utility Management Review Board (UMRB)
    5.1.7 ADM Function # 7: Office of Open Records Counsel
    5.1.8 ADM Function # 8: Office of Small Business Advocate (SBA)
  5.2 OFFICE OF MANAGEMENT SERVICES (OMS)
    5.2.1 OMS Function # 1: Process Time and Labor
    5.2.2 OMS Function # 2: Process hiring, separating employee and position transactions
    5.2.3 OMS Function # 3: Monitor Payroll
    5.2.4 OMS Function # 4: Fiscal Processing
    5.2.5 OMS Function # 5: Review and approve personal services contracts, grants, RFPs and related documents
    5.2.6 OMS Function # 6: Sourcing Process
    5.2.7 OMS Function # 7: Ensuring work facilities are operational and staff have the resources necessary to function in the work environment
    5.2.8 OMS Function # 8: Edison Security Access
    5.2.9 OMS Function # 9: Ensuring work facilities are operational and staff have the resources necessary to function in the work environment
    5.2.10 OMS Function # 10: Ensuring mail services continue
  5.3 OFFICE OF RESEARCH AND EDUCATION ACCOUNTABILITY (OREA)
    5.3.1 OREA Function # 1: Preparing Fiscal Note support forms for the Fiscal Review Committee staff
    5.3.2 OREA Function # 2: Office of Higher Education Resource Officer
  5.4 DIVISION OF STATE AUDIT (DSA)
    5.4.1 DSA Function # 1: Performance and Compliance Audit Group
    5.4.2 DSA Function # 2: Conduct limited program evaluation audits in accordance with the Governmental Entity Review Law (Sunset) and conduct performance reviews in accordance with the Tennessee Governmental Accountability Act
    5.4.3 DSA Function # 3: Conduct all of the desk reviews, examinations, and engagements related to the TennCare and Medicaid programs per state statute as related to health care facilities and report results to the public and appropriate officials
    5.4.4 DSA Function # 4: Identify and prioritize potential fraud, waste, and abuse matters (Financial and Compliance Investigations)
  5.5 DIVISION OF LOCAL GOVERNMENT AUDIT (DLGA)
    5.5.1 DLGA Function # 1: Perform annual audits, general & application control reviews
    5.5.2 DLGA Function # 2: Provide assistance to the General Assembly as they research issues and consider legislation
    5.5.3 DLGA Function # 3: Per TCA 9-3-211, monitor contracts, perform desk reviews of audits performed by CPA firms of over 1500 entities
  5.6 DIVISION OF PROPERTY ASSESSMENTS (DPA)
    5.6.1 DPA Function # 1: Property Tax Billing Services to Cities and Counties
    5.6.2 DPA Function # 2: Tax Relief Payments to Low Income Elderly and Disabled Veterans
    5.6.3 DPA Function # 3: Valuation Calculations (Reappraisal Programs and Assessment Rolls)
  5.7 OFFICE OF STATE ASSESSED PROPERTIES (OSAP)
    5.7.1 OSAP Function # 1: Annual assessments of public utilities and transportation companies completed and mailed
    5.7.2 OSAP Function # 2: Complete distribution to cities and counties and compile tax rate information
    5.7.3 OSAP Function # 3: Certification of public utilities and transportation companies sent to cities and counties
    5.7.4 OSAP Function # 4: Telecommunications ad valorem tax
    5.7.5 OSAP Function # 5: Appraise real property of public utility and transportation companies
    5.7.6 OSAP Function # 6: Perform routine audits of assessable public utility and transportation companies
    5.7.7 OSAP Function # 7: Research to discover public utility and transportation companies to be added to be assessed
  5.8 OFFICE OF LOCAL GOVERNMENT (OLG)
    5.8.1 OLG Function # 1: Maintenance of Parcel Geographic Information Systems (GIS) Data
    5.8.2 OLG Function # 2: Maintenance of Redistricting Data
    5.8.3 OLG Function # 3: Maintenance of municipal boundary information required by TCA 6-51-121
  5.9 STATE BOARD OF EQUALIZATION (SBOE)
    5.9.1 SBOE Function # 1: Review or calculate certified (tax-neutral) property tax rates for reappraisal counties
    5.9.2 SBOE Function # 2: Receipt and processing of filing fees, appeals and exemption applications received via USPO, FedEx, etc.

GOVERNMENTAL FINANCE
  5.10 OFFICE OF STATE AND LOCAL FINANCE (OSLF)
    5.10.1 OSLF Function # 1: Process disbursements
    5.10.2 OSLF Function # 2: Annual requirement for Long-term Debt Service
    5.10.3 OSLF Function # 3: Continuing preparation of Financial Statements and Comprehensive Annual Financial Report (CAFR)
    5.10.4 OSLF Function # 4: Program administration
    5.10.5 OSLF Function # 5: Facilitate and staff board meetings
    5.10.6 OSLF Function # 6: Continuing disclosure compliance
    5.10.7 OSLF Function # 7: Retrieval of retained records
    5.10.8 OSLF Function # 8: Process deposit
    5.10.9 OSLF Function # 9: Commercial Paper (CP) and Revolving Credit Facility (RCF)
    5.10.10 OSLF Function # 10: Review requests to issue debt from local governments
    5.10.11 OSLF Function # 11: Review annual operating budgets submitted from local governments
    5.10.12 OSLF Function # 12: Timely response to Open Records requests
    5.10.13 OSLF Function # 13: Timely response to Fiscal Note support forms
  5.11 DIVISION OF TECHNOLOGY SOLUTIONS (DoTS)
    5.11.1 DoTS Function # 1: Provision and support of IT infrastructure
    5.11.2 DoTS Function # 2: Provision and support of personnel computing devices
    5.11.3 DoTS Function # 3: Development and support of custom built in-house software applications
    5.11.4 DoTS Function # 4: Support of vendor-developed software applications
    5.11.5 DoTS Function # 5: Security management for Comptroller systems and devices
    5.11.6 DoTS Function # 6: Management of end-user accounts and permissions to Comptroller systems
    5.11.7 DoTS Function # 7: Service Desk

APPENDIX A – BCWG CHARTER AND GOALS
APPENDIX B – FIRST RESPONSE ACTIVITIES
APPENDIX C – DEFINITION OF TERMS

1. EXECUTIVE SUMMARY

This document describes the current Business Continuity Plan (BCP) for the Office of the Comptroller of the Treasury in the event of a serious disruption to normal services. The contents of this plan include specific scenarios (by severity, from least to most severe); crisis response with emergency procedures and communications guidelines; Critical Business Functions (CBFs) by Division, with specific responses for each disaster scenario (see the matrix in Appendix K); and emergency contact and notification procedures.

2. PURPOSE

Regardless of the cause of the emergency situation (anything from a tornado to terrorism), the purpose of this plan is to:

• Provide for the safety and well-being of our people.
• Sustain the critical business functions (CBFs) of the Office.
• Establish emergency communication procedures.
• Minimize the damage and loss during the crisis.
• Facilitate effective coordination of recovery tasks.
• Reduce the complexity of the recovery effort.
• Resume full business operations as quickly as possible.

3. SCOPE

The scope of this plan is defined by specific conditions that could occur and would cause a serious disruption to normal business operations. In preparing the plan, strict parameters (with the basic assumptions given below) were set in order to define realistic scenarios for which we could plan.

3.1 SCENARIOS IN THE PLAN

Because of the enormity and severity of potential disasters, this plan keys on two main factors:

1) Can our people access the James K. Polk building (or not)?
2) Are systems available (or not)?

The plan has been written within these boundaries. Accordingly, the following three Disaster Scenarios were established (from least severe to most severe):

1) Access to the JK Polk building – AND – systems are not available (sample cause: a computer virus corrupts information systems).
2) No access to the JK Polk building – AND – systems are operational (sample cause: water pipes burst in the building).
3) No access to the JK Polk building – AND – systems are not available (sample cause: regional disaster).

3.2 ASSUMPTIONS FOR THE PLAN

The focus of this plan is primarily those things that are under the control of this Office. The basic underlying assumption for this version of the plan is therefore that all services and support outside the control of the Comptroller’s Office will be available and fully operational [1]. This includes communications infrastructure (e.g., telephone networks, Office 365 cloud email), electrical power, all support provided by the State’s Strategic Technology Solutions (STS; Department of Finance & Administration), banking partners, financial institutions, and local offices under the venue of the Comptroller (e.g., state and local government auditors).

• This version of the plan assumes that the business disruption will last for as long as (but not longer than) three months. Non-availability beyond three months is beyond scope.

• IT systems are not available and the Disaster Recovery Site is unavailable (hardware & software). Note: the Disaster Recovery Plan for IT systems (not this BCP) addresses backup and recovery of those systems. If there are special activities that any Division must perform until the IT systems are fully restored, they should be noted in that Division’s section of this plan. The Recovery Time Objective (RTO) established for each system is the specific amount of time that the system can be down before contingency operations are activated. Those contingency operations should be documented here in this plan.

• For the scenario where “systems are not available,” a key assumption is that a core segment of technical staff will be available to roll systems to the Disaster Recovery Site.

• Interruption to normal access to the Polk building (for “No Access” scenarios) will be nondestructive. This is due to the near-impossibility of planning for all the variations of damage to the facilities, work files, computer equipment, etc. (for example, damage caused by an explosion).

[1] Under development.

4. CRISIS RESPONSE

For any crisis situation, the response will incorporate various components, e.g., Comptroller business units (provision of critical business functions, etc.) and information technology (provision of functional business systems, etc.), among other possible components. Closely tied to this Business Continuity Plan are the Comptroller’s Disaster Recovery Plan (DRP) and Emergency Workforce Management Plan (EWMP). Whereas the BCP is focused on business operations (e.g., critical business functions) and the EWMP addresses emergency personnel issues, the DRP is geared toward IT and the recovery of critical information systems.

In the event of a disaster situation, the Division of Technology Solutions (DoTS) is responsible for recovering IT infrastructure, applications, databases, connectivity (users, programmers, etc.) and data files. Once that is done, it is the responsibility of the Divisions to validate that their systems are fully functional again. DoTS can restore the technical capability, but functional capacity must be verified by the business units.

4.1 CONTINUITY OF GOVERNMENT

In the event of an actual emergency, a formal emergency declaration will be made as follows. There are only three individuals who can declare an emergency in downtown Nashville. First, the Governor can declare an emergency in any jurisdiction in the state or, if need be, the entire state of Tennessee (TCA 58-2-101). The Governor can delegate this declaration authority to the Director of the Tennessee Emergency Management Agency (TEMA) during periods of emergency (TCA 58-2-101). The Mayor of the City of Nashville can declare an emergency within his political jurisdiction (all of Davidson County). No other individuals can legally declare states of emergency within Tennessee. This does not affect the internal operations of a specific agency or department of state or local government; each group may set up its own procedural operations inside its own agency or department. [Source: TEMA; see “Authority To Compel Emergency Evacuations,” Tennessee Office of the Attorney General, Opinion No. 06-172, 11/22/2006.]

COT has developed a Continuity of Operations Plan (COOP) that provides further details on declaration and notification in an incident. That document should be referenced for additional information regarding COT continuity. An exception is the Capitol offices of the Comptroller and Chief of Staff, which are covered by the COOP developed by TEMA.

There are countless disaster scenarios that could negate this plan in its current version. Even if the initial response is within the scope of the plan, conditions could quickly escalate and make the plan more difficult to use. What if the building is okay, but the downtown area is inaccessible? What if there is access to the Polk building but not to any other Comptroller locations (including the Capitol building)? These are hard questions, and ones that may need to be planned for in the future. The members of the Business Continuity Working Group realize there are many more scenarios beyond the current scope of this plan, but boundaries had to be established in order to complete this version of the plan for use.

4.2 EMERGENCY CONTACT PROCEDURES

In any emergency situation our priorities must be 1) assuring the safety of the public and our staff, and 2) quickly resuming the critical public services for which we are responsible. The first concern in any situation is the safety and well-being of our people.

To facilitate communication during an emergency, the Recovery Planner system provides emergency contact information for all Comptroller employees, as well as a means of automatically notifying employees of key information and allowing them to acknowledge its receipt. Recovery Planner is hosted by an outside vendor and is therefore available from any device that has internet access. In the event of an emergency, a message will be sent via Recovery Planner to all affected employees by order of the Comptroller or Chief of Staff. If the Comptroller or Chief of Staff is not available, the Deputy Chief of Staff, Public Information Officer, Communications and Publications Manager, General Counsel, and/or the Information Technology Director may issue the message. A message will also be placed on the Comptroller home page, with a link to a message page.

Employees are required to respond to the message sent via Recovery Planner to acknowledge the notification, account for their well-being, and provide their availability to perform any workload needed or required. All Supervisors, Managers, Assistant Directors, Directors and members of the Division of Administration have access to view responses and can follow up with their direct reports. If contact with any particular person cannot be made, attempts to make contact will continue until either contact is made or the reason contact cannot be made is determined. After initial contact is established, additional instructions may be relayed back and forth between the Manager and employees as needed.

Edison is the primary source of contact information for all employees, so employees are required to ensure their contact information is always up to date. Recovery Planner is updated from the information in Edison, so incorrect information in Edison will be propagated to Recovery Planner. Recovery Planner also allows employees to prioritize their contact methods, such as email, cell phone, text and/or alternate phone numbers. It is important that employees keep their preferences updated in Recovery Planner so they can be notified in the most expeditious and efficient manner.

The Emergency Contact System (Recovery Planner) will be tested regularly (e.g., annually). Test messages will specifically indicate that they are a Test Emergency Notification. If an actual emergency occurs, more details will be provided (description of the nature of the event, impact to the employee’s job, impact to the job location, etc.). For such an event, instructions will be posted for everyone to follow. These instructions will be found at the Comptroller’s emergency telephone line at 866-283-7109, in Recovery Planner at https://rpx.recoveryplanner.us/recoveryPlanner/, or on the internet website at www.tn.gov/comptroller/

To access Recovery Planner at any time, not just in an emergency, the link is available on the Comptroller’s internet site: click “Contact Us,” then under “For Comptroller’s State Only” click “Emergency Contact System Login,” or go directly to the site at https://rpx.recoveryplanner.us/recoveryPlanner/.

Specific duty instructions will also be posted on the special Disaster Recovery webpage on the Comptroller’s internet site at www.comptroller.tn.gov. The same instructions can be heard on the Comptroller’s emergency contact telephone line: 1-866-283-7109. Every employee has a Comptroller-issued identification badge and an emergency sticker (below), which should be attached to the back of the ID badge. Each Division can get these stickers from OMS-HR.

[Image: emergency sticker for the back of the ID badge]

4.3 CRISIS COMMUNICATIONS WITH THE PUBLIC

With overall responsibility for disseminating information concerning the emergency or event requiring recovery efforts, the Comptroller’s Public Information Officer (PIO) will provide accurate, essential, and timely information to discourage the spread of rumors and adverse publicity. A media call list will be maintained by the PIO. The PIO and the Communications Team will work together to post information on the website and phone system for employee information.

During crisis management, the Comptroller’s Office must strive to uphold its values and stay focused on its mission. The main objective of crisis communications is to respond to any crisis with accurate information and to protect the office’s reputation and image. A Media Command Center may be set up with select employees chosen to help with communications. The following time frame is recommended to help the Comptroller respond to the media in a crisis. Responses should be given by the Comptroller, his designee, or the PIO, according to established procedures for release of information to the media.

• 1-3 hours: What is known about the situation and what steps are being taken should be released as the initial communication.

• 1 day: A short-term communication plan needs to be in place with messages, facts, talking points and, if needed, an additional spokesperson identified.

While our entire organization is dedicated to safe, responsible operations, nothing will test our public reputation more than our conduct during a crisis. During an emergency or other crisis, our communications objectives are to:

1. Become the authoritative, reliable source of correct information for the media and public,
2. Help the news media focus on known facts and positive behavior,
3. Portray the Comptroller of the Treasury as responsible and caring,
4. Monitor media for errors and correct discrepancies as soon as possible, and
5. Maintain public confidence in the Comptroller’s Office and our programs.

READINESS

All Comptroller employees should always be aware of their roles and responsibilities during an emergency, and ensure that systems and equipment are maintained in a constant state of readiness to validate all aspects of the BCP. Managers may be creative when it comes to BCP readiness, which may include snow days, power outages, server crashes, and other ad hoc opportunities to assess operational readiness. The Division of Technology Solutions will perform at least one disaster recovery exercise per year and encourages divisions to participate.

BCP PLAN MAINTENANCE

A complete review of this Business Continuity Plan should be done periodically.

5. CRITICAL BUSINESS FUNCTIONS BY DIVISION

For the duration of contingency operations due to any severe disruption to normal operations, certain business functions that are deemed critical to the operation of the Comptroller’s Office should be performed (as the situation allows). Each division is included below. Critical Business Functions (CBFs) should be tied to each Division’s Strategic Plan.

ADMINISTRATIVE FUNCTIONS

5.1 DIVISION OF ADMINISTRATION (ADM)

5.1.1 ADM Function # 1: Direction and coordination of the office of the Comptroller of the Treasury and the various divisions of the Comptroller’s Office

Key Date(s): Continuous function
Brief description of the Business Function: Fulfill the statutory and constitutional responsibilities of the Comptroller. Duties include: audit of state and local governmental entities; participation in the general financial and administrative management; oversight of state government.
Number of employees required to perform the function: 5 (Comptroller of the Treasury, Chief of Staff, Deputy Chief of Staff, General Counsel, Executive Administrative Support)
Can employees work remote? Yes

5.1.2 ADM Function # 2: Representation of the Office of General Counsel (legal)

Key Date(s): Continuous function
Brief description of the Business Function: Provides legal guidance to all divisions of the Comptroller’s Office; liaison with the Attorney General and Reporter; legal representation in judicial and administrative litigation.
Number of employees required to perform the function: 2
Can employees work remote? Yes, unless physical presence is required for resolution

5.1.3 ADM Function # 3: Representation of the Office of Communication

Key Date(s): Continuous function
Brief description of the Business Function: External and internal communication and publications to the citizens of TN and the employees of the Office of the Comptroller.
Number of employees required to perform the function: 4
Can employees work remote? Yes

5.1.4 ADM Function # 4: Identify and prioritize potential fraud, waste, and abuse matters (Special Investigations)

Key Date(s): Continuous function (24/7/365)
Brief description of the Business Function: Per state statute, provide a toll-free hotline for reporting fraud, waste or abuse; keep records; investigate (Special Investigations Division); and provide assistance and appropriate information to citizens, auditors, all state departments and agencies, and law enforcement and prosecutorial agencies.
Number of employees required to perform the function: 2
Can employees work remote? Yes, unless physical presence is required

5.1.5 ADM Function # 5: Water and Wastewater Financing Board (WWFB)

Key Date(s): Continuous function
Brief description of the Business Function: Supports municipal water and sewer enterprises by ensuring the legislative objective that public water and wastewater systems are self-supporting. Annual reports.
Number of employees required to perform the function: 2
Can employees work remote? Yes

5.1.6 ADM Function # 6: Utility Management Review Board (UMRB)

Key Date(s): Continuous function
Brief description of the Business Function: Supports natural gas, water and wastewater public utility districts by assuring that they are financially self-supporting and by requiring appropriate action by those districts. Liaison for complaints; authorization of new utility districts.
Number of employees required to perform the function: 2
Can employees work remote? Yes

5.1.7 ADM Function # 7: Office of Open Records Counsel

Key Date(s): Continuous function
Brief description of the Business Function: Per state statute, assist requestors (citizens, media and local governmental entities) in determining and locating the correct governmental records custodian as expeditiously as possible.
Number of employees required to perform the function: 1
Can employees work remote? Yes

5.1.8 ADM Function # 8: Office of Small Business Advocate (SBA)

Key Date(s): Continuous function; annual report July 1st
Brief description of the Business Function: Per state statute, serve as a liaison for small businesses (50 employees or fewer), providing information and assisting in the resolution of issues with state departments and agencies.
Number of employees required to perform the function: 1
Can employees work remote? Yes

5.2 OFFICE OF MANAGEMENT SERVICES (OMS)

5.2.1 OMS Function # 1: Provide customer service in basic employee needs such as benefits and insurance

Key Date(s): As needed Brief description of the Business Function: HR provides assistance to employees in the areas of benefits and insurance. In an emergency situation, volume and urgency may increase. Number of employees required to perform the function: In an emergency situation, up to three employees may be needed, depending on volume. Can employees work remote? Yes. HR phone lines must be functional.

5.2.2 OMS Function # 2: Process Time and Labor Key Date(s): T&L Deadline days immediately following each pay day Brief description of the Business Function: HR monitors and coordinates the accurate completion of time and labor entry so that payroll can correctly populate. Number of employees required to perform the function: 1 (who must be able to communicate with employees and division liaisons.) Can employees work remote? Yes

5.2.3 OMS Function # 3: Process hiring, separating employee and position transactions

Key Date(s): Effective dates as requested by divisions.
Brief description of the Business Function: Keying transactions into Edison, coordinating/conducting prescreening and separation procedures.
Number of employees required to perform the function: 2
Can employees work remote? Yes, with a Citrix connection

5.2.4 OMS Function # 4: Monitor payroll

Key Date(s): Due dates established by F&A preceding each pay day
Brief description of the Business Function: Checking and monitoring payroll to ensure accuracy on pay day.
Number of employees required to perform the function: 1
Can employees work remote? Yes

5.2.5 OMS Function # 5: Fiscal processing

Key Date(s): Various due dates, especially critical at fiscal year-end.
Brief description of the Business Function:

• Vouching Invoices - Fiscal Services is required by TCA to pay invoices within 45 days of receipt. This requires obtaining approval of the appropriate division, processing the transaction in the accounting system, and approving it for payment.
  Number of employees required to perform the function: 2 (not including the approval of the respective division personnel.)
  Can employees work remote? Yes

• Expense Claims - Fiscal Services' strategic goal is to approve employee expense claims within 5 business days of receipt.
  Number of employees required to perform the function: 2 (one to enter into the accounting system and one to approve.)
  Can employees work remote? Yes

• Deposit - Checks received by Fiscal Services are required to be deposited in compliance with F&A Policy 25.
  Number of employees required to perform the function: 2 (one to enter into the accounting system and one to approve.)
  Can employees work remote? No

• Journal Entries - Enter and approve journals in Edison. This is both for billing and paying other agencies and for correcting accounting entries. Interunit journals are required by F&A Policy 18 to be processed within 3 working days, and interdepartmental activity should be accounted for within the month in which it occurs.
  Number of employees required to perform the function: 2 (one to enter into the accounting system and one to approve.)
  Can employees work remote? Yes

• Payment Card Management - Manage the payment card program to ensure that payment card holders can continue to use their cards as needed.
  Number of employees required to perform the function: 2 (card holder to verify the transaction in the accounting system and one to approve.)
  Can employees work remote? Yes

• Creating Invoices - To comply with F&A Policy 23, state agencies are required to identify, record, and collect amounts due the state where goods and services have been provided and payment is due.
  Number of employees required to perform the function: 2 (one to enter into the accounting system and one to approve.)
  Can employees work remote? No

5.2.6 OMS Function # 6: Review and approve personal services contracts, grants, RFPs and related documents

Key Date(s): Review of documents must be timely. End of State fiscal year is critical.
Brief description of the Business Function: Review contracts required to be approved by the Comptroller's Office.
Number of employees required to perform the function: 3
Can employees work remote? Staff working with CPO contracts could work remotely. Staff working with SBC contracts would need to work in a central location or have the contracts mailed or couriered to the location where this staff member is working.

5.2.7 OMS Function # 7: Sourcing Process

Key Date(s): Review of transactions must be timely. End of State fiscal year is critical.
Brief description of the Business Function: To assist the COT divisions in procuring the goods and services they need. Included as part of this process is receiving, tagging (as applicable), and distributing goods.

• Requisition/Purchase Order - Requisitions are entered into the accounting system by division staff or a sourcing staff member. The purchase order is sourced from the requisition in the accounting system by a sourcing staff member. The requisitions and purchase orders are approved by fiscal management.

• Receiving, Distributing, Tagging - A fiscal staff member is responsible for receiving ordered goods that are shipped from the various vendors, tagging them when required, and then distributing them to the appropriate staff member in the division that ordered the goods. To the extent possible, goods can be shipped to the exact location where they will be used.

Number of employees required to perform the function: 2 (for most transactions, one to enter the requisition/PO and another to approve.) Higher dollar amount transactions may require additional approvals. Only one employee is required for the receiving, distributing and tagging function.
Can employees work remote? Yes, except for the employee receiving/distributing/tagging goods. This employee would need to work at a central location where goods would be shipped from the vendor and could be processed and distributed to the correct location.

5.2.8 OMS Function # 8: Edison Security Access

Key Date(s): This function is important all year round, but will become extremely critical if a work facility unexpectedly becomes unavailable and/or staff become unavailable for an extended period of time.
Brief description of the Business Function: Key OMS staff have the authorization to modify/delete COT staff's access to the FSCM and HCM Edison modules.
Number of Employees required to perform the function: 1
Can employees work remote? Yes

5.2.9 OMS Function # 9: Ensuring work Facilities are operational and staff have the resources necessary to function in the work environment

Key Date(s): This function is important all year round, but will become extremely critical if a work facility unexpectedly becomes unavailable for an extended period of time.
Brief description of the Business Function: Facility staff receive requests for office configurations, electrical or data access needs, and other facility-related requests. In addition, facility staff assist with any special requests for space management, facility repair/maintenance concerns, and TOSHA compliance.
Number of Employees required to perform the function: 2 minimum
Can employees work remote? Facilities staff could initially work remote if the building is unavailable, but once alternative office space is identified, they would need to work in the office.

5.2.10 OMS Function # 10: Ensuring mail services continue

Key Date(s): This function is important all year round, but will become extremely critical if a work facility unexpectedly becomes unavailable for an extended period of time.
Brief description of the Business Function: OMS is responsible for interoffice mail collection and delivery.
Number of Employees required to perform the function: 1
Can employees work remote? No. Staff responsible for mail would need to be stationed at a central location to receive incoming mail and distribute mail accordingly. This may involve physically delivering mail to remote working locations or repackaging mail to be sent via the United States Postal Service.

5.3 OFFICE OF RESEARCH AND EDUCATION ACCOUNTABILITY (OREA)

5.3.1 OREA Function #1: Preparing Fiscal Note support forms for the Fiscal Review Committee staff

Key Date(s): During General Assembly
Brief description of the Business Function: Per state statute, provide fiscal and data analysis to the Legislature during General Assembly.
Number of employees required to perform the function: 6
Can employees work remote? Yes

5.3.2 OREA Function #2: Office of Higher Education Resource Officer

Key Date(s): During General Assembly
Brief description of the Business Function: Office assists faculty, staff or employees of Tennessee's higher education systems and institutions. Also reviews and evaluates higher education policy.
Number of employees required to perform the function: 1
Can employees work remote? Yes

AUDIT FUNCTIONS

5.4 DIVISION OF STATE AUDIT (DSA)

5.4.1 DSA Function # 1: Performance and Compliance Audit Group - Conduct financial and compliance audits of state departments, agencies, and institutions per state statute in accordance with applicable standards, so that each audit includes the necessary tests for compliance with applicable laws, regulations, contracts, and grants and the required consideration of internal control, and report audit results to appropriate officials and the public. Conduct performance audits of statewide processes and programs or agency-specific operations and activities pursuant to the Tennessee Governmental Entity Review Law. Coordinate with the Financial and Compliance section on audits of the state's major programs for the Single Audit, pursuant to the Single Audit Act.

Key Date(s): Prepare and release CAFR by December 31 and Single Audit by March 31. Per the Tennessee Governmental Entity Review Law, dates vary. These audits are completed for Fall Hearings (as much as 1 year prior to a June 30th year-end termination date.)
Brief description of the Business Function: We perform audits at the auditee's site as well as in our own office when space is not available at the auditee's location. Most auditees are located in downtown state office buildings. We must have access to TeamMate, Edison, and relevant agency networks and systems at the auditee's site. We also need access to the auditee personnel and paper documents.
Number of employees required to perform the function: 51


5.4.2 DSA Function # 2: Conduct limited program evaluation audits in accordance with the Governmental Entity Review Law (Sunset) and conduct performance reviews in accordance with the Tennessee Governmental Accountability Act

Key Date(s): Dates vary
Brief description of the Business Function: Per state statute, complete limited program evaluation audits (performance audits) of major state entities six months prior to the entity termination schedule set forth in statute. Complete 100% of other public hearing information six months prior to the entity termination schedule set forth in statute. Complete a performance review of 100% of agencies participating in performance-based budgeting.
Number of employees required to perform the function: 5
Can employees work remote? Yes, for the short term. Otherwise coordination is required with other business units.

5.4.3 DSA Function # 3: Conduct all of the desk reviews, examinations, and engagements related to the TennCare and Medicaid programs per state statute as related to health care facilities and report results to the public and appropriate officials

Key Date(s): April – August – Medicaid reimbursement rate setting; September – cost settlements and computation of rates; Quarterly reports
Brief description of the Business Function: Perform reviews on all nursing facilities for the purpose of calculating Medicaid reimbursement rates. Perform settlements on all Critical Access Hospitals (CAH), Federally-Qualified Health Centers (FQHC) and Rural Health Clinics (RHC) for the purpose of reimbursing a provider's incremental costs above the routine reimbursement received from the Managed Care Organizations (MCO). Conduct field examinations of certain providers, generally selected by risk analysis and/or significant shifts in costs, resident days, or revenues.
Number of employees required to perform the function: 20
Can employees work remote? Yes

5.4.4 DSA Function # 4: Identify and prioritize potential fraud, waste, and abuse matters (Financial and Compliance Investigations)

Key Date(s): No key dates for this function. (24/7/365)
Brief description of the Business Function: Perform investigations of allegations of fraud, waste, and abuse in support of State Audit and Local Government Audit.
Number of employees required to perform the function: 2
Can employees work remote? Yes

5.5 DIVISION OF LOCAL GOVERNMENT AUDIT (DLGA)

5.5.1 DLGA Function # 1: Perform annual audits, general & application control reviews

Key Date(s): Per the Federal Single Audit Act A-133 and TCA Code 9-3-211, annual audits are to be completed and released by March 31st for the year ending June 30th. Audit procedures are conducted throughout the year in support of the annual audits.
Brief description of the Business Function: On a yearly basis, audit all counties. Publish annual audits each year by March 31st. By June 30th, review 100% of the district attorneys general and Judicial District Drug Task Forces funds. Also, by June 30th, perform all general and application control reviews on computer systems and financial software in accordance with the annual audit plan.
Number of employees required to perform the function: 82 employees
Can employees work remote? Yes


5.5.2 DLGA Function # 2: Provide assistance to the General Assembly as they research issues and consider legislation

Key Date(s): Major dates are during the legislative session, January – May, yearly. Minimal support throughout the rest of the year.
Brief description of the Business Function: Preparing fiscal notes for the legislature and research on laws and inquiries.
Number of employees required to perform the function: 2
Can employees work remote? Yes

5.5.3 DLGA Function # 3: Per TCA Code 9-3-211, monitor contracts, perform desk reviews of audits performed by CPA firms of over 1500 entities

Key Date(s): Performed year round, but audit review activity increases during the legislative session.
Brief description of the Business Function: Monitor contracts for audits of municipalities, utility districts, certain not-for-profit organizations, school activity and cafeteria funds, housing authorities and various quasi-governmental entities. Review audits of the listed entities to determine compliance with GAAP, GAGAS, laws, rules and regulations. Perform desk reviews or work paper reviews of the audits of six counties, special school districts and other related entities audited by CPA firms.
Number of employees required to perform the function: 10
Can employees work remote? Yes

PROPERTY TAX FUNCTIONS

[Note: DPA elected to address the three Disaster Scenarios only once as applying to all of the DPA Critical Business Functions (CBFs).]

5.6 DIVISION OF PROPERTY ASSESSMENTS (DPA)

5.6.1 DPA Function # 1: Property Tax billing services to cities and counties

Key Date(s): June 1 to December 1
Brief description of the Business Function: Assessment Systems staff members perform critical data quality checks and initiate processes within the IMPACT system to calculate local property taxes owed on over 2 million parcels of both real and personal property for 83 or more counties.
Number of employees required to perform the function: 5
Can employees work remote? Yes. Theoretically, this work could be performed remotely but with decreased efficiency due to decreased collaboration.

5.6.2 DPA Function # 2: Tax Relief payments to low income elderly and disabled veterans

Key Date(s): January 1 to June 30 and September 1 to October 31
Brief description of the Business Function: Tax Relief staff members receive approximately 175,000 Tax Relief applications from every property tax collecting jurisdiction in the state. Staff members then perform critical examination and review of these applications. Those applications ultimately approved are then processed for payment.
Number of employees required to perform the function: 10
Can employees work remote? No. The Tax Relief processing system (TRAIN) is not available outside the COT infrastructure due to security maintained to protect PII contained within applications.

5.6.3 DPA Function # 3: Valuation calculations (Reappraisal Programs and Assessment Rolls)

Key Date(s): January 1 to May 31
Brief description of the Business Function: Assessment Systems staff members perform critical data quality checks and initiate processes within the IMPACT system to calculate property values for counties undergoing a reappraisal program. The number of counties undergoing a reappraisal program varies each year according to schedules and cycles. After value calculations are complete and have been approved, assessment rolls are produced and delivered to the counties.
Number of employees required to perform the function: 4
Can employees work remote? Yes. Theoretically, this work could be performed remotely but with decreased efficiency due to decreased collaboration.

5.7 OFFICE OF STATE ASSESSED PROPERTIES (OSAP)

5.7.1 OSAP Function # 1: Annual assessments of public utilities and transportation companies completed and mailed

Key Date(s): On or before the first Monday in August as stated by statutory law
Brief description of the Business Function: OSAP is charged with valuing and assessing all property (tangible and intangible) that falls under our jurisdiction. These assessments must be in Impact, and letters are to be produced and mailed to all companies by the first Monday of August.
Number of employees required to perform the function: All OSAP Staff (12)
Can employees work remote? Yes

5.7.2 OSAP Function # 2: Complete distribution to cities and counties and compile tax rate information

Key Date(s): Goal is to be completed by November 30, annually
Brief description of the Business Function: Assessments that are mailed to companies in August are broken down by investments and situs property and keyed into the Impact Distribution Module. Current year tax rates are entered into Impact.
Number of employees required to perform the function: 8
Can employees work remote? Yes

5.7.3 OSAP Function # 3: Certification of public utilities and transportation companies sent to cities and counties.

Key Date(s): Goal is to have sent by December 20, annually
Brief description of the Business Function: Tax Roll, Tax Book and Tax Notices are generated from Impact and either emailed or sent via postal service to all county and city collecting officials.
Number of employees required to perform the function: 4
Can employees work remote? No

5.7.4 OSAP Function #4: Telecommunications ad valorem tax reduction fund

Key Date(s): On or before June 1 as stated by statutory law
Brief description of the Business Function: Monies collected from March through February by the Department of Revenue as noted in TCA 67-6-221 are distributed to the appropriate Telecommunication companies.
Number of employees required to perform the function: 1
Can employees work remote? No (per email – cannot work remotely). Does it have to be sent certified mail?

5.7.5 OSAP Function # 5: Appraise real property of public utility and transportation companies

Key Date(s): Ongoing
Brief description of the Business Function: An OSAP appraiser visits any building owned by a company that is assessed by OSAP, derives a value, and adds it to Impact.
Number of employees required to perform the function: 2
Can employees work remote? Yes


5.7.6 OSAP Function # 6: Perform routine audits of assessable public utility and transportation companies

Key Date(s): Ongoing
Brief description of the Business Function: Ad Valorem tax reports are received by the office and desk audits are performed. Should there be a need to visit the company, the appropriate Analyst/Auditor will make the trip to the company's business.
Number of employees required to perform the function: 2
Can employees work remote? Yes

5.7.7 OSAP Function # 7: Research to discover public utility and transportation companies to be added to be assessed

Key Date(s): Ongoing
Brief description of the Business Function: January 1 of each year is the assessing date. However, resources (examples: other state agencies, newspapers, web sites, internet) are used to make sure that all property is assessed and on the tax roll either by the local assessor or by OSAP.
Number of employees required to perform the function: 8
Can employees work remote? Yes

5.8 OFFICE OF LOCAL GOVERNMENT (OLG)

5.8.1 OLG Function #1: Maintenance of Parcel Geographic Information Systems (GIS) data

Key Dates/deadlines: Continuous
Brief description of the Business Function: Parcel mapping is the creation, collection and/or maintenance of Tennessee property parcel boundaries in digital form using Geographic Information Systems (GIS). The electronic data are published in recognizable map form but can also be electronically merged with property records stored in the state's Computer-Assisted Mass Appraisal (CAMA) system. The parcel GIS data are used to accurately map and assess real property parcels in Tennessee.
Number of employees required to perform the function: 10
Can employees work remote? Yes, the Senior Analyst can work remotely since this business area is highly technical, hardware/software based. With the remainder of staff, decreased efficiency would be expected due to limited availability of research materials required to accurately map.

5.8.2 OLG Function #2: Maintenance of Redistricting data

Key Dates/deadlines: 2 years before & after Decennial Census (i.e. 2020 Census = 2018 - 2022)
Brief description of the Business Function: The Redistricting business area primarily focuses on assisting local government officials in each county with the local Redistricting process. This includes assisting local government officials with tech support and help for matters relating to redistricting and voting precinct maintenance. The Redistricting Data Program (RDP) takes place at least once every ten years and generally coincides with the decennial Census conducted by the U. S. Census Bureau. The Redistricting Data Program consists of five phases, four of which require significant involvement by OLG. In addition, the redistricting area also fulfills map order sales relating to redistricting and oversees the continuing maintenance of redistricting maps on the Comptroller's website.
Number of employees required to perform the function: 5
Can employees work remote? No. Collaboration would be required with other business areas.

5.8.3 OLG Function #3: Maintenance Municipal boundary information required by TCA 6-51-121

Key Dates/deadlines: Sporadic throughout year
Brief description of the Business Function: Upon adoption of an annexation ordinance or upon referendum approval of an annexation resolution as provided in Tennessee Code Annotated, an annexing municipality shall record the ordinance or resolution with the register of deeds in the county or counties where the annexation was adopted or approved. The ordinance or resolution shall describe the territory that was annexed by the municipality. A copy of the ordinance or resolution shall also be sent to the comptroller of the treasury and the assessor of property for each county affected by the annexation.
Number of employees required to perform the function: 2
Can employees work remote? No. Collaboration would be required with other business areas.

5.9 STATE BOARD OF EQUALIZATION (SBOE)

Introduction – The purpose of this analysis is to identify critical business functions of the State Board of Equalization (SBOE) and project consequences of specified disaster scenarios for planning purposes. The primary (continuous) functions of the SBOE are the hearing and administrative resolution of property tax assessment complaints and the review and determination of claims for religious, charitable and related property tax exemptions. Secondary (seasonal) functions are review of certified (tax-neutral) property tax rates following county reappraisals, registration of taxpayer agents, receipt of filings related to tax increment financing (TIF) and payments-in-lieu-of-taxes (PILOT). Of these functions, only the tax rate review function is deemed critical because it affects the validity of local property tax levies and could interrupt cash flow to counties and municipalities. Other functions could suffer interruptions for as long as three months or more without affecting public finance or public health, safety or welfare.

5.9.1 SBOE Function # 1: Review or calculate certified (tax-neutral) property tax rates for reappraisal counties

Key Date(s): Annually on or before July 1
Brief description of the Business Function: Provide notice or calculation on or before July 1 in support of county and city processes for adopting the annual budget and property tax levy.
Number of employees required to perform the function: 1
Can employees work remote? Yes

5.9.2 SBOE Function #2: Receipt and processing of filing fees, appeals and exemption applications received via USPO, FedEx, etc.

Key Date(s): Daily process
Brief description of the Business Function: Processing of appeals, exemption applications, and checks received to document the pertinent information. Checks must be delivered in accordance with the chain of custody to OMS Fiscal.
Number of employees required to perform the function: 1
Can employees work remote? No

GOVERNMENTAL FINANCE

5.10 OFFICE OF STATE & LOCAL FINANCE (OSLF)

5.10.1 OSLF Function # 1: Process disbursements Requirements

Key Date(s): Regularly and daily
Brief description of the Business Function: Payment of project disbursement requests and administrative expenses.
Number of employees required to perform the function: 2
Can employees work remote? Yes

5.10.2 OSLF Function # 2: Annual requirements for Long-term Debt Service

Key Date(s): As needed (issuance); on the 1st day of each month (debt service)
Brief description of the Business Function: Issue long-term debt when needed; access critical information to process payments of principal and/or interest on bonds.
Number of employees required to perform the function: 3
Can employees work remote? Yes

5.10.3 OSLF Function # 3: Preparation of Financial Statements and Comprehensive Annual Financial Report (CAFR)

Key Date(s): Annual (November of each year)
Brief description of the Business Function: Compile financial statements for each program and the TSSBA CAFR.
Number of employees required to perform the function: 5
Can employees work remote? Yes, Debt Management System access is required

5.10.4 OSLF Function # 4: Program Administration

Key Date(s): Daily
Brief description of the Business Function: Maintain functionality of programs: monitor projects, evaluate loan applications, send invoices, receive ACH & wired payments, monitor & manage cash balances.
Number of employees required to perform the function: 4
Can employees work remote? Yes, Debt Management System access is required

5.10.5 OSLF Function # 5: Facilitate and Staff Board Meetings

Key Date(s): Varies
Brief description of the Business Function: Compile and distribute informational packets to staff and board, schedule meetings.
Number of employees required to perform the function: 4
Can employees work remote? Yes

5.10.6 OSLF Function # 6: Continuing Disclosure Compliance Program

Key Date(s): January 31, February 24, & June 30 of each year.
Brief description of the Business Function: Submission of continuing disclosure information to the Municipal Securities Rulemaking Board's Electronic Municipal Market Access website.
Number of employees required to perform the function: 4
Can employees work remote? Yes

5.10.7 OSLF Function # 7: Retrieval of retained records

Key Dates: Approve debt proposals within five (5) days of receipt
Brief description of the Business Function: Objective is to provide written approval to local governments if proposals are in accordance with statutes. Need access to electronic records on FileNet and ability to request retrieval from Richards & Richards.
Number of employees required to perform the function: 1
Can employees work remote? Yes

5.10.8 OSLF Function # 8: Process deposit

Key Dates: Daily
Brief description of the Business Function: Record checks and process deposit in iNovah and Edison.
Number of employees required to perform the function: 2
Can employees work remote? No, need ability to receive mail and access to iNovah equipment

5.10.9 OSLF Function # 9: Commercial Paper (CP) and Revolving Credit Facility (RCF)

Key Dates: Daily
Brief description of the Business Function: Verify accuracy of amount and days outstanding and recalculate interest on trade tickets on CP roll dates; issue requests for additional CP to be issued; issue requests to draw on RCF; bill borrowers for interest (monthly).
Number of employees required to perform the function: 3
Can employees work remote? Yes

5.10.10 OSLF Function # 10: Review requests to issue debt from local governments

Key Dates: Approve requests within statutory time frames ranging from five (5) to fifteen (15) days of receipt.
Brief description of the Business Function: Provide written approval and/or reports to local governments consistent with statutes.
Number of employees required to perform the function: 6
Can employees work remote? Yes

5.10.11 OSLF Function # 11: Review annual operating budgets submitted from local governments

Key Dates: Approve budgets within thirty (30) days of receipt.
Brief description of the Business Function: Provide written approval or acknowledgement to local governments consistent with statutes.
Number of employees required to perform the function: 6
Can employees work remote? Yes

5.10.12 OSLF Function # 12: Timely response to Open Records requests

Key Dates: Respond to requests for public records within seven (7) business days (TCA § 10-7-503).
Brief description of the Business Function: Provide public documents as requested by Tennessee citizens and other interested parties.
Number of employees required to perform the function: 3
Can employees work remote? Yes

5.10.13 OSLF Function # 13: Timely response to Fiscal Note Support Forms

Key Dates: Seasonal, during legislative session
Brief description of the Business Function: Respond to fiscal note support form requests.
Number of employees required to perform the function: 3
Can employees work remote? Yes

SYSTEM FUNCTIONS

5.11 DIVISION OF TECHNOLOGY SOLUTIONS (DoTS)

5.11.1 DoTS Function # 1: Provision and support of IT infrastructure

Key Date(s): Continuous Function
Brief description of the Business Function: Network connectivity, systems, and storage. The Disaster Recovery Plan will be implemented if applicable.
Number of employees required to perform the function: 10
Can employees work remote? Yes

5.11.2 DoTS Function # 2: Provision and support of personnel computing devices

Key Date(s): Continuous Function
Brief description of the Business Function: Desktop PCs, laptops, tablets, supported mobile devices, printers, scanners, and other external peripherals.
Number of employees required to perform the function: 4
Can employees work remote? Yes


5.11.3 DoTS Function # 3: Development and support of custom built in-house software applications

Key Date(s): Continuous Function
Brief description of the Business Function: Includes all software applications developed by COT software developers, including SharePoint.
Number of employees required to perform the function: 4
Can employees work remote? Yes

5.11.4 DoTS Function # 4: Support of vendor-developed software applications

Key Date(s): Continuous Function
Brief description of the Business Function: All software applications developed by a vendor, both those housed within COT's infrastructure and those hosted by the vendor.
Number of employees required to perform the function: 10
Can employees work remote? Yes

5.11.5 DoTS Function # 5: Security management for Comptroller systems and devices

Key Date(s): Continuous Function
Brief description of the Business Function: Validating and maintaining security policies within infrastructure, systems, network communication, storage, and all devices (computer, tablet, and phone).
Number of employees required to perform the function: 14
Can employees work remote? Yes

5.11.6 DoTS Function # 6: Management of end-user accounts and permissions to Comptroller systems

Key Date(s): Continuous Function
Brief description of the Business Function: Set-up and maintenance of end-user permissions.
Number of employees required to perform the function: 2
Can employees work remote? Yes

5.11.7 DoTS Function # 7: Service Desk

Key Date(s): Continuous Function
Brief description of the Business Function: Coordination of IT service requests, Tier 1 troubleshooting and support.
Number of employees required to perform the function: 2
Can employees work remote? Yes, unless the resolution requires hands-on access to the device.


APPENDIX A – BCWG CHARTER AND GOALS

CHARTER

The Charter of the Business Continuity Working Group (BCWG) is to develop and continually expand the plans, strategies, and contingency operations for emergency preparedness of the Comptroller’s Office. This comprehensive approach to Business Continuity will include the multiple components of three primary focal points:

o Emergency Response
o Disaster Recovery
o Business Resumption.

Emergency Response is always the first concern: to establish contact with the employees of the Office as quickly as possible and to ensure their safety (as well as that of their family members, so they can contribute to the Office from home without worry). Thus, emergency communications are critical.

Disaster Recovery includes all the efforts to reestablish the Information Technology systems and support that are necessary to fully accomplish the responsibilities of the Office. All the hardware, software, and network infrastructure must be operational in as little time as possible.

Business Resumption includes the day-to-day processes and procedures that comprise all the critical, important, and routine business functions of the Office. Together, these components of Business Continuity lead to an ever-increasing state of readiness. Planning and preparation are the keys.

Since emergency conditions and appropriate responses are virtually unlimited, this working group shall consist of one representative from each division in the Office who will serve in a perpetual manner to ensure all three focal points are brought together and carried out smoothly in the event of a disaster. As a subordinate unit of the Comptroller’s Business Resumption Taskforce, the BCWG is the working group to “add the details and fill in the gaps.”

Each division member assigned to the BCWG shall represent their division’s strategic, program, and business line needs with any related tasks or assignments. As members rotate out, retire, or otherwise vacate their seat on the BCWG, the Division will assign a new member to fill the vacancy. The full group will have regular meetings at agreed-upon intervals, and minutes will be taken to document the proceedings. The Comptroller’s formal Business Continuity Plan will be updated and maintained by approval and direction of this group.

GOALS

The primary overarching goal is to continuously update and expand the Comptroller’s Business Continuity Plan in order to guide operations of the Office in the event of an actual disaster.

The Business Continuity Plan integrates emergency response, disaster recovery, and business resumption needs of the office.


APPENDIX B – FIRST RESPONSE ACTIVITIES

Any time an actual emergency occurs, remember: DO NOT TALK TO NEWS MEDIA (the Comptroller Communications Officer will do that).

• Receive alert notification (from a credible source)

• Notify Senior Management team (each division’s senior member must be contacted)

• Senior Management team may assemble at a designated assembly site or conference call (as directed by the Comptroller)
  o Location:
  o Time:
  o Contact Name:

• Use Emergency Contact List to notify additional personnel to proceed to Assembly site:
  o If needed bring this business continuity plan
  o If appropriate, be prepared to travel
  o Bring ID badges
  o Bring pertinent resources from home or off-site

• The Information Technology personnel may need to meet their team at an alternate location (as directed by the Assistant Director of Information Technology)
  o Location:
  o Time:
  o Phone Number:

• Meeting and briefing for Senior Management Team
  o Document information at briefing
  o Contact appropriate authorities
      - Description of disaster and expected down time
      - Injury to personnel
      - Building entry
      - Extent of crisis
  o Determine messages at briefing
      - Message to be placed on Emergency phone line (1-866-283-7109)
      - Message to be placed on the Comptroller Disaster Recovery webpage
      - Message to be given to the media (consult Communications Officer)
  o Initiate personnel call tree. Every supervisor will contact his/her direct-reports (down to the lowest level).
  o Notify recovery teams
  o Contact vendors and other clients as appropriate
  o Prepare report of critical functions status and potential concerns during the briefing

• Brief staff on situation

• Begin team recovery activities


APPENDIX C – DEFINITION OF TERMS

Alert – advance notification that a disaster situation may occur. This forewarns participants of the possible implementation of the BCP. ‘Alert Exercise’ refers to training scenarios.

Alternate Site – a location, other than the normal facility, used to process data and/or conduct critical business functions in the event that access to the primary facility is denied or the primary facility is damaged. Examples of alternate sites include: cold site, warm site, and hot site:

• Cold Site – typically a fully-constructed data center or similar facility without computer hardware or similar equipment. This facility usually has necessary environmental and support systems such as access controls, raised flooring, chilled water, electrical power, air conditioning & telecommunications access for voice & data.

• Warm Site – an alternate recovery facility partially equipped with hardware, communications, power, and environmental support equipment.

• Hot Site – this is a fully equipped computer facility. A hot site contains the stand-by computer equipment, environmental systems, communications capabilities, and other equipment necessary to fully support a using organization's immediate data processing requirements in the event of an emergency or a disaster.

Backup – the practice of copying information, regardless of media (paper, microfilm, audio or video tape, computer disks, etc.) to provide a duplicate copy. This is done for protection in case the active information is unreadable or destroyed. Backups to support a recovery effort must include a storage strategy which physically separates the backup data from the original data so there is minimal chance that the same event could destroy both copies. Backups may be of various media types.

Business Continuity – describes the processes and procedures an organization puts in place to ensure that critical functions can continue during and after a disaster. Business continuity planning seeks to prevent extended interruption of mission-critical services, and to reestablish full functioning as swiftly and smoothly as possible. Includes three levels:

• Emergency Response (ER) – actions taken immediately after and during a disaster.

• Disaster Recovery (DR) – ability to respond to an interruption in services by implementing a recovery plan for orderly and timely restoration of business services and supporting resources.

• Business Resumption (BR) – full restoration of normal business processes/operations.

Business Continuity Plan (BCP) – a document containing the recovery timeline methodology, test-validated documentation, procedures, and action instructions developed specifically for use in restoring organization operations in the event of a declared disaster.

Business Impact Analysis (BIA) – the process of identifying an organization's exposure (threats) to the sudden loss of selected business functions and/or supporting resources. It also includes analyzing the potential disruptive impact of those risks on key business functions and critical business operations.

Business Interruption – any event, anticipated or unanticipated, which disrupts the normal course of operations at a business location.


Command Center – a command center will typically be a location with ample voice communications capabilities as well as office space, furniture, and office equipment to support emergency management team members. The command center can be located in an alternate recovery facility, mobile facility, in another building, or in a facility such as a hotel or conference center, remote from the normal business facilities.

Critical Business Function (CBF) – vital business functions necessary for the continued success of the organization. If a critical business function is non-operational, the organization could suffer serious legal, financial, goodwill, or other serious losses or penalties. Generally, critical business function(s) must operate continuously or sustain only brief interruptions.

Data Integrity – information and data that accurately reflects the status of a business function at a given point in time, representing complete, synchronized information that has passed all data validation and error checking routines. Data integrity is critical in the post interruption environment when data is reconstructed from backups.

Disaster Recovery Plan (DRP) – an IT-focused plan designed to restore operability of the target systems, applications, or computer facility at an alternate site after an emergency. A DRP addresses major site disruptions that require site relocation. The DRP applies to major, usually catastrophic, events that deny access to the normal facility for an extended period of time. Typically, Disaster Recovery Planning involves an analysis of business processes and continuity needs; it may also include a significant focus on disaster prevention.

Disaster Tolerance (DT) – defines an environment's ability to withstand major disruptions to systems and related business processes. DT at various levels should be built into an environment and can take the form of hardware redundancy, high availability/clustering solutions, multiple data centers, eliminating single points of failure, and distance solutions.

Exercise – a test or drill in which actions in the contingency plan are performed or simulated as though responding to an event. It is during the exercise that planners and participants can evaluate whether the planned activities and tasks properly address potential situations.

High Availability – describes a system's ability to continue processing and functioning for a certain period of time - normally a very high percentage of time, for example 99.9%. High availability can be implemented in your IT infrastructure by reducing any single points-of-failure using redundant components. Similarly, clustering and coupling applications between two or more systems can provide a highly available computing environment.

Network Recovery Objective (NRO) – indicates the time required to recover or failover network operations. Systems level recovery is not fully complete if customers cannot access the application services via network connections. Hence, the NRO includes the time required to bring online alternate communication links, re-configure routers and name servers (DNS) and alter client system parameters for alternative TCP/IP addresses. Comprehensive network failover planning is of equal importance to data recovery in a Disaster Recovery scenario.

Mitigation – measures taken to reduce or eliminate the exposure of assets or resources to risk.


Off-Site Storage – the process of storing vital records in a facility that is physically remote from the normal site. Usually this facility is environmentally protected for proper care and storage of magnetic media, microfilm and paper.

Recovery – the long-term activities and programs which are designed to be implemented beyond the initial crisis period of an emergency or disaster in order to return all systems to normal status or to reconstitute those systems to a new condition that is less vulnerable.

Recovery Time Objective (RTO) – time needed to recover from a disaster or, saying it another way, how long you can afford to be without your systems.

Recovery Point Objective (RPO) – describes the age of data needed to restore in the event of a disaster. For example, if your RPO is 6 hours, you want to be able to restore systems back to the state they were in as of no more than 6 hours ago. To achieve this, you need to be making backups or other data copies at least every 6 hours. Any data created or modified inside your recovery point objective will either be lost or must be recreated during a recovery. If your RPO is that no data is lost, synchronous remote copy solutions are your only choice.
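The RTO and RPO definitions above can be checked against what a backup schedule and a real outage actually deliver. The following is an added example, not part of the plan; it assumes a constructed list of backup completion times (with one 6-hourly run missing) and constructed outage timestamps, and measures the data-loss window and downtime against a 6-hour RPO and an 8-hour RTO.

```python
from datetime import datetime, timedelta

# Constructed sample (not from the plan): completion times of 6-hourly backups,
# with the 2016-10-02 06:00 run missing to show an RPO gap.
BACKUPS = [
    "2016-10-01 00:00", "2016-10-01 06:00", "2016-10-01 12:00",
    "2016-10-01 18:00", "2016-10-02 00:00", "2016-10-02 12:00",
]
FMT = "%Y-%m-%d %H:%M"

def _parse(ts):
    return datetime.strptime(ts, FMT)

def backup_gaps_exceeding_rpo(backups, rpo_hours):
    """Intervals between consecutive backups longer than the RPO, as
    (start, end, hours). An outage anywhere inside such an interval would
    lose more data than the objective allows."""
    times = sorted(_parse(b) for b in backups)
    limit = timedelta(hours=rpo_hours)
    gaps = []
    for earlier, later in zip(times, times[1:]):
        if later - earlier > limit:
            hours = (later - earlier).total_seconds() / 3600
            gaps.append((earlier.strftime(FMT), later.strftime(FMT), hours))
    return gaps

def assess_outage(backups, outage_start, recovery_complete, rpo_hours, rto_hours):
    """What one outage actually cost: data loss is the age of the newest
    backup completed before the outage (compare to RPO); downtime is the
    time until recovery completed (compare to RTO)."""
    start, done = _parse(outage_start), _parse(recovery_complete)
    prior = [t for t in (_parse(b) for b in backups) if t <= start]
    if not prior:
        raise ValueError("no backup completed before the outage")
    data_loss_hours = (start - max(prior)).total_seconds() / 3600
    downtime_hours = (done - start).total_seconds() / 3600
    return {
        "data_loss_hours": data_loss_hours,
        "downtime_hours": downtime_hours,
        "rpo_met": data_loss_hours <= rpo_hours,
        "rto_met": downtime_hours <= rto_hours,
    }

if __name__ == "__main__":
    print(backup_gaps_exceeding_rpo(BACKUPS, 6))
    print(assess_outage(BACKUPS, "2016-10-02 10:00", "2016-10-02 20:00", 6, 8))
```

An outage at 10:00 on the second day falls in the 12-hour gap left by the missed run, so 10 hours of data would have to be recreated even though the schedule nominally satisfies a 6-hour RPO.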

Restoration – this is the act of returning a piece of equipment or some other resource to operational status. Commercial service companies provide a restoration service with staff skilled in restoring sensitive equipment or large facilities. Such vendors often work with insurance companies and may restore equipment for a fee or may purchase damaged equipment with the intent of restoring the equipment and re-marketing the product.

Risk – the potential for harm or loss caused by an undesirable event.

Risk Analysis – A risk analysis identifies important functions and assets that are critical to a firm's operations, and subsequently establishes the probability of a disruption to those functions and assets. Once the risk is established, objectives and strategies to eliminate avoidable risks and minimize impacts of unavoidable risks can be set. A list of critical business functions and assets should first be compiled and prioritized. Following this, determine the probability of specific threats to business functions and assets. For example, a certain type of failure may occur once in 10 years. From a risk analysis, a set of objectives and strategies to prevent, mitigate, and recover from disruptive threats should be developed.

Stand Alone Processing – processing typically on a PC which has no communications link with other processors.

Threat – events that cause a risk to become a loss; e.g., an earthquake or fire that destroys a central computer network. Threats include natural phenomena such as storms and floods, as well as man-made incidents such as cyber-terrorism, sabotage, power failures & bomb threats.

Vital Records – records or documents, regardless of media (paper, microfilm, audio or video tape, computer disks, etc.) which, if damaged or destroyed, would disrupt business operations and information flows and cause considerable inconvenience and require replacement or recreation at considerable expense.