Business Continuity / Disaster Recovery
Effective Date: March 18, 2020
MortgageTech recognizes the importance of maintaining a business continuity strategy and has developed a comprehensive strategy designed to prevent interruptions in our business operations. Our Business Continuity Team is dedicated to evaluating risk and to developing, testing and implementing business continuity plans to protect co-workers and critical corporate data assets and to minimize delays in the delivery of products, services and support to our customers.
Business Continuity Program
MortgageTech, Inc (“MortgageTech”) recognizes the importance of maintaining a viable business continuity strategy and has developed a comprehensive business continuity program (“Program”) designed to prevent interruptions in the business operations.
Business Continuity Planning Process
Business continuity planning involves the entire company. The Program is reviewed and approved by MortgageTech’s Board of Directors. Plans are developed on the basis of a full loss of MortgageTech’s operational facilities, and also on the basis of a partial loss of such facilities. At the time of an incident, an assessment by the MortgageTech – Management Incident Response Team (MIRT) may result in either a full or partial activation of the business recovery plan(s).
The highest-level business recovery team is the MortgageTech – Management Incident Response Team (MIRT). The MIRT is responsible for driving the continuity initiatives for MortgageTech in the event of a business interruption, including damage assessment, declaration, direction and control for corporate communications, personnel and financial resource allocation, and implementation of the appropriate actions for response, recovery and restoration of MortgageTech’s Critical business processes.
Example of a full activation: destruction of facilities within MortgageTech’s headquarters where data processing and finance functions are conducted.
Example of partial activation: closing of a remote location due to environmental conditions, or loss of a business function caused by an isolated incident, requiring the relocation of personnel and services.
MortgageTech conducts Business Impact Analyses (BIAs) to determine the Maximum Tolerable Outage (MTO) for each business process. The MTO is the maximum time a business process can remain unavailable before its loss starts to have an unacceptable impact on the goals or survival of the organization. Recovery plans, which include Recovery Time Objectives (RTOs), are developed and prioritized based on BIA results.
Recovery plans for Critical business processes are reviewed every two years or as needed in response to new or changing business unit requirements. Call trees and personnel contact lists are updated each quarter and tested at minimum on an annual basis using MIR3, MortgageTech’s Emergency Notification Tool. Program funding requirements are reviewed periodically.
Critical business processes consist of but are not limited to those business processes which impact key customer relationships, generate revenue, or ensure compliance with contractual or regulatory requirements in a material respect.
Customer Communication following a Business Interruption Declaration
• E-mails will be sent to all MortgageTech customer contacts in a timely fashion.
• Subsequently, information will be available by calling MortgageTech’s Customer Service Department at 833-684-8324.
The principal objectives of the Program are to:
• Recover MortgageTech’s critical business processes within 24 hours of a business interruption declaration.
• Satisfy obligations and commitments to safeguard the confidential information of MortgageTech, the customers, employees, and other business associates throughout the business resumption process.
• Minimize adverse financial consequences associated with an interruption of business operations.
Business Continuity Team Hierarchical Structure
Business continuity is based on a three-level team structure.
• Level 1 Leaders (L1s), a.k.a. the Management Incident Response Team (MIRT), are responsible for overall management and direction of the Program and response to a business interruption. L1s are responsible for approving corporate-wide high-level strategy for business continuity and reporting on its status to executive management and the Boards of Directors of MortgageTech. They approve allocation of funds and resources for these purposes. At the time of a business interruption, they notify persons who need to be mobilized, declare or cancel the assessment of the business interruption, activate emergency responses and resolve questions that arise in the response to the business interruption.
• Level 2 Leaders (L2s) are responsible for direction of the critical business processes if a business interruption is declared. L2s provide guidance in planning, promote awareness of the Program within MortgageTech, review and approve elements of planning and participate in testing the Program. At the time of a declaration, they assist the L1s in mobilizing resources and activating emergency responses.
• Level 3 Leaders (L3s) are responsible for tactical planning and recovery of business processes if a business interruption is declared. L3s create business continuity plans for their teams, review their plans and participate in testing and establish priorities for recovery within their Critical business processes. At the time of a declaration, they mobilize team members, conduct recovery team meetings, prioritize recovery initiatives, support recovery efforts and report on their status within their areas of responsibility.
• MortgageTech Command and Control (diagram below)
At the time of a business interruption declaration, Level 1 Leaders will organize into a command and control structure similar to the Incident Command System (ICS). The Incident Command System is a well-organized team approach for managing critical incidents. It has been in practice for over 35 years and is used today by Federal, State, County and local emergency response agencies. ICS is being widely adopted by the private sector.
• MortgageTech uses a hierarchical team structure for business recovery marked by clear separation of duties, decision making and communication in order to maximize the efficiencies of the recovery teams.
• The highest-level business recovery team is the Management Incident Response Team (MIRT). The MIRT is responsible for driving the recovery initiatives for MortgageTech in the event of a business interruption, including damage assessment, declaration, direction and control for corporate communications, personnel and financial resource allocation, and implementation of the appropriate actions for response, recovery and restoration of MortgageTech’s Critical business processes. The MIRT is led by the SVP Information Services/Chief Information Officer, who has primary responsibility for the Program, together with the Vice President Information Services – Chief Information Security Officer. Their primary roles and responsibilities include:
– Declare or cancel the assessment of the business interruption. MortgageTech will declare a business interruption when natural occurrences, technological problems or other emergencies interrupt the operations of a critical business process of MortgageTech, resulting in the time to resume the critical business process exceeding the Maximum Tolerable Outage (MTO) of that critical business process.
– Activation of the Emergency Operations Center (EOC). The EOC is a pre-defined location that is activated in a business interruption or emergency from which the overall command, control, communication and coordination are conducted.
– Supervision and management of the MIRT.
– Management and monitoring of overall recovery efforts.
– Authorization and prioritization of all recovery efforts.
• MortgageTech’s goal is to recover all Critical business processes within a recovery time objective of 24 hours from declaration of a business interruption.
• Critical business processes consist of but are not limited to those business processes which impact key customer relationships, generate revenue, or ensure compliance with contractual or regulatory requirements in a material respect.
• Business Recovery Plans are developed for all Critical business processes. Every three years a complete evaluation is undertaken to define these business functions within MortgageTech.
• MortgageTech protects all electronic and hard-copy “Production” information for the purposes of recovering MortgageTech’s critical business processes in the event of a business interruption.
• Recovery Data Center – MortgageTech owns or leases all equipment necessary to recover MortgageTech’s computing environment. This equipment is installed and in a rapid recovery state within the Microsoft Azure Cloud.
• MortgageTech establishes an Emergency Operations Center in the event of a business interruption.
• MortgageTech’s business recovery plan is developed to support three distinct phases of the business interruption: response; recovery; and resumption of business. (See diagram)
Business interruptions at a Customer’s Location:
• An event could interrupt business operations of the customers of MortgageTech and its affiliates, consisting of mortgage lenders and servicers. The insurance operations of MortgageTech and its affiliates do not involve direct contact with borrowers whose loans are insured or require physical presence at the insured’s property. Therefore, MortgageTech does not need to deliver personnel, equipment or other resources to the site of a customer’s business interruption.
• MortgageTech’s contacts are almost entirely with lenders which submit loans for insurance and loan servicers who collect mortgage payments and handle and report to MortgageTech defaults and foreclosures. Those servicers remit premiums to MortgageTech and report the status of the loan default to MortgageTech primarily by electronic means, but they can also remit premiums by other methods of payment and report and communicate with MortgageTech by mail, fax, phone and other customary forms of delivery. MortgageTech communicates with lenders and servicers and makes claim payments by electronic means, but also by the other above-mentioned means customarily used.
• MortgageTech’s internal operations at its corporate headquarters and remote field facilities would continue after an event affecting a customer because they are independent of the event impacting the customer. These operations include fraud investigation, claims, premium processing, and underwriting.
• In particular, MortgageTech could conduct fraud investigations even after an event affecting a customer in substantially the same way it conducts them before the event, because they are conducted primarily on the basis of files and information available at MortgageTech’s offices and incidentally by direct contacts with customers and other persons and public records. Those contacts generally can be conducted as described above by various means that should remain available even if the customer is affected by an event. Fraudulent activities can then be reported to regulatory authorities under MortgageTech’s current procedures.
• Impacted customers can leverage numerous pre-existing communication methods offered by MortgageTech to continue business (i.e., internet, fax, traditional mail, electronic mail and telephones).
925 Lincoln St.
Denver, CO 80203