Equinix leads the way with integrity and purpose because of our solid governance foundation. To maintain trust with Equinix’s stakeholders, it is essential to closely monitor and manage key business risks. To enhance our procedures for identifying and mitigating risks, we established routine systems that allow us to regularly collaborate with stakeholders from both within the company and outside.
When unforeseen events like international conflict, cyberattacks, global pandemics and natural disasters occur, managing risks is essential to minimize operational, financial and reputational repercussions. We are actively planning to make sure we can react swiftly to shifting circumstances and maintain the seamless operation of our company. As a global organization, we actively engage individual sites to ensure that consistent procedures are in place to identify local risk exposures and implement measures to protect our teams and sites.
The Enterprise Risk Management (ERM) program at Equinix is designed to drive the identification, assessment, management, monitoring and reporting of key business risks, including those associated with environment, social and governance. Our ERM process incorporates guidelines and best practices from the ISO 31000 standard (Risk Management – Principles and Guidelines) and the COSO standard (Enterprise Risk Management – Integrating with Strategy and Performance). As we grow, we continually look for ways to enhance our ERM process and incorporate risks associated with the diverse regions in which we operate.
Equinix’s risk reporting structure enables our internal teams to monitor the status of key risks and the effectiveness of our mitigation efforts. Our Risk Management Practices are managed by our VP, Global Risk and Security with support from the VP, Business Assurance Services. Key risks are communicated to the Board, and the Nominating and Governance Committee receives quarterly updates on key risk topics.
Equinix evaluates key risks and controls by using a standard risk assessment template. Key risk topics may include business continuity and disaster recovery planning, human capital challenges, supply chain, cybersecurity, water-related emergencies and regulatory compliance, as appropriate.
We work diligently to discuss key risks with respective owners who embed the risk conversation throughout the organization. In 2022, we began a multi-phase process to refresh and conduct a deeper analysis on Equinix’s risk list. Phase 1, which included interviews with over thirty senior leaders and board representatives, highlighted a shift and added risks such as environmental, social and governance to our top risk list.
Equinix remains committed to ensuring a safe and secure environment for our employees, contractors and visitors, while maintaining the continuity of our business operations. Our Business Continuity Program Office (BCPO) aims to take appropriate precautions and uses a standardized methodology to detect and respond to incidents before they develop into unplanned interruptions. The BCPO is continually evolving to incorporate more mature processes and integrate regional differences throughout its four components:
The BCPO is sponsored by the company’s EVP, Global Operations, and is governed by the BCP Executive Steering Committee, consisting of Equinix executives and subject matter experts who meet at least quarterly. The Executive Steering Committee maintains visibility over BCP activities, receives regular updates/reports regarding program progress and testing results, and provides program direction and support. BCP matters are further discussed at the Board Nominating and Governance Committee as needed.
We empower all IBX® data center managers to work closely with the BCPO while proactively responding to their own incidents. Each center has a documented Business Recovery Plan containing site-specific information about how to manage identified risks and outlining response procedures, mitigation and recovery measures. These plans are tested, reviewed and signed off annually, or more frequently as needed. Plans are developed on an as-need basis and include guidance on: Civil Unrest, Severe Injury or Death and Severe Weather.
With extreme weather events increasing in frequency and severity, there was a need for our IBX® data center site managers to be equipped to manage their respective sites’ responses. Each of our locations has a site-specific Severe Weather Checklist engrained in site procedures so that there is no need to wait for the BCPO to drive efforts during an extreme weather event. In 2022, we piloted standardized exercises to test preparedness for extreme weather, including standardizing the drill, trigger and output so that we can audit and compare all sites globally.
In 2022, all IBX® data center sites were required to perform one of two specific Business Continuity Scenarios, either Building Management System (BMS) Failure or Civil Unrest Outside the Site Location. Additional scenarios are expected to be tested in 2023.