Business%20Continuity%20%20%20and%20Crisis%20Management

1

• Business Continuity and Crisis
  Management
• Michael van Doeveren and Paul Osse
  Conference Financial Sector of Macedonia on
  Payments and Securities Settlement Systems
• Ohrid 23 June 2008

2
Agenda

• Introduction
• The Dutch situation
• DNB Assessment Framework
• Concepts of crisis management
• Arrangements and initiatives in the Netherlands
• The Escalation Committee for Payments and
  Securities
• Government initiatives on Critical Infrastructure
  Protection Dutch Counterterrorism Alert System
• International context
• Concluding remarks
• Questions

3
What is Business Continuity?

• Business Continuity Management a
  whole-of-business approach, that includes
  policies, standards, and procedures, to ensure
  (critical) operations can be maintained, or
  restored in a timely fashion, in the event of a
  disruption.
• Its purpose is to minimise the financial, legal,
  reputational and other material consequences
  arising from disruptionSource BIS 2005

4
BCP in an international context

• The American White Paper on Sound Practises to
  strengthen the Resilience of the US Financial
  System
• The Tripartite Standing Committee on Financial
  Stability
• Bank of Japan resilience plans
• Initiatives of the Eurosystem
• Joint Forum/Financial Stability Forum/BIS/CPSS
  work

5
The Dutch situation

• Small country, few large banks
• DNB is both central bank and prudential
  supervisor for banks, pension funds and
  insurance companies
• Financial core infrastructure for Payments and
  Securities, in NL defined as
• Central bank
• CSD (Euroclear Netherlands)
• CCP (LCH.Clearnet SA)
• Stock exchange (NYSE Euronext Amsterdam)
• ACH (Equens Netherlands)
• Major banks (a.o. ABN AMRO, Fortis, ING, Rabobank)

6
DNB BCP Assessment Framework
7
DNB BCP Assessment Framework (1)

• First version in 2004, new version in 2007
• Drafted in cooperation with the financial
  institutions
• Commitment to use it on a high level
• Assessment Framework consists of
• 9 principles
• Guidance note Human Factor
• Agreement between DNB and the financial sector
  for joint BCP initiatives
• In line with international principles such as BIS
  
• Used by supervisor and overseer to assess the
  institutions
• of the financial core infrastructure against
  these principles

8
DNB BCP Assessment Framework (2)

1. BCP should be approved by the EB/senior
   management
2. Risk analyses of critical systems and activities
   should be made
3. Explicit attention should be paid to the human
   factor

9
DNB BCP Assessment Framework (3)

• 4. Each institution should have a crisis
  organisation, including senior management
• Single points of failure (SPOFs) should be
  identified
• Critical processes and systems should be resumed
  as quickly as possible

10
DNB BCP Assessment Framework (4)

• 7. A back-up site/secondary site should be
  available
• 8. Alternate systems and contingency procedures
  should be regularly tested and exercised
• 9. Each institutions should have a
  communication plan for all stakeholders

11
Guidance Note Human factor

• Assessment showed that institutions have problems
  with principle 3, paying explicit attention to
  the human factor
• DNB developed a Guidance note human factor to
  assess the human factor aspect for critical
  systems and business processes, depending on the
  level of knowledge that is required (specific in
  the extreme, highly specific, specific, not very
  specific, not specific)
• Matrix with level of required knowledge and human
  factor strategy ? see www.dnb.nl payments - BCP

12

• GUIDANCE NOTE REGARDING IMPLEMENTATION
  CONTINUITY OF THE HUMAN FACTOR FOR CRITICAL
  SYSTEMS/ BUSINESS PROCESSES

13
Required Knowledge

• Specific in the extreme.
• Highly specific.
• Specific.
• Not very specific.
• Not specific.

14
Ways of ensuring staff continuity 1. double staffing at another location 2. planned scheduling days off 3. shift work 4. use of staff from another location where a similar situation is operational 5. use of staff from another location where a similar situation is not operational
Required level of knowledge of systems/business processes

specific in the extreme (a) red
highly specific (b)
specific (c)
not very specific (d) green
not specific (e)
15
Concepts of crisis management (for payments)
16
Concepts of crisis managementfor the payment
system (1)

• Basic assumption
• Payments can be regarded as what oil is for an
  engine
• Continuity of payments is essential for both the
  public and the financial system.
• Consequences
• Measures should be implemented that guarantee
  business continuity of the payment system
• Implementation of a crisis management structure
  to prevent contagion and limitation the risks as
  for as possible

17
Concepts of crisis managementfor the payment
system (2)

• Crisis management preconditions
• Involvement required of critical participants of
  the whole payment system
• Focus the continuation of the operation of the
  whole payment chain.
• Implementation
• Formation of crises management team
• Prepare organisation. Discuss objectives, define
  concept crisis management, investigate objects,
  invest existing measures, define effectiveness
  measures, investigate alternatives
• Prepare and perform tests. Both internal and
  sector wide. (include suppliers of critical
  services and local and national government)

18
Arrangements and initiatives in the Netherlands

• The Escalation Committee for Payments and
  Securities

19
Escalation Committee history Why

• Escalation Committee established around the euro-
  introduction in 1999
• Stand-by at millennium
• To cooperate in case of problems
• WHEN something could happen was rather clear
• Today The issue is back on the agenda
• Overall agreement that sector-wide coordination
  and cooperation is needed to handle (operational)
  crises in payments and securities.
• You need each other in times of crisis!
• WHEN is not clear ? Escalation Committee is
  Crisis management organisation for payments and
  securities

20
Escalation Committee - Who

• The Dutch financial core infrastructure
• Market infrastructures Central bank, ACH, Stock
  Exchange, CSD, CCP
• Major banks (a.o. ABN Amro, ING, Rabobank,
  Fortis)
• Other members Dutch banking association,
  representing other banks, scheme owner payment
  products
• DNB is chairman and secretary, and linking pin ot
  other authorities
• Members have decision-making mandate of their
  organisation for payments and securities issues

21
Escalation Committee What

• Crisis management
• Respond to payments and securities sector-wide
• (major) operational crises procedures regarding
  
• (one voice) communication, decision making etc.
• Members of the committee are linking pin to their
  
• own crisis organisations
• Sector BCM
• Peace time preparation for times of crises
  plans, good overview of critical processes for
  the sector, alternatives and possibilities in
  case of a crisis, communication, knowing each
  other

22
Escalation Committee - When

• When market infrastructures or banks
• have a crisis,
• might not meet their Recovery Time Objectives
  (RTO)
• or when individual measures are insufficient,
• this can have sector-wide impact.
• The chairperson of the Escalation Committee needs
• to be notified.
• When outside-in crises (flood, pandemic, etc)
  have
• impact on more than one institution in the field
• of payments and securities, the Escalation
• Committee needs to assess the sector impact.

23
Escalation model
24
Escalation Committee How

• Red Booklet contains information about
• Crisis management, communication and decision
  making procedures
• Wholesale, retail, securities alternatives
• However, not many viable alternatives Possible
• alternatives based on rerouting of key processes
  
• CLS, TARGET1/2, EBA, correspondents
• Cash/ATMs, mass payments, one-off direct debit
• Bilateral accounts for OTC etc.
• In practice combination of emergency procedures
• of the different parts of the chain
• At the moment no viable alternative for SWIFT
• Communication and trust is key!

25
Example Wholesale (1)
26
Example Wholesale (2)

• The following were regarded as the most important
  wholesale payments (per bank)
• CLS incoming (and outgoing) payments
• MM and FX transactions
• Liquidity transfers to/from offices/agents abroad
• EBA settlement payments and liquidity swaps
• Payments for the clearing and settlement of
  securities
• Critical payments for clients (corporates,
  pension funds)
• Margin calls (collateral for securities
  clearing)
• Broadly speaking, around 20-30 critical payments
  per bank per day
• In case of one banks failure, this can be
  processed manually
• In case of TARGET2 failure, strict rules apply
  only very critical payments can be processed

27
Arrangements and initiatives in the Netherlands

• Government project on critical infrastructure
  protection (CIP)

28
CIP in the Netherlands

• Government project on critical infrastructure
  protection was started in 2004
• In cooperation with the private sector, the
  government defined 12 infrastructures as
  critical airports, public transport, energy,
  health care, etc.
• Payments and securities processing is one of them
• Follow up of the project in 2004, among others
  Counterterrorism Alert System

29
Dutch Counterterrorism Alert System (1)

• Set up by the government in 2005 to alert
  critical infrastructures in the event of
  heightened terrorist threat
• Measures to be taken quickly in order to minimise
  the risk and to limit the potential impact of
  terrorist acts.
• Cooperation between the government and private
  sectors
• More than 10 sectors are currently connected
  (a.o. airports, harbours, public transport, oil
  and gas, etc.)
• Financial core infrastructure (including
  Netherlands Bankers Association representing the
  other banks) connected as of May 1, 2006

30
Dutch Counterterrorism Alert System (2)

• Four levels of threat standard, low, moderate,
  high
• Each level comes with its own set of (additional)
  security measures, both for the sector and for
  the government
• Government and sector agree together on the
  measures to be taken
• Contacts with local authorities very important
• Workshops, tests and exercises are organised per
  sector

31
Experiences Counterterrorism Alert System

• Formalised (communication) procedures to inform
  the sector about threats
• Increased cooperation and information sharing
  within the financial sector in the area of
  security and with other sectors (such as energy
  and telecom)
• Improved contacts and cooperation with local
  authorities and other stakeholders (police,
  community, fire brigade, neighbour companies
  etc.) who is doing what and going where in times
  of crisis?

32
Exercising experienceThink BIG, start SMALL

• For Escalation Committee and Counterterrorism
  Alert System exercises increase in complexity and
  depth
• Connectivity/communication tests several times a
  year
• Crisis management workshops Discussion, based on
  scenario
• Table top exercises simulation with real play
• Large scale government exercise regarding ICT and
  cybercrime
• Operational exercise where security measures are
  taken for real
• Next step complete market wide exercise?

33
International context for business continuity in
payments and securities

• Dutch market infrastructure is hardly Dutch
  anymore
• This is due to the consolidation trend and the
  battle for efficiency
• Not only for commercial institutions, but also
  for central banks
• An operational crisis in Brussels/Frankfurt/Paris
  may impact the Dutch market more than a local
  crisis in Amsterdam

34
Increasing (need for) interaction cooperation

• Linked to ESCB crisis management
• Co-ordinated communication with market
  infrastructures en major participants
• Possible international solutions to domestic
  problems
• Central banks can help each other
• Solving problems in cooperation

35
Concluding remarks

• Regular assessments work!
• Increase your level of resilience by
• Control Top level commitment
• Coordination Central bank/regulator role
• Cooperation Financial core infrastructure
• Communication All stakeholders, both national
  and international
• Exercising keeps BCP alive
• Human factor is key for everything

36
Questions

• www.dnb.nl / payments / BCP