Title: Business%20Continuity%20%20%20and%20Crisis%20Management
1 - Business Continuity and Crisis
Management - Michael van Doeveren and Paul Osse
Conference Financial Sector of Macedonia on
Payments and Securities Settlement Systems - Ohrid 23 June 2008
2Agenda
- Introduction
- The Dutch situation
- DNB Assessment Framework
- Concepts of crisis management
- Arrangements and initiatives in the Netherlands
- The Escalation Committee for Payments and
Securities - Government initiatives on Critical Infrastructure
Protection Dutch Counterterrorism Alert System - International context
- Concluding remarks
- Questions
3What is Business Continuity?
- Business Continuity Management a
whole-of-business approach, that includes
policies, standards, and procedures, to ensure
(critical) operations can be maintained, or
restored in a timely fashion, in the event of a
disruption. - Its purpose is to minimise the financial, legal,
reputational and other material consequences
arising from disruptionSource BIS 2005
4BCP in an international context
- The American White Paper on Sound Practises to
strengthen the Resilience of the US Financial
System - The Tripartite Standing Committee on Financial
Stability - Bank of Japan resilience plans
- Initiatives of the Eurosystem
- Joint Forum/Financial Stability Forum/BIS/CPSS
work
5The Dutch situation
- Small country, few large banks
- DNB is both central bank and prudential
supervisor for banks, pension funds and
insurance companies - Financial core infrastructure for Payments and
Securities, in NL defined as - Central bank
- CSD (Euroclear Netherlands)
- CCP (LCH.Clearnet SA)
- Stock exchange (NYSE Euronext Amsterdam)
- ACH (Equens Netherlands)
- Major banks (a.o. ABN AMRO, Fortis, ING, Rabobank)
6DNB BCP Assessment Framework
7DNB BCP Assessment Framework (1)
- First version in 2004, new version in 2007
- Drafted in cooperation with the financial
institutions - Commitment to use it on a high level
- Assessment Framework consists of
- 9 principles
- Guidance note Human Factor
- Agreement between DNB and the financial sector
for joint BCP initiatives - In line with international principles such as BIS
- Used by supervisor and overseer to assess the
institutions - of the financial core infrastructure against
these principles
8DNB BCP Assessment Framework (2)
- BCP should be approved by the EB/senior
management - Risk analyses of critical systems and activities
should be made - Explicit attention should be paid to the human
factor
9DNB BCP Assessment Framework (3)
- 4. Each institution should have a crisis
organisation, including senior management - Single points of failure (SPOFs) should be
identified - Critical processes and systems should be resumed
as quickly as possible
10DNB BCP Assessment Framework (4)
- 7. A back-up site/secondary site should be
available - 8. Alternate systems and contingency procedures
should be regularly tested and exercised - 9. Each institutions should have a
communication plan for all stakeholders
11Guidance Note Human factor
- Assessment showed that institutions have problems
with principle 3, paying explicit attention to
the human factor - DNB developed a Guidance note human factor to
assess the human factor aspect for critical
systems and business processes, depending on the
level of knowledge that is required (specific in
the extreme, highly specific, specific, not very
specific, not specific) - Matrix with level of required knowledge and human
factor strategy ? see www.dnb.nl payments - BCP
12- GUIDANCE NOTE REGARDING IMPLEMENTATION
CONTINUITY OF THE HUMAN FACTOR FOR CRITICAL
SYSTEMS/ BUSINESS PROCESSES
13Required Knowledge
- Specific in the extreme.
- Highly specific.
- Specific.
- Not very specific.
- Not specific.
-
14Ways of ensuring staff continuity 1. double staffing at another location 2. planned scheduling days off 3. shift work 4. use of staff from another location where a similar situation is operational 5. use of staff from another location where a similar situation is not operational
Required level of knowledge of systems/business processes
specific in the extreme (a) red
highly specific (b)
specific (c)
not very specific (d) green
not specific (e)
15Concepts of crisis management (for payments)
16Concepts of crisis managementfor the payment
system (1)
- Basic assumption
- Payments can be regarded as what oil is for an
engine - Continuity of payments is essential for both the
public and the financial system. - Consequences
- Measures should be implemented that guarantee
business continuity of the payment system - Implementation of a crisis management structure
to prevent contagion and limitation the risks as
for as possible
17Concepts of crisis managementfor the payment
system (2)
- Crisis management preconditions
- Involvement required of critical participants of
the whole payment system - Focus the continuation of the operation of the
whole payment chain. - Implementation
- Formation of crises management team
- Prepare organisation. Discuss objectives, define
concept crisis management, investigate objects,
invest existing measures, define effectiveness
measures, investigate alternatives - Prepare and perform tests. Both internal and
sector wide. (include suppliers of critical
services and local and national government)
18Arrangements and initiatives in the Netherlands
- The Escalation Committee for Payments and
Securities
19Escalation Committee history Why
- Escalation Committee established around the euro-
introduction in 1999 - Stand-by at millennium
- To cooperate in case of problems
- WHEN something could happen was rather clear
- Today The issue is back on the agenda
- Overall agreement that sector-wide coordination
and cooperation is needed to handle (operational)
crises in payments and securities. - You need each other in times of crisis!
- WHEN is not clear ? Escalation Committee is
Crisis management organisation for payments and
securities
20Escalation Committee - Who
- The Dutch financial core infrastructure
- Market infrastructures Central bank, ACH, Stock
Exchange, CSD, CCP - Major banks (a.o. ABN Amro, ING, Rabobank,
Fortis) - Other members Dutch banking association,
representing other banks, scheme owner payment
products - DNB is chairman and secretary, and linking pin ot
other authorities - Members have decision-making mandate of their
organisation for payments and securities issues
21Escalation Committee What
- Crisis management
- Respond to payments and securities sector-wide
- (major) operational crises procedures regarding
- (one voice) communication, decision making etc.
- Members of the committee are linking pin to their
- own crisis organisations
- Sector BCM
- Peace time preparation for times of crises
plans, good overview of critical processes for
the sector, alternatives and possibilities in
case of a crisis, communication, knowing each
other
22Escalation Committee - When
- When market infrastructures or banks
- have a crisis,
- might not meet their Recovery Time Objectives
(RTO) - or when individual measures are insufficient,
- this can have sector-wide impact.
- The chairperson of the Escalation Committee needs
- to be notified.
- When outside-in crises (flood, pandemic, etc)
have - impact on more than one institution in the field
- of payments and securities, the Escalation
- Committee needs to assess the sector impact.
23Escalation model
24Escalation Committee How
- Red Booklet contains information about
- Crisis management, communication and decision
making procedures - Wholesale, retail, securities alternatives
- However, not many viable alternatives Possible
- alternatives based on rerouting of key processes
- CLS, TARGET1/2, EBA, correspondents
- Cash/ATMs, mass payments, one-off direct debit
- Bilateral accounts for OTC etc.
- In practice combination of emergency procedures
- of the different parts of the chain
- At the moment no viable alternative for SWIFT
- Communication and trust is key!
25Example Wholesale (1)
26Example Wholesale (2)
- The following were regarded as the most important
wholesale payments (per bank) - CLS incoming (and outgoing) payments
- MM and FX transactions
- Liquidity transfers to/from offices/agents abroad
- EBA settlement payments and liquidity swaps
- Payments for the clearing and settlement of
securities - Critical payments for clients (corporates,
pension funds) - Margin calls (collateral for securities
clearing) - Broadly speaking, around 20-30 critical payments
per bank per day - In case of one banks failure, this can be
processed manually - In case of TARGET2 failure, strict rules apply
only very critical payments can be processed
27Arrangements and initiatives in the Netherlands
- Government project on critical infrastructure
protection (CIP)
28CIP in the Netherlands
- Government project on critical infrastructure
protection was started in 2004 - In cooperation with the private sector, the
government defined 12 infrastructures as
critical airports, public transport, energy,
health care, etc. - Payments and securities processing is one of them
- Follow up of the project in 2004, among others
Counterterrorism Alert System
29Dutch Counterterrorism Alert System (1)
- Set up by the government in 2005 to alert
critical infrastructures in the event of
heightened terrorist threat - Measures to be taken quickly in order to minimise
the risk and to limit the potential impact of
terrorist acts. - Cooperation between the government and private
sectors - More than 10 sectors are currently connected
(a.o. airports, harbours, public transport, oil
and gas, etc.) - Financial core infrastructure (including
Netherlands Bankers Association representing the
other banks) connected as of May 1, 2006
30Dutch Counterterrorism Alert System (2)
- Four levels of threat standard, low, moderate,
high - Each level comes with its own set of (additional)
security measures, both for the sector and for
the government - Government and sector agree together on the
measures to be taken - Contacts with local authorities very important
- Workshops, tests and exercises are organised per
sector
31Experiences Counterterrorism Alert System
- Formalised (communication) procedures to inform
the sector about threats - Increased cooperation and information sharing
within the financial sector in the area of
security and with other sectors (such as energy
and telecom) - Improved contacts and cooperation with local
authorities and other stakeholders (police,
community, fire brigade, neighbour companies
etc.) who is doing what and going where in times
of crisis?
32Exercising experienceThink BIG, start SMALL
- For Escalation Committee and Counterterrorism
Alert System exercises increase in complexity and
depth - Connectivity/communication tests several times a
year - Crisis management workshops Discussion, based on
scenario - Table top exercises simulation with real play
- Large scale government exercise regarding ICT and
cybercrime - Operational exercise where security measures are
taken for real - Next step complete market wide exercise?
33International context for business continuity in
payments and securities
- Dutch market infrastructure is hardly Dutch
anymore - This is due to the consolidation trend and the
battle for efficiency - Not only for commercial institutions, but also
for central banks - An operational crisis in Brussels/Frankfurt/Paris
may impact the Dutch market more than a local
crisis in Amsterdam
34Increasing (need for) interaction cooperation
- Linked to ESCB crisis management
- Co-ordinated communication with market
infrastructures en major participants - Possible international solutions to domestic
problems - Central banks can help each other
- Solving problems in cooperation
35Concluding remarks
-
- Regular assessments work!
- Increase your level of resilience by
- Control Top level commitment
- Coordination Central bank/regulator role
- Cooperation Financial core infrastructure
- Communication All stakeholders, both national
and international - Exercising keeps BCP alive
- Human factor is key for everything
36Questions
- www.dnb.nl / payments / BCP