Title: IMPLEMENTING BUSINESS CONTINUITY: A BANK OF ENGLAND PERSPECTIVE
1 IMPLEMENTING BUSINESS CONTINUITY: A BANK OF ENGLAND PERSPECTIVE
- STEPHEN P COLLINS
- BANK OF ENGLAND
2 EFFECTIVE PLANNING
FOR AN EFFECTIVE CONTINGENCY PLAN, YOU NEED TO:
- Understand your business: what are the key activities?
- Assess the impact on your institution and on others of not being able to carry them out.
- Establish recovery time objectives: the point where loss of a key activity becomes critical to the business.
- Estimate what is required to provide an acceptable level of service, e.g.:
  - minimum staffing levels over time
  - minimum work-station and telephony requirements over time
  - minimum PC and server requirements over time
  - application requirements over time
3 RESILIENCE MEASURES
- Planning
- Testing/Exercising
- Contingency Sites
- IT Resilience
- Split-Site Working
- Remote Access
- BlackBerries
4 SCENARIO PLANNING
- What are we planning for?
- Five possible types of event:
  - SERVICES: Loss of power, water, sewage to Bank locations
  - COMMUNICATIONS: Loss or severe degradation of public and/or private telephone networks, including mobile networks
  - SYSTEMS: Acute systems failure (e.g. successful virus attack)
  - STAFF: Significant numbers of staff unable/unwilling to travel to work (e.g. transport disruption, civil emergency, flu pandemic)
  - PREMISES: Loss of access to single or multiple Bank locations (e.g. fire/flood/bomb/something worse)
5 HIERARCHY OF PLANS
- Bank of England uses an integrated 3-tier structure of business continuity plans
- High level plan
  - Used by executive and senior management; provides an outline plan of action, assigns responsibilities, identifies key people, and sets out who will be involved in the recovery process. Written and maintained by Business Continuity Division.
- Core and Crisis Function checklists
  - Each function has an individual Action Summary checklist which briefly sets out the key actions required to cover each function. These are brief, cut across areas, and are in note format. Set format, but maintained by lead areas.
- Local area plans
  - These set out what each area needs to do in the aftermath of an operational disruption, and who is responsible. Covers both core/crisis functions and other functions. Are more detailed and cover a longer time frame. We do not impose any set format for these plans.
6 Business Continuity planning structure and ownership
Drafting and testing responsibilities
Plan ownership
Executive Team
Business Continuity Division
Local Area management
BCD and local areas
All Staff
7 WHY TEST?
- To check the assumptions implicit in your plan
- To check that all parties have sufficient knowledge of the plan, and that the plan is adequately documented
- To check that proposed actions are achievable
- To check business resilience
- To check that strategies, technology are appropriate
- To generate confidence in the plan
8 WHAT SHOULD YOU TEST?
- Processes, not individuals
- Communication strategies
  - External interaction (customers, media, etc)
  - Contacting staff
- Plan content
  - Logical, realistic, no assumptions
- Interdependencies
  - Internal and external, including links with civil authorities
- Technology solutions
  - Component level, data centres, data restoration
- Alternative locations
  - Recovery sites, reciprocal arrangements
9 GENERIC FORMS OF TESTS
- Review of local area plans (do they complement or conflict?). Undertaken by a third party.
- Tabletop walk-through. Undertaken by the people mentioned in the plan: talk-through a given scenario. Focus on training, familiarisation with roles, procedures, responsibilities. But no need to arrange elaborate facilities or communications.
- Simulation. Uses a predefined scenario. May be announced or unannounced. As realistic as possible. Takes place in real time. May bring in players to act the roles of external bodies. May test facilities, communications, systems. All decisions and actions generate real responses and consequences from other players.
- Tests of kit, individual processes, premises.
10 Types of tests used at the Bank of England
- Phone cascades
- Desk-top scenario walk-throughs
- Acted-out exercises (testing crisis functions)
- Real-time scenario-based crisis management exercises (both internal and market-wide)
- Connectivity (kit) tests
- Invacuation and evacuation tests
- Live working from contingency sites
11 MARKET WIDE EXERCISE - HISTORY
- Annual exercise to test the resilience of financial sector.
- First MWE in 2003
- Previous scenarios have included floods, and bombs; desktop and live-exercise simulation.
12 MWE 2006
- Human influenza pandemic.
- 70 UK firms took part with some 4,000 participants.
- Largest ever business continuity exercise.
- 6 week rising tide scenario covering several months in exercise time.
- Starting at WHO stage 4 (limited human-to-human transmission) to stage 6 (widespread, worldwide impact).
13 THE TRIPARTITE AUTHORITIES
- HM TREASURY
- BANK OF ENGLAND
- FINANCIAL SERVICES AUTHORITY
14 GOVERNMENT/EMERGENCY SERVICES
COBR
Gold
DMO
HMT
TRIPARTITE AUTHORITIES
Standing Committee
BC Sub-Group
FSA liaison
BoE liaison
Tripartite Press Group
CMBCG
FSC website/ Teleconference
All
Firms, Counterparties, Exchanges, Markets, Clearing Houses, Payment Systems, Settlement systems
Members/ Participants
Other groups
MMLG
FXJSC
FINANCIAL PRIVATE SECTOR
15 SCHEMATIC OF TRIPARTITE/MARKET LIAISON FOR CRISIS MANAGEMENT
- Tripartite elements
- Tripartite/market elements
- Wider government elements
- Tripartite/government elements
- Tripartite/market info. exchange
- Tripartite/wider government links
- Tripartite info. to market
16 GLOSSARY
- BC Sub-Group: Business Continuity Sub-Group of the Tripartite Sub-Committee
- FSA: Financial Services Authority
- BoE: Bank of England
- HMT: Her Majesty's Treasury
- DMO: Debt Management Office
- COBRA: Cabinet Office Briefing Room
- Gold: Strategic Planning Committee
- FSC: Financial Sector Continuity Website (www.fsc.gov.uk)
- CMBCG: Cross Market Business Continuity Group
- MMLG: Money Markets Liaison Group
- FXJSC: Foreign Exchange Joint Standing Committee