Willem A. Hoekstra Business Continuity Management in Banking Industry World Continuity Congress...

Willem A. Hoekstra, Regional head of BCM and Corporate Security Asia ex Japan, Nomura International (Hong Kong), shares his experiences of the concepts and methodology of BCM in the banking industry with delegates at the World Continuity Congress (WCC), Singapore, 22 April 2014, at the Carlton Hotel. Copyright 2014 @ World Continuity Congress www.worldcontinuitycongress.com BCM Institute www.bcm-institute.org Read more of Willem Hoekstra @ http://www.bcmpedia.org/wiki/Willem_Hoekstra


BCM in Banking Industry

Willem A. Hoekstra, M, MBA, MBCI, BCCE
Regional head of BCM and Corporate Security
Asia ex Japan
Nomura International (Hong Kong)

Table of contents

1. Concepts
2. Methodology

We ♥ Crises

Executive Summary

危機 (crisis)

1. Concepts

The principles of Business Continuity Management

• BCM = ORM
• BCM = IT
• BCM = alternative seating / Corporate Services
• BCM = Security
• BCM = IT Security
• BCM = BCP
• BCM = Evacuations
• BCM = Call tree
• BCM = Testing
• BCM = Crisis Management
• BCM = 2013
• BCM = $$$
• BCM = Corporate Communications
• BCM = Operations
• BCM = Avian Flu Pandemic

What is BCM

• Preparing a response to unexpected disruptions

BCM


BCM = 2013 ?


• December 25, 1925
• Higher risk?
  – 9/11?
  – Global warming
  – IT-dependency and integrated global processes: small glitches can have massive & immediate financial impact
  – Processes are ‘cutting-edge’, more sensitive
  – Media & communication much faster: reputation loss in minutes

Why Now?

Unless IT is your business, Business Continuity is not (only) IT!


Can we meet the commitment to our customers


BCM is not about predicting the cause of disruptions but about preparing for the consequences

BANK =
- Buildings
- People
- IT
- Suppliers
- Capital
- Clients

Buildings


People


IT


Capital


Third parties


Black Swan theory

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – there are things we do not know we don't know.”

—United States Secretary of Defense Donald Rumsfeld

The likelihood of something very unlikely happening is very likely

No business means: Impact

A. Loss of revenues & loss of opportunities

B. Non-financial impact: loss of reputation, legal claims, regulatory problems

Nomura is a bank

• BCM is about continuity of Business, which requires
  – Office
  – People
  – IT
  – Capital
  – Third parties
• BCM is not about predicting the cause, but preparing for the consequence. However…
• Impact can be financial
  – Immediate loss
  – Missed opportunities
• Impact can be non-financial
  – Reputation
  – Legal
  – Regulatory / compliance
• Impact can be upstream / downstream: Dependencies

Recap: some principles

1. Financial Sector is vital to society – National Financial Authorities
   • MAS; HKMA; FSA; FAS; ECB; FED; Etc. etc. etc.
   • ORM standards / Basle-III capital requirements
   • Information Security standards
2. BCM as “Insurance policy”; or…
3. Resilience as quality attribute of banking services

Motivation to do BCM

2. Methodology

The profession of Business Continuity Management

The BCM Methodology

1. Crisis Management Team
2. Setting Priorities (Business Impact Analysis)
3. Plan a response (Business Continuity Plan)
4. Build the facilities (Alternative work space & IT-DR)
5. Test & exercise the plans and facilities
6. Embedding into the organization

• CMT
• The CMT plan
• The Command Center
• The CMT scenario exercise
• Emergency communication: the Call Tree

Step 1 Building a Crisis Management Team (CMT)

An objective analysis of all units:
1. What are the processes & activities
2. How much will it cost if you cannot do your activity
   – Per timeslot
   – Financial / non-financial
3. What are the minimal requirements to continue doing what you’re doing
   – Per timeslot
   – Office space, people, IT, other
4. Dependencies
   – Upwards & downwards

Based on consolidation of this, the time-critical priorities become clear

Step 2 – Priorities. The Business Impact Analysis (BIA)

Online BIA

• Business Continuity Plans: Practical ‘runbook’ specifying:
  – Continuity Strategy
  – Response organization and special mandates
  – Communication procedures
  – List of activities to be recovered first
  – Invocation procedures of alternative facilities and DR
  – Practicalities like Transportation options
  – Cash provisions
  – Emergency passwords, security & compliance waivers
  – Resources and Systems that can be expected available in DR-mode
  – Restoration plan: procedure to return to Business-as-Usual
• Evacuation and people safety plan
• Communication Plan
  – Communication messages for the key stakeholders: clients, staff, authorities, shareholders, media, public
• Special plans – where applicable
  – Pandemic diseases
  – Earthquake
  – Typhoon
  – Monsoon
  – Bank run

Step 3: Business Continuity Plan (BCP): What are we going to do?

BCP - I

• Facilities
  – Alternate Site, perhaps engage external service provider
  – Split Site: Reciprocal arrangement (where possible) or service office rental
  – Remote Working: Ability to work outside of SG premises via remote access*
• People
  – Backup Team: Formed from within the country or regional / global
  – Split Site: Staff working from the unaffected sites
  – Rotating Shift Team: Staff working in rotating shift
• Vital Records
  – Offsite Backup: e.g. backup tapes sent offsite, copy files to backup server, replicate hardcopy and send offsite
  – Reconstruct From Source: Obtain source documents for reconstruction
• IT Systems
  – Data-Centre hosting: Disaster Recovery system (hardware, software) at another location; Active-Active Configuration, etc.
  – Alternate Workaround Procedures: Continue to operate around the system, e.g. using hardcopy files, logging trading deals in the paper blotter, and transaction slips
• Dependencies
  – Reduce Concentration Risk: Engage two or more service providers capable of delivering the required service
  – Switch to alternate service provider
  – Take over the activities from the service provider

Continuity strategies

BCP - II

• In Hong Kong:
  – Around 172 Work Area Recovery seats
  – IT-DR of critical applications and data. Many applications in Tokyo
• Other possible facilities:
  – Remote-working
  – Face masks
  – Satellite phones
  – Automated Call tree tools
  – Mini-booklets
  – etc.

Step 4. Facilities

• Testing AND Exercise
• Component test, BU test and Business Integration Test
  – Coordination with IT and Admin, plus end-users
  – Test scenario, test script & test case development
  – Monitor test findings & follow-up

5. Testing

• Awareness & training
• Sense-of-urgency
• Responsibility
• Organization

6. Embedding into the organization
