De Nederlandsche Bank Eurosysteem. Business Continuity Planning and Crisis Management & Principles for Financial Market Infrastructures. Michael van Doeveren, 4th Conference on Payments and Securities Settlement, Ohrid, Republic of Macedonia, 22 June 2011.

Business Continuity Planning and Crisis Management & Principles for Financial Market Infrastructures

De Nederlandsche Bank Eurosysteem

Business Continuity Planning and Crisis Management & Principles for Financial Market Infrastructures

Michael van Doeveren, 4th Conference on Payments and Securities Settlement, Ohrid, Republic of Macedonia, 22 June 2011

De Nederlandsche Bank

Contents

• Introduction
• DNB Assessment Framework Business Continuity Planning
• Concepts of Crisis Management
• Arrangements and initiatives in the Netherlands
• Concluding remarks BCP
• FMI Principles

What is Business Continuity?

Business Continuity Management: a whole-of-business approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption.

Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption

Source: BIS 2005

BCP in an international context

• The American White Paper on Sound Practices to strengthen the Resilience of the US Financial System
• The Tripartite Standing Committee on Financial Stability
• Bank of Japan resilience plans
• Initiatives of the Eurosystem
• Joint Forum/Financial Stability Forum/BIS/CPSS’ work

The Dutch situation

• Small country, few large banks
• DNB is both central bank and prudential supervisor for banks, pension funds and insurance companies
• Financial core infrastructure for Payments and Securities, in NL defined as:
  - Central bank
  - CSD
  - CCP
  - Stock exchange
  - ACH
  - Major banks

DNB BCP Assessment Framework (1)

• First version in 2004, current version of 2007
• Drafted in cooperation with the financial institutions
• Commitment to use it on a high level
• Assessment Framework consists of:
  - 9 ‘principles’ based on international standards
  - Guidance note Human Factor
  - Agreement between DNB and the financial sector for joint BCP initiatives
• In line with international principles such as BIS
• Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles

DNB BCP Assessment Framework (2)

1. BCP should be approved by the EB/senior management

2. Risk analyses of critical systems and activities should be made

3. Explicit attention should be paid to the human factor

DNB BCP Assessment Framework (3)

4. Each institution should have a crisis organisation, including senior management

5. Single points of failure (SPOFs) should be identified

6. Critical processes and systems should be resumed as quickly as possible

DNB BCP Assessment Framework (4)

7. A back-up site/secondary site should be available

8. Alternate systems and contingency procedures should be regularly tested and exercised

9. Each institution should have a communication plan for all stakeholders

Guidance Note Human factor

Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor

DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required: specific in the extreme, highly specific, specific, not very specific, not specific

Matrix with level of required knowledge and human factor strategy see www.dnb.nl

Ways of ensuring staff continuity

1. double staffing at another location

2. planned scheduling days off

3. shift work

4. use of staff from another location where a similar situation is operational

5. use of staff from another location where a similar situation is not operational

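Required level of knowledge of systems/business processes

(a) specific in the extreme

(b) highly specific

(c) specific

(d) not very specific

(e) not specific

[Matrix figure: ways of ensuring staff continuity (1-5) against required level of knowledge (a-e); only the cell colour labels ‘red’ and ‘green’ survive from the original slide]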

Concepts of crisis management for the payment system (1)

Basic assumption

• Payments can be regarded as what oil is for an engine
• Continuity of payments is essential for both the public and the financial system.

Consequences

• Measures should be implemented that guarantee business continuity of the payment system
• Implementation of a crisis management structure to prevent contagion and limit the risks as far as possible

Concepts of crisis management for the payment system (2)

Crisis management preconditions

• Involvement required of critical participants of the whole payment system
• Focus on the continuation of the operation of the whole payment chain.

Implementation

• Formation of crisis management team
• Prepare organisation. Discuss objectives, define concept crisis management, investigate objects, invest existing measures, define effectiveness measures, investigate alternatives
• Prepare and perform tests. Both internal and sector wide.

Tripartite Crisis Management in the Netherlands

Tripartite Crisis Management: Ministry of Finance, AFM, DNB

Consultation Group (Board level)

Advisory Groups: - Retail - Wholesale - Securities

Crisis Management – What

Crisis management

• Respond to payments and securities sector-wide
• Operational crises: procedures regarding communication, decision making etc.

‘Sector BCM’

• ‘Peace time’ preparation for times of crises; plans, good overview of critical processes for the sector, alternatives and possibilities in case of a crisis, communication, knowing each other

Escalation model

[Figure: escalation model. Labels: Alert, Scaling, Activation. Axes: type of crisis (Local, Global) and impact for payments and securities (Small, Large)]

Crisis Management – How

• “Red Booklet” contains information about:
  - Crisis management, communication and decision making procedures
  - Wholesale, retail, securities alternatives
• However, not many viable alternatives
• Possible alternatives based on rerouting of key processes:
  - CLS, TARGET2, EBA, correspondents
  - Cash/ATMs, mass payments, one-off direct debit
  - Bilateral accounts for OTC etc.
• In practice: combination of emergency procedures of the different parts of the chain
• At the moment no viable alternative for SWIFT
• Communication and trust is key!

Example – Wholesale (1)

[Diagram: payment flows from and to the institutions themselves and/or their clients. Columns: Institutions, Transport, Payment circuit/system. Labels: SWIFT; EURO1 (EUR); TARGET/local TARGET components/TARGET2 (EUR); CLS (EUR and non-EUR); Correspondent Banking (EUR and non-EUR)]

Example – Wholesale (2)

The following were regarded as the most important wholesale payments (per bank):

• CLS incoming (and outgoing) payments
• MM and FX transactions
• Liquidity transfers to/from offices/agents abroad
• EBA settlement payments and liquidity swaps
• Payments for the clearing and settlement of securities
• Critical payments for clients (corporates, pension funds)
• ‘Margin calls’ (collateral for securities clearing)

Broadly speaking, around 20-30 critical payments per bank per day

In case of one bank’s failure, this can be processed manually

In case of TARGET2 failure, strict rules apply; only ‘very critical payments’ can be processed

CIP in the Netherlands

Government project on critical infrastructure protection started in 2004

In cooperation with the private sector, the government defined 12 infrastructures as critical: airports, public transport, energy, health care, etc.

Payments and securities processing is one of them

Follow up of the project in 2004, among others: Counterterrorism Alert System

Dutch Counterterrorism Alert System (1)

Set up by the government in 2005 to ‘alert’ critical infrastructures in the event of heightened terrorist threat

Measures to be taken quickly in order to minimise the risk and to limit the potential impact of terrorist acts.

Cooperation between the government and private sectors

More than 10 sectors are currently connected (a.o. airports, harbours, public transport, oil and gas, etc.)

Financial core infrastructure connected as of May 1, 2006

Dutch Counterterrorism Alert System (2)

Four levels of threat: standard, low, moderate, high

Each level comes with its own set of (additional) security measures, both for the sector and for the government

Government and sector agree together on the measures to be taken

Contacts with local authorities very important

Workshops, tests and exercises are organised per sector

Experiences Counterterrorism Alert System

Formalised (communication) procedures to inform the sector about threats

Increased cooperation and information sharing within the financial sector in the area of security and with other sectors

Improved contacts and cooperation with local authorities and other stakeholders (police, community, fire brigade, neighbour companies etc.)

Exercising experience

Think BIG, start SMALL

For Crisis Management exercises increase in complexity and depth:

• Connectivity/communication tests: several times a year
• Crisis management workshops: Discussion, based on scenario
• Table top exercises: simulation with ‘real play’
• Large scale government exercise regarding ICT and cybercrime
• Operational exercise where security measures are taken for real

Market wide exercises

International context for business continuity in payments and securities

“Dutch” market infrastructure is hardly Dutch anymore

This is due to the consolidation trend and the battle for efficiency

Not only for commercial institutions, but also for central banks

An operational crisis in Brussels/Frankfurt/Paris may impact the Dutch market more than a local crisis in Amsterdam

Increasing (need for) interaction & cooperation

• Linked to ESCB crisis management
• Co-ordinated communication with market infrastructures and major participants
• Possible international solutions to “domestic” problems
• Central banks can help each other
• Solving problems in cooperation

Concluding remarks BCP

Regular assessments work!

Increase your level of resilience by:

• Control – Top level commitment
• Coordination – Central bank/regulator role
• Cooperation – Financial core infrastructure
• Communication – All stakeholders, both national and international

Exercising keeps BCP alive

Human factor is key for everything

Principles for Financial Market Infrastructures (FMI)

• Co-production of:
  - BIS Committee on Payment and Settlement Systems
  - Technical Committee of the International Organization of Securities Commissions (IOSCO)
• FMI Principles replace all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems
• Report is for public market consultation until 29 July 2011
• Final report will be published in 2012

FMI Principles (1)

General organisation

• Principle 1: Legal basis
• Principle 2: Governance
• Principle 3: Framework for the comprehensive management of risks

FMI Principles (2)

Credit and liquidity risk management

• Principle 4: Credit risk
• Principle 5: Collateral
• Principle 6: Margin
• Principle 7: Liquidity risk
• Principle 8: Settlement finality
• Principle 9: Money settlements
• Principle 10: Physical deliveries

FMI Principles (3)

Central securities depositories and exchange-of-value settlement systems

• Principle 11: Central securities depositories
• Principle 12: Exchange-of-value settlement systems

FMI Principles (4)

Default management

• Principle 13: Participant-default rules and procedures
• Principle 14: Segregation and portability

FMI Principles (5)

General business and operational risk management

• Principle 15: General business risk
• Principle 16: Custody and investment risk
• Principle 17: Operational risk

FMI Principles (6)

Access

• Principle 18: Access and participation requirements
• Principle 19: Tiered participation arrangements
• Principle 20: FMI links

FMI Principles (7)

Efficiency

• Principle 21: Efficiency and effectiveness
• Principle 22: Communication procedures and standards

FMI Principles (8)

Transparency

• Principle 23: Disclosure of rules and procedures
• Principle 22: Disclosure of market data

Responsibilities of central banks, market regulators and other authorities

Responsibility A: Regulation, supervision and oversight of FMIs

Responsibility B: Regulatory, supervisory, and oversight powers and resources

Responsibility C: Disclosure of objectives and policies with respect to FMIs

Responsibility D: Application of principles for FMIs

Responsibility E: Cooperation with other authorities