Willem A. Hoekstra Business Continuity Management in Banking Industry World Continuity Congress...
BCM in Banking Industry
Willem A. Hoekstra, M, MBA, MBCI, BCCE
Regional head of BCM and Corporate Security
Asia ex Japan
Nomura International (Hong Kong)
Table of contents
1. Concepts
2. Methodology
We ♥ Crises
Executive Summary
危機 (crisis)
1. Concepts
The principles of Business Continuity Management
What is BCM
• BCM = ORM
• BCM = IT
• BCM = alternative seating / Corporate Services
• BCM = Security
• BCM = IT Security
• BCM = BCP
• BCM = Evacuations
• BCM = Call tree
• BCM = Testing
• BCM = Crisis Management
• BCM = 2013
• BCM = $$$
• BCM = Corporate Communications
• BCM = Operations
• BCM = Avian Flu Pandemic
BCM
• Preparing a response to unexpected disruptions
BCM = 2013?
Why Now?
• December 25, 1925
• Higher risk?
– 9/11?
– Global warming
– IT-dependency and integrated global processes: small glitches can have massive & immediate financial impact
– Processes are ‘cutting-edge’, more sensitive
– Media & communication much faster: reputation loss in minutes
Unless IT is your business, Business Continuity is not (only) IT!
Can we meet the commitment to our customers?
BCM is not about predicting the cause of disruptions but about preparing for the consequences
BANK =
- Buildings
- People
- IT
- Suppliers
- Capital
- Clients
Buildings
People
IT
Capital
Third parties
Black Swan theory
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – there are things we do not know we don't know.”
—United States Secretary of Defense Donald Rumsfeld
The likelihood of something very unlikely happening is very likely
No business means: Impact
A. Loss of revenues & loss of opportunities
B. Non-financial impact: loss of reputation, legal claims, regulatory problems
Nomura is a bank
Recap: some principles
• BCM is about continuity of Business, which requires
– Office
– People
– IT
– Capital
– Third parties
• BCM is not about predicting the cause, but preparing for the consequence. However…
• Impact can be financial
– Immediate loss
– Missed opportunities
• Impact can be non-financial
– Reputation
– Legal
– Regulatory / compliance
• Impact can be upstream / downstream: Dependencies
Motivation to do BCM
1. Financial Sector is vital to society – National Financial Authorities
• MAS; HKMA; FSA; FAS; ECB; FED; Etc. etc. etc.
• ORM standards / Basle-III capital requirements
• Information Security standards
2. BCM as “Insurance policy”; or…
3. Resilience as quality attribute of banking services
2. Methodology
The profession of Business Continuity Management
The BCM Methodology
1. Crisis Management Team
2. Setting Priorities (Business Impact Analysis)
3. Plan a response (Business Continuity Plan)
4. Build the facilities (Alternative work space & IT-DR)
5. Test & exercise the plans and facilities
6. Embedding into the organization
Step 1: Building a Crisis Management Team (CMT)
• CMT
• The CMT plan
• The Command Center
• The CMT scenario exercise
• Emergency communication: the Call Tree
Step 2 – Priorities. The Business Impact Analysis (BIA)
An objective Analysis of all units:
1. What are the processes & activities
2. How much will it cost if you cannot do your activity
– Per timeslot
– Financial / non-financial
3. What are the minimal requirements to continue doing what you’re doing
– Per timeslot
– Office space, people, IT, other
4. Dependencies
– Upwards & downwards
Based on consolidation of this, the time-critical priorities become clear
Online BIA
Step 3: Business Continuity Plan (BCP): What are we going to do?
• Business Continuity Plans: Practical ‘runbook’ specifying:
– Continuity Strategy
– Response organization and special mandates
– Communication procedures
– List of activities to be recovered first
– Invocation procedures of alternative facilities and DR
– Practicalities like Transportation options
– Cash provisions
– Emergency passwords, security & compliance waivers
– Resources and Systems that can be expected available in DR-mode
– Restoration plan: procedure to return to Business-as-Usual
• Evacuation and people safety plan
• Communication Plan
– Communication messages for the key stakeholders: clients, staff, authorities, shareholders, media, public
• Special plans – where applicable
– Pandemic diseases
– Earthquake
– Typhoon
– Monsoon
– Bank run
BCP - I
Continuity strategies
• Facilities
– Alternate Site, perhaps Engage external service provider
– Split Site: Reciprocal arrangement (where possible) or Service office rental
– Remote Working: Ability to work outside of SG premises via remote access*
• People
– Backup Team, Formed from within the country or regional / global
– Split Site, Staff working from the unaffected sites
– Rotating Shift Team, Staff working in rotating shift
• Vital Records
– Offsite Backup e.g. backup tapes sent offsite, copy files to backup server, replicate hardcopy and send offsite
– Reconstruct From Source: Obtain source documents for reconstruction
• IT Systems
– Data-Centre hosting: Disaster Recovery system (hardware, software) at another location; Active-Active Configuration, etc.
– Alternate Workaround Procedures: Continue to operate around the system e.g. using hardcopy files, log trading deals in the paper blotter, and transaction slips
• Dependencies
– Reduce Concentration Risk: Engage two or more service providers capable of delivering the required service
– Switch to alternate service provider
– Take over the activities from the service provider
BCP - II
Step 4. Facilities
• In Hong Kong:
– Around 172 Work Area Recovery seats
– IT-DR of critical applications and data. Many applications in Tokyo
• Other possible facilities:
– Remote-working
– Face masks
– Satellite phones
– Automated Call tree tools
– Mini-booklets
– etc
5. Testing
• Testing AND Exercise
• Component test, BU test and Business Integration Test
– Coordination with IT and Admin, plus end-users
– Test scenario, test script & test case development
– Monitor test findings & follow-up
6. Embedding into the organization
• Awareness & training
• Sense-of-urgency
• Responsibility
• Organization
The BCM Methodology
1. Crisis Management Team
2. Setting Priorities (Business Impact Analysis)
3. Plan a response (Business Continuity Plan)
4. Build the facilities (Alternative work space & IT-DR)
5. Test & exercise the plans and facilities
6. Embedding into the organization