BCM – Challenges in Indian Banking Industry
By – Brijendra Yadava
Director, Periculum Technology & Consulting Services
Jan' 2012
© 2012, www.periculum.in (Internal)
Agenda
• Relevance of BCM in Banking Sector
• Basel-II – high-level principles of BC – Summary
• Challenges in Indian Banking Industry, with focus on:
  • Technology recovery considerations in banking sector, especially:
    • Core Banking System
    • Payment & Settlement Systems
    • ATMs
Objectives & Importance
Relevance in Financial Industry
• Business Continuity Management (BCM) is particularly relevant to the banking sector as:
  • It operates in high-risk environments
  • It is part of the crucial financial sector, where the capability to operate continuously is essential, both for the Bank and for its stakeholders including customers
• Growing BC risks and challenges – terrorism, global warming, Arab unrest, financial turmoil – impact is long-term and wider
• Regulatory pressure
• The financial sector is particularly vulnerable, as its institutions are clustered in high-profile business districts, have a highly interdependent supply chain, and their strategic importance impacts the global economy and financial stability
• BC exercises are becoming more complicated, more coordinated and more connected…
• The financial sector itself is becoming more connected and increasingly cooperative, realising the importance of taking an industry-wide approach and the benefits of knowledge-sharing amongst themselves
High Level Principles of BC - Summary
Basel-II
• High Level Principles of Business Continuity, by the Joint Forum of the Basel Committee on Banking Supervision (Basel-II), August 2006
• Special focus, cooperation and expectations from the financial industry
• Intends to promote resilience across national boundaries
• Principles are neither prescriptive nor directive; one size doesn't fit all; have a BC practice that is proportionate to business risks
• 7 high-level principles, mostly from the banking regulator's/auditor's perspective
• Principle 1 - Sound BCM applies to all financial authorities and financial industry participants, and the ultimate responsibility for BCM rests with an organisation's board of directors and senior management.
• Principle 2 - Organisations should explicitly consider and plan for major operational disruptions in light of the increasing frequency of such events.
High Level Principles of BC
Basel-II
• Principle 3 - Participants should develop recovery objectives that reflect the risk they represent to the operation of the financial system. Financial industry participants that provide critical services to, or otherwise present significant risk to the operation of, the financial system should target higher standards in their BCM than other participants. They should aim for a reasonably consistent level of resilience.
• Principle 4 - Stresses the critical importance of BC plans addressing the full range of internal and external communication issues an organisation may encounter in the event of a major operational disruption. It specifically recognises that clear, regular communication during a major operational disruption is necessary to manage a crisis and maintain public confidence.
High Level Principles of BC
Basel-II
• Principle 5 - Highlights cross-border communications during a major operational disruption. Given the deepening interdependencies of financial systems across national boundaries, this principle advises adopting communication protocols that address situations where cross-border communication may be necessary.
• Principle 6 - Emphasises the need to ensure that BC plans are effective and to identify necessary modifications through periodic testing.
• Principle 7 - Incorporate BCM reviews into their frameworks for assessing financial industry participants to ensure that participants are in fact implementing appropriate approaches to BCM that reflect the recovery objectives adopted in accordance with Principles 1 and 3.
BCM Challenges in Indian Banking Industry (Considering following BCM Lifecycle)
BCM Challenges in Indian Banking Industry
• Know your Business - The Bank's business and strategic objectives must be clearly understood amongst the stakeholders: assets, geographies being served, people involved, premises available, information technology being used, markets and geographies to be served, product and service portfolios, key service providers, dependencies, etc.
• BCRA - Consider "right case scenarios" rather than "worst case scenario". Have at least the following steps: Identify, Assess, Measure, Treat, Measure, Sign-off on Residual Risk, Progressively increase Risk Appetite
  • Includes both Risk Prevention and Risk Mitigation
  • Adopting and following an approved RA methodology
  • Can be part of the Enterprise Risk Management of an organisation
BCM Challenges in Indian Banking Industry
• BIA - "You can't improve what you can't measure"
  • Identify Critical Business Functions and assign them a recovery priority
  • Obtaining a correct measure of impact is a challenge. BIA must consider both tangible and intangible impacts that include:
    • Financial impacts (direct or indirect)
    • People impact, including customer impact
    • Impact on productivity/service levels
    • Brand, reputation, regulatory & legal impacts
BCM Challenges in Indian Banking Industry
• BC Strategy - Preparing a fit-for-purpose BC or Resilience strategy is a challenge – BC is always trying to catch up with the dynamics of business growth
• Many a time, the outcomes of the organisation-specific BCRA and BIA are not considered. Very often, they have the following gaps:
  • More of a template-filling exercise.
  • These should cover all key Business Units and functions, including service providers and key dependencies.
  • Its geographic scope must include all locations, cities, countries and properties where the organisation has a presence
• Fundamental premise - Follow Good Practice; flexibility and simplicity must be at the heart of BCM
• The strategy must consider both localised incidents that impact a single location/premises and a city-wide, statewide or even national/regional incident like terrorism or political unrest
BCM Challenges in Indian Banking Industry
Other important considerations include:
• Technology Recovery Plan Considerations (more details in following slides)
• People Recovery Plans / HR Considerations
• Recovery considerations for outsourced functions
• BC Testing Considerations
• Building BC Culture
Technology Recovery Plan Considerations
• Core Banking System
• Payment & Settlement Systems
  • NEFT
  • RTGS
  • SWIFT
• ATMs
• Other – ECS (Electronic Clearance System), CTS (Cheque Truncation System), Netbanking, Mobile banking, Contact Centre, Internal Messaging, etc.
• Outsourced services
Core Banking System
• Gartner defines a core banking system as a back-end system that processes daily banking transactions, and posts updates to accounts and other financial records. Core banking systems typically include deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools.
• For a layman, Core Banking is synonymous with Running the Bank
• It is the heart of a modern financial service organization and is all about providing the banking customers with the right products at the right time through the right channels 24 hours a day, 7 days a week through a multi-location, multi-branch network
• While many banks run core banking in-house, there are some which use outsourced service providers as well. There are several systems integrators like Accenture, IBM and HP which implement these core banking packages at banks.
Top – 5 Core Banking Solution Vendors
1 - FIS | Fidelity National Information Services (FNIS) - Corebank, FIS Alltel Systematics, Sanchez Profile, Horizon ACBS (Advanced Commercial Banking System), Kordoba, ALLprofits, MiSER, BancPac, Metavante
2 - Oracle Financial Services Software (formerly i-flex Solutions) - Flexcube; Microbanker; Finware
3 - Infosys Technologies - Finacle
4 - TEMENOS - T24; T24 for Microfinance and Community Banking (MCB) formerly eMerge; GLOBUS; TEMENOS CoreBanking (TCB)
5 - TCS FS - Tata Consultancy Services Financial Solutions - formerly FNS BaNCS - TCS BaNCS (formerly FNS Bancs - Financial Network Services B@NCS-24)
Source: http://www.inntron.com/core_banking.html
Logos and trademarks belong to their respective owners – used only for training purposes.
Recovery Plan Considerations for Core Banking System
• Involve all aspects of CBS
• Test progressively from modular to integrated CBS testing
• Main challenge is that most IT DR managers are either unwilling or lack the confidence to switch over operations from recovery site or DR site.
• Involve service providers in complete recovery planning, testing, review and improvement
• Progressively, ITDR must dovetail into holistic recovery and be driven by the organisation's BC/Resilience strategy – this aspect must be reviewed by BC managers.
Payment & Settlement
• The Payment & Settlement System forms the backbone of today's banking environment
• A robust and secure system of payment and settlement is one of the key challenges of a Bank's BCM. Its coverage includes all instruments of payment and settlement and the Electronic Funds Transfer mechanism, ATM, and Point of Sale system
• India would take necessary steps to comply with new international standards for payment, clearing and settlement systems as per RBI Guidelines
• CPSS and the Technical Committee of the International Organization of Securities Commissions (IOSCO) have already issued a draft for consideration, with a proposal that national bodies would start introducing the new standards into their laws by the end of 2012.
Payment & Settlement
CPSS
• Committee on Payment and Settlement Systems (CPSS) of BIS
• The Committee on Payment and Settlement Systems (CPSS) contributes to strengthening the financial market infrastructure through promoting sound and efficient payment and settlement systems. Incorporated in Basel-II as well.
• Created in 1990, CPSS serves (G-10) to monitor and analyse developments in domestic payment, settlement and clearing systems as well as in cross-border and multicurrency settlement schemes.
• CPSS recommends that central banks and other authorities review policies in light of the increasingly integrated nature of the global financial infrastructure.
• Lays down a framework for analysing the risks of interdependencies, along with specific recommendations for the industry, including integrated BC testing practices along with interdependent parties on a domestic and cross-border basis.
NEFT
• National Electronic Funds Transfer (NEFT) is a nation-wide payment system facilitating one-to-one funds transfer. Under this Scheme, individuals, firms and corporates can electronically transfer funds from any bank branch to any individual, firm or corporate having an account with any other bank branch in the country participating in the Scheme.
• To be part of the NEFT funds transfer network, a bank branch has to be NEFT-enabled.
• Presently, NEFT operates in hourly batches - there are eleven settlements from 9 am to 7 pm on week days (Monday through Friday) and five settlements from 9 am to 1 pm on Saturdays
• There is no limit – either minimum or maximum – on the amount of funds that could be transferred using NEFT. The amount per transaction is limited to Rs.50,000/- for cash-based remittances
RTGS
• The acronym 'RTGS' stands for Real Time Gross Settlement, which can be defined as the continuous (real-time) settlement of funds transfers individually on an order by order basis (without netting).
• RTGS system is primarily meant for large value transactions. The minimum amount to be remitted through RTGS is ₹ 2 lakh. There is no upper ceiling for RTGS transactions.
• In RTGS, the beneficiary bank has to credit the beneficiary's account within two hours of receiving the funds transfer message.
• As on September 29, 2011, there are more than 78,000 RTGS enabled bank branches.
RTGS & NEFT
• NEFT is an electronic fund transfer system that operates on a Deferred Net Settlement (DNS) basis, which settles transactions in batches. In DNS, the settlement takes place with all transactions received till the particular cut-off time. These transactions are netted (payables and receivables) in NEFT, whereas in RTGS the transactions are settled individually. For example, currently, NEFT operates in hourly batches - there are eleven settlements from 9 am to 7 pm on week days and five settlements from 9 am to 1 pm on Saturdays. Any transaction initiated after a designated settlement time would have to wait till the next designated settlement time. Contrary to this, in RTGS the transactions are processed continuously throughout the RTGS business hours
• Both the remitting and receiving must have core banking in place to enter into RTGS transactions. Core Banking enabled banks and branches are assigned an Indian Financial System Code (IFSC) for RTGS and NEFT purposes.
Payment & Settlement
RTGS & NEFT
• India's RTGS & NEFT, like any global financial system, have a set of interlinked networks of markets, systems, and participants.
• Such a system should be resilient enough to withstand disruptions, as the potential impact of a major operational disruption may incapacitate the financial system.
• A holistic recovery plan incorporating all networked components and entities is a must for NEFT. Its testing should be carried out in a stringent manner so that it gives a high level of continuity assurance
• In a networked environment, security is as strong as the weakest link
• SWIFT - Society for Worldwide Interbank Financial Telecommunication: company HQ in Brussels, Belgium. Provides secure messaging services and interface software to wholesale financial entities. Demands cross-border coordination with connected financial entities. Robust and resilient IT infrastructure.
Payment & Settlement
RTGS & NEFT
• RTGS and NEFT demand special emphasis on Technology Recovery, as special IT equipment including switches, hardware, software solutions and other network components is used.
• Enough redundancy should be present in the system architecture and backup processes
• Integrated tests for RTGS/NEFT and remote / alternate / recovery site working should be periodically carried out and proved.
• HR plans should specifically consider continuity, retention and succession of key staff having the knowledge and skills to work on the system
• Capability and commitment of service providers and third parties should be fully ensured.
ATMs
• An Automated Teller Machine is a computerized machine that provides the customers of banks the facility of accessing their account for dispensing cash and to carry out other financial & non-financial transactions without the need to actually visit their bank branch.
• ATMs primarily enable cash dispensing. In addition, ATMs may have many services/facilities enabled by the bank owning the ATM, such as:
  – Account information
  – Cash Deposit
  – Regular bills payment
  – Purchase of Re-load Vouchers for Mobiles
  – Mini/Short Statement
  – Loan account enquiry etc
ATMs
• ATM - Remember the client perspective – "Any Time Money", and anywhere too. Hence 24*7*365 operations across all locations (think MTPoD and RTO). Ensuring no disruption in key internal processes:
  • ATM Reconciliation Process - Ensuring periodic and timely reconciliation in the bank's central operation process should be priority no. 1. Addressing all interdependencies, periodic & integrated testing of recovery plans
  • Cash Replenishment - A sound internal process to ensure timely, safe & efficient replenishment is a must for continuous operations of any ATM. The task of cash replenishment may also be outsourced to a service provider.
  • ATM Consumables - Printing consumables are also an important operation that needs to be prepared properly. Ensuring a continuous supply chain is a must.
• There are other ATM risks during day to day Operations Interaction
Key HR Recovery Challenge for Banks
Management Succession
• Succession of key appointments like Directors and Senior Management Officers must comply with the articles / memorandum and bylaws of the company/Bank.
• The following key factors may be evaluated when selecting alternates:
  • Long-term business strategy of the company
  • Key areas where change or continuity is required
  • Key strengths and weaknesses of personnel and employees, including potential and past performance, and how they relate to the strategy and needs of the organisation both in the short and in the long term
  • How best to develop the abilities of personnel to match strategy and needs
  • External talent, staffing options
Outsourced Functions
Managing Continuity
• Outsourcing is contracting with another company or person to do a particular function.
• Almost every organization outsources in some way for multiple reasons
• Normally, the function being outsourced is considered non-core to the business
• Managing continuity in outsourcing becomes more challenging, especially when functional activities are being done in a different country (called off-shoring), since that involves language, cultural and time zone differences
• Organisations & regulators are now looking more closely at social & political risks, including financial stability, at the off-shored location
• Un-coordinated BC arrangements between "offshored" and parent "send" locations give rise to false BC assurance
Outsourced Functions
Managing Continuity
With a view to having effective BCM for outsourced functions, the following must be considered:
• A realistic analysis of BC capability must be done before a function is outsourced
• Depending on the criticality of the service provided, BC arrangements and their measure of effectiveness must be incorporated in the SLAs
• BIA at the off-shored location must consider the impact of local disruption on the "send" site
• If the BC Strategy is "Revert to Send", then its efficiency must be regularly tested
• Organisations must think "Right Shoring" - right location, right service levels, acceptable risks and retaining a critical mass of key capabilities to provide the best possible customer experience.
• Both parties must participate at least once a year in end-to-end integrated BC tests
Emergency Powers
Need during BC Incidents
• Special times – special powers. Expect standard controls/checks and balances to be loosened. Expect higher financial powers
• Such powers must be exercised judiciously, with clear and visible intent.
• Quick & well-informed management decision-making is key to successful incident handling.
• The organisation must provide for emergency powers to incident management teams to minimise losses
• Such powers should be pre-approved by the board and promulgated across the organisation. These must be able to withstand any scrutiny when the crisis/incident is over
• Such powers must cover all functions necessary for incident management and holistic business recovery
BC Challenges - Testing of BC Plans
Objectives and Benefits
• Organisations must test the effectiveness of their BC plans.
• At the minimum, all BC plans including incident management plans must be tested at least once a year or in case of any major change in the organisation
• Testing should be both modular and integrated
• Testing is more about reviewing and improving. It's not about passing or failing.
• Testing provides an opportunity for staff to gain familiarity with their business continuity roles and helps them perform their expected activities.
• A good testing approach builds camaraderie across diverse functions in an organisation. It is a strong team-building event
• All businesses/functions based out of a site are required to participate (depending on the exercise scenario)
• Outcomes of BC tests bring out gaps in an organisation's BC plans. Such gaps can be covered with a focussed approach
• Test reports are key documents from an Audit/Regulatory perspective
BC Testing (Suggested Ground Rules)
• Integrated tests/exercises for BCM should be conducted in a manner that balances realism (in the test scenario) while at the same time ensuring minimum or nil business impact.
• BC should cover all businesses and functions of an organisation
• The organisation must define minimum staff participation (max can be up to 100%). For example:
  • Evacuation exercise – all present in the premises
  • BC recovery exercise – 40% (or as per recovery team size), etc.
  • Process level participation – 100% (depending on scenario)
• Special consideration and involvement for outsourced functions
• Any exemption to the above to be approved by the Overseeing Committee
• Nominate external observers to ensure impartial/objective test reports
Major Challenge - Embedding BC Culture
Making BCM part of Bank's DNA
• Arguably the most difficult and arduous element of a BCM System, and at the same time one of the most essential too
• An organisation's ability to respond to a BC incident, and its capacity to recover from a disruption, depend directly on the awareness levels, understanding, skills and experience of its stakeholders, including employees
• The key questions that this element answers are: ARE YOU PREPARED? WILL YOU BE ABLE TO RESPOND?
• In times of crisis, every employee of the organisation, at all levels, must know what it is that he or she is supposed to do
• The organisation must move from "Document Centric" BCM to "Action Centric" BCM.
• There won't be time to refer to documents during a crisis event… the answer is train, practice, drill, test… with an aim to continuously improve and embed a culture of BCM
Embedding BC Culture
Activities Involved
• Demonstrated Management Commitment – vision statement, funds, resource commitment and a dedicated BC team within the organisation.
• Making BCM a collaborative process, business-owned and business-driven
• Developing and implementing a comprehensive:
  • Training and Awareness plan covering all stakeholders and focus groups
  • Audit Plan that includes BCM
  • Modular and Integrated Testing Plan
  • Change Management Process covering BC elements
• Integrate BCM in the organisation's rewards and recognition program
• Include BC roles and responsibilities in the Job Description of employees
• Include external dependencies in BC testing and drills
• Include BC objectives in performance evaluation & appraisals
Embedding BC Culture
Training & Awareness Program
Following are key considerations for a BCM training and awareness program:
• Cover all staff and focus groups, including all business and support functions
• Encourage participation of external service providers
• Inclusion of BCM in the induction program for new joiners
• Multimedia modes of awareness that include:
  • Videos
  • Flyers
  • Email newsletters
  • Road shows
  • Posters
  • Websites
• Conduct special promotion weeks/events/workshops/seminars
• Promote BC education and training courses
Organisations must monitor and measure the effectiveness of the Training and Awareness Program
Summary of Key Challenges
• Approach and resources for building BC strategy – mostly template filling. Use of isolated Excel sheets and applications. Lack of use of integrated BC solutions (ERP approach)
• Technology recovery. Huge dependencies on external vendors and entities. Most incidents are not threatening IT incidents. But any incident of IT outage has a huge impact – both direct and indirect
• Realistic testing. Holistic approach. IT, business and service providers work in isolation
• Lack of industry synergy. A forum exists that includes foreign captive banks. But there is no real synergised effort, either through the Banking Association or through regulations
• Weak enforcement by the central bank (RBI). Many RBI guidelines and instructions exist, but the mechanisms to enforce them and measure their effectiveness are inadequate
Some Food for thought for banking industry …
Remember what is the key driver for BCM (Management Intent)
- Is it Compliance/Highly regulatory environment of the financial industry?
- Is it because your competitors are doing it?
- Is it another tick in the box?
Or …
Do you really want to have a resilient Bank?
Thank You
For feedback/suggestions : [email protected]
www.periculum.in