De Nederlandsche Bank Eurosysteem

Business Continuity and Crisis Management

Michael van Doeveren and Paul Osse
Conference Financial Sector of Macedonia on Payments and Securities Settlement Systems
Ohrid, 23 June 2008

Agenda

• Introduction
• The Dutch situation
• DNB Assessment Framework
• Concepts of crisis management
• Arrangements and initiatives in the Netherlands
  • The Escalation Committee for Payments and Securities
  • Government initiatives on Critical Infrastructure Protection: Dutch Counterterrorism Alert System
• International context
• Concluding remarks
• Questions

What is Business Continuity?

Business Continuity Management: a whole-of-business approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption.

Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption.

Source: BIS 2005

BCP in an international context

• The American White Paper on Sound Practices to strengthen the Resilience of the US Financial System
• The Tripartite Standing Committee on Financial Stability
• Bank of Japan resilience plans
• Initiatives of the Eurosystem
• Joint Forum/Financial Stability Forum/BIS/CPSS’ work

The Dutch situation

Small country, few large banks

DNB is both central bank and prudential supervisor for banks, pension funds and insurance companies

Financial core infrastructure for Payments and Securities, in NL defined as:
• Central bank
• CSD (Euroclear Netherlands)
• CCP (LCH.Clearnet SA)
• Stock exchange (NYSE Euronext Amsterdam)
• ACH (Equens Netherlands)
• Major banks (among others ABN AMRO, Fortis, ING, Rabobank)

DNB BCP Assessment Framework

DNB BCP Assessment Framework (1)

• First version in 2004, new version in 2007
• Drafted in cooperation with the financial institutions
• Commitment to use it on a high level
• Assessment Framework consists of:
  • 9 ‘principles’
  • Guidance note Human Factor
  • Agreement between DNB and the financial sector for joint BCP initiatives
• In line with international principles such as BIS
• Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles

DNB BCP Assessment Framework (2)

1. BCP should be approved by the EB/senior management

2. Risk analyses of critical systems and activities should be made

3. Explicit attention should be paid to the human factor

DNB BCP Assessment Framework (3)

4. Each institution should have a crisis organisation, including senior management

5. Single points of failure (SPOFs) should be identified

6. Critical processes and systems should be resumed as quickly as possible

DNB BCP Assessment Framework (4)

7. A back-up site/secondary site should be available

8. Alternate systems and contingency procedures should be regularly tested and exercised

9. Each institution should have a communication plan for all stakeholders

Guidance Note Human factor

Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor

DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required (specific in the extreme, highly specific, specific, not very specific, not specific)

Matrix with level of required knowledge and human factor strategy: see www.dnb.nl – payments – BCP

GUIDANCE NOTE REGARDING IMPLEMENTATION CONTINUITY OF THE HUMAN FACTOR FOR CRITICAL SYSTEMS/ BUSINESS PROCESSES

Required Knowledge

Specific in the extreme. Highly specific. Specific. Not very specific. Not specific.

Ways of ensuring staff continuity

1. double staffing at another location

2. planned scheduling days off

3. shift work

4. use of staff from another location where a similar situation is operational

5. use of staff from another location where a similar situation is not operational

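Required level of knowledge of systems/business processes

(a) specific in the extreme
(b) highly specific
(c) specific
(d) not very specific
(e) not specific

[Matrix: ways of ensuring staff continuity (1 to 5) against required level of knowledge (a to e), with a red/green colour legend; the cell values are not preserved.]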

Concepts of crisis management (for payments)

Concepts of crisis management for the payment system (1)

Basic assumption
• Payments can be regarded as what oil is for an engine
• Continuity of payments is essential for both the public and the financial system

Consequences
• Measures should be implemented that guarantee business continuity of the payment system
• Implementation of a crisis management structure to prevent contagion and limit the risks as far as possible

Concepts of crisis management for the payment system (2)

Crisis management preconditions
• Involvement required of critical participants of the whole payment system
• Focus on the continuation of the operation of the whole payment chain

Implementation
• Formation of crisis management team
• Prepare organisation: discuss objectives, define concept of crisis management, investigate objects, invest existing measures, define effectiveness measures, investigate alternatives
• Prepare and perform tests, both internal and sector-wide (include suppliers of critical services and local and national government)

Arrangements and initiatives in the Netherlands

The Escalation Committee for Payments and Securities

Escalation Committee history: Why

• Escalation Committee established around the euro introduction in 1999
• Stand-by at millennium
• To cooperate in case of problems
• WHEN something could happen was rather clear

Today: the issue is back on the agenda
• Overall agreement that sector-wide coordination and cooperation is needed to handle (operational) crises in payments and securities
• You need each other in times of crisis!
• WHEN is not clear
• Escalation Committee is crisis management organisation for payments and securities

Escalation Committee - Who

The Dutch financial core infrastructure:
• Market infrastructures: Central bank, ACH, Stock Exchange, CSD, CCP
• Major banks (among others ABN Amro, ING, Rabobank, Fortis)

Other members: Dutch banking association, representing other banks, scheme owner payment products

DNB is chairman and secretary, and linking pin to other authorities

Members have decision-making mandate of their organisation for payments and securities issues

[Diagram: Escalation Committee on Payments and Securities of the core financial infrastructure. Labels in the diagram: ABN Amro, ING, Rabobank, Fortis, SNS, KasBank, BNG, LCH.Clearnet, NYSE Euronext, Equens NL, DNB, Euroclear NL, NVB (other banks), AFM, MinFin, Public, ECB, NCBs, Currence.]

Escalation Committee – What

Crisis management
• Respond to payments and securities sector-wide (major) operational crises: procedures regarding (one voice) communication, decision making etc.
• Members of the committee are linking pin to their own crisis organisations

‘Sector BCM’
• ‘Peace time’ preparation for times of crises; plans, good overview of critical processes for the sector, alternatives and possibilities in case of a crisis, communication, knowing each other

Escalation Committee - When

When market infrastructures or banks have a crisis, might not meet their Recovery Time Objectives (RTO) or when individual measures are insufficient, this can have sector-wide impact. The chairperson of the Escalation Committee needs to be notified.

When outside-in crises (flood, pandemic, etc.) have impact on more than one institution in the field of payments and securities, the Escalation Committee needs to assess the sector impact.

Escalation model

[Diagram: escalation model. Labels in the diagram: crisis management individual institutions; Escalation Committee crisis management; executive crisis management; Alert; Scaling; Activation; Chairperson Escalation Committee. Axes: type of crisis (Local, Global); impact for payments and securities (Large, Small).]

Escalation Committee – How

“Red Booklet” contains information about:
• Crisis management, communication and decision making procedures
• Wholesale, retail, securities alternatives

However, not many viable alternatives:
• Possible alternatives based on rerouting of key processes:
  • CLS, TARGET1/2, EBA, correspondents
  • Cash/ATMs, mass payments, one-off direct debit
  • Bilateral accounts for OTC etc.
• In practice: combination of emergency procedures of the different parts of the chain
• At the moment no viable alternative for SWIFT

Communication and trust is key!

Example – Wholesale (2)

The following were regarded as the most important wholesale payments (per bank):

• CLS incoming (and outgoing) payments
• MM and FX transactions
• Liquidity transfers to/from offices/agents abroad
• EBA settlement payments and liquidity swaps
• Payments for the clearing and settlement of securities
• Critical payments for clients (corporates, pension funds)
• ‘Margin calls’ (collateral for securities clearing)

Broadly speaking, around 20-30 critical payments per bank per day

In case of one bank’s failure, this can be processed manually

In case of TARGET2 failure, strict rules apply; only ‘very critical payments’ can be processed

Arrangements and initiatives in the Netherlands

Government project on critical infrastructure protection (CIP)

CIP in the Netherlands

Government project on critical infrastructure protection was started in 2004

In cooperation with the private sector, the government defined 12 infrastructures as critical: airports, public transport, energy, health care, etc.

Payments and securities processing is one of them

Follow up of the project in 2004, among others: Counterterrorism Alert System

Dutch Counterterrorism Alert System (1)

Set up by the government in 2005 to ‘alert’ critical infrastructures in the event of heightened terrorist threat

Measures to be taken quickly in order to minimise the risk and to limit the potential impact of terrorist acts.

Cooperation between the government and private sectors

More than 10 sectors are currently connected (among others airports, harbours, public transport, oil and gas, etc.)

Financial core infrastructure (including Netherlands Bankers’ Association representing the other banks) connected as of May 1, 2006

Dutch Counterterrorism Alert System (2)

Four levels of threat: standard, low, moderate, high

Each level comes with its own set of (additional) security measures, both for the sector and for the government

Government and sector agree together on the measures to be taken

Contacts with local authorities very important

Workshops, tests and exercises are organised per sector

Experiences Counterterrorism Alert System

Formalised (communication) procedures to inform the sector about threats

Increased cooperation and information sharing within the financial sector in the area of security and with other sectors (such as energy and telecom)

Improved contacts and cooperation with local authorities and other stakeholders (police, community, fire brigade, neighbour companies etc.): who is doing what and going where in times of crisis?

Exercising experience: Think BIG, start SMALL

For Escalation Committee and Counterterrorism Alert System, exercises increase in complexity and depth:
• Connectivity/communication tests: several times a year
• Crisis management workshops: discussion, based on scenario
• Table top exercises: simulation with ‘real play’
• Large scale government exercise regarding ICT and cybercrime
• Operational exercise where security measures are taken for real
• Next step: complete market wide exercise?

International context for business continuity in payments and securities

“Dutch” market infrastructure is hardly Dutch anymore

This is due to the consolidation trend and the battle for efficiency

Not only for commercial institutions, but also for central banks

An operational crisis in Brussels/Frankfurt/Paris may impact the Dutch market more than a local crisis in Amsterdam

Increasing (need for) interaction & cooperation

Linked to ESCB crisis management

Co-ordinated communication with market infrastructures and major participants

Possible international solutions to “domestic” problems

Central banks can help each other

Solving problems in cooperation

Concluding remarks

Regular assessments work!

Increase your level of resilience by
• Control – Top level commitment
• Coordination – Central bank/regulator role
• Cooperation – Financial core infrastructure
• Communication – All stakeholders, both national and international

Exercising keeps BCP alive

Human factor is key for everything

Questions

www.dnb.nl / payments / BCP