Financial Services

BUSINESS CONTINUITY MANAGEMENT
FROM TACTICAL AND LOCAL PLANNING TO GLOBAL RESILIENCE AND ASSURANCE

AUTHORS
Alon Cliff-Tavor, Principal, Digital, Technology & Analytics
Wei Ying Cheah, Principal, Finance and Risk

ASIA PACIFIC RISK CENTER: FINANCE AND RISK SERIES


“The only thing harder than planning for an emergency is explaining why you didn’t” UNKNOWN


INTRODUCTION

Business Continuity Management (BCM) is a holistic process that enables institutions to prepare for, and respond to, potential crisis situations that lead to disruptions in normal operations. The main objectives of BCM are first, to develop Business Continuity Plans (BCPs) to ensure continuation of critical functions in the event of a crisis; second, to implement and practise these plans so they can be executed effectively, if and when a crisis actually occurs; and third, to improve efficiency and effectiveness of these plans over time, continually adapting to changing risks.

TRADITIONAL PERSPECTIVES

Many organizations that have developed BCPs have historically viewed this exercise in silos. Typically, traditional BCPs cover an institution’s crisis response across the following independent elements:

• Location: The risk of a specific location or facility becoming unusable due to weather, natural disaster, terror attack, power failure, etc.

• People: The risk that human resources are unable to fulfil their functions for any reason, including pandemic outbreak

• Technology (IT): The risk that a specific data center or another critical infrastructure component goes offline

• Liquidity: The risk of a liquidity shortage due to a variety of crisis scenarios

Exhibit 1: BCM Framework

[Figure: BCM framework across normal time and crisis time. Panels: key enablers; normal-time BCM risk identification and mitigation; BCM plans; training and testing; crisis management process. Component labels: scope and mandate; governance and organization; reporting; crisis management organizational structure; crisis decision making; crisis assessment; crisis monitoring; incident monitoring and escalation; post crisis learning; back-to-normal decision making; emergency response plan; crisis management plan; business continuity plan; IT contingency plan; plan development; recovery strategy; business impact analysis (BIA); risk identification and assessment; testing and exercising; training and awareness.]

Copyright © 2017 Oliver Wyman

Often, there seem to be very few coordination areas among these elements or between the functions entrusted with them. Corporate real estate takes care of buildings, IT is responsible for technology resilience, liquidity committees are dealing with their domain, and business or governance management is dealing with other resources (or is supposed to be).

Over the last few years, we have witnessed several instances in which financial institutions were subject to substantial business disruptions, for which they had, at best, only partial solutions. Traditional BCM approaches have proven inadequate in times of genuine need. However, we have learned important lessons from recent crisis events and from the responses of our clients and other industry players.

SHORTCOMINGS IN TRADITIONAL BCM METHODS

1. BCM REQUIRES REASSESSMENT IN LIGHT OF MORE FREQUENT AND SEVERE CRISES

With climate change-related increases in frequency and severity of extreme weather events caused by storms¹, for example, we believe that institutions should dedicate time and resources to re-evaluate their approaches to BCM. Recent crises have demonstrated that traditional recovery strategies and alternate site locations are not fit for the severity of natural disasters that have been encountered.

For instance, a North American regional bank struggled with its response to super-storm Hurricane Sandy. Both Disaster Recovery (DR) sites for the bank were connected to the same electricity grid, which was completely wiped out by the storm. As a result, despite being geographically distant from one another, both DR sites went offline and were unusable. This example emphasizes the importance of selecting DR sites that are both geographically distant from one another and reliant on separate utilities and infrastructures.

This trend also raises concerns with regard to regulatory constraints in extreme crisis events. For example, in Japan’s Triple Disaster in 2011, another bank’s entire operations in the country went offline. Under such circumstances, the only continuity plan would be to promptly assign critical functions and capabilities offshore. However, in this instance, local regulations prohibited the offshoring of certain key critical functions, leaving the institution unable to continue operations. This example highlights the importance of taking regulatory constraints into account when developing BCPs. Furthermore, industry bodies and individual institutions should lobby regulators to promote awareness of such matters, and to persuade them to contemplate extreme circumstances in the development of any legislation, well before crisis situations.

¹ Global warming: The evolving risk landscape. Sep 2013.


2. BCM OFTEN IGNORES THE INTERCONNECTEDNESS OF GLOBAL BUSINESSES

Too often, we see business continuity planning being performed by local management at the country, city or even facility level. This poses significant risks, as these localized BCPs often ignore the regional or global significance of the location or facility for one or more business lines.

For example, we have seen a large global institution fail to recognize the global interconnectivity of its Germany-based facility, which played a critical and unique role in Euro clearing and in trading specific asset types. This facility in Germany was responsible for these functions globally, a fact that was not properly considered in the institution’s locally-devised BCPs. It was only when the facility faced the grave risk of becoming unavailable for a substantial period of time that the relevant business heads realized the mistake. The BCP supported only local requirements. As a result, it was a woefully inadequate solution given the global network’s degree of reliance on that particular facility.

Many institutions would benefit greatly from a shift in perspective, moving away from preparing disaster recovery BCPs based on local priorities, to instead focusing on end-to-end global resilience. These robust, global BCPs should be fully owned by global business process owners at the appropriate level.

3. SCOPE OF BUSINESS CONTINUITY PLANNING SHOULD BE EXPANDED

We have identified three additional scenarios that should be included in a robust BCP with enhanced scope, but all-too-often are not, in practice:

a. Loss of license: This scenario involves the risk of losing a key license, or having it restricted in certain respects due to regulatory and/or political threats. The most recent and well-known situation was an order from the New York Department of Financial Services to an emerging market bank in August 2012. With regulatory expectations at an all-time high, and regulators and governments pursuing strict measures to ensure compliance and punish any transgressions, we might see similar situations continue to evolve. It should be noted that merely the threat of losing a license could sometimes have severe consequences, as clients might rush to draw deposits, potentially creating a liquidity shortage.

b. Clients’ perspectives: A robust BCP should consider clients’ business continuity requirements and the institution’s ability, readiness and willingness to support clients in such situations. For example, institutions should consider how they might support a client that is experiencing prolonged power failures or an inability to access facilities, when the institution itself remains open for business. Furthermore, institutions should consider communication strategies for customers during catastrophic events. This customer focus can be a key differentiator against competitors during times of crisis.


c. Social and political unrest: While not completely new on the catalogue of possible scenarios, the probability of such scenarios is certainly rising in many parts of the world, as highlighted in the 2017 Global Risks Report by the World Economic Forum, supported by Oliver Wyman and MMC.² Ensuring that scenarios relating to political upheaval, mass protests and strikes, and acts of terrorism, among others, are accounted for, is crucial in our view for a functioning BCM.

QUESTIONS TO CONSIDER

To address these shortcomings, there are a number of key areas within the BCM framework and a list of questions that institutions should address:

FRAMEWORK COMPONENT: BCM governance

KEY QUESTIONS TO CONSIDER:

Who owns business continuity and management? Are they the right people/function to take a holistic view of all evolving business needs (including potential disruptions due to regulation/liquidity events)?

How often do you conduct a thorough review of your BCP policies, procedures, guidelines and plans to ensure they continue to fit your business needs and realities?

SHORTCOMING MITIGATED: Expansion in BCM scope; Reassessment of whether BCM is fit-for-purpose

FRAMEWORK COMPONENT: BCM scope and mandate

KEY QUESTIONS TO CONSIDER:

Do your BCM policy, procedures and guidelines:

• Take a business-focused view and are able to handle the consequences of an increasingly global business/product eco-system in an increasingly regulated environment?

• Consider potentially providing support to clients in business continuity events?

SHORTCOMING MITIGATED: Expansion in BCM scope + interconnectedness of global business

FRAMEWORK COMPONENT: BCM risk identification and mitigation

KEY QUESTIONS TO CONSIDER:

As part of your normal-time BCM risk identification process, do you:

• Consider sufficiently severe scenarios?

• Account for new/emerging business continuity risks?

• Employ an eco-system lens (end-to-end process and data flow view) when examining the resilience of our infrastructure, so as to identify people, location, regulatory, technology, telecom and other dependencies and soft-spots, in order to formulate business and function resilience plans?

SHORTCOMING MITIGATED: New/emerging or unusually severe crisis

FRAMEWORK COMPONENT: BCM plans

KEY QUESTIONS TO CONSIDER:

As part of your BCM plans, do you:

• Ensure your BCPs are able to cater for a wide range of scenarios including a large-scale/unusually severe disturbance?

• Ensure your alternate sites do not suffer from the same weaknesses experienced by several institutions in recent years?

• Consider potential plans for a move to out-of-country, regional or global disaster recovery site approach?

When planning for continuity events and threats, are you taking a specific location and asset view or a truly broad, global, business-centric view?

SHORTCOMING MITIGATED: New/emerging or unusually severe crisis; Interconnectedness of global business

FRAMEWORK COMPONENT: Training and testing

KEY QUESTIONS TO CONSIDER:

Do those responsible for BCPs have the right knowledge, skills and access to assess and plan continuity from a holistic and strategic business perspective?

Do you conduct regular and robust training, including BCM simulations

SHORTCOMING MITIGATED: Expansion in BCM scope + interconnectedness of global business

² Marsh & McLennan Companies. Global Risks Report. Jan 2017.


CONCLUSION

While the nature and timing of continuity events are never predictable, their consequences – unavailability of systems, facilities, and people – and the impact of these consequences on institutional processes, can generally be anticipated. Institutions should focus on building robust, globally-focused plans to mitigate common crisis repercussions. BCM training and testing of BCPs, coupled with proper governance, are critical to effective crisis management.

Exhibit 2: Illustration of effective BCM in action

[Figure: operational status (100% marked) plotted against time, comparing "No BCM" with "Effective BCM" around an incident. Annotations: "More resilient to disruption" and "Shorter recover time".]


Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation.

For more information please contact the marketing department by email at [email protected] or by phone at one of the following locations:

ASIA PACIFIC: +65 6510 9700

AMERICAS: +1 212 541 8100

EMEA: +44 20 7333 8333

ABOUT

Marsh & McLennan Companies’ Asia Pacific Risk Center draws on the expertise of Marsh, Mercer, Guy Carpenter, and Oliver Wyman, along with top-tier research partners, to address the major threats facing industries, governments, and societies in the Asia Pacific region. We highlight critical risk issues, bring together leaders from different sectors to stimulate new thinking, and deliver actionable insights that help businesses and governments respond more nimbly to the challenges and opportunities of our time. Our regionally focused digital news hub, BRINK Asia, provides top executives and policy leaders up-to-the-minute insights, analysis, and informed perspectives on developing risk issues relevant to the Asian market.

For more information, please email the team at [email protected].

Copyright © 2017 Oliver Wyman

All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.

The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.

www.oliverwyman.com