This document provides an overview of Alpha Bank Group's implementation of the ISO22301 business continuity standard and hints for successful implementation. Key points include:
- Alpha Bank Group is one of the largest banks in Greece with over 17,000 employees across various international subsidiaries.
- Alpha Bank's key operations in Greece and Romania have been certified under ISO22301, including over 1,300 employees.
- Successful implementation requires obtaining executive support, defining roles and responsibilities, conducting risk analysis, assessing business impact, developing continuity strategies and plans, and regularly testing plans through exercises.
- Hints are provided for each phase of implementation including project management, risk analysis, business impact analysis, developing continuity strategies and response plans,
Stelios Aronis: ISO 22301 BCMS Implementation and Sharing of BCM Best Practices for a European Bank
1. ISO22301 BCMS Implementation and Sharing of BCM Best Practices for a European Bank
Stelios Aronis, BCCLA
Head of Business Continuity
Alpha Bank Group
2. Alpha Bank Group Overview:
• Alpha Bank S.A. founded in 1879
• One of the largest banks in Greece:
  17,655 employees (Greece: 11,911; International: 5,744)
  Over 1,000 service points (branch network)
  One of the highest capital adequacy ratios in Europe.
• International subsidiaries:
  i. Albania
  ii. Bulgaria
  iii. Cyprus
  iv. F.Y.R.O.M.
  v. Romania
  vi. Serbia
  vii. United Kingdom
• 11 subsidiaries in Greece (Investment Banking / Asset Management, Venture Capital, Leasing / Factoring, Insurance, Athens Hilton Hotel, etc.)
• Recently acquired the consumer banking business of Citibank International Plc in Greece, including Diners Club.
Our Values: Quality at work, Quality in communication, Meritocracy, Moral Standards, Creativity
Our Vision: To be a bank of reference in Southeastern Europe
Our Aim: To provide high-quality services and pioneering products
3. ISO22301 – BCMS Certification:
• Alpha Bank S.A. (parent company):
  Information Technology (including Data Centers)
  Financial Markets – Treasury
  Back Office Operations: Funds Transfer operations / Cheques clearing / Treasury Back Office / Loans Administration / International Trade / Custody & Shareholders Registry / Cash Centers / Alternative Networks Support / Private Banking Support.
• Alpha Supporting Services: IT infrastructure management and operation for Alpha Bank Group subsidiaries in Greece and abroad
• Alpha Bank Romania: IT, Treasury, Back Office Operations (certification project in progress)
The number of personnel in sectors certified with ISO22301 exceeds 1,300 people.
The same BCM methodology and procedures are applied to all Units of the Alpha Bank Group.
4. HINTS ON SUCCESSFUL IMPLEMENTATION OF A BCMS (diagram linking: Critical Functions, Business Continuity Plan, Disaster Recovery Plan, Crisis Management, Evacuation Plan, People / Resources, Threat Remediation, Risk Assessment; threat examples: Catastrophic Event, Telecomms Disruption, Flood / Earthquake, Fire)
5. BCM METHODOLOGY – ISO22301 (diagram of phases):
PROJECT MANAGEMENT
RISK ANALYSIS AND REVIEW
BUSINESS IMPACT ANALYSIS
BUSINESS CONTINUITY STRATEGY
PLAN DEVELOPMENT
TESTING AND EXERCISING
PROGRAM MANAGEMENT
6. HINTS – PROJECT MANAGEMENT PHASE
Obtain Executive Management support and commitment:
BCM Project Sponsor: Alpha Bank's COO, member of the Executive Board
Project Steering Committee: Divisions' Heads: Organization, Risk, IT, Information Security, International Network
Project Manager: Head of Group BCM Office
Country Project Sponsor: IT & Operations Head (or COO)
Resources:
Group BCM Office: central point of communication and support
Company BCM Offices / Coordinators (International Network)
Business Unit BCM Coordinators
External Consultants (optional)
7. HINTS – PROJECT MANAGEMENT PHASE
Project Definition Document: indicative contents:
Project Definition: Vision, Scope, Objectives, Deliverables
Project Organization: Roles and Stakeholders, Communication Plan to Stakeholders (frequency of reporting, meetings, etc.), Responsibilities per Role
Project Plan / Milestones
Project Considerations / Risks:
Resourcing issues
Project Dependencies (e.g. centralized systems)
Country (local) Risks (e.g. premises availability)
Legal / Compliance Issues
8. BCM METHODOLOGY – ISO22301 (methodology diagram repeated from slide 5)
9. HINTS – RISK ANALYSIS PHASE
Risk Management Process (based on ISO 31000), as shown in the diagram: Establish Context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; Approval by Operational Risk Committee or Executive Board!!!
Re-evaluate residual risk after Risk Treatment Plan implementation.
RCSA – Risk Control Self Assessment (BU level)
Threat & Risk Assessment (Organization level):
Premises & Physical Security
IT / Information Security / Data Backup
Critical Vendors / Service Providers (Outsourcing)
Personnel awareness of emergency procedures
10. BCM METHODOLOGY – ISO22301 (methodology diagram repeated from slide 5)
11. HINTS – BIA PHASE
• RTO (Recovery Time Objective) definition: the maximum acceptable time interval within which an operation / business function must be resumed so that there is no severe impact on the Organization.
• RTO scale:
  Same Day (1 or 8 hours)
  Next Day (24 hours)
  Within 3 Days
  Within a Week
• METHODOLOGY:
  Data collection and impact assessment
  Data validation:
  I. Data completion check
  II. RTO validation against:
    o Group RTO in the respective or similar activities (benchmark)
    o Previous year's RTO of the respective Function / Activity
    o Industry RTO benchmarks (provided by external consultants); any RTO variations should be justified by the Business Units
  Final confirmation by each Business Unit before formal issuance
12. HINTS – BIA PHASE
Critical Business functions ("same day" recovery):
• IT Infrastructure Management and Operations (Data Center)
• Funds Transfers / Payments (Incoming, Outgoing)
• Loans Back Office
• International Trade
• Clearing (Cheques, Securities & Derivatives)
• Trading (Front Office, Back Office and Controls over Limits)
• Instant Credit (Loan Authorizations)
• Relationship Management (Corporate / Private Banking, Shipping, etc.)
• Customer Service / Help Desk
• Credit Cards: Lost & Stolen Declaration / Transaction Authorizations and Disputes Resolution
13. BCM METHODOLOGY – ISO22301 (methodology diagram repeated from slide 5)
14. HINTS – B.C. STRATEGY PHASE
Recovery strategy by RTO (diagram): "Same Day" recovery – HOT SITE; "Next Day" recovery – WARM SITE / DISPLACEMENT; 3 Days or more – COLD SITE
DEFINITIONS:
• HOT SITE: fully equipped and preconfigured facilities which can be used for instant recovery of business operations
• WARM SITE: equipped but not preconfigured facilities. PCs are installed but require configuration before use
• COLD SITE: non-equipped but "wired" empty space.
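An added example, not part of the presentation, that encodes the BIA-phase RTO validation rules (data completion check, comparison against the Group, previous-year and industry benchmarks, variation only with a Business Unit justification) and the RTO-to-site pairing of the strategy slide. The `BiaRecord` fields, the hour thresholds used to place benchmarks on the RTO scale, and the sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# RTO scale from the BIA phase, in hours ("same day" allows either 1 or 8 hours).
RTO_SCALE_HOURS = (1, 8, 24, 72, 168)
# Recovery strategy per RTO tier, as paired on the B.C. Strategy slide.
STRATEGY_BY_TIER = {"same day": "hot site", "next day": "warm site / displacement",
                    "within 3 days": "cold site", "within a week": "cold site"}

def rto_tier(hours: int) -> str:
    """Map an RTO in hours onto the Group's RTO scale (thresholds are an assumption)."""
    for limit, tier in ((8, "same day"), (24, "next day"), (72, "within 3 days"), (168, "within a week")):
        if hours <= limit:
            return tier
    return "beyond a week"

@dataclass
class BiaRecord:  # one business function's BIA data; benchmark fields are hypothetical inputs
    function: str
    rto_hours: Optional[int]            # None fails the data completion check
    group_rto: Optional[int] = None     # Group RTO for the same or a similar activity
    previous_rto: Optional[int] = None  # previous year's RTO for this function
    industry_rto: Optional[int] = None  # industry benchmark supplied by external consultants
    justification: str = ""             # Business Unit's reason for any variation

def validate(rec: BiaRecord) -> list:
    """Return findings that block formal issuance; an empty list means the record is clean."""
    if rec.rto_hours is None:
        return ["data completion check: RTO missing"]
    if rec.rto_hours not in RTO_SCALE_HOURS:
        return [f"RTO {rec.rto_hours}h is not a value on the Group RTO scale"]
    findings = []
    for label, bench in (("Group", rec.group_rto), ("previous year", rec.previous_rto),
                         ("industry", rec.industry_rto)):
        if bench is None or rto_tier(bench) == rto_tier(rec.rto_hours):
            continue  # no benchmark, or same tier: nothing to justify
        if not rec.justification:  # a variation is accepted only with a BU justification
            findings.append(f"RTO varies from {label} benchmark ({bench}h) without justification")
    return findings

def recovery_strategy(rec: BiaRecord) -> str:
    """Derive the B.C. Strategy site type from a validated record's RTO tier."""
    return STRATEGY_BY_TIER[rto_tier(rec.rto_hours)]
```

Records that return an empty list from `validate` are the ones ready for the Business Unit's final confirmation.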
15. BCM METHODOLOGY – ISO22301 (methodology diagram repeated from slide 5)
16. HINTS – PLAN DEVELOPMENT PHASE
BCP GOVERNANCE (organization chart): Emergency Management Team; Initial Response Team; Emergency Support Team; B.C. Coordinator; D.R. Coordinator; Technical Teams (Systems, Databases, Networks); Business Recovery Teams
Each team has specific roles and responsibilities that are documented in the Business Continuity Plan.
17. BCM METHODOLOGY – ISO22301 (methodology diagram repeated from slide 5)
18. HINTS – EXERCISING AND TESTING
Testing scenarios:
• Scenario 1: Access to premises is not feasible, but application and communication systems are intact
• Scenario 2: Access to premises is not feasible and the application and communication systems are also not available (DR also activated)
• Scenario 3: Premises are available for use, but application and communication systems are not available (DR activation)
• Scenario 4: More than 20% of the Personnel is not available for a period of more than a week (e.g. due to a pandemic)
• Scenario 5: Interruption in the operations of a critical service provider
Key Points:
Internal Audit to be present in tests as an independent observer
Record test details and results (use of template)
Update Senior Management regularly on test results / corrective actions
Avoid Disruptions Caused by Plan Misuse!!!!
19. BCM METHODOLOGY – ISO22301 (methodology diagram repeated from slide 5)
20. HINTS – PROGRAM MANAGEMENT
FOCUS ON CONTINUOUS IMPROVEMENT
MAINTENANCE & REVIEW:
Perform Internal Audits (ensure objectivity)
Set goals / Monitor near misses
Review / improve the Plan and the BCMS
COMPETENCE & AWARENESS:
Enhance BCM culture in the Organization
Train and educate Personnel (use of external certification bodies)