This document discusses business continuity management (BCM) in the banking industry. It begins with key BCM concepts like having crisis management teams, conducting business impact analyses to determine priorities, creating business continuity plans, building alternative facilities, testing plans through exercises, and embedding BCM into the organization. It then discusses Nomura's BCM methodology in more detail, including establishing a crisis management team and emergency response plan. The document emphasizes that while BCM aims to prepare for consequences of disruptions, the causes themselves may be unpredictable. It also notes that disruptions can impact a bank's buildings, people, IT systems, suppliers, capital, and clients.
BDSM⚡Call Girls in Sector 97 Noida Escorts >༒8448380779 Escort Service
Willem A. Hoekstra Business Continuity Management in Banking Industry World Continuity Congress Singapore 2014
1. BCM in Banking Industry
Willem A. Hoekstra, M, MBA, MBCI, BCCE
Regional head of BCM and Corporate Security
Asia ex Japan
Nomura International (Hong Kong)
8. • December 25, 1925
• Higher risk?
– 9/11?
– Global warming
– IT-dependency and integrated
global processes: small glitches
can have massive & immediate
financial impact
– Processes are ‘cutting-edge’,
more sensitive
– Media & communication much
faster Reputation loss in
minutes
Why Now?
8
9. Unless IT is your business,
Business Continuity is not (only) IT!
9
10. Can we meet the commitment to
our customers
10
11. BCM is not about predicting the cause of disruptions
but about preparing for the consequences
BCM is not about predicting the cause of disruptions
but about preparing for the consequences
11
BANK=
- Buildings
- People
- IT
- Suppliers
- Capital
- Clients
18. Black Swan theory
There are known knowns; there are things we know we
know.
We also know there are known unknowns; that is to say we
know there are some things we do not know.
But there are also unknown unknowns – there are things we
do not know we don't know. ”
—United States Secretary of Defense Donald Rumsfeld
The likelihood of
something very unlikely
happening is very likely
19. No business means: Impact
A. loss of revenues & loss of opportunities
19
21. • BCM is about continuity of Business, which requires
– Office
– People
– IT
– Capital
– Third parties
• BCM is not about predicting the cause, but preparing for the consequence. However…
• Impact can be financial
– Immediate loss
– Missed opportunities
• Impact can be non-financial
– Reputation
– Legal
– Regulatory / compliance
• Impact can be upstream / downstream: Dependencies
Recap: some principles
21
22. 1. Financial Sector is vital to society – National Financial Authorities
• MAS; HKMA; FSA; FAS; ECB; FED; Etc. etc. etc.
• ORM standards / Basle-III capital requirements
• Information Security standards
2. BCM as “Insurance policy”; or…
3. Resilience as quality attribute of banking services
Motivation to do BCM
25. 1. Crisis Management Team
The BCM Methodology
25
2. Setting Priorities
(Business Impact Analysis)
3. Plan a response
(Business Continuity Plan)
4. Build the facilities
(Alternative work space & IT-
DR)
5. Test & exercise
the plans and facilities
6. Embedding into the organization
26. • CMT
• The CMT plan
• The Command Center
• The CMT scenario exercise
• Emergency communication: the Call Tree
Step 1 Building a
Crisis Management Team (CMT)
26
27. An objective Analysis of all units:
1. What are the processes & activities
2. How much will it cost if you cannot do your activity
– Per timeslot
– Financial / non-financial
3. What are the minimal requirements to continue doing what you’re
doing
– Per timeslot
– Office space, people, IT, other
4. Dependencies
– Upwards & downwards
Based on consolidation of this, the time-critical priorities become
clear
Step 2 – Priorities.
The Business Impact Analysis (BIA)
27
29. • Business Continuity Plans: Practical ‘runbook’ specifying:
– Continuity Strategy
– Response organization and special mandates
– Communication procedures
– List of activities to be recovered first
– Invocation procedures of alternative facilities and DR
– Practicalities like Transportation options
– Cash provisions
– Emergency passwords, security & compliance waivers
– Resources and Systems that can be expected available in DR-mode
– Restoration plan: procedure to return to Business-as-Usual
• Evacuation and people safety plan
• Communication Plan
– Communication messages for the key stakeholders: clients, staff, authorities, shareholders, media, public
• Special plans – where applicable
– Pandemic diseases
– Earth quake
– Typhoon
– Monsoon
– Bank run
Step 3: Business Continuity Plan (BCP):
What are we going to do?
29
30. 30
BCP - I
• Facilities
– Alternate Site, perhaps Engage external service provider
– Split Site: Reciprocal arrangement (where possible) or
Service office rental
– Remote Working: Ability to work outside of SG premises
via remote access*
• People
– Backup Team, Formed from within the country or
regional / global
– Split Site, Staff working from the unaffected sites
– Rotating Shift Team, Staff working in rotating shift
• Vital Records
– Offsite Backup e.g. backup tapes sent offsite, copy files to
backup server, replicate hardcopy and send offsite
– Reconstruct From Source: Obtain source documents for
reconstruction
• IT Systems
– Data-Centre hosting: Disaster Recovery system
(hardware,software) at another location; Active-Active
Configuration, etc..
– Alternate Workaround Procedures: Continue to operate
around the system eg using hardcopy files, log trading
deals in the paper blotter, and transaction slips
• Dependencies
– Reduce Concentration Risk : Engage two or more service
providers capable of deliver the required service
– Switch to alternate service provider
– Take over the activities from the service provider
Continuity strategies
32. • In Hong Kong:
– Around 172 Work Area Recovery seats
– IT –DR of critical applications and data. Many
applications in Tokyo
• Other possible facilities:
– Remote-working
– Face masks
– Satellite phones
– Automated Call tree tools
– Mini-booklets
– etc
Step 4. Facilities
32
33. • Testing AND Exercise
• Component test, BU test and Business Integration Test
– Coordination with IT and Admin, plus end-users
– Test scenario, test script & test case development
– Monitor test findings & follow-up
5. Testing
33
34. • Awareness & training
• Sense-of-urgency
• Responsibility
• Organization
6. Embedding into the organization
34
35. 1. Crisis Management Team
The BCM Methodology
35
2. Setting Priorities
(Business Impact Analysis)
3. Plan a response
(Business Continuity Plan)
4. Build the facilities
(Alternative work space & IT-
DR)
5. Test & exercise
the plans and facilities
6. Embedding into the organization