This document discusses business continuity management (BCM) in the banking industry. It begins with key BCM concepts like having crisis management teams, conducting business impact analyses to determine priorities, creating business continuity plans, building alternative facilities, testing plans through exercises, and embedding BCM into the organization. It then discusses Nomura's BCM methodology in more detail, including establishing a crisis management team and emergency response plan. The document emphasizes that while BCM aims to prepare for consequences of disruptions, the causes themselves may be unpredictable. It also notes that disruptions can impact a bank's buildings, people, IT systems, suppliers, capital, and clients.

1. BCM in Banking Industry
Willem A. Hoekstra, M, MBA, MBCI, BCCE
Regional head of BCM and Corporate Security
Asia ex Japan
Nomura International (Hong Kong)

2. Table of contents
1.Concepts
2.Methodology

3. We ♥ Crises
Executive Summary
危
機

4. • 1. Concepts
The principles of Business Continuity Management

5. • BCM = ORM
• BCM = IT
• BCM = alternative seating /
Corporate Services
• BCM = Security
• BCM = IT Security
• BCM = BCP
• BCM = Evacuations
• BCM = Call tree
• BCM = Testing
• BCM = Crisis Management
• BCM = 2013
• BCM = $$$
• BCM = Corporate Communications
• BCM = Operations
• BCM = Avian Flu Pandemic
What is BCM
5

6. • Preparing a response
to unexpected
disruptions
BCM
6

7. BCM = 2013 ?
7

8. • December 25, 1925
• Higher risk?
– 9/11?
– Global warming
– IT-dependency and integrated
global processes: small glitches
can have massive & immediate
financial impact
– Processes are ‘cutting-edge’,
more sensitive
– Media & communication much
faster Reputation loss in
minutes
Why Now?
8

9. Unless IT is your business,
Business Continuity is not (only) IT!
9

10. Can we meet the commitment to
our customers
10

11. BCM is not about predicting the cause of disruptions
but about preparing for the consequences
BCM is not about predicting the cause of disruptions
but about preparing for the consequences
11
BANK=
- Buildings
- People
- IT
- Suppliers
- Capital
- Clients

12. Buildings
12

13. People
13

14. IT
14

15. IT
15

16. Capital
16

17. Third parties
17

18. Black Swan theory
There are known knowns; there are things we know we
know.
We also know there are known unknowns; that is to say we
know there are some things we do not know.
But there are also unknown unknowns – there are things we
do not know we don't know. ”
—United States Secretary of Defense Donald Rumsfeld
The likelihood of
something very unlikely
happening is very likely

19. No business means: Impact
A. loss of revenues & loss of opportunities
19

20. B. Non-financial impact:
loss of reputation, legal claims, regulatory problems
20
Nomura is a bank

21. • BCM is about continuity of Business, which requires
– Office
– People
– IT
– Capital
– Third parties
• BCM is not about predicting the cause, but preparing for the consequence. However…
• Impact can be financial
– Immediate loss
– Missed opportunities
• Impact can be non-financial
– Reputation
– Legal
– Regulatory / compliance
• Impact can be upstream / downstream: Dependencies
Recap: some principles
21

22. 1. Financial Sector is vital to society – National Financial Authorities
• MAS; HKMA; FSA; FAS; ECB; FED; Etc. etc. etc.
• ORM standards / Basle-III capital requirements
• Information Security standards
2. BCM as “Insurance policy”; or…
3. Resilience as quality attribute of banking services
Motivation to do BCM

23. 23

24. 2. Methodology
The profession of Business Continuity Management

25. 1. Crisis Management Team
The BCM Methodology
25
2. Setting Priorities
(Business Impact Analysis)
3. Plan a response
(Business Continuity Plan)
4. Build the facilities
(Alternative work space & IT-
DR)
5. Test & exercise
the plans and facilities
6. Embedding into the organization

26. • CMT
• The CMT plan
• The Command Center
• The CMT scenario exercise
• Emergency communication: the Call Tree
Step 1 Building a
Crisis Management Team (CMT)
26

27. An objective Analysis of all units:
1. What are the processes & activities
2. How much will it cost if you cannot do your activity
– Per timeslot
– Financial / non-financial
3. What are the minimal requirements to continue doing what you’re
doing
– Per timeslot
– Office space, people, IT, other
4. Dependencies
– Upwards & downwards
Based on consolidation of this, the time-critical priorities become
clear
Step 2 – Priorities.
The Business Impact Analysis (BIA)
27

28. 28
Online BIA

29. • Business Continuity Plans: Practical ‘runbook’ specifying:
– Continuity Strategy
– Response organization and special mandates
– Communication procedures
– List of activities to be recovered first
– Invocation procedures of alternative facilities and DR
– Practicalities like Transportation options
– Cash provisions
– Emergency passwords, security & compliance waivers
– Resources and Systems that can be expected available in DR-mode
– Restoration plan: procedure to return to Business-as-Usual
• Evacuation and people safety plan
• Communication Plan
– Communication messages for the key stakeholders: clients, staff, authorities, shareholders, media, public
• Special plans – where applicable
– Pandemic diseases
– Earth quake
– Typhoon
– Monsoon
– Bank run
Step 3: Business Continuity Plan (BCP):
What are we going to do?
29

30. 30
BCP - I
• Facilities
– Alternate Site, perhaps Engage external service provider
– Split Site: Reciprocal arrangement (where possible) or
Service office rental
– Remote Working: Ability to work outside of SG premises
via remote access*
• People
– Backup Team, Formed from within the country or
regional / global
– Split Site, Staff working from the unaffected sites
– Rotating Shift Team, Staff working in rotating shift
• Vital Records
– Offsite Backup e.g. backup tapes sent offsite, copy files to
backup server, replicate hardcopy and send offsite
– Reconstruct From Source: Obtain source documents for
reconstruction
• IT Systems
– Data-Centre hosting: Disaster Recovery system
(hardware,software) at another location; Active-Active
Configuration, etc..
– Alternate Workaround Procedures: Continue to operate
around the system eg using hardcopy files, log trading
deals in the paper blotter, and transaction slips
• Dependencies
– Reduce Concentration Risk : Engage two or more service
providers capable of deliver the required service
– Switch to alternate service provider
– Take over the activities from the service provider
Continuity strategies

31. 31
BCP - II

32. • In Hong Kong:
– Around 172 Work Area Recovery seats
– IT –DR of critical applications and data. Many
applications in Tokyo
• Other possible facilities:
– Remote-working
– Face masks
– Satellite phones
– Automated Call tree tools
– Mini-booklets
– etc
Step 4. Facilities
32

33. • Testing AND Exercise
• Component test, BU test and Business Integration Test
– Coordination with IT and Admin, plus end-users
– Test scenario, test script & test case development
– Monitor test findings & follow-up
5. Testing
33

34. • Awareness & training
• Sense-of-urgency
• Responsibility
• Organization
6. Embedding into the organization
34

35. 1. Crisis Management Team
The BCM Methodology
35
2. Setting Priorities
(Business Impact Analysis)
3. Plan a response
(Business Continuity Plan)
4. Build the facilities
(Alternative work space & IT-
DR)
5. Test & exercise
the plans and facilities
6. Embedding into the organization

36. Budget
36