This document provides an overview of Alpha Bank Group's implementation of the ISO22301 business continuity standard and hints for successful implementation. Key points include: - Alpha Bank Group is one of the largest banks in Greece with over 17,000 employees across various international subsidiaries. - Alpha Bank's key operations in Greece and Romania have been certified under ISO22301, including over 1,300 employees. - Successful implementation requires obtaining executive support, defining roles and responsibilities, conducting risk analysis, assessing business impact, developing continuity strategies and plans, and regularly testing plans through exercises. - Hints are provided for each phase of implementation including project management, risk analysis, business impact analysis, developing continuity strategies and response plans,

1. 1
ISO22301 BCMS Implementation and Sharing of BCM Best Practices for an European Bank
Stelios Aronis, BCCLA
Head of Business Continuity
Alpha Bank Group

2. 2Alpha Bank Group Overview:
•Alpha Bank s.a. founded in 1879
•One of the largest banks in Greece:
17.655 Employees (Greece: 11.911, International: 5.744)
Over 1.000 service points (Branch Network)
One of the highest capital adequacy rations in Europe.
•International subsidiaries:
i.Albania
ii.Bulgaria
iii.Cyprus
iv.F.Y.R.O.M
v.Romania
vi.Serbia
vii.United Kingdom
•11 Subsidiaries in Greece (Investment Banking / Asset Management, Venture Capital, Leasing/Factoring, Insurance, Athens Hilton Hotel, etc)
•Recently acquired consumer banking business of Citibank International Plc in Greece, including Diners Club. Our Values: Quality at work, Quality in communication, Meritocracy, Moral Standards, CreativityOur Vision: To be a bank of reference in Southeastern EuropeOur Aim: To provide high-quality services and pioneering products

3. 3IS022301 –BCMS Certification:
•Alpha Bank s.a. (parent company):
Information Technology (including Data centers)
Financial Markets –Treasury
Back Office Operations: Funds Transfer operations / Cheques clearing / Treasury Back Office / Loans Administration / International Trade / Custody & Shareholders Registry / Cash Centers/ Alternative Networks Support / Private Banking Support.
•Alpha Supporting Services:IT Infrastructure management and operation for Alpha Bank Group Subsidiaries in Greece and Abroad
•Alpha Bank Romania:IT, Treasury, Back Office Operations (certification project in progress) Number of Personnel in sectors certified with ISO22301, exceeds 1300 people.
Same BCM Methodology and procedures are applied to all Units of the Alpha Bank Group

4. CRITICAL FUNCTIONSBUSINESS CONTINUITY PLANDISASTER RECOVERY PLAN
CRISIS MANAGEMENTEVACUATION PLAN
PEOPLE / RESOURCES
THREAT REMEDIATIONRISK ASSESSMENTCATASTROPHIC EVENTTELECOMMS DISRUPTIONFLOOD / EARTHQUAKEFIRE4HINTS ON SUCCESSFUL IMPLEMENTATION OF A BCMS

5. BCM METHODOLOGY –ISO22301
PROJECT MANAGEMENTRISK ANALYSIS AND REVIEWBUSINESS IMPACT ANALYSISBUSINESS CONTINUITY STRATEGY
PLAN
DEVELOPMENT
5
TESTING AND EXERCISING
PROGRAM MANAGEMENT

6. 6HINTS –PROJECT MANAGEMENT PHASEObtain Executive Management support and commitment:
BCM Project Sponsor: Alpha Bank’s COO, member of Executive Board
Project Steering Committee: Divisions’ Heads: Organization, Risk, IT, Information Security, International Network
ProjectManager: Head of Group BCM Office
Country Project Sponsor: IT & Operations Head (or COO) Resources:
Group BCM Office: Central Point of communication and support
Company BCM Offices/Coordinators(International Network)
Business Unit BCM Coordinators
External Consultants (optional)

7. 7HINTS –PROJECT MANAGEMENT PHASEProject Definition Document: Indicative contents:
Project Definition: Vision, Scope, Objectives, Deliverables
Project Organization: Roles and Stakeholders, Communication Plan to Stakeholders (frequency of reporting, meetings, etc), Responsibilities per Role
Project Plan / Milestones
Project Considerations / Risks:
Resourcing issues
Project Dependencies (e.g. centralized systems)
Country (local) Risks (e.g. premises availability)
Legal / Compliance Issues

8. BCM METHODOLOGY –ISO22301
PROJECT MANAGEMENTRISK ANALYSIS AND REVIEWBUSINESS IMPACT ANALYSISBUSINESS CONTINUITY STRATEGY
PLAN
DEVELOPMENT
8
TESTING AND EXERCISING
PROGRAM MANAGEMENT

9. 9HINTS –RISK ANALYSIS PHASERisk Management Process (based on ISO 31000): RISK IDENTIFICATIONRISK ANALYSISRISK EVALUATIONRISK ASSESSMENT: RISK TREATMENTAPPROVAL BY OPERATIONAL RISK COMMITTEE OR EXECUTIVE BOARD!!!
RCSA –Risk Control Self Assessment (BU Level)
Threat & Risk Assessment (Organization Level)
Premises & Physical Security
IT / Information Security / Data Backup
Critical Vendors / Service Providers (Outsourcing)
Personnel Awareness on emergency proceduresESTABLISH CONTEXTRe-evaluate residual risk after Risk Treatment Plan implementation

10. BCM METHODOLOGY –ISO22301PROJECT MANAGEMENT
RISK ANALYSIS AND REVIEW
BUSINESS IMPACT ANALYSISBUSINESS CONTINUITY STRATEGYPLANDEVELOPMENT10TESTING AND EXERCISINGPROGRAM MANAGEMENT

11. 11HINTS –BIA PHASE
•RTO (Recovery Time Objective)Definition: The maximum acceptable time interval within which an operation/business function must be resumed, so that there is no severe impact to the Organization.
•RTO Scale:
Same Day (1 or 8 hours)
Next Day (24 hours)
Within 3 Days
Within a Week
•METHODOLOGY:
Data Collection and impact assessment
Data Validation
I.Data Completion Check
II.RTO Validation against:
oGroup RTO in respective or similar activities (benchmark)
oPrevious year’s RTO of the respective Function / Activity
oIndustry RTO Benchmarks (provided by external consultants) (any RTO variations should be justified by the Business Units)
Final Confirmation by each Business Unit before formal issuance

12. 12HINTS –BIA PHASECritical Business functions (“same day” recovery)
•IT Infrastructure Management and Operations (Data Center)
•Funds Transfers / Payments(Incoming, Outgoing)
•LoansBackOffice
•International Trade
•Clearing(Cheques, Securities& Derivatives)
•Trading (Front Office, Back Office and Controls over Limits)
•Instant Credit (Loan Authorizations)
•Relationship Management (Corporate/Private Banking, Shipping, etc.)
•Customer Service / Help Desk
•Credit Cards: Lost & Stolen Declaration /Transactions Authorizations and Disputes Resolution

13. BCM METHODOLOGY –ISO22301PROJECT MANAGEMENT
RISK ANALYSIS AND REVIEW
BUSINESS IMPACT ANALYSISBUSINESS CONTINUITY STRATEGYPLANDEVELOPMENT13TESTING AND EXERCISINGPROGRAM MANAGEMENT

14. 14HINTS –B.C. STRATEGY PHASEHOT SITEWARM SITE / DISPLACEMENTCOLD SITE3 Days or more“Next Day” recovery
“Same Day” recovery
DEFINITIONS:
•HOT SITE: Fully equipped and preconfiguredfacilities which can be used for instant recovery of business operations
•WARM SITE:Equipped but not preconfigured facilities. PCs are installed but require configuration before use
•COLD SITE: Non equipped but “wired” empty space.

15. BCM METHODOLOGY –ISO22301
PROJECT MANAGEMENTRISK ANALYSIS AND REVIEWBUSINESS IMPACT ANALYSISBUSINESS CONTINUITY STRATEGYPLANDEVELOPMENT15TESTING AND EXERCISINGPROGRAM MANAGEMENT

16. 16HINTS –PLAN DEVELOPMENT PHASEBCP GOVERNANCE: Emergency Management TeamInitial Response Team
D.R.
CoordinatorTECHNICAL TEAMS (Systems, Databases, Networks)
Business Recovery Teams
B.C. CoordinatorEmergency Support TeamEach team has specific roles and responsibilities that are documented in the Business Continuity Plan.

17. BCM METHODOLOGY –ISO22301PROJECT MANAGEMENTRISK ANALYSIS AND REVIEWBUSINESS IMPACT ANALYSISBUSINESS CONTINUITY STRATEGYPLANDEVELOPMENT17TESTING AND EXERCISING
PROGRAM MANAGEMENT

18. 18
HINTS –EXERCISING AND TESTINGTesting Scenarios:
•Scenario1: Accessto premises is not feasible, but application and communication systems are intact
•Scenario 2: Accessto premises is not feasible and also the application and communication systemsare not available (DR also activated)
•Scenario 3: Premises are available for use, but application and communication systemsare not available (DR activation)
•Scenario 4: More than 20% of the Personnel is not available for a period more than a week(e.g. due to Pandemic)
•Scenario 5: Interruption in the operations of a critical service provider
Internal Audit to be present in tests as an independent observer
Record test details and results (use of template)
Update Senior Management regularly on test results /corrective actionsAvoid Disruptions Caused by Plan Misuse!!!! Key Points:

19. BCM METHODOLOGY –ISO22301PROJECT MANAGEMENTRISK ANALYSIS AND REVIEWBUSINESS IMPACT ANALYSISBUSINESS CONTINUITY STRATEGYPLANDEVELOPMENT23TESTING AND EXERCISINGPROGRAM MANAGEMENT

20. 24HINTS –PROGRAM MANAGEMENTFOCUS ON CONTINIOUS IMPROVEMENT MAINTAINANCE & REVIEW
Perform Internal Audits (ensure objectivity)
Set goals / Monitor near misses
Review / improve the Plan and the BCMSCOMPETENCE & AWARENESS
Enhance BCM culture to the Organization
Train and Educate Personnel (use of external certification bodies )

21. 25THANK YOU FOR YOUR ATTENTION