Korean Banks’ Efforts to Prepare for BCP: Effective Operational Risk Management
1. Korean Banks’ Efforts to Prepare for BCP:
Effective Operational Risk Management
27th August 2007
Yeong Sik Ohn
Head of New Basel Accord Office,
Financial Supervisory Service
2. Table of Contents
1 BCP as a means to manage operational risk
2 Korean banks’ awareness and readiness of BCP
3 ‘Supervisory Guidelines for BCP’ by the FSS
4 Tasks ahead for Korean banks in building BCP
3. 1. BCP as a means to manage operational risk
◈ Business Continuity Planning [Management] :
A whole-of-business approach that includes policies,
standards, and procedures for ensuring that specified
operations can be maintained or recovered in a timely
fashion in the event of a disruption. Its purpose is to
minimise the operational, financial, legal, reputational and
other material consequences arising from a disruption.
- High-level principles for business continuity (BCBS, August 2006)
[Figure: BCP concept and DRP concept. Labels: Business Part, Other, IT Part, Disaster Recovery Part]
4. ◈ Operational Risk Management vs. BCP/BCM (1)
[Figure: Loss Distribution of Operational Risk. Axes: Frequency, Severity. Regions: Bank’s Expense Coverage area, Insurance Coverage area, BCP and Capital Coverage area. Markers: Expected Loss level, Insurance Coverage level]
5. ◈ Operational Risk Management vs. BCP/BCM (2)
Scope
- ORM: Firm-wide business process
- BCP/BCM: Disruption of core businesses/core activities
Purpose
- ORM: To minimise the operational risk
- BCP/BCM: To minimise the impact to businesses due to operational disruptions
Process
- ORM: Identify, Assess/Measure, Monitor, Report, Control
- BCP/BCM: Prevent, Prepare, Respond, Restore, Pilot test, Maintain
6. 2. Korean banks’ awareness and readiness of BCP
◈ Limited BCP focusing on IT Disaster Recovery Planning
- Only a few banks have firm-wide BCP
- Gap exists in awareness and capability of BCP among
business units
◈ Various kinds of Contingency plans different in scope,
purpose and procedure
- Fire Protection Plan, War Emergency Plan, Contingency
Plans in business unit level
- No control tower for all contingency plans
- The scarcity of the detailed guidelines and information
- The lack of prevention/preparation functions
7. ◈ Contingency Plans for Disaster (AS-IS)
1. Disaster Recovery Plan
- FSS requires DRC (Disaster Recovery Center) (Jan. 2004)
- Focusing on IT system only
2. War Emergency Plan and Fire Protection Plan
- To protect tangible assets & people and to minimize loss
3. Contingency Plans in business unit level
- Scope, purpose and method differ depending on who made the plan
8. ◈ BCP for Disaster (TO-BE)
[Figure: BCP, with DRP, War Emergency Plan, Fire Protection Plan and Other Contingency Plans]
9. 3. ‘Supervisory Guidelines for BCP’ by the FSS
◈ Governance for BCP
(Board and Senior Management)
- The ultimate responsibility for the Business Continuity Plan
and the effectiveness of BCP
(BCP Function)
- To manage the entire process of BCP
- To assist the Board and Senior Management
(Independent Review Function)
- To review the effectiveness of BCP and compliance
of all levels of staff
- To conduct periodic review of BCP : at least annually
10. ◈ BCP Development Steps
[Figure: BCP development steps. Labels: Risk Analysis, Business Impact Analysis, BCM Strategy, Business Continuity Plan, Testing, Feedback]
11. ◈ Risk Analysis
- To identify the various potential risk factors and
their order of priority in the event of a disruption
- To assess the existing control means for risk factors
◈ Business Impact Analysis
- To identify critical business services and functions
to be delivered in the event of a disruption
- To determine the order of priority, Recovery Time
Objective, Recovery Point Objective, etc.
12. ◈ BCM strategy Formulation
- To formulate recovery strategies for continuity of
critical business services and functions in the event
of a disruption
- Including BCM Model, alternate site, recovery personnel,
office facilities, technology requirements, etc.
◈ Business Continuity Plan (BCP) Development
- To provide detailed guidance and procedures to respond to
and manage a crisis
- Including Crisis Management Plan (crisis management
team, crisis management process, communication
strategy), Business Resumption Process, Technology
Recovery, Vital Record Management, etc.
13. ◈ Alternate Sites
- To establish the recovery sites for continuity of critical
business services/functions and technology recovery
- Alternate sites should be sufficiently distanced to avoid
being affected by the same disaster
◈ Testing
- To ensure that the BCP is operable
- To verify the awareness and preparedness of staff
- The scope of testing
ㆍstaff evacuation and communication arrangement
ㆍalternate sites, recovery services provided by vendors
ㆍlinkage of back-up IT systems, recovery of vital records
- To conduct testing of BCP at least annually
14. 4. Tasks ahead for Korean banks in building BCP
◈ Active involvement of the BOD and senior management
- Essential to Firm-wide BCP
◈ Linkage with the various kinds of contingency plans
- DRP, Fire Protection Plan, War Emergency Plan, etc
◈ Modifications through periodic testing
- Update their business continuity plan, as appropriate.
◈ BCP for other financial sectors
- Sharing experience with securities firms, insurance firms, etc.