De Nederlandsche Bank Eurosysteem
Business Continuity and Crisis Management
Michael van Doeveren and Paul Osse Conference Financial Sector of Macedonia on Payments and Securities Settlement Systems
Ohrid 23 June 2008
De Nederlandsche Bank
De Nederlandsche Bank Eurosysteem
Agenda
Introduction The Dutch situation DNB Assessment Framework Concepts of crisis management Arrangements and initiatives in the Netherlands
The Escalation Committee for Payments and Securities Government initiatives on Critical Infrastructure Protection:
Dutch Counterterrorism Alert System International context Concluding remarks Questions
De Nederlandsche Bank Eurosysteem
What is Business Continuity?Business Continuity Management: a whole-of-
business approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption.
Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption
Source: BIS 2005
De Nederlandsche Bank Eurosysteem
BCP in an international contextThe American White Paper on Sound
Practises to strengthen the Resilience of the US Financial System
The Tripartite Standing Committee on Financial Stability
Bank of Japan resilience plansInitiatives of the EurosystemJoint Forum/Financial Stability
Forum/BIS/CPSS’ work
De Nederlandsche Bank Eurosysteem
The Dutch situation
Small country, few large banks
DNB is both central bank and prudential supervisor for banks, pension funds and insurance companies
Financial core infrastructure for Payments and Securities, in NL defined as: Central bank CSD (Euroclear Netherlands) CCP (LCH.Clearnet SA) Stock exchange (NYSE Euronext Amsterdam) ACH (Equens Netherlands) Major banks (a.o. ABN AMRO, Fortis, ING, Rabobank)
De Nederlandsche Bank Eurosysteem
DNB BCP Assessment Framework
De Nederlandsche Bank Eurosysteem
DNB BCP Assessment Framework (1)
First version in 2004, new version in 2007; Drafted in cooperation with the financial institutions Commitment to use it on a high level Assessment Framework consists of
9 ‘principles’ Guidance note Human Factor Agreement between DNB and the financial sector for joint BCP initiatives
In line with international principles such as BIS Used by supervisor and overseer to assess the institutions
of the financial core infrastructure against these principles
De Nederlandsche Bank Eurosysteem
DNB BCP Assessment Framework (2)
1. BCP should be approved by the EB/senior management
2. Risk analyses of critical systems and activities should be made
3. Explicit attention should be paid to the human factor
De Nederlandsche Bank Eurosysteem
DNB BCP Assessment Framework (3)
4. Each institution should have a crisis organisation, including senior management
5. Single points of failure (SPOFs) should be identified
6. Critical processes and systems should be resumed as quickly as possible
De Nederlandsche Bank Eurosysteem
DNB BCP Assessment Framework (4)
7. A back-up site/secondary site should be available
8. Alternate systems and contingency procedures should be regularly tested and exercised
9. Each institutions should have a communication plan for all stakeholders
De Nederlandsche Bank Eurosysteem
Guidance Note Human factor
Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor
DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required (specific in the extreme, highly specific, specific, not very specific, not specific)
Matrix with level of required knowledge and human factor strategy see www.dnb.nl – payments - BCP
De Nederlandsche Bank Eurosysteem
GUIDANCE NOTE REGARDING IMPLEMENTATION CONTINUITY OF THE HUMAN FACTOR FOR CRITICAL SYSTEMS/ BUSINESS PROCESSES
De Nederlandsche Bank Eurosysteem
Required Knowledge
Specific in the extreme. Highly specific. Specific. Not very specific. Not specific.
De Nederlandsche Bank Eurosysteem
Ways of ensuring staff continuity
1. double staffing at another location
2. planned scheduling days off
3. shift work
4. use of staff from another location where a similar situation is operational
5. use of staff from another location where a similar situation is not operational
Required level of knowledge of systems/business processes
specific in the extreme (a)
red
highly specific (b)
specific (c)
not very specific (d) green
not specific (e)
De Nederlandsche Bank Eurosysteem
Concepts of crisis management (for payments)
De Nederlandsche Bank Eurosysteem
Concepts of crisis managementfor the payment system (1)
Basic assumption Payments can be regarded as what oil is for an engine Continuity of payments is essential for both the public
and the financial system.
Consequences Measures should be implemented that guarantee
business continuity of the payment system Implementation of a crisis management structure to
prevent contagion and limitation the risks as for as possible
De Nederlandsche Bank Eurosysteem
Concepts of crisis managementfor the payment system (2)
Crisis management preconditions Involvement required of critical participants of the whole
payment system Focus the continuation of the operation of the whole
payment chain.
Implementation Formation of crises management team Prepare organisation. Discuss objectives, define concept
crisis management, investigate objects, invest existing measures, define effectiveness measures, investigate alternatives
Prepare and perform tests. Both internal and sector wide. (include suppliers of critical services and local and national government)
De Nederlandsche Bank Eurosysteem
Arrangements and initiatives in the Netherlands
The Escalation Committee for Payments and Securities
De Nederlandsche Bank Eurosysteem
Escalation Committee history: Why
Escalation Committee established around the euro- introduction in 1999
Stand-by at millennium To cooperate in case of problems
WHEN something could happen was rather clear
Today: The issue is back on the agenda Overall agreement that sector-wide coordination and cooperation is
needed to handle (operational) crises in payments and securities.
You need each other in times of crisis! WHEN is not clear Escalation Committee is Crisis management
organisation for payments and securities
De Nederlandsche Bank Eurosysteem
Escalation Committee - Who The Dutch financial core infrastructure:
Market infrastructures: Central bank, ACH, Stock Exchange, CSD, CCP
Major banks (a.o. ABN Amro, ING, Rabobank, Fortis)
Other members: Dutch banking association, representing other banks, scheme owner payment products
DNB is chairman and secretary, and linking pin ot other authorities
Members have decision-making mandate of their organisation for payments and securities issues
Escalation Committeeon
Payments andSecurities
of the core financialinfrastructure
ABNAmroING
Rabobank
Fortis
SNS
KasBank
BNG
LCH.Clearnet
NYSEEuronext
EquensNL
DNB
EuroclearNL
NVBOther banks
AFM MinFin
Public
ECB,NCB´s
Currence
De Nederlandsche Bank Eurosysteem
Escalation Committee – What
Crisis management Respond to payments and securities sector-wide
(major) operational crises: procedures regarding (one voice) communication, decision making etc.
Members of the committee are linking pin to their own crisis organisations
´Sector BCM´ ´Peace time´ preparation for times of crises; plans, good
overview of critical processes for the sector, alternatives and possibilities in case of a crisis, communication, knowing each other
De Nederlandsche Bank Eurosysteem
Escalation Committee - When
When market infrastructures or banks have a crisis, might not meet their Recovery Time
Objectives (RTO) or when individual measures are
insufficient, this can have sector-wide impact. The chairperson of the Escalation Committee
needsto be notified.
When outside-in crises (flood, pandemic, etc) have
impact on more than one institution in the field of payments and securities, the Escalation Committee needs to assess the sector impact.
De Nederlandsche Bank Eurosysteem
Escalation model
Crisismanagement
individual institutions
Escalation Committee crisismanagement
Alert Scaling
Executive crisismanagement
Impact forpayments and
securities
Activation
Chairperson Escalation Committee
Type of crisisLocal Global
Large
Small
De Nederlandsche Bank Eurosysteem
Escalation Committee – How
“Red Booklet” contains information about: Crisis management, communication
and decision making procedures Wholesale, retail, securities
alternatives
However, not many viable alternatives: Possible alternatives based on rerouting of key processes:
CLS, TARGET1/2, EBA, correspondents Cash/ATM´s, mass payments, one-off
direct debit Bilateral accounts for OTC etc.
In practice: combination of emergency proceduresof the different parts of the chain
At the moment no viable alternative for SWIFT
Communication and trust is key!
De Nederlandsche Bank Eurosysteem
Payment flows from andto the institutions
themselves and/or theirclients
EURO1 (EUR)
TARGET/local TARGETcomponents/TARGET2
(EUR)
SWIFT
CLS (EUR and non-EUR))
Correspondent Banking(EUR and non-EUR)
Institutions Transport Payment circuit/system
Example – Wholesale (1)
De Nederlandsche Bank Eurosysteem
Example – Wholesale (2)
The following were regarded as the most important wholesale payments (per bank):
CLS incoming (and outgoing) payments MM and FX transactions Liquidity transfers to/from offices/agents abroad EBA settlement payments and liquidity swaps Payments for the clearing and settlement of securities Critical payments for clients (corporates, pension funds) ´Margin calls´ (collateral for securities clearing)
Broadly speaking, around 20-30 critical payments per bank per dayIn case of one bank’s failure, this can be processed manuallyIn case of TARGET2 failure, strict rules apply; only ‘very critical payments’
can be processed
De Nederlandsche Bank Eurosysteem
Arrangements and initiatives in the Netherlands
Government project on critical infrastructure protection (CIP)
De Nederlandsche Bank Eurosysteem
CIP in the Netherlands
Government project on critical infrastructure protection was started in 2004
In cooperation with the private sector, the government defined 12 infrastructures as critical: airports, public transport, energy, health care, etc.
Payments and securities processing is one of them
Follow up of the project in 2004, among others: Counterterrorism Alert System
De Nederlandsche Bank Eurosysteem
Dutch Counterterrorism Alert System (1)
Set up by the government in 2005 to ‘alert’ critical infrastructures in the event of heightened terrorist threat
Measures to be taken quickly in order to minimise the risk and to limit the potential impact of terrorist acts.
Cooperation between the government and private sectors
More than 10 sectors are currently connected (a.o. airports, harbours, public transport, oil and gas, etc.)
Financial core infrastructure (including Netherlands Bankers´ Association representing the other banks) connected as of May 1, 2006
De Nederlandsche Bank Eurosysteem
Dutch Counterterrorism Alert System (2)
Four levels of threat: standard, low, moderate, high
Each level comes with its own set of (additional) security measures, both for the sector and for the government
Government and sector agree together on the measures to be taken
Contacts with local authorities very important
Workshops, tests and exercises are organised per sector
De Nederlandsche Bank Eurosysteem
Experiences Counterterrorism Alert System
Formalised (communication) procedures to inform the sector about threats
Increased cooperation and information sharing within the financial sector in the area of security and with other sectors (such as energy and telecom)
Improved contacts and cooperation with local authorities and other stakeholders (police, community, fire brigade, neighbour companies etc.): who is doing what and going where in times of crisis?
De Nederlandsche Bank Eurosysteem
Exercising experienceThink BIG, start SMALL
For Escalation Committee and Counterterrorism Alert System exercises increase in complexity and depth:
Connectivity/communication tests: several times a year Crisis management workshops: Discussion, based on
scenario Table top exercises: simulation with ‘real play’ Large scale government exercise regarding ICT and
cybercrime Operational exercise where security measures are taken
for real Next step: complete market wide exercise?
De Nederlandsche Bank Eurosysteem
International context for business continuity in payments and securities
“Dutch” market infrastructure is hardly Dutch anymore
This is due to the consolidation trend and the battle for efficiency
Not only for commercial institutions, but also for central banks
An operational crisis in Brussels/Frankfurt/Paris may impact the Dutch market more than a local crisis in Amsterdam
De Nederlandsche Bank Eurosysteem
Increasing (need for) interaction & cooperation
Linked to ESCB crisis management
Co-ordinated communication with market infrastructures en major participants
Possible international solutions to “domestic” problems Central banks can help each other
Solving problems in cooperation
De Nederlandsche Bank Eurosysteem
Concluding remarks
Regular assessments work!
Increase your level of resilience by Control – Top level commitment Coordination – Central bank/regulator roleCooperation – Financial core infrastructureCommunication – All stakeholders, both national and
international
Exercising keeps BCP alive
Human factor is key for everything
De Nederlandsche Bank Eurosysteem
Questions
www.dnb.nl / payments / BCP