De Nederlandsche Bank Eurosysteem
Business Continuity Planning and Crisis Management & Principles for Financial Market Infrastructures
Michael van Doeveren
4th Conference on Payments and Securities Settlement
Ohrid, Republic of Macedonia
22 June 2011
Contents
Introduction
DNB Assessment Framework Business Continuity Planning
Concepts of Crisis Management
Arrangements and initiatives in the Netherlands
Concluding remarks BCP
FMI Principles
What is Business Continuity?
Business Continuity Management: a whole-of-business approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption.
Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption.
Source: BIS 2005
BCP in an international context
The American White Paper on Sound Practices to strengthen the Resilience of the US Financial System
The Tripartite Standing Committee on Financial Stability
Bank of Japan resilience plans
Initiatives of the Eurosystem
Joint Forum/Financial Stability Forum/BIS/CPSS’ work
The Dutch situation
Small country, few large banks
DNB is both central bank and prudential supervisor for banks, pension funds and insurance companies
Financial core infrastructure for Payments and Securities, in NL defined as: Central bank, CSD, CCP, Stock exchange, ACH, Major banks
DNB BCP Assessment Framework (1)
First version in 2004, current version of 2007
Drafted in cooperation with the financial institutions
Commitment to use it on a high level
Assessment Framework consists of:
  9 ‘principles’ based on international standards
  Guidance note Human Factor
  Agreement between DNB and the financial sector for joint BCP initiatives
In line with international principles such as BIS
Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles
DNB BCP Assessment Framework (2)
1. BCP should be approved by the EB/senior management
2. Risk analyses of critical systems and activities should be made
3. Explicit attention should be paid to the human factor
DNB BCP Assessment Framework (3)
4. Each institution should have a crisis organisation, including senior management
5. Single points of failure (SPOFs) should be identified
6. Critical processes and systems should be resumed as quickly as possible
DNB BCP Assessment Framework (4)
7. A back-up site/secondary site should be available
8. Alternate systems and contingency procedures should be regularly tested and exercised
9. Each institution should have a communication plan for all stakeholders
Guidance Note Human factor
Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor
DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required: specific in the extreme, highly specific, specific, not very specific, not specific
Matrix with level of required knowledge and human factor strategy: see www.dnb.nl
Crisis management
Respond to payments and securities sector-wide operational crises: procedures regarding communication, decision making etc.
‘Sector BCM’
‘Peace time’ preparation for times of crises; plans, good overview of critical processes for the sector, alternatives and possibilities in case of a crisis, communication, knowing each other
Example – Wholesale (2)
The following were regarded as the most important wholesale payments (per bank):
  CLS incoming (and outgoing) payments
  MM and FX transactions
  Liquidity transfers to/from offices/agents abroad
  EBA settlement payments and liquidity swaps
  Payments for the clearing and settlement of securities
  Critical payments for clients (corporates, pension funds)
  ‘Margin calls’ (collateral for securities clearing)
Broadly speaking, around 20-30 critical payments per bank per day
In case of one bank’s failure, this can be processed manually
In case of TARGET2 failure, strict rules apply; only ‘very critical payments’ can be processed
CIP in the Netherlands
Government project on critical infrastructure protection started in 2004
In cooperation with the private sector, the government defined 12 infrastructures as critical: airports, public transport, energy, health care, etc.
Payments and securities processing is one of them
Follow up of the project in 2004, among others: Counterterrorism Alert System
Dutch Counterterrorism Alert System (1)
Set up by the government in 2005 to ‘alert’ critical infrastructures in the event of heightened terrorist threat
Measures to be taken quickly in order to minimise the risk and to limit the potential impact of terrorist acts.
Cooperation between the government and private sectors
More than 10 sectors are currently connected (a.o. airports, harbours, public transport, oil and gas, etc.)
Financial core infrastructure connected as of May 1, 2006
Dutch Counterterrorism Alert System (2)
Four levels of threat: standard, low, moderate, high
Each level comes with its own set of (additional) security measures, both for the sector and for the government
Government and sector agree together on the measures to be taken
Contacts with local authorities very important
Workshops, tests and exercises are
Increased cooperation and information sharing within the financial sector in the area of security and with other sectors
Improved contacts and cooperation with local authorities and other stakeholders (police, community, fire brigade, neighbour companies etc.)
Exercising experience
Think BIG, start SMALL
For Crisis Management exercises increase in complexity and depth:
Connectivity/communication tests: several times a year
Crisis management workshops: Discussion, based on scenario
Table top exercises: simulation with ‘real play’
Large scale government exercise regarding ICT and cybercrime
Operational exercise where security measures are taken for real
Market wide exercises
International context for business continuity in payments and securities
“Dutch” market infrastructure is hardly Dutch anymore
This is due to the consolidation trend and the battle for efficiency
Not only for commercial institutions, but also for central banks
An operational crisis in Brussels/Frankfurt/Paris may impact the Dutch market more than a local crisis in Amsterdam
Increasing (need for) interaction & cooperation
Linked to ESCB crisis management
Co-ordinated communication with market infrastructures and major participants
Possible international solutions to “domestic” problems
Central banks can help each other
Solving problems in cooperation
Concluding remarks BCP
Regular assessments work!
Increase your level of resilience by:
  Control – Top level commitment
  Coordination – Central bank/regulator role
  Cooperation – Financial core infrastructure
  Communication – All stakeholders, both national and international
Exercising keeps BCP alive
Human factor is key for everything
Principles for Financial Market Infrastructures (FMI)
Co-production of:
  BIS Committee on Payment and Settlement Systems
  Technical Committee of the International Organization of Securities Commissions (IOSCO)
FMI Principles replace all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems
Report is for public market consultation until 29 July 2011
Final report will be published in 2012
FMI Principles (1)
General organisation
Principle 1: Legal basis
Principle 2: Governance
Principle 3: Framework for the comprehensive
Central securities depositories and exchange-of-value settlement systems
Principle 11: Central securities depositories
Principle 12: Exchange-of-value settlement systems
FMI Principles (4)
Default management
Principle 13: Participant-default rules and procedures
Principle 14: Segregation and portability
FMI Principles (5)
General business and operational risk management
Principle 15: General business risk
Principle 16: Custody and investment risk
Principle 17: Operational risk
FMI Principles (6)
Access
Principle 18: Access and participation requirements
Principle 19: Tiered participation arrangements
Principle 20: FMI links
FMI Principles (7)
Efficiency
Principle 21: Efficiency and effectiveness
Principle 22: Communication procedures and standards
FMI Principles (8)
Transparency
Principle 23: Disclosure of rules and procedures
Principle 22: Disclosure of market data
Responsibilities of central banks, market regulators and other authorities
Responsibility A: Regulation, supervision and oversight of FMIs
Responsibility B: Regulatory, supervisory, and oversight powers and resources
Responsibility C: Disclosure of objectives and policies with respect to FMIs
Responsibility D: Application of principles for FMIs
Responsibility E: Cooperation with other authorities