Transcript Dia 1
De Nederlandsche Bank Business Continuity Planning and Crisis Management & Principles fo Financial Market Infrastructures Michael van Doeveren 4th Conference on Payments and Securities Settlement Ohrid, Republic of Macedonia 22 June 2011 De Nederlandsche Bank Eurosysteem Contents Introduction DNB Assessment Framework Business Continuity Planning Concepts of Crisis Management Arrangements and initiatives in the Netherlands Concluding remarks BCP FMI Principles De Nederlandsche Bank Eurosysteem What is Business Continuity? Business Continuity Management: a whole-ofbusiness approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption. Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption Source: BIS 2005 De Nederlandsche Bank Eurosysteem BCP in an international context The American White Paper on Sound Practises to strengthen the Resilience of the US Financial System The Tripartite Standing Committee on Financial Stability Bank of Japan resilience plans Initiatives of the Eurosystem Joint Forum/Financial Stability Forum/BIS/CPSS’ work De Nederlandsche Bank Eurosysteem The Dutch situation Small country, few large banks DNB is both central bank and prudential supervisor for banks, pension funds and insurance companies Financial core infrastructure for Payments and Securities, in NL defined as: Central bank CSD CCP Stock exchange ACH Major banks De Nederlandsche Bank Eurosysteem DNB BCP Assessment Framework (1) First version in 2004, current version of 2007; Drafted in cooperation with the financial institutions Commitment to use it on a high level Assessment Framework consists of 9 ‘principles’ based on international standards Guidance note Human Factor Agreement between DNB and the financial sector for joint BCP initiatives In line with international principles such as BIS Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles De Nederlandsche Bank Eurosysteem DNB BCP Assessment Framework (2) 1. BCP should be approved by the EB/senior management 2. Risk analyses of critical systems and activities should be made 3. Explicit attention should be paid to the human factor De Nederlandsche Bank Eurosysteem DNB BCP Assessment Framework (3) 4. Each institution should have a crisis organisation, including senior management 5. Single points of failure (SPOFs) should be identified 6. Critical processes and systems should be resumed as quickly as possible De Nederlandsche Bank Eurosysteem DNB BCP Assessment Framework (4) 7. A back-up site/secondary site should be available 8. Alternate systems and contingency procedures should be regularly tested and exercised 9. Each institutions should have a communication plan for all stakeholders De Nederlandsche Bank Eurosysteem Guidance Note Human factor Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required: specific in the extreme, highly specific, specific, not very specific, not specific Matrix with level of required knowledge and human factor strategy see www.dnb.nl De Nederlandsche Bank Eurosysteem Required Knowledge Specific in the extreme. Highly specific. Specific. Not very specific. Not specific. De Nederlandsche Bank Eurosysteem Ways of ensuring staff continuity 1. double staffing at another location 2. planned scheduling days off 3. shift work 4. use of staff from another location where a similar situation is operational 5. use of staff from another location where a similar situation is not operational Required level of knowledge of systems/business processes specific in the extreme (a) red highly specific (b) specific (c) not very specific (d) green De Nederlandsche Bank not specific (e) Eurosysteem Concepts of crisis management for the payment system (1) Basic assumption Payments can be regarded as what oil is for an engine Continuity of payments is essential for both the public and the financial system. Consequences Measures should be implemented that guarantee business continuity of the payment system Implementation of a crisis management structure to prevent contagion and limitation the risks as for as possible De Nederlandsche Bank Eurosysteem Concepts of crisis management for the payment system (2) Crisis management preconditions Involvement required of critical participants of the whole payment system Focus the continuation of the operation of the whole payment chain. Implementation Formation of crises management team Prepare organisation. Discuss objectives, define concept crisis management, investigate objects, invest existing measures, define effectiveness measures, investigate alternatives Prepare and perform tests. Both internal and sector wide. De Nederlandsche Bank Eurosysteem Tripartite Crisis Management in the Netherlands Tripartite Crisis Management: Ministry of Finance, AFM, DNB Consultation Group (Board level) Advisory Groups: - Retail - Wholesale - Securities De Nederlandsche Bank Eurosysteem Crisis Management – What Crisis management Respond to payments and securities sectorwide Operational crises: procedures regarding communication, decision making etc. ´Sector BCM´ ´Peace time´ preparation for times of crises; plans, good overview of critical processes for the sector, alternatives and possibilities in case of a crisis, communication, knowing each other De Nederlandsche Bank Eurosysteem Escalation model Large e Ex cu tiv e cr is is m an em en t Global Local De Nederlandsche Bank Scaling Activation Alert ag C in Small t en em ag an m is is cr ee ee itt itt m m om om C C n n tio tio la a l t ca ca en ns Es Es em tio n ag titu so an s er m in i rp is al is u ha r C i vi d d Impact for payments and securities Eurosysteem Type of crisis Crisis Management – How Red Booklet” contains information about: Crisis management, communication and decision making procedures Wholesale, retail, securities alternatives However, not many viable alternatives: Possible alternatives based on rerouting of key processes: CLS, TARGET2, EBA, correspondents Cash/ATM´s, mass payments, one-off direct debit Bilateral accounts for OTC etc. In practice: combination of emergency procedures of the different parts of the chain At the moment no viable alternative for SWIFT Communication and trust is key! “ De Nederlandsche Bank Eurosysteem Example – Wholesale (1) Institutions Transport Payment circuit/system CLS (EUR and non-EUR)) Payment flows from and to the institutions themselves and/or their clients TARGET/local TARGET components/TARGET2 (EUR) SWIFT EURO1 (EUR) Correspondent Banking (EUR and non-EUR) De Nederlandsche Bank Eurosysteem Example – Wholesale (2) The following were regarded as the most important wholesale payments (per bank): CLS incoming (and outgoing) payments MM and FX transactions Liquidity transfers to/from offices/agents abroad EBA settlement payments and liquidity swaps Payments for the clearing and settlement of securities Critical payments for clients (corporates, pension funds) ´Margin calls´ (collateral for securities clearing) Broadly speaking, around 20-30 critical payments per bank per day In case of one bank’s failure, this can be processed manually In case of TARGET2 failure, strict rules apply; only ‘very critical payments’ can be processed De Nederlandsche Bank Eurosysteem CIP in the Netherlands Government project on critical infrastructure protection started in 2004 In cooperation with the private sector, the government defined 12 infrastructures as critical: airports, public transport, energy, health care, etc. Payments and securities processing is one of them Follow up of the project in 2004, among others: Counterterrorism Alert System De Nederlandsche Bank Eurosysteem Dutch Counterterrorism Alert System (1) Set up by the government in 2005 to ‘alert’ critical infrastructures in the event of heightened terrorist threat Measures to be taken quickly in order to minimise the risk and to limit the potential impact of terrorist acts. Cooperation between the government and private sectors More than 10 sectors are currently connected (a.o. airports, harbours, public transport, oil and gas, etc.) Financial core infrastructure connected as of May 1, 2006 De Nederlandsche Bank Eurosysteem Dutch Counterterrorism Alert System (2) Four levels of threat: standard, low, moderate, high Each level comes with its own set of (additional) security measures, both for the sector and for the government Government and sector agree together on the measures to be taken Contacts with local authorities very important Workshops, tests and exercises are organised per sector De Nederlandsche Bank Eurosysteem Experiences Counterterrorism Alert System Formalised (communication) procedures to inform the sector about threats Increased cooperation and information sharing within the financial sector in the area of security and with other sectors Improved contacts and cooperation with local authorities and other stakeholders (police, community, fire brigade, neighbour companies etc.) De Nederlandsche Bank Eurosysteem Exercising experience Think BIG, start SMALL For Crisis Management exercises increase in complexity and depth: Connectivity/communication tests: several times a year Crisis management workshops: Discussion, based on scenario Table top exercises: simulation with ‘real play’ Large scale government exercise regarding ICT and cybercrime Operational exercise where security measures are taken for real Market wide exercises De Nederlandsche Bank Eurosysteem International context for business continuity in payments and securities “Dutch” market infrastructure is hardly Dutch anymore This is due to the consolidation trend and the battle for efficiency Not only for commercial institutions, but also for central banks An operational crisis in Brussels/Frankfurt/Paris may impact the Dutch market more than a local crisis in Amsterdam De Nederlandsche Bank Eurosysteem Increasing (need for) interaction & cooperation Linked to ESCB crisis management Co-ordinated communication with market infrastructures en major participants Possible international solutions to “domestic” problems Central banks can help each other Solving problems in cooperation De Nederlandsche Bank Eurosysteem Concluding remarks BCP Regular assessments work! Increase your level of resilience by Control – Top level commitment Coordination – Central bank/regulator role Cooperation – Financial core infrastructure Communication – All stakeholders, both national and international Exercising keeps BCP alive Human factor is key for everything De Nederlandsche Bank Eurosysteem Principles for Financial Market Infrastructures (FMI) Co-production of: BIS Committee on Payment and Settlement Systems Technical Committee of the International organization of Securities Commission (IOSCO) FMI Principles replaces all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems Report is for public market consultation until 29 July 2011 Final report will be publishes in 2012 De Nederlandsche Bank Eurosysteem FMI Principles (1) General organisation Principle 1: Legal basis Principle 2: governance Principle 3: Framework for the comprehensive management of risks De Nederlandsche Bank Eurosysteem FMI Principles (2) Credit and liquidity risk management Principle 4: Credit risk Principle 5: Collateral Principle 6: Margin Principle 7: Liquidity risk Principle 8: Settlement finality Principle 9: Money settlements Principle 10: Physical deliveries De Nederlandsche Bank Eurosysteem FMI Principles (3) Central securities depositories and exchangeof-value settlement systems Principle 11: Central securities depositories Principle 12: Exchange-of-value settlement systems De Nederlandsche Bank Eurosysteem FMI Principles (4) Default management Principle 13: Participant-default rules and procedures Principle 14: Segregation and portability De Nederlandsche Bank Eurosysteem FMI Principles (5) General business and operational risk management Principle 15: General business risk Principle 16: Custody and investment risk Principle 17: Operational risk De Nederlandsche Bank Eurosysteem FMI Principles (6) Access Principle 18: Access and participantion requirements Principle 19: Tiered participation arrangements Principle 20: FMI links De Nederlandsche Bank Eurosysteem FMI Principles (7) Efficiency Principle 21: Efficiency and effectiveness Principle 22: Communication procedures and standards De Nederlandsche Bank Eurosysteem FMI Principles (8) Transparancy Principle 23: Disclosure of rules and procedures Principle 22: Disclosure of market data De Nederlandsche Bank Eurosysteem Responsibilities of central banks, market regulators and other authorities Responsibility A: Regulation, supervision and oversight of FMIs Responsibility B: Regulatory, supervisory, and oversight powers and resources Responsibility C: Disclosure of objectives and policies with respect to FMIs Responsibility D: Application of principles for FMIs Responsibility E: Cooperation with other authorities De Nederlandsche Bank Eurosysteem