Transcript Dia 1
De Nederlandsche Bank
Business Continuity Planning and
Crisis Management & Principles fo
Financial Market Infrastructures
Michael van Doeveren
4th Conference on Payments and
Securities Settlement
Ohrid, Republic of Macedonia
22 June 2011
De Nederlandsche Bank
Eurosysteem
Contents
Introduction
DNB Assessment Framework Business Continuity
Planning
Concepts of Crisis Management
Arrangements and initiatives in the Netherlands
Concluding remarks BCP
FMI Principles
De Nederlandsche Bank
Eurosysteem
What is Business Continuity?
Business Continuity Management: a whole-ofbusiness approach, that includes policies,
standards, and procedures, to ensure (critical)
operations can be maintained, or restored in a
timely fashion, in the event of a disruption.
Its purpose is to minimise the financial, legal,
reputational and other material consequences
arising from disruption
Source: BIS 2005
De Nederlandsche Bank
Eurosysteem
BCP in an international context
The American White Paper on Sound
Practises to strengthen the Resilience of the
US Financial System
The Tripartite Standing Committee on
Financial Stability
Bank of Japan resilience plans
Initiatives of the Eurosystem
Joint Forum/Financial Stability
Forum/BIS/CPSS’ work
De Nederlandsche Bank
Eurosysteem
The Dutch situation
Small country, few large banks
DNB is both central bank and prudential supervisor for banks,
pension funds and insurance companies
Financial core infrastructure for Payments and Securities, in
NL defined as:
Central bank
CSD
CCP
Stock exchange
ACH
Major banks
De Nederlandsche Bank
Eurosysteem
DNB BCP Assessment Framework (1)
First version in 2004, current version of 2007;
Drafted in cooperation with the financial institutions
Commitment to use it on a high level
Assessment Framework consists of
9
‘principles’ based on international standards
Guidance
note Human Factor
Agreement
between DNB and the financial sector for joint BCP
initiatives
In line with international principles such as BIS
Used by supervisor and overseer to assess the institutions
of the financial core infrastructure against these principles
De Nederlandsche Bank
Eurosysteem
DNB BCP Assessment Framework (2)
1.
BCP should be approved by the EB/senior
management
2.
Risk analyses of critical systems and activities
should be made
3.
Explicit attention should be paid to the human
factor
De Nederlandsche Bank
Eurosysteem
DNB BCP Assessment Framework (3)
4. Each institution should have a crisis
organisation, including senior management
5.
Single points of failure (SPOFs) should be
identified
6.
Critical processes and systems should be
resumed as quickly as possible
De Nederlandsche Bank
Eurosysteem
DNB BCP Assessment Framework (4)
7. A back-up site/secondary site should be
available
8. Alternate systems and contingency procedures
should be regularly tested and exercised
9. Each institutions should have a communication
plan for all stakeholders
De Nederlandsche Bank
Eurosysteem
Guidance Note Human factor
Assessment showed that institutions have
problems with principle 3, paying explicit
attention to the human factor
DNB developed a ‘Guidance note human
factor’ to assess the human factor aspect for
critical systems and business processes,
depending on the level of knowledge that is
required: specific in the extreme, highly
specific, specific, not very specific, not specific
Matrix with level of required knowledge and
human factor strategy see www.dnb.nl
De Nederlandsche Bank
Eurosysteem
Required Knowledge
Specific in the extreme.
Highly specific.
Specific.
Not very specific.
Not specific.
De Nederlandsche Bank
Eurosysteem
Ways of ensuring staff
continuity
1. double
staffing at
another
location
2. planned
scheduling
days off
3. shift
work
4. use of staff
from another
location where a
similar situation
is operational
5. use of staff
from another
location where a
similar situation
is not
operational
Required level of
knowledge of
systems/business
processes
specific in the
extreme (a)
red
highly specific (b)
specific (c)
not very specific (d)
green
De Nederlandsche Bank
not specific (e)
Eurosysteem
Concepts of crisis management
for the payment system (1)
Basic assumption
Payments can be regarded as what oil is
for an engine
Continuity of payments is essential for
both the public and the financial system.
Consequences
Measures should be implemented that
guarantee business continuity of the
payment system
Implementation of a crisis management
structure to prevent contagion and
limitation the risks as for as possible
De Nederlandsche Bank
Eurosysteem
Concepts of crisis management
for the payment system (2)
Crisis management preconditions
Involvement required of critical participants of
the whole payment system
Focus the continuation of the operation of the
whole payment chain.
Implementation
Formation of crises management team
Prepare organisation. Discuss objectives, define
concept crisis management, investigate objects,
invest existing measures, define effectiveness
measures, investigate alternatives
Prepare and perform tests. Both internal and
sector wide.
De Nederlandsche Bank
Eurosysteem
Tripartite Crisis Management in
the Netherlands
Tripartite Crisis
Management: Ministry
of Finance, AFM, DNB
Consultation Group
(Board level)
Advisory Groups:
- Retail
- Wholesale
- Securities
De Nederlandsche Bank
Eurosysteem
Crisis Management – What
Crisis management
Respond to payments and securities sectorwide
Operational crises: procedures regarding
communication, decision making etc.
´Sector BCM´
´Peace time´ preparation for times of crises;
plans, good overview of critical processes for
the sector, alternatives and possibilities in case
of a crisis, communication, knowing each other
De Nederlandsche Bank
Eurosysteem
Escalation model
Large
e
Ex
cu
tiv
e
cr
is
is
m
an
em
en
t
Global
Local
De Nederlandsche Bank
Scaling
Activation
Alert
ag
C
in
Small
t
en
em
ag
an
m
is
is
cr
ee
ee
itt
itt
m
m
om
om
C
C
n
n
tio
tio
la
a
l
t
ca
ca
en ns
Es
Es
em tio
n
ag titu
so
an s
er
m in
i rp
is al
is u
ha
r
C i vi d
d
Impact for
payments and
securities
Eurosysteem
Type of crisis
Crisis Management – How
Red Booklet” contains information about:
Crisis management, communication
and decision making procedures
Wholesale, retail, securities
alternatives
However, not many viable alternatives:
Possible alternatives based on rerouting of
key processes:
CLS, TARGET2, EBA, correspondents
Cash/ATM´s, mass payments, one-off
direct debit
Bilateral accounts for OTC etc.
In practice: combination of emergency
procedures
of the different parts of the chain
At the moment no viable alternative for
SWIFT
Communication and trust is key!
“
De Nederlandsche Bank
Eurosysteem
Example – Wholesale (1)
Institutions
Transport
Payment circuit/system
CLS (EUR and non-EUR))
Payment flows from and
to the institutions
themselves and/or their
clients
TARGET/local TARGET
components/TARGET2
(EUR)
SWIFT
EURO1 (EUR)
Correspondent Banking
(EUR and non-EUR)
De Nederlandsche Bank
Eurosysteem
Example – Wholesale (2)
The following were regarded as the most important wholesale payments (per
bank):
CLS incoming (and outgoing) payments
MM and FX transactions
Liquidity transfers to/from offices/agents abroad
EBA settlement payments and liquidity swaps
Payments for the clearing and settlement of securities
Critical payments for clients (corporates, pension funds)
´Margin calls´ (collateral for securities clearing)
Broadly speaking, around 20-30 critical payments per bank per day
In case of one bank’s failure, this can be processed manually
In case of TARGET2 failure, strict rules apply; only ‘very critical payments’ can be
processed
De Nederlandsche Bank
Eurosysteem
CIP in the Netherlands
Government project on critical infrastructure
protection started in 2004
In cooperation with the private sector, the
government defined 12 infrastructures as
critical: airports, public transport, energy,
health care, etc.
Payments and securities processing is one
of them
Follow up of the project in 2004, among
others: Counterterrorism Alert System
De Nederlandsche Bank
Eurosysteem
Dutch Counterterrorism Alert System
(1)
Set up by the government in 2005 to ‘alert’
critical infrastructures in the event of
heightened terrorist threat
Measures to be taken quickly in order to
minimise the risk and to limit the potential
impact of terrorist acts.
Cooperation between the government and
private sectors
More than 10 sectors are currently
connected (a.o. airports, harbours, public
transport, oil and gas, etc.)
Financial core infrastructure connected as
of May 1, 2006
De Nederlandsche Bank
Eurosysteem
Dutch Counterterrorism Alert System
(2)
Four levels of threat: standard, low,
moderate, high
Each level comes with its own set of
(additional) security measures, both for the
sector and for the government
Government and sector agree together on
the measures to be taken
Contacts with local authorities very
important
Workshops, tests and exercises are
organised per sector
De Nederlandsche Bank
Eurosysteem
Experiences Counterterrorism
Alert System
Formalised (communication)
procedures to inform the sector about
threats
Increased cooperation and
information sharing within the financial
sector in the area of security and with
other sectors
Improved contacts and cooperation
with local authorities and other
stakeholders (police, community, fire
brigade, neighbour companies etc.)
De Nederlandsche Bank
Eurosysteem
Exercising experience
Think BIG, start SMALL
For Crisis Management exercises increase in complexity
and depth:
Connectivity/communication tests: several times a year
Crisis management workshops: Discussion, based on
scenario
Table top exercises: simulation with ‘real play’
Large scale government exercise regarding ICT and
cybercrime
Operational exercise where security measures are
taken for real
Market wide exercises
De Nederlandsche Bank
Eurosysteem
International context for business
continuity in payments and securities
“Dutch” market infrastructure is
hardly Dutch anymore
This is due to the consolidation
trend and the battle for efficiency
Not only for commercial
institutions, but also for central
banks
An operational crisis in
Brussels/Frankfurt/Paris may
impact the Dutch market more
than a local crisis in Amsterdam
De Nederlandsche Bank
Eurosysteem
Increasing (need for) interaction &
cooperation
Linked to ESCB crisis management
Co-ordinated communication with
market infrastructures en major
participants
Possible international solutions to
“domestic” problems
Central banks can help each other
Solving problems in cooperation
De Nederlandsche Bank
Eurosysteem
Concluding remarks BCP
Regular assessments work!
Increase your level of resilience by
Control
– Top level commitment
Coordination
– Central bank/regulator role
Cooperation
– Financial core infrastructure
Communication – All stakeholders, both national
and
international
Exercising keeps BCP alive
Human factor is key for everything
De Nederlandsche Bank
Eurosysteem
Principles for Financial Market
Infrastructures (FMI)
Co-production of:
BIS Committee on Payment and Settlement Systems
Technical Committee of the International organization
of Securities Commission (IOSCO)
FMI Principles replaces all older separate principles
for Systemically Important Payment Systems,
Securities Settlement Systems and Retail Payment
Systems
Report is for public market consultation until 29 July
2011
Final report will be publishes in 2012
De Nederlandsche Bank
Eurosysteem
FMI Principles (1)
General organisation
Principle 1: Legal basis
Principle 2: governance
Principle 3: Framework for the comprehensive
management of risks
De Nederlandsche Bank
Eurosysteem
FMI Principles (2)
Credit and liquidity risk management
Principle 4: Credit risk
Principle 5: Collateral
Principle 6: Margin
Principle 7: Liquidity risk
Principle 8: Settlement finality
Principle 9: Money settlements
Principle 10: Physical deliveries
De Nederlandsche Bank
Eurosysteem
FMI Principles (3)
Central securities depositories and exchangeof-value settlement systems
Principle 11: Central securities depositories
Principle 12: Exchange-of-value settlement
systems
De Nederlandsche Bank
Eurosysteem
FMI Principles (4)
Default management
Principle 13: Participant-default rules and
procedures
Principle 14: Segregation and portability
De Nederlandsche Bank
Eurosysteem
FMI Principles (5)
General business and operational risk
management
Principle 15: General business risk
Principle 16: Custody and investment risk
Principle 17: Operational risk
De Nederlandsche Bank
Eurosysteem
FMI Principles (6)
Access
Principle 18: Access and participantion
requirements
Principle 19: Tiered participation
arrangements
Principle 20: FMI links
De Nederlandsche Bank
Eurosysteem
FMI Principles (7)
Efficiency
Principle 21: Efficiency and effectiveness
Principle 22: Communication procedures and
standards
De Nederlandsche Bank
Eurosysteem
FMI Principles (8)
Transparancy
Principle 23: Disclosure of rules and
procedures
Principle 22: Disclosure of market data
De Nederlandsche Bank
Eurosysteem
Responsibilities of central banks, market
regulators and other authorities
Responsibility A: Regulation, supervision and
oversight of FMIs
Responsibility B: Regulatory, supervisory, and
oversight powers and resources
Responsibility C: Disclosure of objectives and policies
with respect to FMIs
Responsibility D: Application of principles for FMIs
Responsibility E: Cooperation with other authorities
De Nederlandsche Bank
Eurosysteem