De Nederlandsche Bank
Business Continuity Planning and Crisis Management & Principles for Financial Market Infrastructures
Michael van Doeveren
4th Conference on Payments and Securities Settlement
Ohrid, Republic of Macedonia
22 June 2011
De Nederlandsche Bank
Eurosysteem
Introduction
DNB Assessment Framework Business Continuity Planning
Concepts of Crisis Management
Arrangements and initiatives in the Netherlands
Concluding remarks BCP
FMI Principles
Business Continuity Management: a whole-of-business approach, that includes policies, standards, and procedures, to ensure (critical) operations can be maintained, or restored in a timely fashion, in the event of a disruption.
Its purpose is to minimise the financial, legal, reputational and other material consequences arising from disruption.
Source: BIS 2005
The American White Paper on Sound Practices to strengthen the Resilience of the US Financial System
The Tripartite Standing Committee on Financial Stability
Bank of Japan resilience plans
Initiatives of the Eurosystem
Joint Forum/Financial Stability Forum/BIS/CPSS’ work
Small country, few large banks
DNB is both central bank and prudential supervisor for banks, pension funds and insurance companies
Financial core infrastructure for Payments and Securities, in NL defined as:
Central bank
CSD
CCP
Stock exchange
ACH
Major banks
First version in 2004, current version of 2007;
Drafted in cooperation with the financial institutions
Commitment to use it on a high level
Assessment Framework consists of
9 ‘principles’ based on international standards
Guidance note Human Factor
Agreement between DNB and the financial sector for joint BCP initiatives
In line with international principles such as BIS
Used by supervisor and overseer to assess the institutions of the financial core infrastructure against these principles
1. BCP should be approved by the EB/senior management
2. Risk analyses of critical systems and activities should be made
3. Explicit attention should be paid to the human factor
4. Each institution should have a crisis organisation, including senior management
5. Single points of failure (SPOFs) should be identified
6. Critical processes and systems should be resumed as quickly as possible
DNB BCP Assessment Framework (4)
7. A back-up site/secondary site should be available
8. Alternate systems and contingency procedures should be regularly tested and exercised
9. Each institution should have a communication plan for all stakeholders
Assessment showed that institutions have problems with principle 3, paying explicit attention to the human factor
DNB developed a ‘Guidance note human factor’ to assess the human factor aspect for critical systems and business processes, depending on the level of knowledge that is required: specific in the extreme, highly specific, specific, not very specific, not specific
Matrix with level of required knowledge and human factor strategy: see www.dnb.nl
Specific in the extreme.
Highly specific.
Specific.
Not very specific.
Not specific.
Ways of ensuring staff continuity
1. double staffing at another location
2. planned scheduling days off
3. shift work
4. use of staff from another location where a similar situation is operational
5. use of staff from another location where a similar situation is not operational
Required level of knowledge of systems/business processes: specific in the extreme (a), highly specific (b), specific (c), not very specific (d), not specific (e)
Legend: green / red
Basic assumption
Payments can be regarded as what oil is for an engine
Continuity of payments is essential for both the public and the financial system.
Consequences
Measures should be implemented that guarantee business continuity of the payment system
Implementation of a crisis management structure to prevent contagion and limit the risks as far as possible
Concepts of crisis management for the payment system (2)
Crisis management preconditions
Involvement required of critical participants of the whole payment system
Focus on the continuation of the operation of the whole payment chain.
Implementation
Formation of a crisis management team
Prepare organisation. Discuss objectives, define concept crisis management, investigate objects, invest existing measures, define effectiveness measures, investigate alternatives
Prepare and perform tests. Both internal and sector wide.
Tripartite Crisis Management: Ministry of Finance, AFM, DNB
Consultation Group (Board level)
Advisory Groups:
- Retail
- Wholesale
- Securities
Crisis Management – What
Crisis management
Respond to payments and securities sector-wide operational crises: procedures regarding communication, decision making etc.
‘Sector BCM’
‘Peace time’ preparation for times of crises; plans, good overview of critical processes for the sector, alternatives and possibilities in case of a crisis, communication, knowing each other
[Figure: crisis management escalation diagram. Labels: Impact for payments and securities (Small, Large); Crisis management individual institutions; Escalation; Chairperson; Escalation Committee crisis management; Executive crisis management; Alert; Activation; Type of crisis; Scaling; Local; Global]
“Red Booklet” contains information about:
Crisis management, communication and decision making procedures
Wholesale, retail, securities alternatives
However, not many viable alternatives:
Possible alternatives based on rerouting of key processes:
CLS, TARGET2, EBA, correspondents
Cash/ATMs, mass payments, one-off direct debit
Bilateral accounts for OTC etc.
In practice: combination of emergency procedures of the different parts of the chain
At the moment no viable alternative for SWIFT
Communication and trust is key!
Institutions: Payment flows from and to the institutions themselves and/or their clients
Transport: SWIFT
Payment circuit/system:
CLS (EUR and non-EUR)
TARGET/local TARGET components/TARGET2 (EUR)
EURO1 (EUR)
Correspondent Banking (EUR and non-EUR)
The following were regarded as the most important wholesale payments (per bank):
CLS incoming (and outgoing) payments
MM and FX transactions
Liquidity transfers to/from offices/agents abroad
EBA settlement payments and liquidity swaps
Payments for the clearing and settlement of securities
Critical payments for clients (corporates, pension funds)
‘Margin calls’ (collateral for securities clearing)
Broadly speaking, around 20-30 critical payments per bank per day
In case of one bank’s failure, this can be processed manually
In case of TARGET2 failure, strict rules apply; only ‘very critical payments’ can be processed
CIP in the Netherlands
Government project on critical infrastructure protection started in 2004
In cooperation with the private sector, the government defined 12 infrastructures as critical: airports, public transport, energy, health care, etc.
Payments and securities processing is one of them
Follow up of the project in 2004, among others: Counterterrorism Alert System
Set up by the government in 2005 to ‘alert’ critical infrastructures in the event of heightened terrorist threat
Measures to be taken quickly in order to minimise the risk and to limit the potential impact of terrorist acts.
Cooperation between the government and private sectors
More than 10 sectors are currently connected (a.o. airports, harbours, public transport, oil and gas, etc.)
Financial core infrastructure connected as of May 1, 2006
Four levels of threat: standard, low, moderate, high
Each level comes with its own set of (additional) security measures, both for the sector and for the government
Government and sector agree together on the measures to be taken
Contacts with local authorities very important
Workshops, tests and exercises are organised per sector
Formalised (communication) procedures to inform the sector about threats
Increased cooperation and information sharing within the financial sector in the area of security and with other sectors
Improved contacts and cooperation with local authorities and other stakeholders (police, community, fire brigade, neighbour companies etc.)
For Crisis Management, exercises increase in complexity and depth:
Connectivity/communication tests: several times a year
Crisis management workshops: Discussion, based on scenario
Table top exercises: simulation with ‘real play’
Large scale government exercise regarding ICT and cybercrime
Operational exercise where security measures are taken for real
Market wide exercises
International context for business continuity in payments and securities
“Dutch” market infrastructure is hardly Dutch anymore
This is due to the consolidation trend and the battle for efficiency
Not only for commercial institutions, but also for central banks
An operational crisis in Brussels/Frankfurt/Paris may impact the Dutch market more than a local crisis in Amsterdam
Linked to ESCB crisis management
Co-ordinated communication with market infrastructures and major participants
Possible international solutions to “domestic” problems
Central banks can help each other
Solving problems in cooperation
Concluding remarks BCP
Regular assessments work!
Increase your level of resilience by
Control – Top level commitment
Coordination – Central bank/regulator role
Cooperation – Financial core infrastructure
Communication – All stakeholders, both national and international
Exercising keeps BCP alive
Human factor is key for everything
Principles for Financial Market Infrastructures (FMI)
Co-production of:
BIS Committee on Payment and Settlement Systems
Technical Committee of the International Organization of Securities Commissions (IOSCO)
FMI Principles replace all older separate principles for Systemically Important Payment Systems, Securities Settlement Systems and Retail Payment Systems
Report is for public market consultation until 29 July 2011
Final report will be published in 2012
General organisation
Principle 1: Legal basis
Principle 2: Governance
Principle 3: Framework for the comprehensive management of risks
Credit and liquidity risk management
Principle 4: Credit risk
Principle 5: Collateral
Principle 6: Margin
Principle 7: Liquidity risk
Principle 8: Settlement finality
Principle 9: Money settlements
Principle 10: Physical deliveries
Central securities depositories and exchange-of-value settlement systems
Principle 11: Central securities depositories
Principle 12: Exchange-of-value settlement systems
Default management
Principle 13: Participant-default rules and procedures
Principle 14: Segregation and portability
General business and operational risk management
Principle 15: General business risk
Principle 16: Custody and investment risk
Principle 17: Operational risk
Access
Principle 18: Access and participation requirements
Principle 19: Tiered participation arrangements
Principle 20: FMI links
Efficiency
Principle 21: Efficiency and effectiveness
Principle 22: Communication procedures and standards
Transparency
Principle 23: Disclosure of rules and procedures
Principle 22: Disclosure of market data
Responsibilities of central banks, market regulators and other authorities
Responsibility A: Regulation, supervision and oversight of FMIs
Responsibility B: Regulatory, supervisory, and oversight powers and resources
Responsibility C: Disclosure of objectives and policies with respect to FMIs
Responsibility D: Application of principles for FMIs
Responsibility E: Cooperation with other authorities