Willem A. Hoekstra: Business Continuity Management in Banking Industry, World Continuity Congress...
DESCRIPTION
Willem A. Hoekstra, Regional head of BCM and Corporate Security Asia ex Japan, Nomura International (Hong Kong), shares his experiences with the delegates about the concepts and methodology of BCM in the banking industry during the World Continuity Congress (WCC) Singapore, 22 April 2014, at Carlton Hotel.
Copyright 2014 @ World Continuity Congress www.worldcontinuitycongress.com
BCM Institute www.bcm-institute.org
Read more of Willem Hoekstra @ http://www.bcmpedia.org/wiki/Willem_Hoekstra
TRANSCRIPT
BCM in Banking Industry
Willem A. Hoekstra, M, MBA, MBCI, BCCE
Regional head of BCM and Corporate Security
Asia ex Japan
Nomura International (Hong Kong)
Table of contents
1. Concepts
2. Methodology
We ♥ Crises
Executive Summary
危機 (crisis)
1. Concepts
The principles of Business Continuity Management
What is BCM
• BCM = ORM
• BCM = IT
• BCM = alternative seating / Corporate Services
• BCM = Security
• BCM = IT Security
• BCM = BCP
• BCM = Evacuations
• BCM = Call tree
• BCM = Testing
• BCM = Crisis Management
• BCM = 2013
• BCM = $$$
• BCM = Corporate Communications
• BCM = Operations
• BCM = Avian Flu Pandemic
BCM
• Preparing a response to unexpected disruptions
BCM = 2013 ?
Why Now?
• December 25, 1925
• Higher risk?
  – 9/11?
  – Global warming
  – IT-dependency and integrated global processes: small glitches can have massive & immediate financial impact
  – Processes are ‘cutting-edge’, more sensitive
  – Media & communication much faster: reputation loss in minutes
Unless IT is your business, Business Continuity is not (only) IT!
Can we meet the commitment to our customers
BCM is not about predicting the cause of disruptions but about preparing for the consequences
BANK =
- Buildings
- People
- IT
- Suppliers
- Capital
- Clients
Buildings
People
IT
IT
Capital
Third parties
Black Swan theory
“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – there are things we do not know we don't know.”
—United States Secretary of Defense Donald Rumsfeld
The likelihood of something very unlikely happening is very likely
No business means: Impact
A. loss of revenues & loss of opportunities
B. Non-financial impact: loss of reputation, legal claims, regulatory problems
Nomura is a bank
Recap: some principles
• BCM is about continuity of Business, which requires
  – Office
  – People
  – IT
  – Capital
  – Third parties
• BCM is not about predicting the cause, but preparing for the consequence. However…
• Impact can be financial
  – Immediate loss
  – Missed opportunities
• Impact can be non-financial
  – Reputation
  – Legal
  – Regulatory / compliance
• Impact can be upstream / downstream: Dependencies
Motivation to do BCM
1. Financial Sector is vital to society – National Financial Authorities
  • MAS; HKMA; FSA; FAS; ECB; FED; Etc. etc. etc.
  • ORM standards / Basle-III capital requirements
  • Information Security standards
2. BCM as “Insurance policy”; or…
3. Resilience as quality attribute of banking services
2. Methodology
The profession of Business Continuity Management
The BCM Methodology
1. Crisis Management Team
2. Setting Priorities (Business Impact Analysis)
3. Plan a response (Business Continuity Plan)
4. Build the facilities (Alternative work space & IT-DR)
5. Test & exercise the plans and facilities
6. Embedding into the organization
Step 1 Building a Crisis Management Team (CMT)
• CMT
• The CMT plan
• The Command Center
• The CMT scenario exercise
• Emergency communication: the Call Tree
Step 2 – Priorities. The Business Impact Analysis (BIA)
An objective analysis of all units:
1. What are the processes & activities
2. How much will it cost if you cannot do your activity
  – Per timeslot
  – Financial / non-financial
3. What are the minimal requirements to continue doing what you’re doing
  – Per timeslot
  – Office space, people, IT, other
4. Dependencies
  – Upwards & downwards
Based on consolidation of this, the time-critical priorities become clear
Online BIA
Step 3: Business Continuity Plan (BCP): What are we going to do?
• Business Continuity Plans: Practical ‘runbook’ specifying:
  – Continuity Strategy
  – Response organization and special mandates
  – Communication procedures
  – List of activities to be recovered first
  – Invocation procedures of alternative facilities and DR
  – Practicalities like Transportation options
  – Cash provisions
  – Emergency passwords, security & compliance waivers
  – Resources and Systems that can be expected available in DR-mode
  – Restoration plan: procedure to return to Business-as-Usual
• Evacuation and people safety plan
• Communication Plan
  – Communication messages for the key stakeholders: clients, staff, authorities, shareholders, media, public
• Special plans – where applicable
  – Pandemic diseases
  – Earthquake
  – Typhoon
  – Monsoon
  – Bank run
BCP - I
Continuity strategies
• Facilities
  – Alternate Site, perhaps Engage external service provider
  – Split Site: Reciprocal arrangement (where possible) or Service office rental
  – Remote Working: Ability to work outside of SG premises via remote access*
• People
  – Backup Team, Formed from within the country or regional / global
  – Split Site, Staff working from the unaffected sites
  – Rotating Shift Team, Staff working in rotating shift
• Vital Records
  – Offsite Backup e.g. backup tapes sent offsite, copy files to backup server, replicate hardcopy and send offsite
  – Reconstruct From Source: Obtain source documents for reconstruction
• IT Systems
  – Data-Centre hosting: Disaster Recovery system (hardware, software) at another location; Active-Active Configuration, etc.
  – Alternate Workaround Procedures: Continue to operate around the system, e.g. using hardcopy files, log trading deals in the paper blotter, and transaction slips
• Dependencies
  – Reduce Concentration Risk: Engage two or more service providers capable of delivering the required service
  – Switch to alternate service provider
  – Take over the activities from the service provider
BCP - II
Step 4. Facilities
• In Hong Kong:
  – Around 172 Work Area Recovery seats
  – IT-DR of critical applications and data. Many applications in Tokyo
• Other possible facilities:
  – Remote-working
  – Face masks
  – Satellite phones
  – Automated Call tree tools
  – Mini-booklets
  – etc
5. Testing
• Testing AND Exercise
• Component test, BU test and Business Integration Test
  – Coordination with IT and Admin, plus end-users
  – Test scenario, test script & test case development
  – Monitor test findings & follow-up
6. Embedding into the organization
• Awareness & training
• Sense-of-urgency
• Responsibility
• Organization
The BCM Methodology
1. Crisis Management Team
2. Setting Priorities (Business Impact Analysis)
3. Plan a response (Business Continuity Plan)
4. Build the facilities (Alternative work space & IT-DR)
5. Test & exercise the plans and facilities
6. Embedding into the organization