New guidelines will help firms active in the Netherlands' financial markets benchmark their business continuity management activities. Longer term the guidelines are expected to be adopted by all Euro-zone countries.
Over the past year De Nederlandsche Bank has been working with other organisations and firms active within the Netherlands' financial markets to draw up a business continuity planning assessment framework which will help firms benchmark their business continuity management activities.

Amongst others, the framework will be used by Interpay, stock exchange institutions, other market participants and De Nederlandsche Bank itself.

As well as being highly significant for the resilience of the Netherlands' financial system, the publication of the framework is expected to have an impact across much of Europe. The framework will be introduced to other countries operating within the Euro-zone so that a 'level playing field' for business continuity planning can be established. The assessment framework will be incorporated into the Eurosystem and a conference to discuss this will be held in Frankfurt in early 2005.
The assessment framework is based on the following ten criteria [taken verbatim from the report]:
1. Each institution must have a business continuity plan approved by the management board or senior management, which defines the strategy, business continuity objectives and critical operating processes and describes adequate continuity measures. Naturally, the security and protection of the staff takes precedence. The plan should be updated at least annually and more often if far-reaching changes are made to the organisation, operating processes or systems. The plan should specify the maximum acceptable time during which operating processes and systems are unable to function. It should also deal with the international dimension of the organisation and the consequences of, for example, outsourcing. It is advisable to consider having the BCP plan assessed by the internal audit department. Annexe 2 contains an indicative list of relevant subjects that should be elaborated in a business continuity plan.
2. Each institution should have made a risk analysis of possible catastrophic events and, above all, their impact on essential systems and processes. In this connection, catastrophic event scenarios can be classified in the following categories: technical and organisational failure, deliberate human acts (terrorism, physical violence and cyber attacks) and natural disasters. This approach is in keeping with the current government projects on vital infrastructures and crisis management. In addition, acceptable residual risks should be indicated.
3. The business continuity plans should be transparent, in that they should show what measures have been taken to minimise the potential problem created by the human factor in the continuation of the operating processes and how the deployment of (other) staff can be organised after a catastrophic event. This applies both to the ICT and the business. It involves, in particular, an obligation on the part of the organisation to use its best endeavours, since this is a difficult condition to fulfil. Many of the institutions are considering the idea that part of the staff should always be off site (e.g. free).
4. Each institution should have a crisis organisation in order to be able to act in the event of an emergency. The crisis organisation should be controlled by the management board or senior management.
5. Each institution should make an analysis of the extent to which it is dependent on basic facilities (electricity, telecom, etc.) and external providers and how the back-up for them is organised. Single points of failure should be identified. This may be an organisational unit or the fact that only a single employee or a few employees have essential knowledge. Consideration should also be given to possible alternatives in order to safeguard the continuity of key facilities.
6. The essential operating processes and systems should be resumed as quickly as possible. In this connection, a longer recovery period can apply to participants outside the core infrastructure.
7. Each institution should be able to switch its essential systems to a different centre which is at a sufficient distance from the primary site. What constitutes a sufficient distance depends on the risk profile. A time horizon for the expected outage or repair time should be adopted in this connection. In addition, there should be an assessment of the risks that are run in the case of a move to a back-up facility and in what circumstances these risks can be limited by repairing and restarting the system at the primary site.
8. Alternate systems and continuity and contingency procedures should be regularly tested. This involves testing of both the ICT systems and the staff (e.g. moving the business to a back-up site). Depending on the importance of the system and the business, this should be done at least once a year. If desired, agreements can be made for organising end-to-end testing of the entire chain (internally and externally). In addition, tests can be conducted of moves from primary site to secondary site and from secondary site to secondary site (however, this requires broad coordination within the core infrastructure).
9. Each institution should have a communication plan setting out how the communication to all stakeholders can be organised as effectively as possible in the event of a catastrophe (including the preparation of contact lists and messages).
10. A business continuity strategy and plan should be made for the core infrastructure of the payment and securities settlement system as a whole. This standard is a collective responsibility of the institutions that form the core infrastructure (and is not therefore a separate responsibility). At this level, back-up procedures should be practised at least once a year and, where appropriate, end-to-end tests and cross-tests can be conducted. In addition, a crisis communication structure should be present (escalation committee) in order to take effective action immediately. Moreover, consideration should be given at sector level to the legal basis of emergency powers.

Date: 1st February 2005 • Region: W.Europe • Type: Article • Topic: Financial sector