Why business continuity is (so) important?
Achieving and maintaining financial stability depends on the smooth functioning of the payment systems and securities settlement systems. Due to financial market integration and systems' connections, risk can migrate from one system to another due to contagious risk and as a result a domino effect could export the risk world wide.
The financial stability can be jeopardized when a critical bank or whole banking sector faces operational disruptions caused e.g. by natural disaster(s), difficulties and/or malfunction of information technology equipments, fraud, power outages and management failures.
What is business continuity (BC)?
It is a state of uninterrupted operational procedures of the business, at a minimum agreed level, during the business hours.
Aim
The aim of a system's business continuity management is to seek to ensure that the agreed service levels are achieved and maintained, even in the event that the system fails to carry out its normal business.
Principles of business continuity
Board of directors and systems operators should review and endorse the business continuity strategy and monitoring mechanism in order to ensure that plans are consistent with overall business objectives, risk management strategy and budgetary arrangements.
From among all of the functions supporting the settlement process and performed by systems operators, critical functions should be identified and the processes within these functions categorized and prioritized according to their criticality.
Business continuity objectives for systems should be clearly defined and aim at the recovery and resumption of critical functions within the same settlement day in order to ensure that all pending transactions are completed on the scheduled settlement date in all envisaged scenarios.
The system operator and, where relevant, the participants and infrastructure service providers should plan arrangements to ensure continuity of the service in a number of plausible scenarios, including major disasters (e.g. earthquake, flood and fire), outages or disruptions covering a wide area, terrorist attacks, labor strike, internal and external fraud and management failures. These scenarios should be documented regularly in the form of a Business Impact Analysis (BIA), which involves assessing possible threats, the likelihood that they will occur, and the financial or operational impact on the system.
System's business continuity arrangements should include, as a minimum, a secondary processing site. System operators should consider performing daily operations from a/the secondary site and all participants' contingency facilities should be tested from the site on regular basis, including first all critical participants.
Not all operational and other staff identified as critical (management, IT support, etc.) during the BIA should be in the same place at the same time. This applies to computer operators as well as system control staff and management.
System operators should establish contingency procedures and bilateral arrangements for performing critical functions in the event of a total failure of the IT&C networks.
The technical failure of critical participants in the system may induce systemic risk.
System operator should establish crisis management teams and well-structured formal procedures to manage a crisis and internal/external crisis communications.
The exchange of information and communication are essential in crisis.
Contact lists of critical personnel (both at operational and crisis management level) of critical participants at least, authorities and third-party providers of critical infrastructure and functions/services, including contacts at their secondary location, should be up-to-date, reviewed regularly and readily available at both the primary and the secondary location.
Each party involved in a business continuity plan shall effectively communicate, both internally and externally, using tested secured communication methods based on clear and accurate information flows.
All elements of business continuity plans should be tested on a regular basis; this testing should involve both the system's participants and any other party which would be affected by the arrangements.
Regular testing is an important component of business continuity management, as it contributes to ensuring that plans are effective, reachable, cost-efficient and updated.
Business continuity awareness and knowledge together with co-operation among relevant domestic authorities and co-ordination of business continuity plans across the public and private sectors jointly with co-operation across national borders incorporates optimum approach in order to mitigate operational risk in financial markets within wide areas.
Contact us: +40 311 32 37 00.