BCM Challenges in Indian Banking Industry

By Brijendra Yadava, Director, Periculum Technology & Consulting Services

Jan 2012

© 2012, www.periculum.in Internal

Agenda

• Relevance of BCM in Banking Sector
• Basel II – high-level principles of BC – Summary
• Challenges in Indian Banking Industry, with focus on:
• Technology recovery considerations in banking sector, especially:
– Core Banking System
– Payment & Settlement Systems
– ATMs

Relevance in Financial Industry

Objectives & Importance

• Business Continuity Management (BCM) is particularly relevant to the banking sector because:
– It operates in high-risk environments
– It is part of the crucial financial sector, where the capability to operate continuously is essential, both for the bank and for its stakeholders, including customers
• Growing BC risks and challenges: terrorism, global warming, Arab unrest, financial turmoil. The impact is long-term and wider
• Regulatory pressure
• The financial sector is particularly vulnerable: institutions are clustered in high-profile business districts, have a highly interdependent supply chain, and their strategic importance means a disruption impacts the global economy and financial stability
• BC exercises are becoming more complicated, more coordinated and more connected
• The financial sector itself is becoming more connected and increasingly cooperative, realising the importance of taking an industry-wide approach and the benefits of knowledge-sharing amongst its members

High Level Principles of BC - Summary

Basel II

• High-level Principles of Business Continuity, by the Joint Forum of the Basel Committee on Banking Supervision (Basel II), August 2006
• Special focus, cooperation and expectations from the financial industry
• Intends to promote resilience across national boundaries
• The principles are neither prescriptive nor directive; one size doesn't fit all; have a BC practice that is proportionate to business risks
• 7 high-level principles, mostly from the banking regulator's/auditor's perspective
• Principle 1 – Sound BCM applies to all financial authorities and financial industry participants, and the ultimate responsibility for BCM rests with an organisation's board of directors and senior management.
• Principle 2 – Organisations should explicitly consider and plan for major operational disruptions in light of the increasing frequency of such events.
• Principle 3 – Participants should develop recovery objectives that reflect the risk they represent to the operation of the financial system. Financial industry participants that provide critical services to, or otherwise present significant risk to the operation of, the financial system should target higher standards in their BCM than other participants. They should aim for a reasonably consistent level of resilience.
• Principle 4 – Stresses the critical importance of BC plans addressing the full range of internal and external communication issues an organisation may encounter in the event of a major operational disruption. It specifically recognises that clear, regular communication during a major operational disruption is necessary to manage a crisis and maintain public confidence.
• Principle 5 – Highlights cross-border communications during a major operational disruption. Given the deepening interdependencies of financial systems across national boundaries, this principle advises adopting communication protocols that address situations where cross-border communication may be necessary.
• Principle 6 – Emphasises the need to ensure that BC plans are effective and to identify necessary modifications through periodic testing.
• Principle 7 – Calls for BCM reviews to be incorporated into the frameworks for assessing financial industry participants, to ensure that participants are in fact implementing appropriate approaches to BCM that reflect the recovery objectives adopted in accordance with Principles 1 and 3.

BCM Challenges in Indian Banking Industry (Considering following BCM Lifecycle)

• Know your Business – The bank's business and strategic objectives must be clearly understood amongst the stakeholders: assets, geographies being served, people involved, premises available, information technology being used, markets and geographies to be served, product and service portfolios, key service providers, dependencies, etc.
• BCRA – Consider "right case scenarios" rather than the "worst case scenario". Have at least the following steps:
– Identify
– Assess
– Measure
– Treat
– Measure
– Sign-off on Residual Risk
– Progressively increase Risk Appetite
• Includes both Risk Prevention and Risk Mitigation
• Adopting and following an approved RA methodology
• Can be part of the Enterprise Risk Management of an organisation

• BIA – "You can't improve what you can't measure"
• Identify Critical Business Functions and assign them a recovery priority
• Obtaining a correct measure of impact is a challenge. The BIA must consider both tangible and intangible impacts, which include:
– Financial impacts (direct or indirect)
– People impact, including customer impact
– Impact on productivity/service levels
– Brand, reputation, regulatory and legal impacts

• BC Strategy – Preparing a fit-for-purpose BC or resilience strategy is a challenge: BC is always trying to catch up with the dynamics of business growth
• Many a time the outcomes of the organisation-specific BCRA and BIA are not considered. Very often, they have the following gaps:
• More of a template-filling exercise.
• These should cover all key business units and functions, including service providers and key dependencies.
• Its geographic scope must include all locations, cities, countries and properties where the organisation has a presence
• Fundamental premise – follow good practice; flexibility and simplicity must be at the heart of BCM
• The strategy must consider both localised incidents that impact a single location/premises and city-wide, statewide or even national/regional incidents like terrorism or political unrest

Other important considerations include:

• Technology Recovery Plan considerations (more details in the following slides)
• People Recovery Plans / HR considerations
• Recovery considerations for outsourced functions
• BC testing considerations
• Building BC culture

Technology Recovery Plan Considerations

• Core Banking System
• Payment & Settlement Systems
– NEFT
– RTGS
– SWIFT
• ATMs
• Other – ECS (Electronic Clearance System), CTS (Cheque Truncation System), Netbanking, Mobile banking, Contact Centre, Internal Messaging etc.
• Outsourced services

Core Banking System

• Gartner defines a core banking system as a back-end system that processes daily banking transactions, and posts updates to accounts and other financial records. Core banking systems typically include deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools.
• For a layman, Core Banking is synonymous with Running the Bank
• It is the heart of a modern financial service organization and is all about providing the banking customers with the right products at the right time through the right channels 24 hours a day, 7 days a week, through a multi-location, multi-branch network
• While many banks run core banking in-house, there are some which use outsourced service providers as well. There are several systems integrators like Accenture, IBM and HP which implement these core banking packages at banks.

Top 5 Core Banking Solution Vendors

1 – FIS | Fidelity National Information Services (FNIS): Corebank, FIS Alltel Systematics, Sanchez Profile, Horizon, ACBS (Advanced Commercial Banking System), Kordoba, ALLprofits, MiSER, BancPac, Metavante
2 – Oracle Financial Services Software (formerly i-flex Solutions): Flexcube; Microbanker; Finware
3 – Infosys Technologies: Finacle
4 – TEMENOS: T24; T24 for Microfinance and Community Banking (MCB), formerly eMerge; GLOBUS; TEMENOS CoreBanking (TCB)
5 – TCS FS (Tata Consultancy Services Financial Solutions), formerly FNS BaNCS: TCS BaNCS (formerly FNS Bancs – Financial Network Services B@NCS-24)

Source: http://www.inntron.com/core_banking.html

Logos and trademarks belong to their respective owners; used only for training purposes.

Recovery Plan Considerations for Core Banking System

• Involve all aspects of CBS
• Test progressively, from modular to integrated CBS testing
• The main challenge is that most IT DR managers are either unwilling or lack the confidence to switch over and run operations from the recovery site or DR site.
• Involve service providers in complete recovery planning, testing, review and improvement
• Progressively, ITDR must dovetail into holistic recovery and be driven by the organisation's BC/resilience strategy. This aspect must be reviewed by BC managers.

Payment & Settlement

• The payment and settlement system forms the backbone of today's banking environment
• A robust and secure system of payment and settlement is one of the key challenges of a bank's BCM. Its coverage includes all instruments of payment and settlement and the Electronic Funds Transfer mechanism, ATMs and Point of Sale systems
• India would take the necessary steps to comply with new international standards for payment, clearing and settlement systems as per RBI guidelines
• CPSS and the Technical Committee of the International Organization of Securities Commissions (IOSCO) have already issued a draft for consideration, with a proposal that national bodies would start introducing the new standards into their laws by the end of 2012.

CPSS

• Committee on Payment and Settlement Systems (CPSS) of BIS
• The Committee on Payment and Settlement Systems (CPSS) contributes to strengthening the financial market infrastructure through promoting sound and efficient payment and settlement systems. Incorporated in Basel II as well.
• Created in 1990, CPSS serves (G-10) to monitor and analyse developments in domestic payment, settlement and clearing systems as well as in cross-border and multicurrency settlement schemes.
• CPSS recommends that central banks and other authorities review policies in light of the increasingly integrated nature of the global financial infrastructure.
• Lays down a framework for analysing the risks of interdependencies, along with specific recommendations for the industry, including integrated BC testing practices together with interdependent parties on a domestic and cross-border basis.

NEFT

• National Electronic Funds Transfer (NEFT) is a nation-wide payment system facilitating one-to-one funds transfer. Under this scheme, individuals, firms and corporates can electronically transfer funds from any bank branch to any individual, firm or corporate having an account with any other bank branch in the country participating in the scheme.
• To be part of the NEFT funds transfer network, a bank branch has to be NEFT-enabled.
• Presently, NEFT operates in hourly batches: there are eleven settlements from 9 am to 7 pm on weekdays (Monday through Friday) and five settlements from 9 am to 1 pm on Saturdays
• There is no limit, either minimum or maximum, on the amount of funds that can be transferred using NEFT. For cash-based remittances, the amount is limited to Rs. 50,000/- per transaction

RTGS

• The acronym 'RTGS' stands for Real Time Gross Settlement, which can be defined as the continuous (real-time) settlement of funds transfers individually on an order-by-order basis (without netting).
• The RTGS system is primarily meant for large-value transactions. The minimum amount to be remitted through RTGS is Rs. 2 lakh. There is no upper ceiling for RTGS transactions.
• In RTGS, the beneficiary bank has to credit the beneficiary's account within two hours of receiving the funds transfer message.
• As on September 29, 2011, there are more than 78,000 RTGS-enabled bank branches.

RTGS & NEFT

• NEFT is an electronic funds transfer system that operates on a Deferred Net Settlement (DNS) basis, which settles transactions in batches. In DNS, settlement takes place with all transactions received till the particular cut-off time. These transactions are netted (payables and receivables) in NEFT, whereas in RTGS the transactions are settled individually. For example, NEFT currently operates in hourly batches: there are eleven settlements from 9 am to 7 pm on weekdays and five settlements from 9 am to 1 pm on Saturdays. Any transaction initiated after a designated settlement time has to wait till the next designated settlement time. In contrast, RTGS transactions are processed continuously throughout the RTGS business hours.
• Both the remitting and the receiving side must have core banking in place to enter into RTGS transactions. Core Banking enabled banks and branches are assigned an Indian Financial System Code (IFSC) for RTGS and NEFT purposes.
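The difference between deferred net settlement and gross settlement described above, worked through as an added example that is not part of the original slides. It uses the batch schedule and the Rs. 2 lakh RTGS minimum stated on the slides; the bank names, amounts, outage window and the rule that a transfer arriving exactly at a cut-off joins that batch are assumptions, and bank holidays are ignored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Settlement schedule as stated on the slides (2012).
WEEKDAY_HOURS = range(9, 20)    # 9 am .. 7 pm  -> eleven hourly batches
SATURDAY_HOURS = range(9, 14)   # 9 am .. 1 pm  -> five hourly batches
RTGS_MINIMUM = 200_000          # Rs. 2 lakh

# Constructed sample data: (initiated, remitting bank, receiving bank, amount in Rs.)
SAMPLE_TRANSFERS = [
    (datetime(2012, 1, 6, 9, 40), "BANK_A", "BANK_B", 500_000),   # Friday
    (datetime(2012, 1, 6, 9, 55), "BANK_B", "BANK_A", 300_000),
    (datetime(2012, 1, 6, 10, 5), "BANK_A", "BANK_C", 250_000),
    (datetime(2012, 1, 6, 19, 10), "BANK_C", "BANK_A", 40_000),   # after last batch
    (datetime(2012, 1, 7, 13, 30), "BANK_B", "BANK_C", 900_000),  # Saturday, late
]
# Constructed outage window of one participant (Friday evening to Saturday morning).
OUTAGE_START = datetime(2012, 1, 6, 17, 30)
OUTAGE_END = datetime(2012, 1, 7, 10, 30)


def batch_hours(day):
    """Settlement hours for a calendar day (bank holidays ignored: assumption)."""
    weekday = day.weekday()     # Monday == 0 ... Sunday == 6
    if weekday <= 4:
        return WEEKDAY_HOURS
    if weekday == 5:
        return SATURDAY_HOURS
    return range(0)             # no settlements on Sunday


def next_settlement(initiated):
    """First NEFT cut-off at or after the time a transfer was initiated."""
    day = initiated.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(8):          # a week is always enough to reach a batch
        for hour in batch_hours(day):
            cutoff = day + timedelta(hours=hour)
            if cutoff >= initiated:
                return cutoff
        day += timedelta(days=1)
    raise ValueError("no settlement window found")


def settle_neft(transfers):
    """Deferred net settlement: one net position per bank per batch."""
    batches = defaultdict(lambda: defaultdict(int))
    for initiated, payer, payee, amount in transfers:
        cutoff = next_settlement(initiated)
        batches[cutoff][payer] -= amount    # payable
        batches[cutoff][payee] += amount    # receivable
    return {cutoff: dict(pos) for cutoff, pos in sorted(batches.items())}


def settle_rtgs(transfers):
    """Gross settlement: each eligible transfer settles individually, no netting."""
    return [t for t in transfers if t[3] >= RTGS_MINIMUM]


def missed_cutoffs(outage_start, outage_end):
    """NEFT cut-offs that fall inside an outage window of a participant."""
    missed, cutoff = [], next_settlement(outage_start)
    while cutoff <= outage_end:
        missed.append(cutoff)
        cutoff = next_settlement(cutoff + timedelta(seconds=1))
    return missed


if __name__ == "__main__":
    for cutoff, positions in settle_neft(SAMPLE_TRANSFERS).items():
        print(cutoff, positions)
    print(len(settle_rtgs(SAMPLE_TRANSFERS)), "transfers settle gross in RTGS")
    print("cut-offs missed during outage:", missed_cutoffs(OUTAGE_START, OUTAGE_END))
```

For recovery planning, the number of missed cut-offs is a rough measure of the settlement backlog a participant carries into its first batch after an outage.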

Payment & Settlement

RTGS & NEFT

• India's RTGS and NEFT, like any global financial system, have a set of interlinked networks of markets, systems and participants.
• Such a system should be resilient enough to withstand disruptions, as the potential impact of a major operational disruption may incapacitate the financial system.
• A holistic recovery plan incorporating all networked components and entities is a must for NEFT. Its testing should be carried out in a stringent manner so that it gives a high level of continuity assurance
• In a networked environment, security is as strong as the weakest link
• SWIFT – Society for Worldwide Interbank Financial Telecommunication: company HQ in Brussels, Belgium. Provides secure messaging services and interface software to wholesale financial entities. Demands cross-border coordination with connected financial entities. Robust and resilient IT infrastructure.
• RTGS and NEFT demand special emphasis on technology recovery, as special IT equipment including switches, hardware, software solutions and other network components are used.
• Enough redundancy should be present in the system architecture and backup processes
• Integrated tests for RTGS/NEFT and remote/alternate/recovery site working should be periodically carried out and proved.
• HR plans should specifically consider continuity, retention and succession of key staff having the knowledge and skills to work on the system
• The capability and commitment of service providers and third parties should be fully ensured.

ATMs

• An Automated Teller Machine is a computerized machine that provides the customers of banks the facility of accessing their account for dispensing cash and carrying out other financial and non-financial transactions without the need to actually visit their bank branch.
• ATMs primarily enable cash dispensing. In addition, ATMs may have many services/facilities enabled by the bank owning the ATM, such as:
– Account information
– Cash Deposit
– Regular bills payment
– Purchase of Re-load Vouchers for Mobiles
– Mini/Short Statement
– Loan account enquiry etc.
• ATM – Remember the client perspective: "Any Time Money", and anywhere too. Hence 24*7*365 operations across all locations (think MTPoD and RTO). Ensure no disruption in key internal processes:
– ATM Reconciliation Process: Ensuring periodic and timely reconciliation in the bank's central operation process should be priority no. 1. Address all interdependencies, with periodic and integrated testing of recovery plans
– Cash Replenishment: A sound internal process to ensure timely, safe and efficient replenishment is a must for continuous operation of any ATM. The task of cash replenishment may also be outsourced to a service provider.
– ATM Consumables: Printing consumables are also an important part of operations that needs to be prepared for properly. Ensuring a continuous supply chain is a must.
• There are other ATM risks during day-to-day operations interaction

Key HR Recovery Challenge for Banks

Management Succession

• Succession of key appointments like Directors and Senior Management Officers must comply with the articles/memorandum and bylaws of the company/bank.
• The following key factors may be evaluated when selecting alternates:
– Long-term business strategy of the company
– Key areas where change or continuity is required
– Key strengths and weaknesses of personnel and employees, including potential and past performance, and how they relate to the strategy and needs of the organisation both in the short and in the long term
– How best to develop the abilities of personnel to match strategy and needs
– External talent, staffing options

Outsourced Functions

Managing Continuity

• Outsourcing is contracting with another company or person to do a particular function.
• Almost every organization outsources in some way, for multiple reasons
• Normally, the function being outsourced is considered non-core to the business
• Managing continuity in outsourcing becomes more challenging, especially when functional activities are being done in a different country (called off-shoring), since that involves language, cultural and time zone differences
• Organisations and regulators are now looking more closely at social and political risks, including financial stability, at the off-shored location
• An un-coordinated BC arrangement between the "offshored" and parent "send" locations gives rise to false BC assurance

With a view to having effective BCM for outsourced functions, the following must be considered:

• A realistic analysis of BC capability must be done before a function is outsourced
• Depending on the criticality of the service provided, BC arrangements and their measure of effectiveness must be incorporated in the SLAs
• The BIA at the off-shored location must consider the impact of local disruption on the "send" site
• If the BC strategy is "Revert to Send", then its efficiency must be regularly tested
• Organisations must think "Right Shoring": right location, right service levels, acceptable risks and retaining a critical mass of key capabilities to provide the best possible customer experience.
• Both parties must participate at least once a year in end-to-end integrated BC tests

Emergency Powers

Need during BC Incidents

• Special times, special powers. Expect standard controls/checks and balances to be loosened. Expect higher financial powers
• Such powers must be exercised judiciously, with clear and visible intent.
• Quick and well-informed management decision-making is key to successful incident handling.
• The organisation must provide for emergency powers to incident management teams to minimise losses
• Such powers should be pre-approved by the board and promulgated across the organisation. These must be able to withstand any scrutiny when the crisis/incident is over
• Such powers must cover all functions necessary for incident management and holistic business recovery

BC Challenges - Testing of BC Plans

Objectives and Benefits

• Organisations must test the effectiveness of their BC plans.
• At the minimum, all BC plans including incident management plans must be tested at least once a year or in case of any major change in the organisation
• Testing should be both modular and integrated
• Testing is more about reviewing and improving. It's not about passing or failing.
• Testing provides an opportunity for staff to gain familiarity with their business continuity roles and helps them perform their expected activities.
• A good testing approach builds camaraderie across diverse functions in an organisation. It is a strong team-building event
• All businesses/functions based out of a site are required to participate (depending on the exercise scenario)
• The outcomes of BC tests bring out gaps in an organisation's BC plans. Such gaps can be covered with a focussed approach
• Test reports are key documents from an audit/regulatory perspective

BC Testing (Suggested Ground Rules)

• Integrated tests/exercises for BCM should be conducted in a manner that balances realism (in the test scenario) with ensuring minimum or nil business impact.
• BC should cover all businesses and functions of an organisation
• The organisation must define minimum staff participation (the maximum can be up to 100%). For example:
– Evacuation exercise – all present in the premises
– BC recovery exercise – 40% (or as per recovery team size) etc.
– Process-level participation – 100% (depending on scenario)
• Special consideration and involvement for outsourced functions
• Any exemption to the above is to be approved by the Overseeing Committee
• Nominate external observers to ensure impartial/objective test reports

Major Challenge - Embedding BC Culture

Making BCM part of Bank's DNA

• Arguably the most difficult and arduous element of a BCM system, and at the same time one of the most essential
• An organisation's ability to respond to a BC incident, and its capacity to recover from a disruption, depend directly on the awareness levels, understanding, skills and experience of its stakeholders, including employees
• The key questions that this element answers are: ARE YOU PREPARED? WILL YOU BE ABLE TO RESPOND?
• In times of crisis, every employee of the organisation, at all levels, must know what he or she is supposed to do
• The organisation must move from "Document Centric" BCM to "Action Centric" BCM.
• There won't be time to refer to documents during a crisis event. The answer is train, practice, drill, test, with an aim to continuously improve and embed a culture of BCM

Embedding BC Culture

Activities Involved

• Demonstrated management commitment – vision statement, funds, resource commitment and a dedicated BC team within the organisation.
• Making BCM a collaborative process, business-owned and business-driven
• Developing and implementing a comprehensive:
– Training and Awareness plan covering all stakeholders and focus groups
– Audit Plan that includes BCM
– Modular and Integrated Testing Plan
– Change Management Process covering BC elements
• Integrate BCM in the organisation's rewards and recognition program
• Include BC roles and responsibilities in the job descriptions of employees
• Include external dependencies in BC testing and drills
• Include BC objectives in performance evaluation and appraisals

Training & Awareness Program

The following are key considerations for a BCM training and awareness program:

• Cover all staff and focus groups, including all business and support functions
• Encourage participation of external service providers
• Inclusion of BCM in the induction program for new joiners
• Multimedia modes of awareness, which include:
– Videos
– Flyers
– Email newsletters
– Road shows
– Posters
– Websites
• Conduct special promotion weeks/events/workshops/seminars
• Promote BC education and training courses

Organisations must monitor and measure the effectiveness of the Training and Awareness Program


Summary of Key Challenges

• Approach and resources for building BC strategy – mostly template filling. Use of isolated Excel sheets and applications. Lack of use of integrated BC solutions (ERP approach)
• Technology recovery. Huge dependencies on external vendors and entities. Most incidents are not threatening IT incidents. But any incident of IT outage has a huge impact, both direct and indirect
• Realistic testing. Holistic approach. IT, business and service providers work in isolation
• Lack of industry synergy. A forum exists that includes foreign captive banks, but there is no real synergised effort either through the Banking Association or through regulations
• Weak enforcement by the central bank (RBI). Many RBI guidelines and instructions exist, but the mechanisms to enforce them and measure their effectiveness are inadequate

Some Food for thought for banking industry …

Remember what is the key driver for BCM (Management Intent)

- Is it Compliance / the highly regulatory environment of the financial industry?
- Is it because your competitors are doing it?
- Is it another tick in the box?

Or …

Do you really want to have a resilient Bank?


Thank You

For feedback/suggestions : [email protected]

www.periculum.in