Stelios Aronis ISO 22301 BCMS Implementation and Sharing of BCM Best Practices for an European Bank


ISO22301 BCMS Implementation and Sharing of BCM Best Practices for an European Bank

Stelios Aronis, BCCLA

Head of Business Continuity

Alpha Bank Group


Alpha Bank Group Overview:

• Alpha Bank s.a. founded in 1879

• One of the largest banks in Greece:

  17.655 Employees (Greece: 11.911, International: 5.744)

  Over 1.000 service points (Branch Network)

  One of the highest capital adequacy ratios in Europe.

• International subsidiaries:

  i. Albania

  ii. Bulgaria

  iii. Cyprus

  iv. F.Y.R.O.M

  v. Romania

  vi. Serbia

  vii. United Kingdom

• 11 Subsidiaries in Greece (Investment Banking / Asset Management, Venture Capital, Leasing/Factoring, Insurance, Athens Hilton Hotel, etc.)

• Recently acquired consumer banking business of Citibank International Plc in Greece, including Diners Club.

Our Values: Quality at work, Quality in communication, Meritocracy, Moral Standards, Creativity

Our Vision: To be a bank of reference in Southeastern Europe

Our Aim: To provide high-quality services and pioneering products


ISO22301 – BCMS Certification:

• Alpha Bank s.a. (parent company):

  Information Technology (including Data centers)

  Financial Markets – Treasury

  Back Office Operations: Funds Transfer operations / Cheques clearing / Treasury Back Office / Loans Administration / International Trade / Custody & Shareholders Registry / Cash Centers / Alternative Networks Support / Private Banking Support.

• Alpha Supporting Services: IT Infrastructure management and operation for Alpha Bank Group Subsidiaries in Greece and Abroad

• Alpha Bank Romania: IT, Treasury, Back Office Operations (certification project in progress)

Number of Personnel in sectors certified with ISO22301 exceeds 1300 people.

Same BCM Methodology and procedures are applied to all Units of the Alpha Bank Group.

[Diagram labels: CRITICAL FUNCTIONS; BUSINESS CONTINUITY PLAN; DISASTER RECOVERY PLAN; CRISIS MANAGEMENT; EVACUATION PLAN; PEOPLE / RESOURCES; THREAT REMEDIATION; RISK ASSESSMENT; threats: CATASTROPHIC EVENT, TELECOMMS DISRUPTION, FLOOD / EARTHQUAKE / FIRE]


HINTS ON SUCCESSFUL IMPLEMENTATION OF A BCMS

BCM METHODOLOGY – ISO22301 (phases):

• PROJECT MANAGEMENT

• RISK ANALYSIS AND REVIEW

• BUSINESS IMPACT ANALYSIS

• BUSINESS CONTINUITY STRATEGY

• PLAN DEVELOPMENT

• TESTING AND EXERCISING

• PROGRAM MANAGEMENT


HINTS – PROJECT MANAGEMENT PHASE

Obtain Executive Management support and commitment:

BCM Project Sponsor: Alpha Bank’s COO, member of Executive Board

Project Steering Committee: Divisions’ Heads: Organization, Risk, IT, Information Security, International Network

Project Manager: Head of Group BCM Office

Country Project Sponsor: IT & Operations Head (or COO)

Resources:

Group BCM Office: Central Point of communication and support

Company BCM Offices/Coordinators (International Network)

Business Unit BCM Coordinators

External Consultants (optional)


HINTS – PROJECT MANAGEMENT PHASE

Project Definition Document:

Indicative contents:

Project Definition: Vision, Scope, Objectives, Deliverables

Project Organization: Roles and Stakeholders, Communication Plan to Stakeholders (frequency of reporting, meetings, etc.), Responsibilities per Role

Project Plan / Milestones

Project Considerations / Risks:

Resourcing issues

Project Dependencies (e.g. centralized systems)

Country (local) Risks (e.g. premises availability)

Legal / Compliance Issues


HINTS – RISK ANALYSIS PHASE

Risk Management Process (based on ISO 31000):

ESTABLISH CONTEXT

RISK ASSESSMENT:

• RISK IDENTIFICATION

• RISK ANALYSIS

• RISK EVALUATION

RISK TREATMENT (re-evaluate residual risk after Risk Treatment Plan implementation)

APPROVAL BY OPERATIONAL RISK COMMITTEE OR EXECUTIVE BOARD!!!

RCSA – Risk Control Self Assessment (BU Level)

Threat & Risk Assessment (Organization Level):

• Premises & Physical Security

• IT / Information Security / Data Backup

• Critical Vendors / Service Providers (Outsourcing)

• Personnel Awareness on emergency procedures


HINTS – BIA PHASE

• RTO (Recovery Time Objective) Definition: The maximum acceptable time interval within which an operation/business function must be resumed, so that there is no severe impact to the Organization.

• RTO Scale:

  Same Day (1 or 8 hours)

  Next Day (24 hours)

  Within 3 Days

  Within a Week

• METHODOLOGY:

  Data Collection and impact assessment

  Data Validation:

  I. Data Completion Check

  II. RTO Validation against:

  o Group RTO in respective or similar activities (benchmark)

  o Previous year’s RTO of the respective Function / Activity

  o Industry RTO Benchmarks (provided by external consultants)

  (any RTO variations should be justified by the Business Units)

  Final Confirmation by each Business Unit before formal issuance
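The two Data Validation steps of the BIA methodology (Data Completion Check, then RTO Validation against the group, previous-year and industry benchmarks, with every variation needing a Business Unit justification) expressed as a runnable check. This is an added example, not code from the presentation or from Alpha Bank's own BCM tooling; the BIA record layout (`function`, `unit`, `rto_hours`, `justification`), the three benchmark source names and all sample values are assumptions constructed for the example.

```python
"""Added example: BIA data-validation checks (not from the presentation).

Encodes the two validation steps of the BIA methodology: a Data Completion
Check and an RTO Validation against group, previous-year and industry
benchmarks, where any variation must be justified by the Business Unit.
The record layout, benchmark sources and sample values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# RTO scale from the BIA slide, in hours: same day (1 or 8 hours),
# next day (24), within 3 days (72), within a week (168).
RTO_SCALE_HOURS = (1, 8, 24, 72, 168)

# Fields every BIA record must carry before it is benchmarked (assumed layout).
REQUIRED_FIELDS = ("function", "unit", "rto_hours")

# Benchmark sources named on the slide; findings are reported in this order.
BENCHMARK_SOURCES = ("group", "previous_year", "industry")


@dataclass(frozen=True)
class Finding:
    function: str  # business function the finding refers to
    check: str     # validation step that raised it
    detail: str    # explanation to send back to the Business Unit


def check_completeness(record: dict) -> list[Finding]:
    """Step I: Data Completion Check. A missing field or an RTO that is not on
    the agreed scale makes the record unusable for benchmarking."""
    name = record.get("function") or "<unnamed>"
    findings = []
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        findings.append(Finding(name, "completeness", "missing fields: " + ", ".join(missing)))
    rto = record.get("rto_hours")
    if rto is not None and rto not in RTO_SCALE_HOURS:
        findings.append(Finding(name, "completeness",
                                f"RTO {rto}h is not on the scale {RTO_SCALE_HOURS}"))
    return findings


def check_rto(record: dict, benchmarks: dict) -> list[Finding]:
    """Step II: RTO Validation. Compare the declared RTO with each benchmark
    available for the function; a variation without a justification is a finding."""
    name = record["function"]
    rto = record["rto_hours"]
    justified = bool(record.get("justification"))
    findings = []
    for source in BENCHMARK_SOURCES:
        value = benchmarks.get(name, {}).get(source)
        if value is None or value == rto or justified:
            continue
        direction = "longer" if rto > value else "shorter"
        findings.append(Finding(name, f"rto vs {source}",
                                f"declared {rto}h is {direction} than the {source} "
                                f"benchmark of {value}h and no justification was given"))
    return findings


def validate_bia(records: list[dict], benchmarks: dict) -> list[Finding]:
    """Run both steps over a BIA data set; incomplete records are not benchmarked."""
    findings = []
    for record in records:
        completeness = check_completeness(record)
        findings.extend(completeness)
        if not completeness:
            findings.extend(check_rto(record, benchmarks))
    return findings


# Constructed sample data set: function names follow the critical-function
# examples on the slides; RTO values, units and benchmarks are invented.
SAMPLE_RECORDS = [
    {"function": "Funds Transfers", "unit": "Payments Back Office", "rto_hours": 8},
    {"function": "Loans Back Office", "unit": "Loans Administration", "rto_hours": 72},
    {"function": "Custody", "unit": "Custody & Shareholders Registry", "rto_hours": 24,
     "justification": "settlement cycle allows next-day resumption"},
    {"function": "Cash Centers", "unit": "Cash Centers", "rto_hours": 12},
    {"function": "", "unit": "Private Banking Support", "rto_hours": 24},
]

SAMPLE_BENCHMARKS = {
    "Funds Transfers": {"group": 8, "previous_year": 8, "industry": 8},
    "Loans Back Office": {"group": 8, "previous_year": 8, "industry": 24},
    "Custody": {"group": 8, "previous_year": 24},  # no industry figure available
}


if __name__ == "__main__":
    for f in validate_bia(SAMPLE_RECORDS, SAMPLE_BENCHMARKS):
        print(f"{f.function:18} {f.check:22} {f.detail}")
```

Run as a script, the sample set yields five findings: three for the Loans Back Office RTO that exceeds every benchmark without justification, one for the Cash Centers RTO that is off the scale, and one for the record with no function name. The Custody record deviates from the group benchmark but carries a justification, so it passes; separating the completeness step from the benchmark step keeps off-scale or incomplete records from generating misleading benchmark findings.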


HINTS – BIA PHASE

Critical Business functions (“same day” recovery)

• IT Infrastructure Management and Operations (Data Center)

• Funds Transfers / Payments (Incoming, Outgoing)

• Loans Back Office

• International Trade

• Clearing (Cheques, Securities & Derivatives)

• Trading (Front Office, Back Office and Controls over Limits)

• Instant Credit (Loan Authorizations)

• Relationship Management (Corporate/Private Banking, Shipping, etc.)

• Customer Service / Help Desk

• Credit Cards: Lost & Stolen Declaration / Transactions Authorizations and Disputes Resolution


HINTS – B.C. STRATEGY PHASE

Recovery strategy by RTO tier:

“Same Day” recovery: HOT SITE

“Next Day” recovery: WARM SITE / DISPLACEMENT

3 Days or more: COLD SITE

DEFINITIONS:

• HOT SITE: Fully equipped and preconfigured facilities which can be used for instant recovery of business operations

• WARM SITE: Equipped but not preconfigured facilities. PCs are installed but require configuration before use

• COLD SITE: Non-equipped but “wired” empty space.


HINTS – PLAN DEVELOPMENT PHASE

BCP GOVERNANCE:

Emergency Management Team

Initial Response Team

D.R. Coordinator

TECHNICAL TEAMS (Systems, Databases, Networks)

Business Recovery Teams

B.C. Coordinator

Emergency Support Team

Each team has specific roles and responsibilities that are documented in the Business Continuity Plan.


HINTS – EXERCISING AND TESTING

Testing Scenarios:

• Scenario 1: Access to premises is not feasible, but application and communication systems are intact

• Scenario 2: Access to premises is not feasible and also the application and communication systems are not available (DR also activated)

• Scenario 3: Premises are available for use, but application and communication systems are not available (DR activation)

• Scenario 4: More than 20% of the Personnel is not available for a period of more than a week (e.g. due to Pandemic)

• Scenario 5: Interruption in the operations of a critical service provider

Key Points:

Internal Audit to be present in tests as an independent observer

Record test details and results (use of template)

Update Senior Management regularly on test results / corrective actions

Avoid Disruptions Caused by Plan Misuse!!!!


HINTS – PROGRAM MANAGEMENT

FOCUS ON CONTINUOUS IMPROVEMENT

MAINTENANCE & REVIEW

Perform Internal Audits (ensure objectivity)

Set goals / Monitor near misses

Review / improve the Plan and the BCMS

COMPETENCE & AWARENESS

Enhance BCM culture across the Organization

Train and Educate Personnel (use of external certification bodies)


THANK YOU FOR YOUR ATTENTION