Stelios Aronis: ISO 22301 BCMS Implementation and Sharing of BCM Best Practices for a European Bank
Stelios Aronis, BCCLA
Head of Business Continuity
Alpha Bank Group
Alpha Bank Group Overview:
• Alpha Bank s.a. founded in 1879
• One of the largest banks in Greece:
  17.655 Employees (Greece: 11.911, International: 5.744)
  Over 1.000 service points (Branch Network)
  One of the highest capital adequacy ratios in Europe
• International subsidiaries:
  i. Albania
  ii. Bulgaria
  iii. Cyprus
  iv. F.Y.R.O.M.
  v. Romania
  vi. Serbia
  vii. United Kingdom
• 11 Subsidiaries in Greece (Investment Banking / Asset Management, Venture Capital, Leasing / Factoring, Insurance, Athens Hilton Hotel, etc.)
• Recently acquired the consumer banking business of Citibank International Plc in Greece, including Diners Club.
Our Values: Quality at work, Quality in communication, Meritocracy, Moral Standards, Creativity
Our Vision: To be a bank of reference in Southeastern Europe
Our Aim: To provide high-quality services and pioneering products
ISO 22301 – BCMS Certification:
• Alpha Bank s.a. (parent company):
  Information Technology (including Data Centers)
  Financial Markets – Treasury
  Back Office Operations: Funds Transfer operations / Cheques clearing / Treasury Back Office / Loans Administration / International Trade / Custody & Shareholders Registry / Cash Centers / Alternative Networks Support / Private Banking Support
• Alpha Supporting Services: IT Infrastructure management and operation for Alpha Bank Group Subsidiaries in Greece and Abroad
• Alpha Bank Romania: IT, Treasury, Back Office Operations (certification project in progress)
The number of personnel in sectors certified with ISO 22301 exceeds 1300 people.
The same BCM methodology and procedures are applied to all Units of the Alpha Bank Group.
[Slide diagram: critical functions are covered by the Business Continuity Plan, Disaster Recovery Plan, Crisis Management and Evacuation Plan (people / resources); threats addressed through risk assessment and threat remediation: catastrophic event, telecomms disruption, flood, earthquake, fire]
HINTS ON SUCCESSFUL IMPLEMENTATION OF A BCMS
BCM METHODOLOGY – ISO22301 (phase diagram):
• PROJECT MANAGEMENT
• RISK ANALYSIS AND REVIEW
• BUSINESS IMPACT ANALYSIS
• BUSINESS CONTINUITY STRATEGY
• PLAN DEVELOPMENT
• TESTING AND EXERCISING
• PROGRAM MANAGEMENT
HINTS – PROJECT MANAGEMENT PHASE
Obtain Executive Management support and commitment:
  BCM Project Sponsor: Alpha Bank’s COO, member of the Executive Board
  Project Steering Committee: Divisions’ Heads: Organization, Risk, IT, Information Security, International Network
  Project Manager: Head of Group BCM Office
  Country Project Sponsor: IT & Operations Head (or COO)
Resources:
  Group BCM Office: central point of communication and support
  Company BCM Offices / Coordinators (International Network)
  Business Unit BCM Coordinators
  External Consultants (optional)
HINTS – PROJECT MANAGEMENT PHASE
Project Definition Document, indicative contents:
  Project Definition: Vision, Scope, Objectives, Deliverables
  Project Organization: Roles and Stakeholders, Communication Plan to Stakeholders (frequency of reporting, meetings, etc.), Responsibilities per Role
  Project Plan / Milestones
  Project Considerations / Risks:
    Resourcing issues
    Project Dependencies (e.g. centralized systems)
    Country (local) Risks (e.g. premises availability)
    Legal / Compliance Issues
HINTS – RISK ANALYSIS PHASE
Risk Management Process (based on ISO 31000):
  ESTABLISH CONTEXT
  RISK ASSESSMENT: RISK IDENTIFICATION → RISK ANALYSIS → RISK EVALUATION
  RISK TREATMENT (re-evaluate residual risk after Risk Treatment Plan implementation)
  APPROVAL BY OPERATIONAL RISK COMMITTEE OR EXECUTIVE BOARD!!!
RCSA – Risk Control Self Assessment (BU Level)
Threat & Risk Assessment (Organization Level):
  Premises & Physical Security
  IT / Information Security / Data Backup
  Critical Vendors / Service Providers (Outsourcing)
  Personnel Awareness on emergency procedures
HINTS – BIA PHASE
• RTO (Recovery Time Objective) Definition: The maximum acceptable time interval within which an operation / business function must be resumed, so that there is no severe impact to the Organization.
• RTO Scale:
  Same Day (1 or 8 hours)
  Next Day (24 hours)
  Within 3 Days
  Within a Week
• METHODOLOGY:
  Data Collection and impact assessment
  Data Validation:
    I. Data Completion Check
    II. RTO Validation against:
      o Group RTO in respective or similar activities (benchmark)
      o Previous year’s RTO of the respective Function / Activity
      o Industry RTO Benchmarks (provided by external consultants)
      (any RTO variations should be justified by the Business Units)
  Final Confirmation by each Business Unit before formal issuance
HINTS – BIA PHASE
Critical Business functions (“same day” recovery):
• IT Infrastructure Management and Operations (Data Center)
• Funds Transfers / Payments (Incoming, Outgoing)
• Loans Back Office
• International Trade
• Clearing (Cheques, Securities & Derivatives)
• Trading (Front Office, Back Office and Controls over Limits)
• Instant Credit (Loan Authorizations)
• Relationship Management (Corporate / Private Banking, Shipping, etc.)
• Customer Service / Help Desk
• Credit Cards: Lost & Stolen Declaration / Transactions Authorizations and Disputes Resolution
HINTS – B.C. STRATEGY PHASE
Recovery facility by RTO (slide diagram):
  HOT SITE – “Same Day” recovery
  WARM SITE / DISPLACEMENT – “Next Day” recovery
  COLD SITE – 3 Days or more
DEFINITIONS:
• HOT SITE: Fully equipped and preconfigured facilities which can be used for instant recovery of business operations
• WARM SITE: Equipped but not preconfigured facilities. PCs are installed but require configuration before use
• COLD SITE: Non-equipped but “wired” empty space.
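The BIA data-validation steps (completion check, RTO validation against group, previous-year and industry benchmarks, variations requiring Business Unit justification) and the strategy-phase mapping of RTO to hot / warm / cold site, as one added example in Python; this is not the deck's or the bank's own tooling, and the record layout, field names and sample numbers are assumptions constructed for illustration:

```python
# Added example (not the deck's tooling): BIA validation + RTO-to-site mapping.
# RTO scale from the BIA slide (hours): same day 1 or 8, next day 24, 3 days 72, a week 168.
RTO_SCALE_HOURS = (1, 8, 24, 72, 168)
REQUIRED_FIELDS = ("function", "business_unit", "rto_hours")  # assumed record layout

def strategy_for_rto(rto_hours):
    """Recovery facility tier for an RTO, as the strategy slide maps it."""
    if rto_hours <= 8:      # "same day" recovery
        return "HOT SITE"
    if rto_hours <= 24:     # "next day" recovery
        return "WARM SITE / DISPLACEMENT"
    return "COLD SITE"      # 3 days or more

def validate_bia_record(record, references):
    """Findings for one BIA record. `references` maps 'group', 'previous_year'
    and 'industry' to benchmark RTOs in hours; absent benchmarks are skipped."""
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:  # data completion check fails: the RTO cannot be validated
        return ["incomplete record: missing " + ", ".join(missing)]
    rto = record["rto_hours"]
    findings = []
    if rto not in RTO_SCALE_HOURS:
        findings.append(f"RTO {rto}h is not on the scale {RTO_SCALE_HOURS}")
    justified = bool(record.get("justification"))
    for name, ref in references.items():
        if ref is not None and ref != rto and not justified:
            findings.append(f"RTO {rto}h differs from {name} benchmark "
                            f"{ref}h without Business Unit justification")
    return findings

def review_bia(records, references_by_function):
    """Validate every record; returns {function: (strategy tier, findings)}."""
    result = {}
    for r in records:
        tier = strategy_for_rto(r["rto_hours"]) if r.get("rto_hours") else None
        refs = references_by_function.get(r.get("function"), {})
        result[r.get("function", "<unnamed>")] = (tier, validate_bia_record(r, refs))
    return result

# Constructed sample input: function names follow the deck, all numbers are hypothetical.
SAMPLE_RECORDS = [
    {"function": "Funds Transfers", "business_unit": "Back Office", "rto_hours": 8},
    {"function": "Loans Back Office", "business_unit": "Back Office", "rto_hours": 72,
     "justification": "batch cut-off agreed with Operations"},
    {"function": "Custody", "business_unit": "", "rto_hours": 24},
]
SAMPLE_REFERENCES = {
    "Funds Transfers": {"group": 8, "previous_year": 8, "industry": 4},
    "Loans Back Office": {"group": 24, "previous_year": 24, "industry": 24},
}
```

Run `review_bia(SAMPLE_RECORDS, SAMPLE_REFERENCES)`: the unjustified deviation from the industry benchmark and the incomplete record surface as findings, while the justified 72h RTO passes and is assigned a cold site.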
HINTS – PLAN DEVELOPMENT PHASE
BCP GOVERNANCE (team structure on the slide):
  Emergency Management Team
  Initial Response Team
  Emergency Support Team
  B.C. Coordinator
  D.R. Coordinator
  TECHNICAL TEAMS (Systems, Databases, Networks)
  Business Recovery Teams
Each team has specific roles and responsibilities that are documented in the Business Continuity Plan.
HINTS – EXERCISING AND TESTING
Testing Scenarios:
• Scenario 1: Access to premises is not feasible, but application and communication systems are intact
• Scenario 2: Access to premises is not feasible and the application and communication systems are also not available (DR also activated)
• Scenario 3: Premises are available for use, but application and communication systems are not available (DR activation)
• Scenario 4: More than 20% of the Personnel is not available for a period of more than a week (e.g. due to Pandemic)
• Scenario 5: Interruption in the operations of a critical service provider
Key Points:
  Internal Audit to be present in tests as an independent observer
  Record test details and results (use of template)
  Update Senior Management regularly on test results / corrective actions
  Avoid Disruptions Caused by Plan Misuse!!!!
HINTS – PROGRAM MANAGEMENT
FOCUS ON CONTINUOUS IMPROVEMENT
MAINTENANCE & REVIEW
  Perform Internal Audits (ensure objectivity)
  Set goals / Monitor near misses
  Review / improve the Plan and the BCMS
COMPETENCE & AWARENESS
  Enhance BCM culture in the Organization
  Train and Educate Personnel (use of external certification bodies)