About Us  |  Search  | FAQ  | Contact Us
Business Continuity Management
Home
Banking
STP
Risk Management
BCM
CLS
Human Resources
e-commerce
Features
Smarts Cards
Interviews
Optimise CRM
Data Warehousing
Disaster Recovery
Swift Messaging
Securities
M-commerce
Africa
Finance
BPM & Workflow
Capital Markets
Global Custody
Outsourcing
 

Page last updated
February 15, 2003




ISSN No:1470-5494 All rights reserved. No part or portion of this publication may be reproduced or transmitted in any form without the express, prior and written permission of the publisher. Whilst every effort has been made to ensure accuracy, the publisher accepts no responsibility for any person acting as a result of the content herein.

 

 

I

Trends & Developments in Business Continuity Management for the Banking Community

www.guardianit.com

With increasing globalisation, together with regulatory pressures, banks and financial services companies were always amongst the ranks of early adopters when it came to realising the importance of business continuity planning in the protection of key functions. There can't be many who would not agree on the critical nature of banking operations; for example, without the treasury department you cannot manage client or corporate funds, inabilities to trade lead to liquidity problems and lack of access to the market denies the necessary information essential for predicting trends and setting future policy.

But after many years of investing in business continuity, what are the current considerations for today's banking community vis-à-vis contingency planning?

In answer to this question, it is worth considering:

n Business continuity management approaches

n Specific issues for the trading environment

n Regulatory pressures

n Post-September 11th

The value of business continuity
A disaster can be defined as "Any unplanned and unforeseen event, which makes the facility (or system) inoperable or inaccessible". But there is an important differentiation between a disaster and a crisis. A crisis is something that disrupts without making systems or facilities inoperable. Of course, a crisis might also arise due to industrial action, threat of takeover, public disclosure of confidential / sensitive information or any number of other causes.

Equally, there is a difference between Disaster Recovery and Business Continuity, the former is IT-centric, the latter a business-led, holistic approach that acknowledges the fact that there is more to recovering a business than recreating its technology.

For those that think insurance is the answer to incidents that severely disrupt business, think again. Insurance has its place, but business interruption insurance is needed in tandem with BCP. Insurance covers quantifiable losses, not erosion of brand value, lifetime value of lost customers, and so on, which can be far more significant. Business continuity can impact the costs of acquiring insurance, a good and recognised business continuity programme can serve as a means of improving insurance terms or of getting cover.

Clearly prevention serves better than cure, and resilience is therefore as important as recovery. Resilience is preventative, whilst recovery is a reactive process with the objective of containing effects and minimising impacts through rapidly re-establishing the status prior to the incident. And business continuity management must embrace both. There is much to be gained for BC through the reduction of business interruption risk. Ultimately, it can improve operational efficiency.

Effective business continuity management should cover incident response, crisis management and PR and business continuity planning. Response to disaster or interruption can be broken down into three distinct phases; the emergency response phase, the business continuity phase and the recovery phase. Any continuity strategies should reflect this disaster lifecycle and have the necessary processes, procedures and documents incorporated into the organisation's business continuity plan.

When considering the merits of in-house v external solutions, it is worth considering what the core principles of the business are. Syndicated or shared subscription disaster recovery services have the advantage of focus, cost and available expertise. For operations; e.g. fixed income, derivatives and equities; in need of time-critical or dedicated resources, mirrored or dedicated offerings are available. Solutions can and should be tailored to suit both budgets and required recovery timescales.

Ongoing, rigorous and regular testing of recovery provision is vital. You may think that it's not often that you'll require your treasury function to work 'as normal' from a recovery location, but it does happen. Two years ago, a North American bank had to relocate 200 staff following a power failure, with their traders operational within 30 minutes of invocation. On arrival they discovered that their permissioning requirements had changed since their most recent test; only 3 month's before! Organisations constantly change, plans must reflect this, and testing ensures they are relevant and workable ahead of any 'acid test'.

As well as the management benefits of well maintained business continuity plans, it is worth noting that failure to do so may lead to an auditor's qualifying statement, which could impact on stock and bond ratings, loss of credibility and questions from investors. Business continuity planning really is important.

The Trading environment issues and technological impacts
As well as the operational impacts illustrated above that the loss of the trading environment can bring, it is helpful for the organisation to be able to quantify the impact of not being able to trade. When costs of downtime are understood, they can be used to help implementing the most appropriate recovery strategies (see tables 1 & 2, Source Datamation).

By having the correct provision, some companies can continue trading within seconds or minutes of invocation.

Other factors impacting choice of disaster recovery provision include the ongoing refresh of technology and increased use of the Internet which has seen a greater volumes of deals occurring more quickly; a growing trend for spread-betting and the movement of on-line brokerages from fledgling to fully-listed status; a mark of the standing and impact of these companies.

Regulation and compliance
The Financial sector continues to be heavily regulated and business continuity plans are required. The financial markets have an increasing focus upon this area as settlement times reduce, leaving less time to identify and rectify trade failures. Un-rectified trade failures will have a knock-on effect upon other banks that could lead to a requirement for the regulator or central bank to intervene and provide support or risk a domino effect damaging market confidence and leading to financial meltdown worldwide. Business continuity really is that important.

The Turnbull Committee's corporate governance report (following in the tradition of earlier Cadbury and Greenbury reports) focuses upon risk management and requires companies listed on the London Stock Exchange to make a statement about risk management and its position within annual statutory Reports and Accounts. Business continuity is mentioned. Failure to meet the auditor's expectations could result in unqualified accounts or, in extremis, de-listing.

The FSA is also interested in developing prudent standards for business continuity, effectively raising the bar for contingency planning. With senior FSA appointments being made with this in mind, it is clear that a new level of commitment to the importance of pro-active and relevant business continuity arrangements is being made.

Finally, the recently developed Second Basle Accord has made significant changes to the original accord in a bid to address the developments in the industry that could impact their members' profiles.

Basle's three mutually reinforcing pillars enable banks to more effectively manage their operational risks ; with financial incentives for doing so that may raise the liquidity of complying organisations. Basle may prove too cumbersome to be widely adopted, but if the incentives applied work, it may serve to make operational risk management a corporate necessity and take risk management into a new phase.

We could therefore speculate that we could be heading towards the day when business continuity providers may need to be 'certified suppliers of disaster recovery to trading rooms' before they can provide such services. It is not unlikely that such an approach would be driven by the regulators.

Post September 11th
In the immediate aftermath of the terrorist activities in the US, several large financial institutions were effectively out of the market for up to 3 weeks. The de-stabilising effect this had meant the US central government had to pump some $70billion into the stock market to ensure its continued liquidity. An act unlikely to occur if yours is the only organisation affected by a disaster!

In the UK, Sept 11th had the effect of pushing business continuity up the value-chain becoming a board-level agenda item. Many companies questioned the wisdom of having premises on the edge of the Square Mile, fearing that anything that would impact their front and back office operations, could also affect their recovery centres. Others mused about alternative means of dispersing personnel across work areas with centralised and high profile locations falling from grace. For the first time, many financial houses were viewing alternative recovery premises in outer; or outside of; London as attractive proposals.

Of course, time and factors such as economic slowdown, an appreciation of the costs involved in developing/expanding out-of-London recovery locations; and the complexities involved in finding suitable real-estate combined with a cooling of emotion have enabled more measured responses to occur. With most London-based recovery locations sited 2-5 miles outside the Square Mile, and numerous in supply the chances are that should a serious large-scale event occur in the City, that the recovery locations would remain available.

And given the UK's long history of living with organised terrorism, our inherent resilience and risk management profiles are historically far better than our US counterparts. Third party providers are also in the habit of mapping risks to ensure that risk ratios are not exceeded and that client resilience is not compromised. Such an approach enables the support of multiple concurrent invocations without having to turn anyone away.

When all is said and done, Business Continuity should not be one-off project, but something that once established is maintained to ensure its currency, effectiveness and operational viability. Such a culture of 'embedded Business Continuity Management' should ensure long-term success and business survival when it counts.

Guardian iT offers its clients a total solution for all their business continuity requirements. From traditional disaster recovery and consulting to high availability, SAN and data management services, Guardian can provide a comprehensive solution. Headquartered in the UK, the company is also active in Belgium, Denmark, Finland, France, Germany, Japan, Luxembourg, Norway, South Africa, Sweden and Switzerland, and provides consulting services on a global basis. Guardian iT plc employs over 300 staff to support more than 4,000 clients from over 35 locations worldwide. With more than seventeen years experience, the Company has recovered over 500 disaster invocations and averted more than 2,000 others with 100% success.

Robin Gaddum
Managing Consultant
Guardian Consulting

Adrian Jenkins
Global Strategic Accounts Director
Guardian iT

 

 

 

 

 


Board strategy
BCM Solutions
Business Continuity Management
ISDA & OTC
Your BCM

 

 
 

 

Home  |  About Us  |  Search  | FAQ  | Contact Us