Business Continuity

Business Continuity Risk Management

Thilak Jayasena Pathirage BCP Project Office
March, 2009

7 March 2012

SBK BCP Strategy

Presentation Outline
The Need for Business Continuity Management (BCM) BCM Strategy Project Governance and structures Progress as of Today Implementation Critical Success Factors
SBK BCP Strategy

7 March 2012

Life is not a matter of having good cards, but of playing a poor hand well.

Robert Louis Stevenson

7 March 2012

SBK BCP Strategy

Why we need BCM?

Business Survival Integrated Risk Management in Bank

Good governance Regulatory pressure Sound capital adequacy requirements Mission achievement Business Continuity and resilience

BCM Standards/Regulations
NFPA 1600, British Standard 25999, SOX,BS ISO/IEC 27001:2005, HB 221:2004,HB 292-2006, HIPAA and so on.
SBK BCP Strategy

7 March 2012

BCM Strategy
Vision Leading the way to secure the Banks information assets to provide continuous customer services. Mission To manage Business Continuity and operational recovery risks by providing Bank-wide direction and leadership.
SBK BCP Strategy

7 March 2012

Definition
BCP is a process designed to reduce the organizations business risk arising from an unexpected disruption of the critical functions / operations (manual or automated) necessary for the survival of the organization This includes the critical functions / operations and supporting resources (human / material) and the assurance of the continuity of critical operations at the minimum level. BCP team was formulated and project launched on march 2008
7 March 2012
SBK BCP Strategy

was
6

BCM Strategy
People
Business Strategy

Process Technology
Resource Management Process Optimization

Best Results Come From Alignment & Optimization

Organization

Processes

Landscape Architecture

Local

Planning Activity Prioritization

Technology

Deployment Planning

Business Continuity Components

7 March 2012
SBK BCP Strategy

BCM Strategy Building Resilience

Not Just React and Recovery

Prevent

React

7 March 2012

SBK BCP Strategy

BCM Project Governance

Intergraded Risk Management BCM Policy BCM Steering Committee BCM Role and Responsibilities BCP Project Team BCM Methodology Project Plan Best Practice and standards

7 March 2012

SBK BCP Strategy

BCP Project Governance

Risk Manager

Board Appointed RM Committee BCM Steering Committee

BCM Project Manager Technical Management

Business Continuity Planning Coordinator (BCPC)

Business Recovery Programme Manager (RPM) Business Unit Recovery Coordinator (URC)

For each Business Unit

7 March 2012
SBK BCP Strategy

10

BCM Policy
Provides the strategic directions and operational framework for the Bank Implementing BCM Policy is a strategic decision which must be considered for the long term survival of the Bank. BCM Role and Responsibilities Business units heads are responsible for business recovery and ensure the detailed Business Continuity Plans are in place in their areas of business Ownership by the senior Management

Sponsorship- Board of directors and Risk Management Committee

7 March 2012

SBK BCP Strategy

11

Six Phases of BCP Project

Project Planning 1

Identify Business Activities 2

Vulnerability (Risk) Assessment & BIA

Recovery Strategies

Business Continuity Plan

Training and Implementation

6 Project Management and Reporting

7 March 2012
SBK BCP Strategy

12

BCP Project Progress

Completed In progress

Plan Test and Validation

Project Planning

Business Impact Analysis

Risk Assessment & Mitigation

Strategy Development

Develop Business Continuity Plan

Plan Implementation & Approval

Training

Maintenance Procedures Development

Project Management and Reporting

BCP is a Process and Journey

7 March 2012
SBK BCP Strategy

13

Branch BCP
3 Model Branches Model BCP will be provided to all Conduct BIA Conduct Risk Assessment Design Recovery Strategy BC Plan Development Exercising Update and Maintenance Will provide a monitoring tool through intranet Yet to decide
7 March 2012
SBK BCP Strategy

14

Aligning to the Business and Cost Justification

Cost, Time and Resources (Rs. 5.3) Tools Used Business Impact Analysis Risk Assessment

7 March 2012

SBK BCP Strategy

15

BIA Business Impact Analysis

Primary Objective - Identify the time criticality of each business process of each business unit

Identify the degree of criticality of each business process over time, based on the respective impacts the organization could suffer due to an interruption to a given business process

7 March 2012

SBK BCP Strategy

16

BIA- Business Impact Analysis

Identify and/or validated 29 SBUs business functions and prioritized Mission Critical Business Identify Inter-dependencies Establish Mission and Service Priorities Quantify impacts on business functions in terms of Financial - cost and loss of disruption Operational - maximum down time for each process
7 March 2012
SBK BCP Strategy

17

BIA Results
etermined Recovery Time Objective (RTO)

Maximum Tolerable Down Time: -Maximum number of hours/days each business process can afford to take for recovery, following an interruption. It also involves the identification of which business functions need to be given priority, when resuming business operations

Recovery Point Objective (RPO)

Amount of data that each business function is willing to lose if a disruption occurs

7 March 2012

SBK BCP Strategy

18

RTO Calculation
Financial Impact

RTO of the business unit

Operational Impact

Final RTO of the Business Unit

Dependent units RTO

7 March 2012

SBK BCP Strategy

19

Fi n al RTO

IT C ESD T RY SCC IT ENG CCL FCBU GAMP IT C ASD IT - P SD T SV KP Y BOR CRC RRC FCC BRL(SWIFT ) SLI IFS (SCD) e-banking HR SVS SAU Region IV Millenium Credit s Import Export ACT 0

0 0 0 0.5 0.5 1 3 4 4 4 4 4 4 4 4 4 4 4 4 4 24 24 24 24 24 24 24 6 12 Ti me 18 24

Business Unit RTO

Please not that we have excluded CCH & OPS from the graph to improve the clarity. Final RTO of OPS 7 Days Final RTO of CCH 7 Days

RTO Range (Hours)

No. of Business Units

0-1 2-4 24<

6 14 9

7 March 2012

SBK BCP Strategy

20

What are Our Business Recovery Needs?

Freshness mths wks days hrs mins secs I lost no data but it took me a week to get back up and running

RPO

Im up and running in seconds, but Ive lost a days data

What are our Business Recovery needs?

RTO
secs mins hrs days wks mths Downtime
21

Zero
7 March 2012

Aligning the Recovery Strategy Strategy to Business SBK BCP

Recovery Strategy Development

7 March 2012

SBK BCP Strategy

22

Recovery Strategy Development

Risk Assessment Identified the risks and possible mitigation actions BIA
-

Recover Business units and business functions

Identified the recovery priorities of business units - Identified the RTOs of business units - Identified the RTOs of business functions of business units

Strategy

Meet RTOs Cost effective Practical Simple

7 March 2012

SBK BCP Strategy

23

What was Our Methodology?

Discussion & Quality Review with Business Unit Heads on BIA & RA Questionnaires

Project Planning Identifying critical business activities

Distribution of Questionnaires to Business Unit Heads to carry out Business Impact Analysis & Risk Assessment (BIA & RA)

Testing & Training (In Progress)

Business Impact Analysis & Risk Assessment

7 March 2012

Approved BCP Document delivered to Business Units

Recovery Strategy Development

SBK BCP Strategy

Calculation of Recovery Time Objective (RTO) & Recovery Point Objective (RPO) 24

Key Components of the Strategy

Policy Location Personnel Electrical & Communication equipment / services Computer Equipment Furniture and office equipment Vital Records Power Requirements Office Technology
7 March 2012
SBK BCP Strategy

25

Core Areas of the Recovery Strategies

Decisions been made

Alternative Site options for Business Recovery People already identified by the business units Vital Documents- decided by unit level IT Recovery Strategy- Cost approved by Board LKR 3.0 Mio.
SBK BCP Strategy

7 March 2012

26

Business Recovery Strategy

Strategic Location Options
(a) Seylan Bank Branch Network

Business Units to move

Consumer Finance Unit (CFU), International Imports Dept. (IMP), Settlement & Collection Dept. (SCD), Foreign Currency Centre (FCC), Retail Remittance Centre (RRC), Seylan Remittance Centre (SRC), Region IV Credits Dept (R IV Credits), Millennium Credits Dept. (MLN Credits), Kollupitiya Branch (KPY), Boralesgamuwa Branch (BOR) and Gampola Branch (GMP). Treasury Dept. (TRY), Accounts Dept. (ACT), Foreign Currency Banking Unit (FCBU), Human Resources Dept. (HRD), Staff Advances Unit (SAU), Central Cash Dept(CCH), and International Exports Dept. (EXP) Technical Services Dept. (TSV) and Services Dept. (SVS) IT Depts., Business Relations Dept. (BRL) and Central Clearing Dept. (CCL)

(b) First City Office Training Centre (c) Ceylinco Seylan Towers (d) Disaster Recovery (DR) Site Borella (e) Building space available at Moratuwa.(2nd Floor)

Units to be identified to relocate at Moratuwa. * Seylan Card Centre (SCC), Electronic Banking (ECM), Operations Dept. (OPS), Business Continuity Planning Command Centre , Human Resources Dept. (HRD), Foreign Currency Banking Unit (FCBU), Technical Services Dept. (TSV), Services Dept. (SVS).
SBK BCP Strategy

7 March 2012

27

IT Recovery Strategy Implementation

Existing capability

Kapiti System - Core Banking System Kastle System - Treasury Operations Cashier System - Front Office system SWIFT - Society for Worldwide Inter Bank Financial Telecommunication ITM System - Credit/Debit Card system and ATMs SLIPS- Sri Lanka Inter Bank Payment System Seylan Clearing - Seylan Inter Branch Cheque Clearing System Firewall - Security System Active Directory - User Domain Controller

7 March 2012

SBK BCP Strategy

28

IT Recovery Strategy Implementation

New capability : To be built

VAP (VISA Access Point) - VISA Debit/Credit card MS ISA (proxy - Access for Internet Banking Services and Remittances Trend Micro- Internet Content Filtering System MS Exchange- E mail facility Eximbills /Citrix - International Trade Finance Pawning System Cheque Imaging and Truncation- CIT Payment gateway!!

7 March 2012

SBK BCP Strategy

29

BCP Testing and Training

BCP awareness and training-Completed Test Plan for Scenario Simulation Submitted by E and Y

7 March 2012

SBK BCP Strategy

30

BCP Testing Strategy and Plans

1. Structured Walkthrough Completed 2. Simulation Test Scenario To be implemented (Seek Board approval) E & Y is planning for 3 Units to be completed by 30 June 2010 All unit have to be done Scenarios Data and communication Failure Restriction of Access Routes Pandemic disaster 3. Functional Drill testing To be implemented with Board Approval E and Y is planning 4. Full Operational testing - To be implemented with Board Approval E and Y is planning
7 March 2012
SBK BCP Strategy

31

Key Decisions
Approval of BCM Policy BIA Results and BC Plan- Approved by the Board in principle Appointment of DR Coordination from ITC A senior person to be nominated Board approval for the IT Recovery Strategy Approved by Board Approval for Testing- in progress
32

7 March 2012

SBK BCP Strategy

BCM Maturity Assessment

7 March 2012

SBK BCP Strategy

33

BCM Maturity Model

Where is your organization on the maturity spectrum? Where do you want your organization to be? How can IT lead the way, involve others, without bearing all the responsibility and cost?
SBK BCP Strategy

7 March 2012

34

BCM Maturity Model

7 March 2012

SBK BCP Strategy

35

Success Factors
Board Sponsorship Top Management support and participation A annual budget allocation for running and maintenance of the BCM program Testing must be consistently conducted in a manner that encourages improvement and preparedness. A maintenance program must be implemented to ensure adequacy and completeness of the BCM elements. Objective Annual Review

7 March 2012

SBK BCP Strategy

36

We are Prepared
7 March 2012
SBK BCP Strategy

37

Thank you

7 March 2012

SBK BCP Strategy

38