OPERATIONAL RISK– this is any risk that is neither credit risk nor market…
OPERATIONAL RISK– this is any risk that is neither credit risk nor market risk. pt2
Business continuity management - the ability to anticipate and plan
for potential operational crises reduces the harm of unexpected losses.
Basel's guidence on continuity:
banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.
the bank should look through each of its processes and identify which are critical and also those that rely on third-party vendors or third parties. What this means is that for every third party used there should, if possible, be an alternative supplier.
Banks should periodically review their disaster recovery and business continuity plans so they are consistent with the bank’s current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption’.
Potential events that typically lend themselves to continuity planning are:
Natural disasters (floods, earthquakes, tsunamis, hurricanes ....)
Civil unrest, terrorist actions, police intervention
Adverse weather (snow, storms, ice, flooding, stifling temperatures ....)
A contingency plan needs to be drawn up, maintained,
tested and checked regularly.
Business continuity policy
Technology & Systems Disasters
(1) One or more of the applications that the firm uses to process its business is lost, as a result of either a software or hardware failure. The failure is in one of the firm’s own systems, and it is the only firm affected.
(2) An external application, upon which the firm is dependent (such as one provided by an exchange or clearing house system or an information provider’s system), is lost, as a result of either a software or hardware failure. Other user firms with which the firm trades are also dependent on this application.
(3) The firm is the victim of an event such as fire, flood, criminal or terrorist-related activity, and has lost access to one of its key buildings. Other neighbouring businesses may also be affected.
Risk assessment of range of possible disasters, including natural, technical and human threats.
(3) Procedures that are agreed with the firm’s insurers are included in the plans.
(2) Local authority and emergency services plans are taken into account by the firm.
(1) Planning considers wide area destruction involving significant loss of staff.
is the process of regaining access to the systems, data, hardware and software necessary to resume critical business operations after a natural or human-induced disaster.
A disaster recovery plan (DRP)
should also include plans for coping with the unexpected or sudden loss of key personnel. DRP is part of the larger process of business continuity planning.
Management must be committed to recovery planning. Planning committee should be appointed
Objectives of DRP
Protect the organisation in the event that all (or
part) of its operations and/or computer services are rendered unusable
Minimising decision making during a disaster
Providing a standard for testing the plan
Guaranteeing the reliability of standby systems
Minimising the risk of delays
Providing a sense of security
Business continuity plans (BCP)
are concerned with ensuring that the firm is able to recover from an emergency such as utility disruptions, software failures and hardware failures – some of the key operational risk events as defined in Basel II.
An outline of the plan’s contents should be prepared to guide the development of the detailed procedures.
The procedures should allow for a regular review of the plan by key personnel within the organisation.
Specific responsibilities should be assigned to the appropriate team for each functional area of the company.
The procedures should include methods for maintaining and updating the plan to reflect any significant internal, external or systems changes.
Should be in a standard format for consistancy
It is essential that the plan be thoroughly tested and evaluated on a regular basis. This is important because:
Determining the feasibility and compatibility of back-up facilities and procedures
Identifying areas in the plan that need modification
Providing training to the team managers and team members
Demonstrating the ability of the organisation to recover
Providing motivation for maintaining and updating the disaster recovery plan
The tests will provide the organisation with the assurance that all necessary steps are included in the plan.
Benefits of this approach are:
Helps to organise the detailed procedures
Identifies all major steps before the writing begins
Identifies redundant procedures that only need to be written once
Provides a ‘road map’ for developing the procedures
The outline can ultimately be used for the table of contents after final revision
Once the disaster recovery plan has been written and tested, the plan should be approved by senior management.
Objectives of DRP
ensure that the firm will recover at least as quickly as its stakeholders expect and ideally quicker than the competition
manage the event rather than letting the event manage the firm.
The control and command centre
Location of the control centre has to be carefully considered
The control centre is the central decision-making unit with the authority to make decisions.
Try to think the unthinkable.
Try to obtain someone independent to review your plan.
Ensure that managers and critical employees have at least two different methods of communication.
Test your plan fully on a regular basis – cutting corners will invalidate the test.
There should be multiple plans according to the seriousness of the crisis & consideration for who is key according to the type of crisis
Mistakes made @ 9/11
Firms generally had designed business continuity plans, although there was still evidence of a lack of belief in their importance at senior level.
Testing of plans was rarely completely integrated.
The business analysis was often inadequate.
Many plans did not take into account a major disaster.
They were not fully effective.
Some could not be found.
Staff did not know what to do.
Some firms took longer to recover than was really necessary.