Market infrastructures’ business continuity: Eurosystem roles and activities
Dieter REICHWEIN, Directorate General Payment Systems and Market Infrastructure, European Central Bank
The sixth international payment system conference, Budapest, 14 November 2007
Outline
• Introduction
• Standard setting
• Fostering co-operation and information sharing
• Leading by example in the design of own systems
• Simulation exercises
I. Introduction
I. Introduction: What is business continuity?
• Guaranteeing the continued operation of all core business activities in the event of sustained and severe disruptions
• Dealing with unexpected and unpredictable events
• Process that requires permanent review and improvement
• Possible trade-off between costs of business arrangements of individual players and the expected benefits
I. Introduction: Why is business continuity of market infrastructures crucial?
• The smooth functioning of market infrastructures is crucial for the functioning of the entire financial system, including
  • The implementation of the monetary policy of the central bank
  • Financial stability
• Through network effects and the backbone function of major infrastructures, shocks can be transmitted
  • From infrastructures to participants (and vice versa)
  • Between different market segments (e.g. payments and securities)
I. Introduction: Why has the importance of business continuity increased?
• Changed operational conditions
  • Move towards real-time processing
  • Increased operational complexity (interdependencies within and between market segments and geographical regions)
  • New types of threats (e.g. terrorist attacks)
• Shortcomings of existing BC plans – continuous learning curve
  • Too narrow scope of scenarios considered
  • Lack of consideration of dependence on third-party service providers
  • Lack of compatibility of individual plans
I. Introduction: Euro area specificities in the field of business continuity
• Complex and consolidating market infrastructure
• Role of investment cycles
• Bigger infrastructures may have the possibility to invest more in business continuity (e.g. TARGET1 vs. TARGET2)
• Up until now strong national dimension of existing policies, practices and plans
I. Introduction: Reasons for Eurosystem involvement in business continuity
• Statutory responsibilities
• Existing externalities (individual costs vs. benefit for society)
• Co-ordination needs due to system interdependencies and European / global dimension of the issue
Eurosystem objective in the field of business continuity: Ensure the existence of adequate and co-ordinated business continuity strategies and plans of the various actors (central banks, market infrastructures, critical participants and third-party service providers)
I. Introduction: Eurosystem measures / activities
• Ensure that existing standards and policies adequately reflect new threats and requirements
• Fostering co-operation and information sharing
• Leading by example
• Preparing and co-ordinating simulation exercises
II. Standard setting
II. Standard-setting
Euro area objectives
• Develop policies and standards, as far as possible in co-operation with the market (through round tables, public consultation etc.), that ensure an adequate level of infrastructure protection
• Consistent enforcement at national levels (also to ensure a level playing-field for market infrastructures across Europe)
Situation in different fields
• Payment systems: BC Oversight Expectations for SIPS, June 2006
• SWIFT: G10 High-level Expectations, June 2007
• Securities settlement systems: ESCB/CESR not yet finalised
II. Standard-setting: Business Continuity Oversight Expectations for SIPS (I)
• Aimed at establishing a common framework in the euro area for the implementation of Core Principle VII that adequately reflects new threats and requirements in the field of business continuity
• Implementation of the Expectations:
  • SIPS: by mid 2009
  • Critical participants: by mid 2010
• Eurosystem to review implementation progress
II. Standard-setting: Business Continuity Oversight Expectations for SIPS (II)
Four main elements:
• Definition of BC objectives and strategies
  • To be reviewed and approved at board level
  • Identification of critical functions (including outsourced functions)
  • Recovery and resumption of critical functions within the same settlement day ("good practice": within 2 hours; settlement of a limited number of critical payments should be possible at any time)
II. Standard-setting
• Developing business continuity plans
  • Ensure continuity of the service in a variety of plausible scenarios including major disasters, outages or disruptions covering a wide area
  • Consider scenarios where the primary site, critical functions and/or staff remain unavailable for more than a day
  • Ensure a different risk profile of and an appropriate geographic separation between the primary and the secondary site
  • Identify external dependencies and highlight any remaining single points of failure
  • Critical participants should also have a second processing site and same recovery time objectives as SIPS
II. Standard-setting
• Communication and crisis management
  • Clear procedures to respond to a crisis event
  • Establishment of a multi-discipline and multi-skilled Crisis Management Team (CMT) responsible for maintaining the crisis management plan (CMP)
• Testing and regularly updating business continuity plans
  • Update plans at least every 12 months
  • Good practice: participation in industry-wide testing
II. Standard-setting: High level expectations for SWIFT, June 2007
• Developed by G10 SWIFT Co-operative Oversight Group
• Primary focus on operational risk
• The five high level expectations cover:
  • Risk identification and management
  • Information security
  • Reliability and resilience
  • Technology planning
  • Communication with users
SWIFT is expected to ensure (i) that its critical services are available, reliable and resilient by implementing appropriate policies and procedures, and devoting sufficient resources, and (ii) that business continuity management and disaster recovery plans support the timely resumption of its critical services in the event of an outage.
II. Standard-setting: Situation in the field of securities settlement
• Currently no harmonised standards in the EU available due to blocking of the ESCB/CESR work that tried to adapt the existing CPSS/IOSCO Standards to the EU environment
• However, following initiatives of the ECB and the European Commission and discussion at the level of ECOFIN, the work is now being resumed with the objective to further clarify the scope, legal basis and content of the standards
• Proposal on the way forward to be made in spring 2008
II. Standard-setting: Some general experience / feedback from the market
• Public authorities to take the lead in setting standards, but preferably in co-operation with the market
• Lack of knowledge in the market on existing standards and initiatives at national, euro area, EU and global levels
• Existing standards show significant differences in terms of:
  • General approach (high-level vs. checklist; compulsory vs. "good practice" etc.)
  • Scope, structure and level of detail
  • Terminology and definitions (e.g. critical participant)
• Issue of multi-country players
III. Fostering co-operation and information sharing
III. Fostering co-operation and information sharing: Eurosystem objectives
• Ensure availability of all relevant (static) information to all parties concerned through the development of an effective information sharing network
• Ensure effective crisis communication between public authorities and with the market participants
• Cover all relevant market segments and geographical levels (euro area / EU; global)
III. Fostering co-operation and information sharing: Development of an information sharing network (I)
• First step: compilation of the relevant information:
  • Collate existing standards, guidelines, best practices etc. at national, EU and G10 level; including conducting a consistency check of terminology (list of critical terms) and content of the standards, not with the aim of harmonising but to explain national peculiarities
  • Identify critical market infrastructures, service-providers / utilities and participants, including in particular those operating in various countries
  • Collate business continuity related contact groups etc.
• Information dissemination approach: "need to know" basis
III. Fostering co-operation and information sharing: Development of an information sharing network (II)
• Development of a public BC domain on the websites of the ECB and the NCBs, for making non-confidential information on BC available to all relevant stakeholders, e.g.:
  • Explanation of the role of the Eurosystem/ESCB in BC
  • National, EU and G10 standards and initiatives
  • Glossary of major BC terms
  • Links to the relevant BC public domains of the other NCBs/ECB
• Use of a restricted BC domain, for sharing information of more confidential nature among central banks / public authorities
III. Fostering co-operation and information sharing: Ensuring effective crisis communication (I)
• Need to define procedures and mechanisms ensuring clear and accurate information flows, both internally and externally
  • Who communicates with whom, in which situation, on what and using which communication channels?
• Feedback from market participants at ECB conference on BC, September 2006:
  • At national level, market players generally know the contact points at their national authorities
  • Most information will flow via the existing national structures
  • Public authorities to take care of cross-market and cross-country communication
III. Fostering co-operation and information sharing: Ensuring effective crisis communication (II)
• Crisis communication cascade at Eurosystem / ESCB level
  • Each central bank acts as contact point for other central banks as far as contacts with both other national authorities and with market infrastructures for which they act as (lead) overseer are concerned
• Similar communication network at G10 level
• Memorandum of Understanding for information sharing between overseers and banking supervisors
IV. Leading by example in the design of own systems
IV. Leading by example
• Development of TARGET2: significant improvement inter alia in business continuity terms due to new design concept
  • Two regions / four sites
  • Recovery and resumption objective
    • 2 hours for regional disaster
    • < 1 hour for other scenarios
  • Minimum service level through independent Contingency Module
• Requirements for (critical) participants regarding system security and business continuity
V. Simulation exercises
V. Simulation exercises: Activities at the level of individual infrastructures
• The BC Oversight Expectations for SIPS require regular testing of BC plans, inter alia to:
  • Validate the effectiveness of the BC strategy
  • Verify that arrangements are viable in practice
  • Ensure continued readiness
  • Familiarise staff with the operation of the plan and their responsibilities
  • Evaluate co-ordination needs with external service providers
V. Simulation exercises: Activities at national levels in the EU (I)
• In 2006 – 2007, cross-system simulation exercises have been conducted in various EU countries
• Exercises have been organised by
  • BC working groups, including the central banks, other public authorities and major market players
  • The national central bank
  • Other public authorities
V. Simulation exercises: Activities at national levels in the EU (II)
• Stated objectives of the exercises were, inter alia, to:
  • Test the national crisis communication infrastructure
  • Optimise individual participants' crisis management and BC organisation
  • Test the interoperability of individual BC plans
  • Test the availability of decision-makers and ensure their awareness of their roles
  • Check availability of secondary site
• Frequency of tests depends on what is going to be tested
• Ideas in various countries to increase complexity, frequency and/or number of involved players etc. in future exercises
V. Simulation exercises: Activities at European level (I)
• No simulation exercises involving market participants have been conducted so far
• However, Eurosystem has started work on preparing such an exercise with the objectives of e.g.:
  • Checking the interoperability of BC plans on a wider scale
  • Better understanding existing interdependencies across infrastructures and market segments
• To be based on current set up of existing BC arrangements and organisational and communication structures
V. Simulation exercises: Activities at European level (II)
• Possible start with a rather simple exercise and gradual widening of the scenarios to be considered in terms of
  • Impacted or failed parties
  • Type of failure(s) (premises, staff, IT, utility service)
  • Time, duration and geographical reach
• Discussions started at Eurosystem level; subsequently market players to be involved
• First exercise involving market players possibly in 2008/2009
• Significant time for planning and preparation needed
• Prioritisation of the tests needs to consider national initiatives as well as major ESCB projects and events (e.g. TARGET2)