190 likes | 207 Views
Learn about Business Continuity Management (BCM) at Magyar Nemzeti Bank, Hungary's central bank. Explore its history, concept, organization, database maintenance, testing, and real-world application. Discover key practices and tools to manage operational risks effectively.
E N D
Business Continuity: The sixth international payment system conference MNB, Budapest 14 November, 2007
Business Continuity Management at the MNB Péter Rajczy Integrated Risk Management Magyar Nemzeti Bank the central bank of Hungary
Introduction • Operational risks in the central bank • Financial and reputational losses • Impact on the financial system of the country • Risk management: Avoiding risk events / mitigating impacts • Business Continuity Management: a special tool to manage certain types of risks (system disruption, external events etc.
Questions to discuss: • 1. A Historical Outline: BCM in the MNB • 2. Concept and Foundation • 3. Organisation and Responsibilities • 4. Maintenance of BCP/DRP database • 5. BCP in the minds and in the practice • 6. BCP at the Splitsite – the Immediate Backup Centre • 7. The Key Personnel Project • 8. Logistics Centre: Planning the Future
A historical outline: BCM in the MNB • 2002: KPMG. Interviews, presentation and first steps: building up the bankwide system of BCM • 2003: BCP data maintenance and testing: the great supply disruption test • 2004: Overall revision of BCP/DRP data • business activities & resources, interdependencies, BIA – BCP’s – tests • 2005: First split site testing, training of local BCP officers • 2006-7: Running a robust BCM; key persons • 2008: BCP in the new split site: the Logistic Centre
2. Concept and Foundation • BCM as a part of the integrated ORM • Initial database and BIA: setting up the boundary conditions – what is the Worst Case Scenario (system downtime, missing key persons, buildings) • Data acquisition and integrity • The role of the Crisis Management Committee
3. Organisation and Responsibilities • Starting with top-down sponsorship • maintaining data integrity, management of testing • Department-based planning: bottom-up. Responsibility of the local BCP officers • Crisis management: • Crisis Management Commitee (CMC): decision about relocating business to split site • Local Crisis Group (LCG) leader: activating single BCP’s
4. Maintenance of the BCP/DRP Database: the ÜFO • a relational database to store basic parameters for business activities, IT resources etc. • maintenance: Central BCP Manager • data input: Local BCP Officers • storing documents • report queries • BCP/DRP print-outs • test print-outs
4. Maintenance of the BCP/DRP database(continued 2) • Structure of the database: • basic tables (organisation, personnel, formulas etc) • business activities (data, priorities, impact scaling etc) • resources (IT, Human, External, Others) • dependency scales • action plans (BCP, DRP) • documents of certification (tests)
4. Maintenance of the BCP/DRP database(continued 3) • Functions of the database: • updating data • Central BCP Administration: basic tables • local BCP Officers: BCP/DRP action plans • central BCP Officers: coordination • business impact analysis (BIA) • data management • reports: BCP/DRP sheets, activity/risk matrices • other queries, look-ups • activity logging, integrity checks
4. Maintenance of the BCP/DRP database (continued 4) • Business Impact Analysis • rating business activities by: • priority • targeted recovery time (TRT) • dependency scale from resources • rating resources by • operational reliability (downrisk) • maximal tolerated downtime (MTD) • output: a list of recommended BCP’s
4. Maintenance of the BCP/DRP database (continued 4) • Business Continuity & Disaster Recovery Plans • Basic data • Preparation phase • Response phase • Alternative working process • Phase of recovery • Phase of making checks
4. Maintenance of the BCP/DRP Database (continued 5) • Testing a BCP • responsibility of the Local Crisis Group • depth of the tests: • desktop check • test in a simulated environment • live test • scope of the test • elementary: including one department • integrated: with cooperation of several departments • surveillance of test status (Central BC P Manager)
5. BCP in the minds and in the practice • BCP: Is it a burden for everybody? • „Personal plans” vs bankwide BCP/DRP framework: to be better prepared for the unexpected • transparency of the network of responsibilities • Side-effects: • lessons we learned during tests • realizing the need of controlled data update • Risks of data integrity disruption
6. BCP and the Splitsite – the Immediate Backup Centre • Broadening the boundary conditions: business continuity in case of major IT disruptions or physical shocks • Remote site access in case of crisis • operating the communication in crisis situation (telephone cascade) • preparation of the Crisis Management Committee’s decisions • transport supply • error detection and helpdesk service at the remote site
6. BCP and the Splitsite (continued) • Crisis Managing Committee (CMC) • Taking decisions about: • Starting work at an alternative site • Giving instructions to deviate from a BCP • Efficiency of the informatical background - „warming up” • Doing business in an unusual environment (training rutines)
7. The Key Personnel Project • Demonstrations, strike of transport workers, some food health cases • Avian flu issues • 2007: need to expand BCP boundary conditions to loss of key personnel • Definition of Key Local Crisis Group: responsibility of the LCG leader • Central administration in the ÜFO
8.The Logistics Centre: Planning The Future • Plans to dislocate key functions wich demand high security and availability (e.g. cash transport, note processing) • Dislocating secondary (hot) site for data storing • Establishing secondary IT (hot) site serving critical business processes • Secondary site for continuing critical business processes in case of major disruption (Business Continuity Plan for missing site)