Business Continuity: the Italian Experience
Ravenio Parrini, Payment System Oversight Office, Banca d’Italia
Budapest, 14 November 2007

Index
1 Business continuity initiatives in Italy
2 Specific rules issued by Banca d’Italia
3 CODISE: the National Joint Working Group
4 Summing up

Italian experience on BC
September 2003: national black-out. Within a few seconds the national power line system collapsed:
• people trapped in lifts
• traffic lights switched off
• mobile network down
• congestion in the public switched telephone network
• national railway system blocked
• fuel pump stations blocked
• …
BC is an issue to take into account!

(1. “BC: initiatives in Italy”) Business Continuity (BC) key issues:
• major operational disruptions can result from unpredictable events (September 11th, national black-out);
• growing complexity of financial market infrastructures;
• interdependency (cross-systems, cross-operators, cross-countries): no one is an island…
• Business Continuity of financial systems as a public good.

(1. “BC: initiatives in Italy”) The Italian Framework: two-layer approach
• Single infrastructure/institution: i.e. increase the resilience of the single operator as a component of the overall national system; promote a common level in Business Continuity; … single financial operators are the “first line of defense” in a crisis situation.
• National level coordination: i.e. a coordinating function with the tasks of assessing the requirements, organizing tests and managing crises.
In addition:
• a policy based on cooperation between authorities and financial operators;
• inclusion of individual business continuity plans within the scope of the scrutiny by the competent supervisory authorities.
Implementation:
- A national contact list
- The Joint Working Group (CODISE)
- Three Supervisory Guidelines on BC

2. Specific rules issued by Banca d’Italia
At the end of 2004, after the public consultation, Banca d’Italia issued a set of Business Continuity Guidelines (see www.bancaditalia.it).
The Guidelines have been designed primarily for three financial sectors: the banking sector, payment system infrastructures and market infrastructures.
Some requirements:
• Scope: services/operators (identified by CODISE analysis) and major banks;
• BCP to be endorsed by senior-level management;
• scenarios to be faced: disaster, cyber-attack, provider unavailability (as agreed in the CODISE WG);
• recovery objectives (RTO): 2-4 hours for vital services;
• back-up sites: different risk profile, staff duplication/relocation;
• emergency procedures: roles/responsibilities, crisis teams, utilities back-up, …

(2. “Specific rules …”) BCP Assessment of Payment System Infrastructures
Financial operators’ BCPs are evaluated to verify compliance with the Banca d’Italia BC guidelines. The assessment is based on:
• bilateral meetings with financial operators;
• evaluation of the periodic documentation received by Banca d’Italia;
• a set of ToRs (Terms of Reference) derived from the BC guidelines and used in evaluating operators’ BCP documents.
ToRs: a 35-item checklist. A “rating” for each item:
• A (Fully observed);
• B (Broadly observed);
• C (Partially observed);
• D (Not observed).
ToRs are used to measure operators’ improvements in BC.

(2. “Specific rules …”) TIME FRAME
Financial stakeholders in the scope of the guidelines had to:
By end 2004:
• produce a Business Continuity Plan (BCP) endorsed by senior management;
• communicate the BCP to Banca d’Italia.
By end 2006:
• implement the BCP.
Every 6 months:
• report to Banca d’Italia regarding completed BCP phases.

(2. “Specific rules …”) Operator improvements in 2004-2006
• focus on Services (protecting Assets is not enough…);
• more emphasis on Resiliency (soundness, i.e. resisting disasters, is not enough… get ready to recover from “scratch”), staff management, emergency procedures;
• plan for Large Crisis scenarios (managing risks from day-to-day operations is not enough… the objective is the company’s survival in case of disaster).
[Diagram: Financial Operator. Mission; Services (trading, clearing, settlement, …); Assets (buildings, staff, ICT).]

Improvements in 2004-2006. BCP elements: a 3D puzzle
[Figure: three axes with the 2004 and 2006 positions marked. How: Soundness, Resiliency. What: Assets, Services. Against what: Expected losses, Stress losses (Disaster). Further labels: costs, survival.]
BCP elements shown in the figure: alternative sites, staff relocation, TLC recovery, ICT duplication, disaster recovery, incident management, crisis team, alternative procedures, stakeholders coordination, contingency solutions, interdependencies reduction, physical security, logical security, reliability (MTBF), high availability, quality, maintenance, risk analysis, audit, certifications.

3 - The national Joint Working Group (CODISE)
CODISE includes both authorities (all major supervisory functions) and major financial system representatives:
• coordinated by Banca d’Italia and Consob (stock exchange commission), with the presence of a representative of the Italian Government;
• operators of the main market infrastructures, major banking groups, major payment systems service providers.
CODISE task: “to define the steps towards the System’s Business Continuity”, with the aim of limiting systemic risk.

(3. “CODISE: the National …”) CODISE: Main Objectives
Scenario to face: large disruption (low probability, but large impact…)
Critical objectives to cover:
• liquidity issues (assure liquidity availability in case of crisis);
• trading, clearing and settlement infrastructures (resiliency of…);
• public confidence;
• link with cross-border systems.

(3. “CODISE: the National …”) The “CODISE” National Contact List
Immediate low-cost intervention: in the first quarter of 2003, a National Contact List for Financial Business Continuity was set up.
It is a contact list among CODISE members: each member declares its own crisis manager as the “contact point” to be called in case of crisis. Each list entry is composed of company name, contact point name, phone/fax numbers, e-mail addresses and alternative numbers.
The list is updated and activated by Banca d’Italia. Periodic tests (~ once a year) are carried out to ensure that the data stored in the list are “fresh”.

(3. “CODISE: the National …”) CODISE Workplan
• Identification of relevant services
• Selection of scenarios
• Impact analysis
• Implementation of emergency plans
• Test and improvement of plans
Main achievements of CODISE analysis:
• “Vital” services (i.e. operations to be completed before end-of-day):
  • 8 financial services, 5 operators involved (trading, clearing, settlement – cash/securities)
  • National ATM networks, 3 major providers involved
• Scenarios (to be considered in developing the BCP):
  • Regional disaster
  • Cyber attack
  • Unavailability of an infrastructure/provider
• Interdependency among financial operators (a cross-map of maximum tolerated outage among major operators);
• Crisis procedures (a simple crisis communication procedure based on the national contact list).

(3. “CODISE: the National …”) CRISIS COORDINATION: liaison with ECB structures
A new role for CODISE: the joint group was set up as a forum among Italian operators to share information and to plan common initiatives on BC. It is now also becoming the “local crisis team” for coordination at EU level.
Coordination structure:
• ECB-PSSC is the European Crisis Team (teleconference among PSSC members);
• the Italian PSSC member is also the Chairman of CODISE (Central Manager for Payment Systems and Treasury Operations of Banca d’Italia) and plays the role of national Crisis Coordinator (CC).
• Two scenarios:
  • Failure in an EU country: the PSSC teleconference allows PSSC members to share information; the Italian member (CC) can decide to activate the CODISE contact list to share information and to take local initiatives.
  • Failure in Italy: the Italian Crisis Coordinator (CC) activates the CODISE contact list for local initiatives; he contacts the ECB-PSSC group to share information and coordinate initiatives.

(3. “CODISE: the National …”) Crisis Coordination: operation failure in EU
[Diagram elements: foreign operator failure (country “A”); national crisis coordination committee (country “A”); PSSC; national crisis coordination committees (EU countries); CODISE; national contact list; Italian financial system.]

Summing up…
• Main achievements:
  • a common “Resilience Level” among major financial operators;
  • an “open debate” on BC among authorities and financial operators;
  • a simple coordination/communication procedure in case of crisis.
• Next steps:
  • more detailed crisis management procedures at national level;
  • a multi-year exercise plan with growing complexity.

REFERENCES
Italian BC guidelines
• Payment system infrastructures: http://www.bancaditalia.it/sispaga_tesor/ssp/infrastrutture/bi/linee/Linee_guida_SSP_en.pdf
• Market infrastructures: http://www.bancaditalia.it/banca_mercati/supervisione/normativa/linee/guidelines/Guidelines_for_business_continuity.pdf
• Banking sector: http://www.bancaditalia.it/vigilanza/banche/normativa/disposizioni/provv/requisiti_processi_rilevanza_sistemica.pdf
Financial-Related Documents
• High-level principles for business continuity (2005) (web site: http://www.bis.org/).
• Business Continuity Oversight Expectations for Systemically Important Payment Systems (2006) (web site: http://www.ecb.int/).
• Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (2002) (web site: http://www.sec.gov/).
Relevant Web Sites
• http://www.thebci.org/
• http://www.business-continuity.com/
• http://www.survive.com/
• www.bsi-global.com
• see also BS7799, ISO 27001 (information security standards).