1 Remarks by ALASTAIR CLARK EXECUTIVE DIRECTOR, BANK OF ENGLAND Contingency Planning and Disaster Recovery for the Financial Services Sector Conference Questions to be addressed in contingency planning and disaster recovery 29 January 2002
2 2 Introduction The question of contingency planning and disaster recovery has, unfortunately, acquired a higher profile and a higher priority since the events of 11 September. This is true not just in relation to financial services our focus today but also for transport, power, water, telecommunications and so on. It is an issue for firms, for infrastructure providers both public and private, and for the public authorities. In these brief remarks I certainly cannot cover all of the territory. But I will try to map out some of the main questions which, at least as we see things in the Bank, need to be addressed. I am sure later speakers will pick up on the various themes and discuss in more detail what is being done, and how far we, collectively, have been able to come up with satisfactory responses. And I would emphasise that this is very much a joint public/private sector task. The public sector has a major contribution to make but much of the work inevitably falls to the private sector. Background Perhaps the first point to make is that, although 11 September has greatly increased the attention paid to contingency planning, it is not of course a new issue. It has been a long-standing part of good business practice in mitigating operational risk; and regulators have routinely monitored and assessed the robustness of firms facilities and systems, and their capacity to withstand shocks. But recent experience, as well as providing an all-too-graphic illustration of the kind of problems which can arise, has also raised questions about the basis on which these assessments have typically been made. In particular, it has raised questions about robustness in the face of disruption affecting many parts of the financial system at once. A second point now widely recognised, I believe, but worth repeating is that despite the scale of the destruction on 11 September, the US and the global financial systems for the most part responded very well. Much of the credit must go to individuals and private firms, but it also belongs to the US public authorities and especially to the Federal Reserve. There is much to learn from what did and what did not function effectively in New York, and those lessons are now being absorbed. That said, we clearly need to guard against simply fighting the last war. The nature of any future incident is very likely to be different. A third observation is that the - sometimes derided - preparations for Y2K proved fortuitously to be of value in the quite different context of 11 September. Although the nature of the Y2K threat, the predictability of its timing, and so on, all distinguished it from what happened on 11 September,
3 3 there were nevertheless some important similarities. Both involved actual or potential disruption of firms and market infrastructure; both were accompanied by uncertainties about the exact nature of the threat; both involved the wider economy not just the financial sector; both raised issues about the coordination of public and private sector action; and both raised the question of what central banks and regulators needed to do to maintain market functioning. Although Y2K turned out, for whatever reason, to be a bit of a non-event, the preparations nevertheless ensured that many of these questions had received serious consideration. One final point. 11 September demonstrated that wider financial problems, not just operational problems, can arise in the aftermath of a major incident. These included, for example, the sudden withdrawal of insurance cover, and the sudden downturn in air traffic with the associated cash flow and credit issues for airlines. Both demanded an urgent response. Increasingly, too, there is a question of just where the financial hit from a major incident will be felt, given the growing capacity of markets to slice up and redistribute risk. And beyond all this, of course, there was and still is uncertainty about the wider impact on economic prospects nationally and internationally. Some specific issues So much for general background. Let me talk briefly about some more specific issues we have identified in our own post-11 September discussions. I say our own discussions because the public authorities in the UK - as in most other countries I am sure - have been conducting a thorough review of contingency arrangements. For the financial sector, this work falls mainly to the Treasury, the Bank and the FSA and it has been coordinated through the so-called tripartite Standing Committee, set up as part of the new institutional arrangements introduced in 1997 for maintaining financial stability. The first issue which has emerged as perhaps the single most important concern is communication. Communication here means communication about who is doing what to increase the robustness of the financial system in anticipation of a problem; but also, and crucially, it means communication amongst relevant firms, regulators, service providers, central banks and finance ministries after an incident has occurred. There are important sub-issues about the mechanics of communication how it is to be maintained if normal channels have been disrupted? What, for example, are the relative strengths and weaknesses of telephone land lines versus mobile networks? What part might satellite phones play? And what about internet and links, which had a critical role in New York. But communication also raises the question of what information is likely to be useful. The potential range here is too wide to try to be specific and comprehensive in
4 4 advance. But it certainly includes, for example, information about how to get in touch with key people, about the immediate financial position of firms, and about who has the necessary powers, and discretion to exercise them, in circumstances of crisis. Much work is underway to provide answers to these questions, even if only in a provisional way, through a so-called information clearing house. There are plans to launch a prototype, probably based on a web site, in the near future. A second important message coming out of 11 September was the need to consider continuity of staffing as well as continuity of physical systems. Most directly to put it brutally this is the question of how to continue operations if key personnel are killed or incapacitated, or if, for some reason, they cannot be contacted. This issue arose in a stark form for several firms on 11 September. There is probably no entirely satisfactory strategy to cope with this threat; the expense and the motivational difficulties of maintaining shadow management and operational capability are probably too great. Nevertheless there are some approaches which, at least for major international firms, may provide some degree of protection. They may, for example, be able to switch activity from one financial centre to another where staff in both are involved in similar if not identical areas of business. Whatever the approach, perhaps the real point is that the need to address this issue is now much more widely recognised. A third key consideration, and in many ways the most obvious, is the adequacy or otherwise of physical contingency plans, which typically depend at least in part on maintaining remote back-up sites. The issues here are complex. All regulated firms certainly all major market participants are required by their regulators to demonstrate that they have realistic arrangements for coping with various kinds of operational risk, of which destruction or inaccessibility of key operational sites is clearly one example. Ensuring, so far as possible, that these arrangements work not just in principle but also in practice is essential. There were some cases after 11 September where back-up sites or systems did not, for a variety of reasons, operate as planned. But as well as these issues relevant to individual firms, there is a question about whether the financial system as a whole is likely to prove robust. How far might the plans of individual firms, which taken on their own look entirely sensible, turn out to be inadequate or inconsistent when looked at in aggregate. Might the whole, so to speak, be less than the sum of the parts? One aspect of this is the issue of co-dependencies single points of failure affecting many different parts of the system. In the context of contingency sites, this would arise if, for example, several different firms had contracted with a single supplier for access to a particular site which clearly could not, however, be occupied by all of them at once. Choosing a contingency site also gives rise to the dilemma of whether it is best located close to the
5 5 primary site more easily accessible but more likely to be affected by an event which takes out the primary site or remote and prospectively therefore inaccessible even if it remains intact. My fourth point is that many of the same issues arise in relation to public infrastructure, such as transport, power, water, telecommunications and so on. The relevant suppliers - who are actually now for the most part in the private sector - have also been reviewing their contingency arrangements, including the question of how far their facilities are vulnerable to single points of failure. One of the key challenges is to make sure that consumers have access to relevant information about this infrastructure, while recognising the confidentiality and sensitivity of some of that information and its potential value to terrorists. The experience in New York demonstrated, however, how vital the maintenance or restoration of infrastructure services was to the functioning of Wall Street. In the UK, the Corporation of London has played a very helpful role in bringing together the public infrastructure suppliers relevant to the City and, in conjunction with the management company, to Canary Wharf. Judith Mayhew will, I know, be explaining this more fully later today. A fifth issue is what sort of contingency it is sensible or realistic to plan for in other words, how big an event contingency arrangements should be designed to handle. At one end of the spectrum, there are clearly incidents which may be highly disruptive and damaging for individual firms but which are unlikely to have any significant knock-on effects. For contingencies at that level, any response is very largely a matter for the individual firm. At the other end of the spectrum, there are contingencies which are prospectively so damaging that maintenance of the financial system, or at least the financial system in anything but a rudimentary form, is unlikely to figure high on the list of priorities. This would most obviously be the case with, say, a nuclear attack. What point to aim for between these two extremes is perhaps impossible to say? There may, however, be a slightly different approach - namely to focus on the elements, the building blocks, of a response applicable in a wide range of circumstances, rather than on a particular scenario. It may then, nevertheless, be sensible to test out these building blocks in the face of different possible scenarios, to see at what points and in what ways the contingency arrangements are likely to come under strain. Drawing once more on the experience of 11 September, my sixth point is the need for clear guidance to be given on the practical aspects of market functioning in circumstances of crisis, and on what adjustments to normal practice are acceptable. In New York in many cases these adjustments were discussed and agreed by the relevant market associations and notified to the regulators. This approach has many attractions, because practitioners specialising in a particular area are much more likely than anyone else to know what is important, and what will work and what will not. Market
6 6 associations need; however, to have sufficient standing so that their conclusions, even if not binding in a strictly legal sense, are nevertheless accepted in practice. This approach also, of course, requires that market associations with the relevant capacity exist for each of the major markets, whether for foreign exchange, equities, government bonds or whatever. In London, we are in the middle of a programme of discussions with market associations on how they might handle 11 September-type market dislocation, with a view to supplementing existing procedures or, where necessary, putting new procedures in place. Since the public sector and specifically the Bank is a participant in a number of these markets, this is an exercise in which we are closely involved. Finally, while I have mentioned the general issue of public/private sector cooperation and will not say any more about it now, there is one additional issue relevant especially to central banks. One of the reasons why financial markets were able to keep going so well after 11 September was the Fed s policy of providing very large amounts of liquidity to banks which found that their normal payment flows were disrupted. Without this, there is no doubt that the financial and economic repercussions of the attack would have been much more serious. The arrangements for providing this liquidity raise a number of issues, however, for example where firms operate in a variety of currencies in a number of different countries but also and more generally assessing the risks associated with unsecured lending. Lending on this basis became almost unavoidable on 11 September given that the assets which would normally be used as collateral were unavailable with the disruption to the custody and securities handling machinery. These are judgements which can probably only be made on a case-by-case basis in the circumstances of the time. But with the amounts prospectively involved, they are judgements which central banks, and indeed other market participants, are bound to take extremely seriously. Closing remarks Let me finish with just a couple of additional observations. First, I think we are all aware of the need to move beyond analysis and discussion to action. And there has been a good deal of action by various of the parties involved in contingency planning. Keeping everyone in touch with what is going on is, however, a challenge in itself and one of which the Bank, the Treasury and the FSA are all very well aware. That is part of the motivation for the information clearing house idea. It is also one of the reasons why John Trundle and I from the Bank, and tomorrow Paul Wright from the FSA, are pleased to be able to talk to groups such as this. Whatever the technique, the strengthening of communication channels between firms, and between the private sector and public sector, is essential. And it is also essential, in the financial sector
7 7 perhaps as much as in any other, that the international aspects of contingency planning are recognised. Second, some of the issues raised are, however, technically or in terms of the prospective cost/benefit balance, difficult to call and further work is needed before any sort of plan can sensibly be decided. There is no point in diverting effort into a half-baked proposal which quickly turn out to be inadequate or unworkable. That is a major part of what we are involved in now. Some of the results will I am sure be discussed in the next two days; others will no doubt be the basis for similar conferences in future!