De Nederlandsche Bank N.V.
May 2011

Assessment Framework for Financial Core Infrastructure Business Continuity Management
Contents

Introduction ... 3
Business Continuity Management Standards ... 5
  1. Strategy / policy ... 5
  2. Business impact analysis / risk analysis ... 6
  3. Scenarios / measures ... 7
  4. Testing / monitoring ... 8
  5. Management and maintenance ... 9
  6. Crisis management and communications ... 9
Introduction

In 2004, the Assessment Framework for Business Continuity Planning (BCP) was launched as a framework for banks and market infrastructures. In 2006, this range of criteria was supplemented with guidelines for the continuity of the human factor for critical systems / operational processes. In 2010 the framework was reviewed in light of the further development of standards by standardisation institutes, [1] market best practices and the development and review of norms by financial authorities. [2] This latest review has led to the present Assessment Framework for Financial Core Infrastructure (FCI) Business Continuity Management (BCM). [3]

This framework is in alignment with the continuity element in a number of international assessment frameworks [4] of these financial authorities. It was drafted in supplementation to these international frameworks because the FCI for payment and securities systems includes both financial market infrastructures (FMIs such as clearing and settlement firms) and banks, whereas the international frameworks regard either (part of) the FMIs or (part of) the banks.

De Nederlandsche Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM) employ this Assessment Framework to determine to what extent its standards are adhered to by the institutions that make up the FCI. Compliance with the standards in this Assessment Framework for FCI Business Continuity Management does not relieve institutions from the obligation to comply with international assessment frameworks (such as those of the BIS/IOSCO), where they apply to e.g. specific systems.

As the FCI consists partly of institutions providing payment and securities settlement systems and partly of institutions participating in such systems, the providers of systems may impose requirements on participants in terms of security and of business continuity. Participants must be alert to this and meet such requirements.
Business continuity is linked with several related fields of expertise: information security, physical security, crisis management and, in a broader sense, (operational) risk management. In the business continuity process, these relationships must be taken into account and policy and measures must be in alignment. Yet while the subject of crisis management will be explicitly reflected in the standards of this Assessment Framework, other related fields of expertise will not.

[1] Such as BS 25999 of the British Standards Institute.
[2] Such as the European Central Bank (ECB), the Committee on Payment and Settlement Systems (CPSS) of the Bank for International Settlements (BIS), the International Organization of Securities Commissions (IOSCO), the Basel Committee on Banking Supervision (BCBS) and the Joint Forum (which represents the BCBS, the IOSCO and the International Association of Insurance Supervisors (IAIS)).
[3] The scope of the FCI includes institutions responsible for the principal transaction flows and principal payment and securities settlement systems in the Netherlands. They include market infrastructures as well as participants in these infrastructures.
[4] CPSS Core Principles for Systemically Important Payment Systems, CPSS/IOSCO Recommendations for Securities Settlement Systems, CPSS/IOSCO Recommendations for Central Counterparties, BCBS / Joint Forum High-Level Principles for Business Continuity, ECB Business Continuity Expectations for Systemically Important Payment Systems.
They are dealt with on a supra-institutional level by several consultation structures created and run by the Dutch financial sector itself. Specifically for business continuity, the Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) has been set up to discuss policy issues and share experiences in the field of business continuity and the protection of critical infrastructures. Within this Platform, the FCI institutions discuss issues such as the application of best practices, and formulate joint criteria for critical service providers.

As regards supra-institutional operational crises in payment and/or securities systems, a Tripartiet Crisismanagement Orgaan (TCO) was set up in which DNB, the AFM and the Ministry of Finance participate. In this crisis management structure, the institutions participating in the FCI are represented in a consultative body and three advisory committees.

The rest of this document discusses the actual norms: (1) strategy and policies in business continuity management; (2) business impact and risk analyses; (3) scenarios and measures; (4) testing and monitoring; (5) management and maintenance; and (6) crisis management and communications.
Business Continuity Management Standards

1. Strategy / policy

Every institution must have a board-approved business continuity policy and business continuity plan (BCP) in place. [5] The policy and plan combine to form an essential element in the institution's overarching operational risk management framework, with which they must be in line.

The BCP identifies the critical operating processes and associated systems, and lays down the strategy, policy principles and objectives regarding the continuity of these critical operating processes. Identification of the critical operational processes must be based on a business impact analysis (BIA). The plan must furthermore specify and explain the maximum acceptable timespan during which operating processes and systems may be inoperative. This timespan determines the recovery time objective or RTO, which is the time needed to restore the processes and systems to working order. Apart from the RTO, the BCP must also define the objective for the maximum acceptable data loss (Recovery Point Objective).

Based on an analysis, threat scenarios must be drawn up describing various potential disruptions of operating processes, taking account of both external and internal threats. These scenarios should also provide for measures to safeguard realisation of the service levels agreed with the stakeholders and laid down in the relevant service level agreements. The measures must be based on a risk analysis.

The plan must address specific aspects such as the organisation's international dimension and the consequences of, e.g., outsourcing or offshoring. Where institutions participate in clearing and/or settlement systems, reference must be made to the requirements to be met in this context by the participants. The plan must also identify the national and international assessment frameworks and standards [6] that must be satisfied.
Keeping the plan up to date is a continuous process involving periodical formalisation, as per policy, and ad hoc formalisation in the event of far-reaching changes in the organisation, operating processes or systems. An institution's business continuity management must be assessed by an independent party such as an internal or external auditor.

[5] Policy and plan may consist of a coherent set of documents.
[6] Examples are the BIS, CPSS and IOSCO principles and recommendations.
2. Business impact analysis / risk analysis

Business impact analysis / critical operating processes and systems

Every institution must perform a business impact analysis to determine the consequences of complete or partial malfunctioning of an operating process. Such an analysis results in an inventory of critical operating processes and systems / resources. The analysis should include not only the impact of the malfunctioning process on the institution, but also the impact on the payment and securities systems of which the process / system concerned forms part. The extent to which other institutions depend on the proper functioning of a process counts towards its degree of criticality. The business impact analysis must be kept up to date and performed after every implementation of a new process / system or every major change.

Risk analysis / scenarios and measures

Every institution must have performed a risk analysis, identifying per critical process / system the direct and underlying possible causes of its malfunctioning. Next, an inventory is made for each of the threat scenarios identifying what measures are in place or what measures might be taken to mitigate the risk (probability and impact). Finally, the residual risks accepted by the board must be documented. These steps are summarised in Table 1.

TABLE 1  Steps of a risk analysis

Why is the process unavailable?
  (Partial) unavailability of (and/or): people; IT systems [7]; communications [8]; buildings [9]

What is the cause?
  Natural calamities (fire, storm, earthquake, flood etc.); technical failure (hardware / software malfunction, power cut etc.); organisational failure (human error, sickness etc.); wilful malice (sabotage, terrorism, cybercrime etc.)

What controls / measures are available?
  Measure / control categories: preventive; detective; corrective; response

What residual risks remain?
  List of accepted residual risks

One element of such a risk analysis is the identification of single points of failure.
These may not only be of a technological nature but may also relate to an organisational unit or to the concentration of essential knowledge in one or very few staff members. The risk analysis must be kept up to date and be repeated after every implementation of a new process / system or every major change. The risk analysis outcome must be endorsed at least annually by the management, whether or not any changes have been made to processes or systems.

[7] Including data/information.
[8] Includes both voice and data communication facilities.
[9] Includes infrastructural facilities such as power and water.

Dependence on service providers / participants

The risk analysis must concern itself explicitly with the organisation's dependence on utilities and basic facilities (power, gas, water, telecommunications) and external service providers; the specific risks which such dependence implies for the continuity of critical processes; and the measures taken against each such risk to ensure continuity. The BCP must specify clearly what agreements have been made with the service providers concerned, the form and manner in which information on the measures of the service providers and their performance vis-à-vis the service level agreements is available, and how guarantees are obtained with respect to implementation and operation of these measures. Such specification may be in the form of references to the relevant contracts and service level agreements. The institution must also have contemplated possible alternatives to safeguard the continuity of utilities and basic facilities.

The Financial Market Infrastructures (FMI) consist of institutions that manage clearing and settlement systems in which other FMIs and/or financial institutions participate, or that provide other infrastructural services. Such FMIs must, in their risk analysis, explicitly consider the risks to their systems arising from the activities of participants. Based on the analysis, participants in a system must be bound to operational requirements corresponding to the importance of each participant in that system.

3. Scenarios / measures

The risk analysis yields an overview of the risks and mitigating measures for several scenarios. Certain aspects need explicit attention.

Human factor

The BCP must make clear in what way the human factor has been accounted for. [10] The human factor should pose as little difficulty as possible in the continuation of business processes and IT support systems.
The BCP must set forth whether and how the deployment of (other) employees after a calamity may be organised.

Maximum tolerable period of disruption

The measures in respect of the various scenarios must aim to ensure that critical operating processes and systems can be resumed within the applicable RTOs. The RTO for each process must be in line with the terms of the applicable service level agreement. For certain processes (e.g. clearing and settlement) the possible existence of (inter)national regulatory requirements must be taken on board.

[10] Note: this Assessment Framework does not regard the emergency response plans that aim to bring personnel to safety in a calamity situation.
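As an added illustration (not part of the DNB framework), the following Python sketch models the Table 1 steps of section 2 and the RTO check of section 3 for one constructed settlement process: residual risk per threat after the controls in each measure category, single points of failure (essential knowledge held by one staff member, or a threat with no control at all), the residual-risk register the board must accept, and whether recovery including the relocation decision and staff transfer time fits both the RTO and the SLA. All names, figures and thresholds are assumptions.

```python
from dataclasses import dataclass, field

RESOURCES = ("people", "it_systems", "communications", "buildings")  # Table 1, column 1
CONTROL_TYPES = ("preventive", "detective", "corrective", "response")  # Table 1, column 3

@dataclass
class Threat:
    cause: str          # natural, technical, organisational or malice (Table 1, column 2)
    resource: str       # one of RESOURCES made (partially) unavailable
    probability: float  # constructed estimate, 0..1
    impact: int         # constructed scale, 1 (low) .. 5 (high)
    controls: dict = field(default_factory=dict)  # CONTROL_TYPE -> risk reduction 0..1

@dataclass
class Process:
    name: str
    rto_minutes: int       # recovery time objective laid down in the BCP
    sla_minutes: int       # maximum outage agreed in the service level agreement
    decision_minutes: int  # time needed to take the relocation decision
    transfer_minutes: int  # employees' transfer time to the alternative location
    restore_minutes: int   # technical restore at the alternative location
    key_staff: frozenset   # staff holding the essential knowledge for this process
    threats: list = field(default_factory=list)

def residual_risk(threat):
    """Probability x impact, reduced by the controls in each Table 1 category."""
    assert threat.resource in RESOURCES
    remaining = 1.0
    for kind, reduction in threat.controls.items():
        assert kind in CONTROL_TYPES and 0.0 <= reduction <= 1.0
        remaining *= 1.0 - reduction
    return round(threat.probability * threat.impact * remaining, 3)

def rto_feasible(proc):
    """Recovery incl. decision and transfer time must fit the RTO, and the RTO the SLA."""
    recovery = proc.decision_minutes + proc.transfer_minutes + proc.restore_minutes
    return recovery <= proc.rto_minutes <= proc.sla_minutes

def single_points_of_failure(proc):
    """Knowledge concentrated in one person, or a threat that no control addresses."""
    findings = ["people: essential knowledge held by %d staff" % len(proc.key_staff)] \
        if len(proc.key_staff) <= 1 else []
    findings += ["%s: no control against %s failure" % (t.resource, t.cause)
                 for t in proc.threats if not t.controls]
    return findings

def residual_register(proc, accept_below=1.0):
    """Residual risks at or above the threshold, to be accepted explicitly by the board."""
    return [(t.cause, t.resource, residual_risk(t)) for t in proc.threats if residual_risk(t) >= accept_below]

SETTLEMENT = Process(  # constructed sample: a settlement process with a four-hour SLA
    "securities settlement", rto_minutes=120, sla_minutes=240, decision_minutes=30,
    transfer_minutes=45, restore_minutes=40, key_staff=frozenset({"operator-1"}),
    threats=[Threat("technical", "it_systems", 0.5, 5, {"preventive": 0.6, "corrective": 0.5}),
             Threat("natural", "buildings", 0.05, 5, {"response": 0.8}),
             Threat("malice", "communications", 0.3, 4)])
```

For the sample, the RTO is feasible (115 of 120 minutes), but the single operator and the uncontrolled communications threat surface as single points of failure, and the latter lands in the residual-risk register.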
Alternative premises

Every institution must be able to move its critical processes and systems from its primary location to one or more alternative locations. In many cases, there are several alternative locations, often with ICT set apart from the business. The alternative locations must have different risk profiles as compared to the primary location. Measures ensuring adherence to the RTO must take into account the time needed to take the relocation decision. Also taken into account must be employees' transfer time to the alternative location. An institution must also have elaborated recovery plans describing the activities that need to be undertaken to return to the normal situation.

Aspects to be considered in determining locations' risk profiles are:

1. The composition and capacity of the infrastructure in the alternative sites must be sufficient to allow the operation of critical processes to be taken over from the primary sites.
2. Sufficient numbers of personnel must be able to be deployed on the alternative locations to ensure continued operations within the RTO.
3. The distance between and access to the locations must take into account the risk of traffic congestion, obstruction resulting from natural disasters (which may impact both locations simultaneously) and the time needed to move from one location to another.
4. Disruption of utilities and basic facilities (power, water, telecommunications) must where possible be capable of being circumvented, or else the likelihood of disruption must be mitigated to an acceptable level.

4. Testing / monitoring

The continuity measures in the BCP must be tested regularly. This includes testing the emergency relocation of processes and systems under several different scenarios, including large-scale disruptions and the switchover from the primary to one or more alternative sites. Testing should involve the relocation of both IT systems and business processes.
Service providers must be involved regularly in such tests, and in the case of FMIs, so should critical participants. Depending on the importance of a business process or system, measures must be tested at least once a year. The test results must be recorded in reports mentioning identified deficiencies and points for attention, appointing a unique problem owner and stating a resolution period. The BCP must include a testing calendar stating the testing schedule and describing a procedure for the way the test results are to be incorporated in the BCP.

The relevant institutions must implement an incident management process (detection, escalation, analysis and monitoring of incidents). After all, incidents may also provide an indication that measures need to be reviewed.
5. Management and maintenance

Business continuity is a responsibility of the process owner. The institution must ensure that responsibility for business continuity management is allocated explicitly within its hierarchy. Sufficient capacity must be made available to fulfil this responsibility. The resulting business continuity organisation must be documented, including a clear description and delineation of duties concerning the management and maintenance of the business continuity plan. Maintenance includes keeping abreast of developments in national and international standards and assessment frameworks, of (international) legislation and of changes taking place within the organisation and in service level agreements.

6. Crisis management and communications

Every institution needs to have a crisis management organisation in place whose mandate enables it to take decisions and activate measures in case of an operational calamity. The crisis management organisation reports to the board. The organisation and its associated plans and procedures must be clearly documented.

Every institution must have a communications plan describing the way in which, in case of a calamity, communications to all stakeholders are to be organised as adequately as possible. Stakeholders include, in any case, clients, staff, the other FCI institutions, regulators and the media.

The crisis management organisation, procedures and communications plans for the individual institutions must mesh with the organisation, procedures and agreements in the context of operational sector crisis management as applicable to the Financial Core Infrastructure.

The crisis management organisation, procedures and communications plans of individual institutions must be tested regularly (in accordance with policy) but at least once a year. The test results must be recorded in reports mentioning identified deficiencies and points for attention, appointing a unique problem owner and stating a resolution period.
At the sector level, this must happen at least once every three years, with participation by all institutions belonging to the FCI.