Business Continuity Management February 2013
INDEX
Strategic Vision: Vision; Progress
SGCN Policy: Objectives; Main definitions
Corporate Governance
Business Impact Analysis (BIA)
Strategies: Prevention, containment, recovery; Business objective times (RPO, RTO, MTPD); Continuity measures
Audits and specific checkups: BSI, KPMG, Surveillance Committee; High Management (Management) and Participants Committee
Tests and exercises program: 2011 and 2012 program; Fulfillment of tests and exercises
Training program
Business Continuity Management. Continuity view

Vision
Operational Continuity is a strategic axis for the development of the Company. DCV's goal is to be the last component of the financial system to stop operating and the first to recover, regardless of the event or calamity.
To protect the life and physical integrity of the Company's employees and of the people who are on our premises at the moment an incident occurs.

[Diagram: Operational Risk Management and the Business Continuity Management System (SGCN) plotted by probability and impact. The BCP covers normal-impact, feasible risks; the DRP-CMP covers high-impact, unlikely risks.]
Business Continuity Management. DCV and GCN progress

[Timeline slide with two tracks, DCV Progress and GCN Progress. The milestones appear below in the order extracted; the years were not captured.]
- Foundation of DCV
- DCV Registros
- Dematerialization
- DVP, FLI Operations
- Custody and Registry of IRF Transactions
- Foundation of DCV
- Custody and Registration of IRV Transactions
- Custody and Registry of IIF Transactions
- Contingency procedures tests
- Start of efforts toward operational continuity
- Contingency plan for all resources and critical services
- Y2K Plan
- Business Continuity Plan (BCP)
- New methodology. The merger is created.
- BCP updating and maintenance
- BS 25999 Standard is issued
- Intraday Clearing House
- Reformulation toward a SGCN
- Production sites are moved to TIER III
- Distribution of offices in two buildings
- Incorporation of DRP+CMP
- Site in USA
- Work plan according to the BS 25999 Standard
- ACSDA Leadership Forum (ALF)
- SADE Web
- Agreement with DTCC
- Euroclear
- Forward
- Mila
- Electronic Position Certificate
Business Continuity Management. SGCN policy

Objectives
- To structure a formal work frame in order to secure the availability of critical processes and compliance with the governmental and contractual regulations that govern the services provided by DCV.
- To provide guidelines regarding the principal roles and responsibilities of business continuity management.
- To provide the necessary tools for the application of the business continuity program and management, in order to ensure the recovery of DCV critical services, safeguarding the protection and security of the people, assets and critical processes of the business.
Business Continuity Management. SGCN policy

Main definitions
- DCV shall safeguard the security and integrity of all the people who are on DCV premises, as well as those employees who, being outside the company premises, are providing services to it.
- Business continuity management must be aligned with the guidelines and requirements central to the fulfillment of the governing law, and with the BS 25999 standard.
- Continuity issues shall be disclosed and incorporated within DCV culture with the purpose of keeping the personnel informed and trained.
- An Annual Business Continuity Program shall be set, which establishes planning activities, implementation, revision and updating of the business impact analysis, plans and procedures, test execution and other related issues.
Business Continuity Management. Corporate governance

[Organizational chart]
Board
  Risk Committee; IT Committee; Audit and Risk Committee
  Information Security; Operational Risk; Business Continuity
Organizational and Functional Structure: Operational Continuity Plan; Disaster Recovery and Crisis Management; Process Owners
Emergency Committees: Spokesman; Crisis Management Committee (CMC); Installations Recovery Committee (IRC); Personnel Support Committee (PSC); TICs Recovery Committee (TRC); Standard Communications Committee (SCC)
Business Continuity Management. Business Impact Analysis (BIA)

BIA summary
- Identification of the critical processes of the business (priority, objective times, frequencies, component dependence).
- Identification of components (critical nature; classification: premises, human resources, IT).
- Identification of scenarios that have an impact on the business, such as a threat to collaborators' integrity, to the continuity of critical processes and to regulatory compliance.
- Identification of threats (classification: natural, human resources, ICTs, etc.).
- Activities according to time.

Component criticality level (excerpt of the BIA table)
Process | Sub-process | Image | Financial | Regulatory | Inherent impact
Central Registry of Issues | Registration and Recording of Securities | 3.2 | 3.2 | 3.2 | high
HR Administration | Termination | 2.4 | 2.4 | 2.4 | moderate
Income and Payments Control | Collection and Administration of Income | 2.8 | 2.8 | 2.8 | high
Custody | Dematerialized deposit with files | 4 | 4 | 4 | extreme
Reconciliation and Reporting to Issuers | Dividend Reporting | 3.2 | 3.2 | 3.2 | high

Activities according to time (excerpt)
Process: Transfer. Sub-process: Transfers between Depositors. RTO (hours): 2. Sub-process owner: Mirna Fernández.
- Transfer between depositor accounts: RTO 2 hours, owner Mirna Fernández.
- International Treasury, Purchase: RTO 2 hours, owner Mirna Fernández.
- Custody, Placement of CFM 2 to 8: RTO 2 hours, owner Mirna Fernández.
Criticality is graded by elapsed time in the bands 0-15 minutes, 15-30 minutes, 30-60 minutes, 60-90 minutes, 90-120 minutes and 2-4 hours, on the scale insignificant, medium, high, very high.
For any incident or contingency, the action to follow is to notify the MAU. The MAU reports the interruption event to the incident manager, who validates and evaluates whether it corresponds to an IOC, notifies the CMC and other interested parties, and activates the respective Action Plan.
Business Continuity Management. Strategies

Prevention Strategy (probability), Containment Strategy (impact), Recovery Strategy (actions): Continuity Procedures, Disaster Recovery Plan, Crisis Management Plan.
Related processes: Risk management, Capacity management, Incidents management, Problems management, Business continuity management system.

The Company defines factors both for the external scope, related to suppliers and amenities, and for the premises, internal resources, IT and people infrastructure that may affect the critical services.
- People. Protect skills and knowledge. Benefits, executive succession, duplication of key functions.
- Facilities. Reduce the impact of non-availability. Alternate administrative site, power unit, telecommuting.
- Technology. Safeguard or re-establish the IT infrastructure. Technological redundancy, information backup, vital records.
- Suppliers. Inventory of suppliers that support the activities. Identification of critical suppliers, contract provisions.
Business Continuity Management. Strategies: Business Objective Times

[Diagram: business incident time line. Business, incident, recovery step 1, step 2 ... step n, business recovered.]
DCV's goal is to be the last component of the financial system to stop operating, and the first to recover, regardless of the incident or calamity.

- Recovery Point Objective (RPO): maximum acceptable level of data loss in an unplanned event. Information loss since the last backup or data replication.
- Recovery Time Objective (RTO): period of time during which the services would not be available before the operational units are significantly affected. Execution of alternate procedures for the recovery of the services.
- Maximum Tolerable Period of Disruption (MTPD): period after which the viability of an organization is irrevocably threatened if a product or service cannot be restored.

The Recovery Point Objective (RPO) for critical services is thirty seconds. The Recovery Time Objective (RTO) for DCV's critical services is two hours. The Maximum Tolerable Period of Disruption (MTPD) tends to be twenty-four hours.
Business Continuity Management. Strategies: Continuity Measures

Operational aspects
- Administrative offices backup. Buildings (Burgos-Huérfanos).
- All critical functions must be duplicated.
- Human Resources backup.

Technological aspects
- Distribution of production sites toward TIER III category housing.
- All critical components must be duplicated.
- The services provided by DCV to its users cannot be conceived without the availability of the computer systems built for that purpose, given the volume and risk involved.

Continuity Plan procedures.
[Diagram: duplicated components. Offices: Burgos, Huérfanos. Human Resources. IT sites: Prod. 1, Prod. 2.]
Business Continuity Management. Audits and Reviews

External audits
- BSI Audit. Date of execution: Jul 2012. Objective: planning and design revision. Date of execution: Oct 2012. Objective: SGCN implementation, effectiveness and efficiency.
- KPMG Audit. Execution date: Nov. 2012 and Nov. 2013. Objective: SGCN implementation, effectiveness and efficiency.
- Surveillance Committee Audit. Date of execution: Sep. 2013. Objective: SGCN implementation, effectiveness and efficiency.

Specific checkups
- Senior Management. Date of execution: Aug. and Dec. 2013. Objective: revision of SGCN main milestones.
- Participants. Date of execution: during the year. Objective: compliance with the 2020 regulation.

Each one of the deliverables, and the action plan of DCV, is information with internal classification.

[Audits and checkups time line, Jul 2012 to Jan 2013: BSI Audit (Jul and Oct 2012), BSI Checkup, Management Committee Review, Surveillance Committee, Internal Audit, KPMG, Internal Audit, Management Committee Review.]
Business Continuity Management. 2011 Tests Program

The Business Continuity Plan tests program of 2011 is presented along with the most significant tests and deviations.

[Charts: "Expected vs. Actual Fulfillment of the Program" (series: Cumplimiento Real, Programa Presupuestado) and "Program Fulfillment Progress" (series: Cubierto, No Cubierto). Monthly values as extracted, fulfillment pair / progress pair; the extraction does not preserve which series each value belongs to.]
Mar: 7%, 7% / 7%, 93%
Abr: 7%, 7% / 7%, 93%
May: 22%, 15% / 15%, 85%
Jun: 35%, 28% / 28%, 72%
Jul: 29%, 46% / 29%, 71%
Ago: 36%, 53% / 36%, 64%
Sep: 46%, 68% / 46%, 54%
Oct: 85%, 55% / 55%, 45%
Nov: 66%, 93% / 66%, 34%
Dic: 100%, 100% / 100%
Compliance at Dec 2011.

New 2012 tests program
In search of the continuous improvement of the SGCN, and as prescribed by the regulation, the test program is reformulated toward an exercise program. The alternating of the Production Sites, evacuation exercises and a test that activates different responses independently (DRP+CMP) are considered for the year 2012.

Program deviations
- Use of alternate offices. Complementary test due to restructuring.
- Back-up power. Complementary test due to restructuring.

Significant tests performed
- Production Site Alternating.
- Disaster Recovery Plan and Crisis Management.
- Burgos Evacuation Plan.
- Environmental and Prevention Controls.
- Client Operations in DCV Premises.
Business Continuity Management. Exercise results

2012 exercises
- Production Sites Alternation.
- Evacuation of Premises.
- DRP+CMP.
The objectives, results, and deviations are classified as internal use information.
Business Continuity Management. Training Program

Program fulfillment
- Take over the level of development of the global competences: individual interviews; BS25999 sensitization; understanding courses; preferences style poll; alignment (May).
- Coverage (May): 100% Emergency Committee; 15% of personnel; 90% Critical Personnel; 80% Floor Leaders; 18% of personnel; 9% of personnel.
- BS25999 training and sensitization; knowledge tests (May).
- Training (Sep - Nov): Emergency Leadership; Psychoprevention; Work Safety Techniques.
Business Continuity Management. Documentation Change Control

Maintenance Log
- Previous version: N/A. Date of update: 11-feb-2013. Reason: Document creation. Change description: Document originates in order to present SGCN primary milestones. Performed by: André Medel.
- Previous version: 1. Date of update: 14-feb-2013. Reason: Revision. Change description: Approval; minor issues are revised and corrected. It is sent to be published on the web site. Performed by: Claudio Herrera and André Medel.

c-info-0134-gfp-rop-20130214-01