BUSINESS CONTINUITY MANAGEMENT

Similar documents
THE ROLE OF THE BOARD IN RISK MANAGEMENT

TACKLING MARKET FRAGMENTATION IN GLOBAL BANKING DOUGLAS J. ELLIOTT

NOT SOFR AWAY: LIBOR TRANSITION BEGINS

HANDLE WITH CARE POINT OF VIEW A DIAGNOSIS OF THE CHALLENGES IN CORPORATE CLAIMS MANAGEMENT. Financial Services

Financial Services SOLVENCY II UNDER STARTER S ORDERS

REINSURANCE ESCAPING FROM THE BEARS. Financial Services

Commodity Hedging the advent of a new paradigm

Financial Services. Solvency II. Briefing note

The Crisis and Asset Management: A Catalyst for Change

RETURN ON RISK MANAGEMENT. Financial Services

STRUCTURED CAPITAL STRATEGIES

Financial Services. Point of View. UK SME Pricing. Put Your Underwriters Back in the Box. Author Christopher Sandilands, ACII, Senior Manager

2017 VANTAGESCORE MARKET STUDY REPORT. AUTHOR Peter Carroll, Partner

INSURTECH CAUGHT ON THE RADAR

2018 VANTAGESCORE MARKET STUDY REPORT. AUTHORS Peter Carroll, Partner Cosimo Schiavone, Principal

Financial Services. Bad bank strategy. It s harder this time

Lloyd s City Risk Index

Reshaping the risk-reward balance in compensation

Global Risk & Trading Practice SEPARATING THE WHEAT FROM THE CHAFF

THE STATE OF INTEREST RATE RISK MANAGEMENT

INSURANCE INSIGHTS POWERFUL SWELL OR CAUGHT IN A RIP? CHINA S INSURANCE INDUSTRY PLOTS ITS COURSE TO EMBRACE INSURTECH

CLIENT BRIEFING AUGUST AUTHORS Jim Fields Partner. Martin Graf Partner

REPORTING CLIMATE RESILIENCE: THE CHALLENGES AHEAD

P&C insurance core transformation: Exploring the possibilities

MEDICARE ADVANTAGE INSIGHTS

DISASTER RECOVERY PLANNING. To print to A4, print at 75%.

Attracting and managing corporate deposits

REPUTATION RISK ON THE RISE

TRANSFORMERS THE HIDDEN COMPANIES NEED TO IMPROVE THEIR ABILITY TO IDENTIFY AND PREPARE FOR EMERGING RISKS. Alex Wittenberg

Islamic finance. Building 150 financial institutions by Financial Services

Natural catastrophes: business risks and preparedness A research programme sponsored by Zurich Insurance Group Executive summary March 1st 2013

MAXIMISING VALUE FROM THE IN-FORCE BOOK

Lloyd s Asia. Underwriting human progress

New Zealand Survey of Risk The Seventh Marsh Risk Report

Global Risks Report 2017

Putting a price on political risk

Lloyd s Asia. Underwriting human progress. Lloyds Global Brochure - ASIA_154x233_V6.indd 1 22/08/ :51

Navigating uncertainty through enhanced business insight

Unmasking True Performance Through Corporate RAROC

Making the most of TARP: The Supporting Role of Fannie and Freddie

GETTING THE MOST OUT OF AXIS

Business Continuity Planning. A guide to loss prevention

Interview. Patrick Liedtke. A conversation with. Secretary General, The Geneva Association. Financial Services. with Bernhard Kotanko,

The Global Risk Landscape. RMS models quantify the impacts of natural and human-made catastrophes for the global insurance and reinsurance industry.

Index Administration Services (IAS) FX BENCHMARK STATEMENT

Financial Risk. Operational Risk. Strategic Risk. Compliance Risk. Chapter 2 Risk management. What is risk?

MARSH & McLENNAN COMPANIES REPORTS FIRST QUARTER 2018 RESULTS

Paper Series on Risk Management in Financial Institutions. Questionnaire Survey on Business Continuity Management (November 2008)

DIFFERENT STROKES FOR DIFFERENT FOLKS

TRIUMPH OF RISK MANAGEMENT OVER PSYCHIATRY

UK 2015 Cyber Risk Survey Report

THE EVOLUTION AND BENEFITS OF GLOBAL HIGH YIELD

A FRAMEWORK FOR MANAGING CYBER RISK APRIL 2015

GETTING THE MOST OUT OF AXIS

Long-term Gas Contracts

From Risk to Resilience: Find (& Overcome) Your Company s Weakest Link THE RISK INSTITUTE RESEARCH TRANSLATION SERIES

Section II: Vulnerability Assessment and Mitigation

ASX CLEAR OPERATING RULES Guidance Note 10

Disrupt and grow Global CEO Outlook

Enhanced Cyber Risk Management Standards. Advance Notice of Proposed Rulemaking

WHOLESALE RISK INSIGHT FOCUSSING ON RISK ISSUES IN WHOLESALE, WAREHOUSING AND DISTRIBUTION. WHOLESALE Risk Insight

Richard Myers Edelman MMC REPORTS FIRST QUARTER 2008 RESULTS

Stress Testing Your Financial Model

January 23, Yours sincerely, (Mrs. Tarisa Watanagase) Governor

AUSTRACLEAR REGULATIONS Guidance Note 10

Senior Supervisors Group:

Borders vs. Barriers Navigating uncertainty in the US business environment. Executive summary

Modeling Extreme Event Risk

European Banks Underestimate the Challenges of BCBS 239 Implementation

Actionable Intelligence December 2017

Big Data - Transforming Risk and Insurance. Driving Change

Accenture Business Journal for India Digital Insurance: How new technologies are changing the rules of the game for a traditional industry

Momentum Growth Optimiser

How to review an ORSA

SMALL BUSINESS. Guide to Business. Continuity Planning. Ensure your business continues to operate in the event of a disruption.

DO YOU TRUST YOUR STRATEGIC COMPASS? WHY IT S TIME TO TAKE A RENEWED LOOK AT FUNDS TRANSFER PRICING PRACTICES

Moderator: Sean Michael Hayward FSA,MAAA. Presenters: Joshua S Y Chee FSA Sean Michael Hayward FSA,MAAA Michael Porcelli FSA,MAAA

MMC REPORTS SECOND QUARTER 2009 RESULTS. Continued Strong Performance in Risk and Insurance Services

Sendai Cooperation Initiative for Disaster Risk Reduction

NAIC CIPR Spring Event on Pandemics

Remote Advice in Life Insurance: A New Route to the Customer

Main Street Report Q1 2018

Financial Services ASIA PACIFIC RISK CENTER: FINANCE AND RISK SERIES PERSPECTIVES ON RECOVERY AND RESOLUTION PLANNING IN ASIA PACIFIC

THE IMPACT OF LARGE LOSSES IN THE GLOBAL POWER INDUSTRY

Next-Gen Contract Management

Property Insurance Market Update

MAXIMIZING VALUE IN VOLATILE COMMODITY MARKETS

Unlocking the potential of Finance for insurers

LIQUIDITY INSIGHTS. Best practices for managing your cash investments. Cash deposits carry counterparty risk too

IT Risk in Credit Unions - Thematic Review Findings

What does the WEF Global Risks Report have to do with my Risk Management program? GRM016 Speakers:

June 24, Re: Solicitation for Comment on the Study and Report to Congress on Natural Catastrophes and Insurance. Dear Director McRaith:

Climate Risk Management For A Resilient Asia-pacific Dr Cinzia Losenno Senior Climate Change Specialist Asian Development Bank

SECTOR ASSESSMENT (SUMMARY): FINANCE (DISASTER RISK MANAGEMENT) 1. Sector Performance, Problems, and Opportunities

IN UTILITIES YOU DON T HAVE TO BUY BIG TO SCORE

Catastrophe Risk Engineering Solutions

Point of View. Data Quality: The Truth Isn t Out There. Financial Services

FINANCIAL CRIME RISK MANAGEMENT IN AUSTRALIA

EExtreme weather events are becoming more frequent and more costly.

IPD PAN EUROPEAN QUARTERLY TRANSACTION LINKED INDICATORS

Transcription:

Financial Services AUTHORS Alon Cliff-Tavor, Principal, Digital, Technology & Analytics Wei Ying Cheah, Principal, Finance and Risk ASIA PACIFIC RISK CENTER: FINANCE AND RISK SERIES BUSINESS CONTINUITY MANAGEMENT FROM TACTICAL AND LOCAL PLANNING TO GLOBAL RESILIENCE AND ASSURANCE

The only thing harder than planning for an emergency is explaining why you didn t UNKNOWN

INTRODUCTION Business Continuity Management (BCM) is a holistic process that enables institutions to prepare for, and respond to, potential crisis situations that lead to disruptions in normal operations. The main objectives of BCM are first, to develop Business Continuity Plans (BCPs) to ensure continuation of critical functions in the event of a crisis; second, to implement and practise these plans so they can be executed effectively, if and when a crisis actually occurs; and third, to improve efficiency and effectiveness of these plans over time, continually adapting to changing risks. Exhibit 1: BCM Framework KEY ENABLERS NORMAL-TIME BCM RISK IDENTIFICATION AND MITIGATION BCM PLANS Scope and mandate Risk identification and assessment Business impact analysis (BIA) Recovery strategy Plan development Emergency response plan NORMAL TIME Governance and organization Crisis management plan Business continuity plan TRAINING AND TESTING IT contingency plan Reporting Training and awareness Testing and exercising KEY ENABLERS CRISIS MANAGEMENT PROCESS CRISIS TIME Crisis mgmt. organizational structure Incident monitoring and escalation Crisis monitoring Crisis assessment Crisis decision making Back-to-normal decision making Post crisis learning TRADITIONAL PERSPECTIVES Many organizations that have developed BCPs have historically viewed this exercise in silos. Typically, traditional BCPs cover an institution s crisis response across the following independent elements: Location: The risk of a specific location or facility becoming unusable due to weather, natural disaster, terror attack, power failure, etc. People: The risk that human resources are unable to fulfil their functions for any reason, including pandemic outbreak Technology (IT): The risk that a specific data center or another critical infrastructure component goes offline Liquidity: The risk of a liquidity shortage due to a variety of crisis scenarios Copyright 2017 Oliver Wyman 3

Often, there seem to be very few coordination areas among these elements or between the functions entrusted with them. Corporate real estate takes care of buildings, IT is responsible for technology resilience, liquidity committees are dealing with their domain, and business or governance management is dealing with other resources (or is supposed to be). Over the last few years, we have witnessed several instances in which financial institutions were subject to substantial business disruptions, for which they had, at best, only partial solutions. Traditional BCM approaches have proven inadequate in times of genuine need. However, we have learned important lessons from recent crisis events and from the responses of our clients and other industry players. SHORTCOMINGS IN TRADITIONAL BCM METHODS 1. BCM REQUIRES REASSESSMENT IN LIGHT OF MORE FREQUENT AND SEVERE CRISES With climate change-related increases in frequency and severity of extreme weather events caused by storms 1, for example, we believe that institutions should dedicate time and resources to re-evaluate their approaches to BCM. Recent crises have demonstrated that traditional recovery strategies and alternate site locations are not fit for the severity of natural disasters that have been encountered. For instance, a North American regional bank struggled with its response to super-storm Hurricane Sandy. Both Disaster Recovery (DR) sites for the bank were connected to the same electricity grid, which was completely wiped out by the storm. As a result, despite being geographically distant from one another, both DR sites went offline and were unusable. This example emphasizes the importance of selecting DR sites that are both geographically distant from one another and reliant on separate utilities and infrastructures. This trend also raises concerns with regard to regulatory constraints in extreme crisis events. For example, in Japan s Triple Disaster in 2011, another bank s entire operations in the country went offline. Under such circumstances, the only continuity plan would be to promptly assign critical functions and capabilities offshore. However, in this instance, local regulations prohibited the offshoring of certain key critical functions, leaving the institution unable to continue operations. This example highlights the importance of taking regulatory constraints into account when developing BCPs. Furthermore, industry bodies and individual institutions should lobby regulators to promote awareness of such matters, and to persuade them to contemplate extreme circumstances in the development of any legislation, well before crisis situations. 1 Global warming: The evolving risk landscape. Sep 2013. Copyright 2017 Oliver Wyman 4

2. BCM OFTEN IGNORES THE INTERCONNECTEDNESS OF GLOBAL BUSINESSES Too often, we see business continuity planning being performed by local management at the country, city or even facility level. This poses significant risks, as these localized BCPs often ignore the regional or global significance of the location or facility for one or more business lines. For example, we have seen a large global institution fail to recognize the global interconnectivity of its Germany-based facility, which played a critical and unique role in Euro clearing and in trading specific asset types. This facility in Germany was responsible for these functions globally, a fact that was not properly considered in the institution s locallydevised BCPs. It was only when the facility faced the grave risk of becoming unavailable for a substantial period of time that the relevant business heads realized the mistake. The BCP supported only local requirements. As a result, it was a woefully inadequate solution given the global network s degree of reliance on that particular facility. Many institutions would benefit greatly from a shift in perspective, moving away from preparing disaster recovery BCPs based on local priorities, to instead focusing on end-toend global resilience. These robust, global BCPs should be fully owned by global business process owners at the appropriate level. 3. SCOPE OF BUSINESS CONTINUITY PLANNING SHOULD BE EXPANDED We have identified three additional scenarios that should be included in a robust BCP with enhanced scope, but all-too-often are not, in practice: a. Loss of license: This scenario involves the risk of losing a key license, or having it restricted in certain respects due to regulatory and/or political threats. The most recent and well-known situation was an order from the New York Department of Financial Services to an emerging market bank in August 2012. With regulatory expectations at an all-time high, and regulators and governments pursuing strict measures to ensure compliance and punish any transgressions, we might see similar situations continue to evolve. It should be noted that merely the threat of losing a license could sometimes have severe consequences, as clients might rush to draw deposits, potentially creating a liquidity shortage. b. Clients perspectives: A robust BCP should consider clients business continuity requirements and the institution s ability, readiness and willingness to support clients in such situations. For example, institutions should consider how they might support a client that is experiencing prolonged power failures or an inability to access facilities, when the institution itself remains open for business. Furthermore, institutions should consider communication strategies for customers during catastrophic events. This customer focus can be a key differentiator against competitors during times of crisis. Copyright 2017 Oliver Wyman 5

c. Social and political unrest: While not completely new on the catalogue of possible scenarios, the probability of such scenarios is certainly rising in many parts of the world, as highlighted in the 2017 Global Risks Report by the World Economic Forum, supported by Oliver Wyman and MMC. 2 Ensuring that scenarios relating to political upheaval, mass protests and strikes, and acts of terrorism, among others, are accounted for, is crucial in our view for a functioning BCM. QUESTIONS TO CONSIDER To address these shortcomings, there are a number of key areas within the BCM framework and a list of questions that institutions should address: FRAMEWORK COMPONENT KEY QUESTIONS TO CONSIDER SHORTCOMING MITIGATED BCM governance Who owns business continuity and management? Are they the right people/function to take a holistic view of all evolving business needs (including potential disruptions due to regulation/liquidity events)? Expansion in BCM scope How often do you conduct a thorough review of your BCP policies, procedures, guidelines and plans to ensure they continue to fit your business needs and realities? Reassessment of whether BCM is fitfor-purpose BCM scope and mandate BCM risk identification and mitigation BCM plans Training and testing Do your BCM policy, procedures and guidelines: Take a business-focused view and are able to handle the consequences of an increasingly global business/ product eco-system in an increasingly regulated environment? Consider potentially providing support to clients in business continuity events? As part of your normal-time BCM risk identification process, do you: Consider sufficiently severe scenarios? Account for new/emerging business continuity risks? Employ an eco-system lens (end-to-end process and data flow view) when examining the resilience of our infrastructure, so as to identify people, location, regulatory, technology, telecom and other dependencies and soft-spots, in order to formulate business and function resilience plans? As part of your BCM plans, do you: Ensure your BCPs are able to cater for a wide range of scenarios including a large-scale/ unusually severe disturbance? Ensure your alternate sites do not suffer from the same weaknesses experienced by several institutions in recent years? Consider potential plans for a move to out-of-country, regional or global disaster recovery site approach? When planning for continuity events and threats, are you taking a specific location and asset view or a truly broad, global, business-centric view? Do those responsible for BCPs have the right knowledge, skills and access to assess and plan continuity from a holistic and strategic business perspective? Do you conduct regular and robust training, including BCM simulations Expansion in BCM scope + interconnectedness of global business New/emerging or unusually severe crisis New/emerging or unusually severe crisis Interconnectedness of global busines Expansion in BCM scope + interconnectedness of global business 2 Marsh & McLennan Companies. Global Risks Report. Jan 2017 Copyright 2017 Oliver Wyman 6

CONCLUSION While the nature and timing of continuity events are never predictable, their consequences unavailability of systems, facilities, and people and the impact of these consequences on institutional processes, can generally be anticipated. Institutions should focus on building robust, globally-focused plans to mitigate common crisis repercussions. BCM training and testing of BCPs, coupled with proper governance, are critical to effective crisis management. Exhibit 2: Illustration of effective BCM in action OPERATIONAL STATUS 100% INCIDENT MORE RESILIENT TO DISRUPTION SHORTER RECOVER TIME Effective BCM No BCM TIME Copyright 2017 Oliver Wyman 7

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation. For more information please contact the marketing department by email at info-fs@oliverwyman.com or by phone at one of the following locations: ASIA PACIFIC +65 6510 9700 AMERICAS +1 212 541 8100 EMEA +44 20 7333 8333 www.oliverwyman.com ABOUT Marsh & McLennan Companies Asia Pacific Risk Center draws on the expertise of Marsh, Mercer, Guy Carpenter, and Oliver Wyman, along with top-tier research partners, to address the major threats facing industries, governments, and societies in the Asia Pacific region. We highlight critical risk issues, bring together leaders from different sectors to stimulate new thinking, and deliver actionable insights that help businesses and governments respond more nimbly to the challenges and opportunities of our time. Our regionally focused digital news hub, BRINK Asia, provides top executives and policy leaders up-to-the-minute insights, analysis, and informed perspectives on developing risk issues relevant to the Asian market. For more information, please email the team at contactaprc@mmc.com. Copyright 2017 Oliver Wyman All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect. The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.

2024 © financedocbox.com Privacy Policy | Terms of Service | Feedback