TERMS OF REFERENCE FOR DRAFTING OF A BUSINESS CONTINUITY PLAN (BCP) FOR EBID April 2018 1
I. BRIEF PRESENTATION OF EBID 1. The ECOWAS Bank for Investment and Development (EBID) is an international financial institution of which the fifteen (15) Member States of ECOWAS, namely Benin, Burkina-Faso, Cabo Verde, Côte d'ivoire, the Gambia, Ghana, Guinea, Guinea-Bissau, Liberia, Mali, Niger, Nigeria, Senegal, Sierra Leone and Togo are shareholders. It emerged from the transformation of the ECOWAS Fund for Cooperation, Compensation and Development (ECOWAS Fund) as decided at the twenty-second Meeting of the Authority of Heads of State and Government held in December 1999. 2. The new entity comprises two operational windows of which one is dedicated to the private sector while the other is dedicated to the public sector. 3. The Authorized capital of EBID is one billion (1 000 000 000) units of account (UA) comprising one million (1 000 000) shares of a nominal value of one thousand units of account. 4. As its corporate object stipulated in its Articles of Association, EBID shall: a. grant loans and provide guarantees for the financing of investment projects and programmes relating to the economic and social development of Member States, participate in the capital of public and private or public companies and carry out all other investments with special priority to: i. projects or programmes which by their nature or scope concern at least two Regional Members States, especially projects to establish regional integration, enhancing infrastructure and all other development projects in both the public and private sectors; ii. iii. projects or programmes aimed at strengthening the economies of the least developed Member States of the Community, and reconstructing countries which experienced serious armed conflicts or socio-political crises; projects or programmes which contribute towards making the economies of the Community more complementary, and special programmes and projects designed to fight poverty and social inequality; b. mobilize resources within and outside the Community, for the financing of such investment projects and programmes; c. provide such technical assistance as may be needed in the Community for the study, preparation, financing and execution of development projects or programmes; 2
d. receive and manage, in conformity with Protocol A/P1/7/96 of 27 July 1996 relating to the Conditions Governing Application of the ECOWAS Community Levy and by virtue of any other relevant provision, the portion of the resources of the Levy meant for the financing of Community development activities; e. manage all Community Special Funds relevant to its object; f. undertake any commercial, industrial or agricultural activity where such an activity is secondary to its object or necessary for the recovery of its debts. 5. For its governance, EBID has: a Board of Governors (General Meeting) which is the highest decision-making organ comprising the representatives (Ministers of Finance) of the ECOWAS Member States; a Board of Directors appointed by the Board of Governors; A Management (a President and two Vice-Presidents) responsible for the dayto-day running of the Bank. II. BACKGROUND 6. The sustainability of any Firm certainly depends on its economic and financial performance. However, in a global environment that is increasingly complex, marked by threats of all kinds, security issues have become unavoidable issue bothering on the continuity and development strategies of firms. 7. A broad range of threats which may include socio-political, structural crisis or cyberattacks targeting vital information system resources, or even natural disasters, terrorists attacks, etc. of which the nature and scope may disrupt and even jeopardize the operations of enterprises require that henceforth, strategies and measures that are indispensable as much as the productive investment, the growth or the drive to conquer market shares be put in place. 8. Hence, for the purpose of preparing a Business Continuity Plan that seeks to preserve the physical integrity of employees through a plan for geographical fallback, to safeguard and recover the computer resources, by limiting the risks of loss of vital resources, also, give customer relations the assurances of continuity and ability to resume activity in all circumstances and within a short interval has become a fundamental concern of all leaders of public and private corporate enterprises. EBID is no exemption to this rule and intends to put in place a Business Continuity Plan that meets highest standards. 3
III. CONTENTS OF THE MISSION 9. In connection with its mission, the Bank must guarantee the continuity of its activity, in case of information system impairment or of its office, among others. 10. The activities and organization of the Bank have grown significantly in recent years and new risks have emerged and must be taken into account in the management of its information system. In line with its concern to align with best international standards, EBID intends to draft its BCP in accordance with standards set by ISO 22301 relating to management of Business Continuity. 11. In this regard, EBID is inviting proposals from consultancy firms, with a view to Drafting of a Business Continuity Plan (BCP) in accordance with ISO 22301 standard. IV. OBJECTIVES OF THE MISSION 12. The BCP must describe the continuity strategy to be adopted to address, by order of priority, the risks identified and outlined according to their gravity and the likelihood of occurrence. 13. In this regard, the Consultant would have to: 1) Carry out Business Impact Assessment; 2) Develop a risk map of the risks faced by EBID in the course of its activities (threats and vulnerabilities having impact on the activities of the Bank and those of its partners) which clearly shows the level of severity, the probability of occurrence, etc.; 3) Identify the needs for continuity of key activities in the event of disaster, and advise on their criticality in the light of the various departments and /or divisions of the Bank; the Consultant will have to propose the responses to be provided to each identified situation, in line with the risk mapping; 4) Determine the financial, regulatory, operational and reputational impact of unavailability of services on the critical business activities (likely impact, scale and justify the resources to be committed to this, in order to meet the potential continuity requirements); 5) Provide technical assistance and advice for identification of business recovery sites for EBID in the sub-region, based on the various scenarios; 6) Provide a technical assistance plan for implementation of a parallel information system back-up center where data and applications could be saved in real time or in accordance with an acceptable frequency which anticipates any possibility of data loss; 4
7) Prepare a crisis management plan and a communication plan in a crisis situation; this plan must provide detailed profile of the stakeholders, their roles and responsibilities before, during and after the crises, as well as the procedures in line with good practice (ITIL, COBIT, etc.); 8) Identify the training needs for stakeholders of the BCP, for steering it and for sustaining it in operational conditions; 9) Support EBID in implementing the BCP («Call Tree Test», fire evacuation exercise, crisis management test; business recovery site test, data recovery test). V. DELIVRABLES 14. The Consultant shall submit a Business Continuity Plan in different volumes, as follows: 1) Volume 1: A Risk Mapping that would enable EBID to understand the threats and vulnerabilities having impact on the critical activities. This mapping must be detailed in a manner as to enable EBID understand the impact which such event could engender on its activities; 2) Volume 2: A Business Impact Assessment outlining the following key stages: a) Identification of activities and critical processes of EBID; b) Analysis of impact that could arise if there is a shutdown of these activities and of critical processes and determining the trend of this impact in the event of prolonged shutdown; c) Identifying and examining of any other critical activity that is contingent on suppliers, services providers and other stakeholders of EBID; d) Estimation of the target time for restoring the identified activities after a disaster; e) Estimation of resources (human, technical, logistical, suppliers) which each identified critical activity requires for its resumption; 3) Vol. 3: A Crisis Management Plan comprising: a. A proposal of typical organization of BCP stakeholders and their role in the Plan; b. A communication plan in a crisis situation; 4) Vol. 4: A strategic risk management plan for each identified critical activity with measures that enable: a. Reducing the probability of occurence of activity shutdown; b. Avoiding sudden business shutdown; c. Limiting the impact of a shutdown on the activities of EBID; 5
5) Vol. 5: A Business Recovery Site Plan comprising preparation of criteria for choosing of business recovery sites for EBID in the sub-region, based on the different scenarios; 6) Vol. 6: A Technology Recovery Plan comprising among others: a) A matrix of Bank data, classifying them by importance and clearly showing critical data; b) A back-up and recovery policy (for data in real time or according to the acceptable frequency and the software); c) A detailed sheet on installation, configuration and disaster recovery of each server (operational system, users access, etc.); d) A detailed sheet on installation, setting and disaster recovery for each software; e) The Terms of Reference (ToR) for choosing and putting in place of sites (local and remote) for data and software back-up and replication; 7) Vol. 7: The detailed procedures of the following tests: a) Call Tree Test; b) Fire Evacuation Exercice; c) Crisis Management Test; d) Business Recovery Site Test; e) Technology Recovery Site Test; 8) Vol. 8: A training plan for stakeholders of the BCP relating to its management and sustenance under operational conditions; 9) Vol. 9: A continuous improvement plan of the BCP comprising: a) Exercises and tests to be carried out periodically, in consonance with the perimeter of the Business continuity management system (BCMS) that allows a review of the adequacy of the Plan to exigencies linked to EBID s activities; b) A definition of the monitoring and evaluation measures to be carried out with a view to guaranteeing sustainability of the activity situation; c) A revision policy of the BCP to ensure adequacy and efficiency; d) An internal audit plan of the BCP taking into account analysis of the business, evaluation of risks and mitigation measures for these risks; 10) All other documents or deliverables which the Consultant shall deem pertinent. 15. The deliverables shall be submitted in five (5) physical copies and in electronic medium in French and in English. 16. The Consultant shall submit a provisional version of each deliverable of his mission to EBID within the timeframe agreed in the contract and shall make an oral presentation of his assignment. 17. Within eight (8) working days following receipt of the provisional versions, EBID shall make its written observations on these versions and submit these to the Consultant; 18. Within eight (8) days following receipt of EBID s observations, the Consultant shall submit the final documents to EBID in the form and quantity required in the contract. 6
VI. TIME FRAME OF THE MISSION 19. The present mission shall be executed within sixty (60) calendar days (this duration does not include the timeframe for implementation). VII. PROFILE OF THE CONSULTANT 20. The Consultant (preferably a firm) must meet the following conditions: a) Have a confirmed experience of at least five (5) years in preparing manual of procedures; b) Have a sound experience and proven knowledge of the banking environment; c) Have a sound experience on missions relating to preparation of Business Continuity manual ; d) Have proven advanced qualifications (minimum Master s degree) in corporate management, business administration, law, management or any other equivalent certificate (submit CV of the staff dedicated to the mission); e) A sound experience on similar contract with financial institutions operating in ECOWAS countries would be an advantage; f) Have proven skills (training and implementation) in familiarity with ISO 22301 (or current similar standards) and ability to diagnose information systems. VIII. MODALITIES FOR EXECUTION OF THE MISSION 21. The practical modalities for execution of the above-stated mission shall be defined in a contract to be signed between the successful Consultant and EBID. IX. OBLIGATION OF EBID 22. EBID shall provide the Consultant with all information required for carrying out its mission. X. EVALUATION CRITERIA 23. Proposals from bidders shall be assessed in line with the following criteria: a) General qualifications and skills for the assignment to be carried out: 20%; b) ISO22301 or similar certification: 10%; c) Experience in the preparation of manuals of procedures: 10%; d) Specific experience in the assignment described in the terms of reference: 30%; e) Methodology: 30%. 7
24. Only technical offers that would have obtained 75% or more points shall have their financial offers examined. 25. The Consultant shall bear all medical insurance costs and all medical costs during execution of his services as well as all transport and accommodation costs necessary for the mission. 26. The Consultant shall take all steps with a view to obtaining visas and / or residence permit he will need to carry out his assignment and fulfill his obligations related to the contract. The Bank shall provide assistance to the Consultant in his initiatives whenever this shall be necessary. XI. SUBMISSION OF OFFERS 27. The bids shall be submitted in ONE (1) sealed envelope containing TWO (2) DISTINCT ENVELOPES: 1) One envelope N 1 containing three printed versions of the technical proposal/offer (original + two [2] copies), the administrative documents (documents attesting to the legal existence of the firm, up-to-date payment of social security contributions and tax obligations) as well as every information deemed indispensable for execution of the contract, except financial proposal/offer; 2) One envelope N 2 containing three printed versions of the financial offer expressed in US dollars (original + two [2] copies). The financial offers shall be expressed less of tax. The bidder shall ensure that his financial offer is valid for at least ninety (90) days, with effect from the deadline for receiving of the submissions as indicated here-above. 28. The service provider is advised to note that the copy marked «Original» of both the technical offer and the financial offer shall take precedence over all other versions of the document. 29. The sealed envelope bid containing the two numbered envelopes shall bear the following inscriptions: «Bid for drafting of a Business Continuity Plan (BCP) for EBID», «To be opened only in session. 30. The deadline for submission of tenders has been fixed at May 15, 2018, at 3.00 p.m. GMT. All bids must be submitted at the following address: ECOWAS BANK FOR INVESTMENT AND DEVELOPMENT 128, Bd. du 13 janvier, BP 2704, Lomé Togo Tél: +(228) 22 21 68 64 Fax: +(228) 22 21 86 84 31. Bids are not to be submitted by electronic mail. 32. EBID shall only acknowedge proposals/bids submitted within the specified time and date mentioned above. 8
33. EBID reserves the right not to give any response to the present invitation to tender. 34. For further information or clarification, the bidders are requested to contact either of the following persons at least five working days before the deadline mentioned above for the submission of tenders,: a) Jean Luc Assah: jassah@bidc-ebid.org; or b) Mensan Amégavie: mamegavie@bidc-ebid.org. 9