1

Business Continuity:

The sixth international payment system

conference MNB, Budapest

14 November, 2007

2

Business Continuity Management at the MNB

Péter Rajczy Integrated Risk Management

Magyar Nemzeti Bankthe central bank of Hungary

3

Introduction

• Operational risks in the central bank • Financial and reputational losses• Impact on the financial system of the

country• Risk management: Avoiding risk events /

mitigating impacts• Business Continuity Management: a

special tool to manage certain types of risks (system disruption, external events etc.

4

Questions to discuss:

• 1. A Historical Outline: BCM in the MNB• 2. Concept and Foundation• 3. Organisation and Responsibilities• 4. Maintenance of BCP/DRP database• 5. BCP in the minds and in the practice• 6. BCP at the Splitsite – the Immediate

Backup Centre• 7. The Key Personnel Project• 8. Logistics Centre: Planning the Future

5

1. A historical outline: BCM in

the MNB• 2002: KPMG. Interviews, presentation and

first steps: building up the bankwide system of BCM

• 2003: BCP data maintenance and testing: the great supply disruption test

• 2004: Overall revision of BCP/DRP data– business activities & resources,

interdependencies, BIA – BCP’s – tests

• 2005: First split site testing, training of local BCP officers

• 2006-7: Running a robust BCM; key persons• 2008: BCP in the new split site: the Logistic

Centre

6

2. Concept and Foundation

• BCM as a part of the integrated ORM

• Initial database and BIA: setting up the boundary conditions – what is the Worst Case Scenario (system downtime, missing key persons, buildings)

• Data acquisition and integrity• The role of the Crisis Management

Committee

7

3. Organisation and Responsibilities

• Starting with top-down sponsorship– maintaining data integrity, management of testing

• Department-based planning: bottom-up. Responsibility of the local BCP officers

• Crisis management:– Crisis Management Commitee (CMC):

decision about relocating business to split site

– Local Crisis Group (LCG) leader: activating single BCP’s

8

4. Maintenance of the BCP/DRP Database:

the ÜFO• a relational database to store basic

parameters for business activities, IT resources etc.

• maintenance: Central BCP Manager• data input: Local BCP Officers• storing documents• report queries• BCP/DRP print-outs• test print-outs

9

4. Maintenance of the BCP/DRP

database: the ÜFO (continued)

10

4. Maintenance of the BCP/DRP database

(continued 2)

• Structure of the database:– basic tables (organisation,

personnel, formulas etc)– business activities (data, priorities,

impact scaling etc)– resources (IT, Human, External,

Others)– dependency scales– action plans (BCP, DRP)– documents of certification (tests)

11

4. Maintenance of the BCP/DRP

database

(continued 3)• Functions of the database:– updating data

• Central BCP Administration: basic tables• local BCP Officers: BCP/DRP action plans• central BCP Officers: coordination

– business impact analysis (BIA)– data management

• reports: BCP/DRP sheets, activity/risk matrices

• other queries, look-ups• activity logging, integrity checks

12

4. Maintenance of the BCP/DRP database

(continued 4)• Business Impact Analysis

– rating business activities by:• priority• targeted recovery time (TRT)• dependency scale from resources

– rating resources by• operational reliability (downrisk) • maximal tolerated downtime (MTD)

– output: a list of recommended BCP’s

13

4. Maintenance of the BCP/DRP database

(continued 4)

• Business Continuity & Disaster Recovery Plans– Basic data– Preparation phase– Response phase – Alternative working process– Phase of recovery– Phase of making checks

14

4. Maintenance of the BCP/DRP Database

(continued 5)

• Testing a BCP– responsibility of the Local Crisis Group – depth of the tests:

• desktop check• test in a simulated environment• live test

– scope of the test• elementary: including one department• integrated: with cooperation of several

departments

– surveillance of test status (Central BC P Manager)

15

5. BCP in the minds and in the practice

• BCP: Is it a burden for everybody? • „Personal plans” vs bankwide BCP/DRP

framework: to be better prepared for the unexpected

• transparency of the network of responsibilities

• Side-effects: – lessons we learned during tests– realizing the need of controlled data

update• Risks of data integrity disruption

16

6. BCP and the Splitsite – the Immediate Backup Centre

• Broadening the boundary conditions: business continuity in case of major IT disruptions or physical shocks

• Remote site access in case of crisis– operating the communication in crisis

situation (telephone cascade)– preparation of the Crisis Management

Committee’s decisions– transport supply– error detection and helpdesk service

at the remote site

17

6. BCP and the Splitsite

(continued) • Crisis Managing Committee (CMC)• Taking decisions about:

– Starting work at an alternative site– Giving instructions to deviate from a

BCP• Efficiency of the informatical

background - „warming up”• Doing business in an unusual

environment (training rutines)

18

7. The Key Personnel Project

• Demonstrations, strike of transport workers, some food health cases

• Avian flu issues• 2007: need to expand BCP

boundary conditions to loss of key personnel

• Definition of Key Local Crisis Group: responsibility of the LCG leader

• Central administration in the ÜFO

19

8. The Logistics Centre:

Planning The Future • Plans to dislocate key functions wich

demand high security and availability (e.g. cash transport, note processing)

• Dislocating secondary (hot) site for data storing

• Establishing secondary IT (hot) site serving critical business processes

• Secondary site for continuing critical business processes in case of major disruption (Business Continuity Plan for missing site)