BANCA D’ITALIA - Eurosistema

Business Continuity: the Italian Experience

Ravenio Parrini
Payment System Oversight Office
Banca d’Italia

Budapest, 14 November 2007

Page 2: Index

1 Business continuity initiatives in Italy
2 Specific rules issued by Banca d’Italia
3 CODISE: the National Joint Working Group
4 Summing up

Page 3: Italian experience on BC…

September 2003: National black-out

Within a few seconds the national power grid collapsed:
• people trapped in lifts
• traffic lights switched off
• mobile network down
• congestion in the public switched telephone network
• national railway system blocked
• fuel pump stations blocked
• …

BC is an issue to take into account!!

Page 4: Business Continuity (BC) key issues

– major operational disruptions can result from unpredictable events (September 11th, National black-out);
– growing complexity of financial market infrastructures;
– interdependency (cross-systems, cross-operators, cross-countries): no one is an island…
– Business Continuity of financial systems as a public good.

(1. “BC: initiatives in Italy”)

Page 5: The Italian Framework: two-layers approach

1. Single infrastructure/institution: i.e. increase the resilience of the single operator as a component of the overall national system; promote a common level in Business Continuity; … single financial operators are the “first line of defense” in a crisis situation.

2. National level coordination: i.e. a coordinating function with the tasks of assessing the requirements, organizing tests, managing crises.

In addition…
– a policy based on cooperation between authorities and financial operators;
– inclusion of individual business continuity plans within the scope of the scrutiny by the competent supervisory authorities.

Implementation:
– A national contact list
– The Joint Working Group (CODISE)
– Three Supervisory Guidelines on BC

(1. “BC: initiatives in Italy”)

Page 6: Index (same as page 2)

Page 7: 2. Specific rules issued by Banca d’Italia

At the end of 2004, after the public consultation, Banca d’Italia issued a set of Business Continuity Guidelines (see www.bancaditalia.it).

The Guidelines have been designed primarily for the three financial sectors: banking sector, payment system infrastructures, market infrastructures.

Some requirements…:
– Scope: services/operators (identified by the CODISE analysis) and major banks;
– BCP to be endorsed by senior level management;
– scenarios to be faced: disaster, cyber-attack, provider unavailability (as agreed in the CODISE WG);
– recovery objectives (RTO): 2-4 hours for vital services;
– back-up sites: different risk profile, staff duplication/relocation;
– emergency procedures: roles/responsibilities, crisis teams, utilities back-up, …

Page 8: BCP Assessment of Payment System Infrastructures

Financial operators’ BCPs are evaluated to verify compliance with the Banca d’Italia BC guidelines.

Assessment is based on:
– bilateral meetings with financial operators;
– evaluation of the periodical documentation received by Banca d’Italia;
– a set of ToR (Terms of Reference) derived from the BC guidelines and used in evaluating the operator’s BCP documents.

ToRs: a 35-item check list. A “rating” for each item:
– A (Fully observed);
– B (Broadly observed);
– C (Partially observed);
– D (Not observed).

ToRs are used to measure operators’ improvements in BC.

(2. “Specific rules …”)

Page 9: Time frame

Financial stakeholders in the scope of the guidelines had to:

By end 2004:
– produce a Business Continuity Plan (BCP) endorsed by senior management;
– communicate the BCP to Banca d’Italia.

By end 2006: implement the BCP.

Every 6 months: report to Banca d’Italia on the BCP phases completed.

(2. “Specific rules …”)

Page 10: Operator improvements in 2004-2006

– focus on Services (protecting Assets is not enough…);
– more emphasis on Resiliency (soundness, i.e. resisting disasters, is not enough… get ready to recover from “scratch”…), staff management, emergency procedures;
– plan for Large Crisis scenarios (managing risks from day-by-day operations is not enough… the objective is the company’s survival in case of disaster).

[Figure: a financial operator with its ASSETS (buildings, staff, ICT) at the 2004 end and its SERVICES/MISSION (trading, clearing, settlement, …) at the 2006 end.]

(2. “Specific rules …”)

Page 11: Improvements in 2004-2006

[Figure: a chart with the axes “What”, “How” and “Against What”, moving from 2004 (costs) to 2006 (survival).]

              2004               2006
What          Assets             Services
How           Soundness          Resiliency
Against what  Expected losses    Stress losses (Disaster)

Measures shown in the figure, from asset soundness towards service resiliency: physical security, logical security, reliability (MTBF), high availability, quality, maintenance, alternative sites, staff relocation, TLC recovery, ICT duplication, disaster recovery, risk analysis, audit, certifications, incident management, crisis team, alternative procedures, stakeholders coordination, contingency solutions, interdependencies reduction.

Page 12: Index (same as page 2)

Page 13: 3 - The National Joint Working Group (CODISE)

CODISE includes both authorities (all major supervisory functions) and major financial system representatives:
– coordinated by Banca d’Italia and Consob (stock exchange commission), with the presence of a representative of the Italian Government;
– operators of the main market infrastructures, major banking groups, major payment system service providers.

CODISE task: “to define the steps towards the System’s Business Continuity”, with the aim of limiting systemic risk.

Page 14: CODISE: Main Objectives

Scenario to face: large disruption (low probability, but large impact…).

Critical objectives to cover:
– liquidity issues (assure liquidity availability in case of crisis);
– trading, clearing and settlement infrastructures (resiliency of…);
– public confidence;
– link with cross-border systems.

(3. “CODISE: the National …”)

Page 15: The “CODISE” National Contact List

Immediate low-cost intervention: in the first quarter of 2003, a National Contact List for Financial Business Continuity was set up.

A contact list among CODISE members: each member declares its own crisis manager as “contact point” to be called in case of crisis (each list entry is composed of company name, contact point name, phone/fax numbers, e-mail addresses, alternative numbers).

The list is updated and activated by Banca d’Italia.

Periodic tests (about once a year) are carried out to ensure that the data stored in the list is fresh.

(3. “CODISE: the National …”)

Page 16: CODISE Workplan

– Identification of relevant services
– Selection of scenarios
– Impact analysis
– Implementation of emergency plans
– Test and improvement of plans

Main achievements of the CODISE analysis:

“Vital” services (i.e. operations to be completed before end-of-day):
– 8 financial services, 5 operators involved (trading, clearing, settlement – cash/securities);
– National ATM networks, 3 major providers involved.

Scenarios (to be considered in developing BCPs):
– Regional disaster;
– Cyber attack;
– Unavailability of an infrastructure/provider.

Interdependency among financial operators (a cross-map of the maximum tolerable outage among major operators).

Crisis procedures (a simple crisis communication procedure based on the national contact list).

(3. “CODISE: the National …”)

Page 17: Crisis coordination: liaison with ECB structures

A new role for CODISE: the joint group was set up as a forum among Italian operators to share information and to plan common initiatives on BC.

NOW it is also becoming the “local crisis team” for coordination at EU level.

Coordination structure:
– ECB-PSSC is the European Crisis Team (teleconference among PSSC members);
– the Italian PSSC member is also the Chairman of CODISE (Central Manager for Payment Systems and Treasury Operations of Banca d’Italia) and plays the role of national Crisis Coordinator (CC);
– two scenarios:
  1. Failure in an EU country: the PSSC teleconference allows PSSC members to share information; the Italian member (CC) can decide to activate the CODISE contact list to share information and to take local initiatives.
  2. Failure in Italy: the Italian Crisis Coordinator (CC) activates the CODISE contact list for local initiatives; he contacts the ECB-PSSC group to share information and coordinate initiatives.

(3. “CODISE: the National …”)

Page 18: Crisis Coordination: operation failure in EU

[Figure: diagram linking a foreign operator failure (country “A”), the national crisis coordination committee of country “A”, the national crisis coordination committees of the EU countries, the PSSC, CODISE, the national contact list and the Italian financial system.]

(3. “CODISE: the National …”)

Page 19: Index

Page 20: Summing up…

Main achievements:
– Common “Resilience Level” among major financial operators.
– “Open debate” on BC among authorities and financial operators.
– A simple coordination/communication procedure in case of crisis.

Next steps:
– more detailed crisis management procedures at national level;
– multi-year exercise plan with growing complexity.

Page 21: References…

Italian BC guidelines
• Payment system infrastructures:
  – http://www.bancaditalia.it/sispaga_tesor/ssp/infrastrutture/bi/linee/Linee_guida_SSP_en.pdf
• Market infrastructures:
  – http://www.bancaditalia.it/banca_mercati/supervisione/normativa/linee/guidelines/Guidelines_for_business_continuity.pdf
• Banking sector:
  – http://www.bancaditalia.it/vigilanza/banche/normativa/disposizioni/provv/requisiti_processi_rilevanza_sistemica.pdf

Financial-related documents
• High-level principles for business continuity (2005) (web site: http://www.bis.org/).
• Business Continuity Oversight Expectations for Systemically Important Payment Systems (2006) (web site: http://www.ecb.int/).
• Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (2002) (web site: http://www.sec.gov/).

Relevant web sites
• http://www.thebci.org/
• http://www.business-continuity.com/
• http://www.survive.com/
• www.bsi-global.com
  – see also BS7799, ISO 27001 (information security standards).