CAYMAN ISLANDS MONETARY AUTHORITY XXIII Annual Conference of the Caribbean Group of Banking Supervisors BVI May 19th – 21st 2005 02/12/2018
Disaster Recovery and Operational Risk – Are we truly prepared?
Malcolm Eden, Deputy Head – Banking Supervision
Cayman Islands Monetary Authority
m.eden@cimoney.com.ky
Ph: 345-949-7089
The topic of this paper is “Disaster Recovery and Operational Risk – Are we truly prepared?” It will focus on issues as they relate to Banking Regulators and Licensees.
Disclaimer
The views expressed in this paper are those of the writer and do not necessarily reflect those of the Cayman Islands Monetary Authority.
Presentation Summary/Overview
- Introduction
- Operational Risk Management
- Basel Principles on Operational Risk Management
- Licensees’ Operational Risk Concerns
- Business Continuity Management
- Disaster Recovery Plans
- Mitigation of Risk through Insurance
- Our Regulatory Responsibility
- Conclusion
Introduction
- Caribbean dependence on tourism and international financial services
- Caribbean susceptible to natural disasters
Introduction
- Disaster Recovery and Operational Risk gaining greater prominence
- Cayman and the Ivan experience
- Hurricane Ivan, September 11th – 13th 2004
- Sixth most intense hurricane in Atlantic Basin
- Category 5 Hurricane, sustained wind speeds of 165 mph, minimum recorded central pressure of 910 millibars
- Total impact of Disaster CI$2.8 billion (183% of GDP)
- 90% of structures destroyed or damaged
- Approximately 10,000 cars estimated destroyed
Introduction
- Number of factors not taken into account prior to Ivan
- Disaster Recovery Plans should be sufficiently robust
- Survey sent to CGBS members
- Goal is to review key elements of a sound disaster recovery plan for both Regulators and Licensees in the context of operational risk
Operational Risk Management
- DRPs are a critical subset of an effective Operational Risk Management Strategy
- Basel Definition of Operational risk: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”
- Operational Risk includes internal fraud, external fraud, business disruption and systems failures, and damage to physical assets
Operational Risk Management
- Increase in the awareness of Op Risk and management thereof by Regulators and Licensees over past five years
- Op Risk being viewed more as a stand alone risk category
- Banks expected to have an appropriate Op Risk management strategy
Basel Principles on Op Risk Management
- Op Risk is distinct, and must be managed
- Op Risk should be subject to audit
- Senior management responsibility
- Identify and assess for all existing and new material products, activities, processes etc.
- Op Risk profiles and material exposures to losses to be monitored and reported continuously
Basel Principles on Op Risk Management
- Continual updating of policies, processes, procedures etc.
- There should be contingency and business continuity plans
- Banking supervisors to require that banks have an effective Op Risk management framework
- Supervisors to conduct regular independent evaluation
- Banks to make public disclosure
Key elements of a Sound Op Risk Management Strategy
- Stage 1. Op Risk identification
- Stage 2. Op Risk assessment
- Stage 3. Op Risk control procedure development and implementation
- Stage 4. Op Risk monitoring
- Stage 5. Op Risk control/mitigation
Licensees’ Op Risk Concerns
Primary operational risks identified:
- IT, systems and process failures
- External and internal fraud
- Disasters
- Failure of utilities service
- Change in regulatory regime
Business Continuity Management
Definition: BCM is “a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities”
Business Continuity Management
A disaster recovery plan is at the core of good BCM
A sound disaster recovery plan involves five broad phases:
- Conceptualization and Risk Analysis
- Disaster Recovery Plan Creation
- Training
- Testing and Validation
- Audit and Maintenance
Disaster Recovery Plans
- Creating a DRP requires a proactive organization-wide effort
- There should be a project timeline
- Each plan should account for emergency management, books and records backup and recovery, identification and backup of all mission critical systems, staff well being, regulatory reporting, communications with other regulators etc.
Disaster Recovery Plans
- Be as comprehensive as possible in the development of the plan
- Risk management processes of banks were found to be relatively robust (based on survey)
- Key deficiencies identified in DRPs through CIMA’s survey include plans not being tested, limited end-user involvement, significant focus on IT, plans not frequently updated, plans being too generic and alternative facilities not being adequately equipped
Mitigation of risk through insurance
Common element in good BCM is the use of insurance
Risks with insurance:
- Payment uncertainty
- Delayed payment
- Counterparty risk
Our Regulatory Responsibility
- As per Basel Core Principle 13, banking supervisors must be satisfied that banks have in place a comprehensive risk management process
- The review of licensees’ disaster preparedness must form a part of our supervisory procedures
- Survey of CGBS members revealed that all members have in place some program for monitoring and assessing operational risk as it relates to their licensees
Our Regulatory Responsibility
Additional factors that regulators should consider include:
- Regulators have two different sets of “clients” or customers
- The assistance that regulators will be called upon to give may be well outside the realm of a regulator’s normal duties
Conclusion
- Business continuity planning and disaster recovery should be made a priority
- The environment that we operate in makes us highly susceptible to countless events that could result in severe business interruption that could de-stabilize our financial systems