1 Business Continuity: The sixth international payment system conference MNB, Budapest 14 November, 2007

2 Business Continuity Management at the MNB Péter Rajczy Integrated Risk Management Magyar Nemzeti Bank the central bank of Hungary

3 Introduction Operational risks in the central bank Financial and reputational losses Impact on the financial system of the country Risk management: Avoiding risk events / mitigating impacts Business Continuity Management: a special tool to manage certain types of risks (system disruption, external events etc.

4 Questions to discuss: 1. A Historical Outline: BCM in the MNB 2. Concept and Foundation 3. Organisation and Responsibilities 4. Maintenance of BCP/DRP database 5. BCP in the minds and in the practice 6. BCP at the Splitsite – the Immediate Backup Centre 7. The Key Personnel Project 8. Logistics Centre: Planning the Future

5 1.A historical outline: BCM in the MNB 2002: KPMG. Interviews, presentation and first steps: building up the bankwide system of BCM 2003: BCP data maintenance and testing: the great supply disruption test 2004: Overall revision of BCP/DRP data –business activities & resources, interdependencies, BIA – BCP’s – tests 2005: First split site testing, training of local BCP officers : Running a robust BCM; key persons 2008: BCP in the new split site: the Logistic Centre

6 2. Concept and Foundation BCM as a part of the integrated ORM Initial database and BIA: setting up the boundary conditions – what is the Worst Case Scenario (system downtime, missing key persons, buildings) Data acquisition and integrity The role of the Crisis Management Committee

7 3. Organisation and Responsibilities Starting with top-down sponsorship –maintaining data integrity, management of testing Department-based planning: bottom-up. Responsibility of the local BCP officers Crisis management: –Crisis Management Commitee (CMC): decision about relocating business to split site –Local Crisis Group (LCG) leader: activating single BCP’s

8 4. Maintenance of the BCP/DRP Database: the ÜFO a relational database to store basic parameters for business activities, IT resources etc. maintenance: Central BCP Manager data input: Local BCP Officers storing documents report queries BCP/DRP print-outs test print-outs

9 4. Maintenance of the BCP/DRP database: the ÜFO (continued)

10 4. Maintenance of the BCP/DRP database (continued 2) Structure of the database: –basic tables (organisation, personnel, formulas etc) –business activities (data, priorities, impact scaling etc) –resources (IT, Human, External, Others) –dependency scales –action plans (BCP, DRP) –documents of certification (tests)

11 4. Maintenance of the BCP/DRP database (continued 3) Functions of the database: –updating data Central BCP Administration: basic tables local BCP Officers: BCP/DRP action plans central BCP Officers: coordination –business impact analysis (BIA) –data management reports: BCP/DRP sheets, activity/risk matrices other queries, look-ups activity logging, integrity checks

12 4. Maintenance of the BCP/DRP database (continued 4) Business Impact Analysis –rating business activities by: priority targeted recovery time (TRT) dependency scale from resources –rating resources by operational reliability (downrisk) maximal tolerated downtime (MTD) –output: a list of recommended BCP’s

13 4. Maintenance of the BCP/DRP database (continued 4) Business Continuity & Disaster Recovery Plans –Basic data –Preparation phase –Response phase –Alternative working process –Phase of recovery –Phase of making checks

14 4. Maintenance of the BCP/DRP Database (continued 5) Testing a BCP –responsibility of the Local Crisis Group –depth of the tests: desktop check test in a simulated environment live test –scope of the test elementary: including one department integrated: with cooperation of several departments –surveillance of test status (Central BC P Manager)

15 5. BCP in the minds and in the practice BCP: Is it a burden for everybody? „Personal plans” vs bankwide BCP/DRP framework: to be better prepared for the unexpected transparency of the network of responsibilities Side-effects: –lessons we learned during tests –realizing the need of controlled data update Risks of data integrity disruption

16 6. BCP and the Splitsite – the Immediate Backup Centre Broadening the boundary conditions: business continuity in case of major IT disruptions or physical shocks Remote site access in case of crisis –operating the communication in crisis situation (telephone cascade) –preparation of the Crisis Management Committee’s decisions –transport supply –error detection and helpdesk service at the remote site

17 6. BCP and the Splitsite (continued) Crisis Managing Committee (CMC) Taking decisions about: –Starting work at an alternative site –Giving instructions to deviate from a BCP Efficiency of the informatical background - „warming up” Doing business in an unusual environment (training rutines)

18 7. The Key Personnel Project Demonstrations, strike of transport workers, some food health cases Avian flu issues 2007: need to expand BCP boundary conditions to loss of key personnel Definition of Key Local Crisis Group: responsibility of the LCG leader Central administration in the ÜFO

19 8. The Logistics Centre: Planning The Future Plans to dislocate key functions wich demand high security and availability (e.g. cash transport, note processing) Dislocating secondary (hot) site for data storing Establishing secondary IT (hot) site serving critical business processes Secondary site for continuing critical business processes in case of major disruption (Business Continuity Plan for missing site)