Presentation on theme: "Business Continuity: the Italian Experience", Ravenio Parrini, Payment System Oversight Office, Banca d'Italia. Presentation transcript:
BANCA D'ITALIA - Eurosistema
Business Continuity: the Italian Experience
Ravenio Parrini, Payment System Oversight Office, Banca d'Italia
Budapest, 14 November 2007

Index
1 Business continuity initiatives in Italy
2 Specific rules issued by Banca d'Italia
3 CODISE: the National Joint Working Group
4 Summing up

Italian experience on BC
September 2003: national black-out. Within a few seconds the national power line system collapsed:
– people trapped in lifts
– traffic lights switched off
– mobile network down
– congestion in the public switched telephone network
– national railway system blocked
– fuel pump stations blocked
– …
BC is an issue to take into account!

Business Continuity (BC) key issues:
– major operational disruptions can result from unpredictable events (September 11th, national black-out);
– growing complexity of financial market infrastructures;
– interdependency (cross-systems, cross-operators, cross-countries): no one is an island…
– Business Continuity of financial systems as a public good.
(1. BC: initiatives in Italy)

The Italian Framework: two-layer approach
1. Single infrastructure/institution: i.e. increase the resilience of the single operator as a component of the overall national system; promote a common level in Business Continuity; … single financial operators are the first line of defense in a crisis situation.
2. National level coordination: i.e. a coordinating function with the tasks of assessing the requirements, organizing tests and managing crises.
In addition:
– a policy based on cooperation between authorities and financial operators;
– inclusion of individual business continuity plans within the scope of the scrutiny by the competent supervisory authorities.
Implementation:
– a national contact list;
– the Joint Working Group (CODISE);
– three Supervisory Guidelines on BC.
(1. BC: initiatives in Italy)

2. Specific rules issued by Banca d'Italia
At the end of 2004, after the public consultation, Banca d'Italia issued a set of Business Continuity Guidelines (see www.bancaditalia.it).
The Guidelines have been designed primarily for the three financial sectors: banking sector, payment system infrastructures, market infrastructures.
Some requirements:
– scope: services/operators (identified by CODISE analysis) and major banks;
– BCP to be endorsed by senior-level management;
– scenarios to be faced: disaster, cyber-attack, provider unavailability (as agreed in the CODISE WG);
– recovery objectives (RTO): 2-4 hours for vital services;
– back-up sites: different risk profile, staff duplication/relocation;
– emergency procedures: roles/responsibilities, crisis teams, utilities back-up, …

BCP Assessment of Payment System Infrastructures
Financial operators' BCPs are evaluated to verify compliance with the Banca d'Italia BC guidelines.
The assessment is based on:
– bilateral meetings with financial operators;
– evaluation of the periodic documentation received by Banca d'Italia;
– a set of ToR (Terms of Reference) derived from the BC guidelines and used in evaluating operators' BCP documents.
ToRs: a 35-item checklist. A rating for each item:
– A (Fully observed);
– B (Broadly observed);
– C (Partially observed);
– D (Not observed).
ToRs are used to measure operators' improvements in BC.
(2. Specific rules …)

TIME FRAME
Financial stakeholders in the scope of the guidelines had to:
– by end 2004: produce a Business Continuity Plan (BCP) endorsed by senior management; communicate the BCP to Banca d'Italia;
– by end 2006: implement the BCP;
– every 6 months: report to Banca d'Italia regarding the BCP phases completed.
(2. Specific rules …)

Operator improvements in 2004-2006
– focus on Services (protecting Assets is not enough);
– more emphasis on Resiliency (soundness, i.e. resisting disasters, is not enough… get ready to recover from scratch), staff management, emergency procedures;
– plan for Large Crisis scenarios (managing risks from day-to-day operations is not enough… the objective is the company's survival in case of disaster).
[Figure: Financial Operator. Labels: ASSETS (buildings, staff, ICT); SERVICES; MISSION (trading, clearing, settlement, ..); 2004, 2006.]
(2. Specific rules …)

Improvements in 2004-2006
[Figure. Axis labels: What, How, Against what. Category labels: ASSETS, SERVICES; Soundness, Resiliency; Expected losses, Stress losses (Disaster); costs, survival; 2004, 2006. Measures shown: physical security, logical security, reliability (MTBF), high availability, quality, maintenance, alternative sites, staff relocation, TLC recovery, ICT duplication, disaster recovery, risk analysis, audit, certifications, incident management, crisis team, alternative procedures, stakeholders coordination, contingency solutions, interdependencies reduction.]

3. The national Joint Working Group (CODISE)
CODISE includes both authorities (all major supervisory functions) and major financial system representatives:
– coordinated by Banca d'Italia and Consob (stock exchange commission), with the presence of a representative of the Italian Government;
– operators of the main market infrastructures, major banking groups, major payment systems service providers.
CODISE task: to define the steps towards the System's Business Continuity, with the aim of limiting systemic risk.

CODISE: Main Objectives
Scenario to face: large disruption (low probability, but large impact…)
Critical objectives to cover:
– liquidity issues (assure liquidity availability in case of crisis);
– trading, clearing and settlement infrastructures (resiliency of..);
– public confidence;
– link with cross-border systems.
(3. CODISE: the National …)

The CODISE National Contact List
Immediate low-cost intervention: in the first quarter of 2003, a National Contact List for Financial Business Continuity was set up.
A contact list among CODISE members: each member declares its own crisis manager as the contact point to be called in case of crisis (each list entry is composed of company name, contact point name, phone/fax numbers, e-mail addresses, alternative numbers).
The list is updated and activated by Banca d'Italia.
Periodic tests (~ once a year) are carried out to ensure that the data stored in the list is fresh.
(3. CODISE: the National …)

CODISE Workplan
– Identification of relevant services
– Selection of scenarios
– Impact analysis
– Implementation of emergency plans
– Test and improvement of plans
Main achievements of CODISE analysis
Vital services (i.e. operations to be completed before end-of-day):
– 8 financial services, 5 operators involved (trading, clearing, settlement – cash/securities);
– national ATM networks, 3 major providers involved.
Scenarios (to be considered in developing BCP):
– regional disaster;
– cyber attack;
– unavailability of an infrastructure/provider.
Interdependency among financial operators (a cross-map of maximum tolerable outage among major operators).
Crisis procedures (simple crisis communication procedure based on the national contact list).
(3. CODISE: the National …)

CRISIS COORDINATION: liaison with ECB structures
A new role for CODISE: the joint group was set up as a forum among Italian operators to share information and to plan common initiatives on BC. It is now also becoming the local crisis team for coordination at EU level.
Coordination structure:
– ECB-PSSC is the European Crisis Team (teleconference among PSSC members);
– the Italian PSSC member is also the Chairman of CODISE (Central Manager for Payment Systems and Treasury Operations of Banca d'Italia) and plays the role of national Crisis Coordinator (CC).
Two scenarios:
1. Failure in an EU country: the PSSC teleconference allows PSSC members to share information; the Italian member (CC) can decide to activate the CODISE contact list to share information and to take local initiatives.
2. Failure in Italy: the Italian Crisis Coordinator (CC) activates the CODISE contact list for local initiatives; he contacts the ECB-PSSC group to share information and coordinate initiatives.
(3. CODISE: the National …)

Crisis Coordination: operation failure in EU
[Figure. Labels: Foreign operator failure (country A); National crisis coordination committee (country A); PSSC; National crisis coordination committees (EU countries); CODISE; National contact list; Italian financial system.]
(3. CODISE: the National …)

Index
1 Business continuity initiatives in Italy
2 CODISE: the National Joint Working Group
3 Specific rules issued by Banca d'Italia
4 Summing up

Summing up…
Main achievements:
– common resilience level among major financial operators;
– open debate on BC among authorities and financial operators;
– a simple coordination/communication procedure in case of crisis.
Next steps:
– more detailed crisis management procedures at national level;
– multi-year exercise plan with growing complexity.

REFERENCES
Italian BC guidelines
Payment system infrastructures:
– http://www.bancaditalia.it/sispaga_tesor/ssp/infrastrutture/bi/linee/Linee_guida_SSP_en.pdf
Market infrastructures:
– http://www.bancaditalia.it/banca_mercati/supervisione/normativa/linee/guidelines/Guidelines_for_business_continuity.pdf
Banking sector:
– http://www.bancaditalia.it/vigilanza/banche/normativa/disposizioni/provv/requisiti_processi_rilevanza_sistemica.pdf
Financial-Related Documents
– High-level principles for business continuity (2005) (web site: http://www.bis.org/).
– Business Continuity Oversight Expectations for Systemically Important Payment Systems (2006) (web site: http://www.ecb.int/).
– Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (2002) (web site: http://www.sec.gov/).
Relevant Web Sites
– http://www.thebci.org/
– http://www.business-continuity.com/
– http://www.survive.com/
– www.bsi-global.com – see also BS7799, ISO 27001 (information security standards).