DBS is a leading financial services group in Asia
Operates over 280 branches across 18 markets
Headquartered and listed in Singapore, with a growing presence in three key
Asian regions:
Greater China
South East Asia
South Asia
Well capitalized; top long-term credit rating in APAC
Sources of crisis
DBS (1)
incidents such as technology incidents having enterprise-wide impact on essential banking
services, natural disasters with wide geographical area impact, safety-at-risk incidents (e.g.
terrorism) and other events leading to significant business disruption...
UOB (2)
The Group has a business continuity and crisis management programme in place to ensure
prompt recovery of critical business functions should there be unforeseen events
OCBC (3)
2015 was a challenging year for banks. Financial markets were volatile due to several factors,
including slow global economic growth, the collapse in oil prices, increased expectations from
regulators on capital, liquidity and compliance requirements
Source: Company
Notes:
(1) Annual Report 2015, page 101
(2) Annual Report 2015, page 102
(3) Annual Report 2015, page 62
Q1. Identify major crises the bank should prepare for. Explain.
Political / Legal
Increase in expected standards from regulators after recent events
BSI
MAS directs BSI Bank to shut down in Singapore
...serious breaches of anti-money laundering requirements, poor management oversight of the bank's operations, and gross
MAS decision to withdraw BSI Bank's status as a merchant bank takes into account the repetitive lapses as well as the
MAS AML/CFT regime comprises four key elements, namely, strict regulation, rigorous supervision, effective
enforcement, and close cross-border co-operation.
Source: Investopedia
Economic
Technology
Which leads to:
Loss of customer data
Financial loss
Legal liability
Loss of trust
PwC survey:
Of the 175 bosses (of financial institutions) polled by PwC, 79% said they were concerned
or extremely concerned about cyber threats affecting their company's growth prospects.
This compares to 61% of chief executives across all industries who said they were worried
about online attacks.
PRINCIPLE 1: BOARD OF DIRECTORS AND SENIOR MANAGEMENT SHOULD BE
RESPONSIBLE FOR THEIR INSTITUTIONS' BUSINESS CONTINUITY MANAGEMENT.
Senior management should demonstrate that they have sufficient awareness of the
risks, mitigating measures and state of readiness by way of an attestation to the Board
of directors.
ASSESSMENT
Complied with this guideline
22
PRINCIPLE 2: INSTITUTIONS SHOULD EMBED BUSINESS CONTINUITY
MANAGEMENT INTO THEIR BUSINESS-AS-USUAL OPERATIONS, INCORPORATING
SOUND PRACTICES.
Units are responsible for the day-to-day management of operational risk in their
products, processes, systems and activities in accordance with the various frameworks
and policies. - DBS Annual Report 2015 pg 100
ASSESSMENT
Incorporated most of the guidelines.
Limited information on budget of BCM, succession plans, training programmes
Should include external parties in their BCM (e.g. IBM, DBS's outsourcing vendor)
PRINCIPLE 3: INSTITUTIONS SHOULD TEST THEIR BUSINESS CONTINUITY PLAN
REGULARLY, COMPLETELY, AND MEANINGFULLY.
Exercises are conducted annually, simulating varying scenarios to test the BCPs and
crisis management protocol.
The crisis management structure encompasses an incident management process from
the point of incident to crisis declaration and activation of the relevant committees or
teams to manage the crisis
ASSESSMENT
Should have included outsourcing vendor (IBM) in its BCM and review their
ability to meet the service and support criteria set by the bank
PRINCIPLE 6: INSTITUTIONS SHOULD PLAN FOR WIDE-AREA DISRUPTIONS.
ASSESSMENT
- Banks segment their branches based on location and the volume of transactions expected
to take place
- Outage of services in 2010: extension of bank operating hours
PRINCIPLE 7: INSTITUTIONS SHOULD PRACTISE A SEPARATION POLICY TO
MITIGATE CONCENTRATION RISK OF CRITICAL BUSINESS FUNCTIONS.
Decentralising the critical business functions in order to mitigate the risk of losing
multiple critical business functions from a single-zone disruption
ASSESSMENT
New initiative: Inclusion of cloud-based services (Amazon Cloud) for its services (first
of which for financial instruments)
Overall assessment
- Has sufficiently complied with the BCM guidelines
- Continuous improvement for the better through new initiatives - Cloud services
3. What measures should the bank take to reduce the likelihood and
impact of IT systems failure that can result in a banking service
downtime?
- Implement a disaster response & recovery plan
a) Perform scenario analysis
b) Establish recovery objectives and a Recovery Time Objective (RTO) in accordance with
governmental regulations, e.g. MAS Notice 644
c) Inform customers of downtime as soon as possible
- Proper implementation of disaster response plan
Include employees from various departments in the design of the response plan
Inform staff with regards to their roles in carrying out the response plan
Conduct rehearsals on a regular basis (e.g. once every year)
Periodic reviews of disaster response plan and ways to improve it
- Hire an In-house IT support team
- Greater familiarity with the bank's IT systems
- Able to resolve IT issues faster
- Systems Availability
- Develop built-in redundancies to ensure that a failure in any particular area does not disable the
entire network
- Ensure there are spares/backups to replace failed components
- Regularly conduct maintenance & analysis of IT systems
- Ensure that IT systems are running properly
- IT system reviews to identify any potential weaknesses that can be exploited
Cyberattacks
Measures to prevent Cyber attacks
Type of Measures | Measures | Effect
Preventive | Work with Internet Service Providers to detect and prevent any DDoS attacks; scale up bandwidth to better cope with increased website traffic | Reduces likelihood
Preventive / Detective | Set up firewalls and configure routers to detect and block unauthorised traffic | Reduces likelihood and impact
Internal Causes of
IT Systems Failure
Measures to prevent internal sabotage of IT systems
Type of Measures | Measures | Effect
Preventive / Detective | Intrusion detection and prevention systems to guard against network intrusion attacks; monitoring of activities by staff, especially in critical IT systems | Reduces likelihood and impact
User Access Management | Restrict employee access to IT functions which are relevant to their work via username & password | Reduces likelihood
Preventive | Inform staff of IT systems guidelines, e.g. Dos & Don'ts; implement penalties on employees who breach said guidelines | Reduces likelihood
4. Drawing from Marks & Spencer's Manchester Experience,
discuss how the bank should prepare for, respond to, and manage a
similar crisis.
Crisis: Terrorism
4 key learning points from the Manchester Experience
SS540 PDCA Cycle: BCM Implementation
1. Plan - Prepare for
Establish objectives & processes
Business Impact Analysis: identifies the impacts of loss or interruption over time
M&S: Small change/phone cards for people to call their families. Gave money for locksmiths
Establish a helpline for staff and their family to keep in contact
Establish an ongoing crisis support team for each branch
Emergency box containing key documentation and resources, such as cash and medical
supplies
2. Do - Prepare for
People Recovery strategies
M&S: Major incident management exercise for its corporate team in London
simulating the loss of one Computer Centre
Hold evacuation drills 4 times a year to simulate different scenarios and damage
level assessments to increase crisis preparedness
Highlight the importance of such drills to the employees
M&S: Had a predetermined secondary evacuation point which staff vacated to after
the first option was unavailable. However, they did not have a third option when the
second one was cordoned off
2. Do - Prepare for
Press Recovery strategies
M&S: Media were seeking information about the situation, especially how they are
handling people issues.
Operations Manager to contact people in charge to add message to website.
Hold press conferences/social media releases after the crisis to assuage stakeholders
negative sentiments and provide prompt updates on the situation.
M&S: Store manager had to undergo media training 3 hours prior to the interview with
Good Morning Britain Programme on TV
Provide regular media training workshops for staff annually to prepare them to handle
interviews/media coverage during a crisis
may affect corporate reputation as well
2. Do - Prepare for
Product Recovery strategies
M&S: Divert calls for the affected stores to helpline at the customer ordering centre at
Warrington
Alternative telecommunication links at recovery sites with regular testing
Address customers' queries promptly, find out what services were disrupted.
Upholds their reputation even during times of crisis
M&S: Required staff to go back to work on the 3rd day of the incident at the nearest
store to them to ensure that operations were ongoing.
Communicate the recovery plan to other branches
Sharing of staff information between branches
Clear guidelines for staff relocation and job duties
2. Do - Prepare for
Product Recovery strategies
M&S: Within almost a month, M&S Chairman announced that they will open 2 sites in
Manchester to re-establish trading position.
The quick response gave the opportunity to focus the efforts to get the Manchester
team together again
Ensure robust data protection in IT systems and proper data backup to recover
data
2. Do - Prepare for
Premise Recovery strategies
Create a clear map of the premise, e.g. location of cash & documents
Timely recovery of important data and prevent leakage of confidential
information.
M&S: Have different branches and warehouses elsewhere so it still can satisfy its
delivery orders
3. Check - Respond to
Monitor & measure process and outcomes against policies, objectives and
requirements for the products
3. Check - Respond to
Lessons learnt from M&S
2 people went missing while moving the staff from one evacuation point to another
Staff did not follow instructions or were not well prepared for a crisis situation
The evacuation plan may not be clear enough
The 2nd evacuation point was caught up within the wider police cordon and one was
too near to the building
2 evacuation plans are not sufficient
Assembly areas not thoroughly assessed, resulting in disruption
The store manager had to go through a 3 hour training for media interviews
Insufficient training prevents timely updates on the situation
Results in bad reputation and low confidence among critical stakeholders
4. Act - Manage
Improve process performance
2 people went missing while moving the staff from one evacuation point to another
Divide people into smaller groups & appoint people to do headcounts
Buddy system: get people to be responsible for each other
The 2nd evacuation point was caught up within the wider police cordon and one was too near to
the building
Predetermine sufficient evacuation points after thorough assessment
e.g. large assembly areas if there are large volumes of people; not too near to bombing
sites and outside the police cordon
The store manager had to go through a 3 hour training for media interviews
Regular media training workshops to handle interviews during a crisis
Should involve all staff, not just the store manager