IMPLEMENTING BUSINESS CONTINUITY: A BANK OF ENGLAND PERSPECTIVE STEPHEN P COLLINS BANK OF ENGLAND.

IMPLEMENTING BUSINESS CONTINUITY:

A BANK OF ENGLAND PERSPECTIVE

STEPHEN P COLLINS

BANK OF ENGLAND

EFFECTIVE PLANNING

FOR AN EFFECTIVE CONTINGENCY PLAN, YOU NEED TO:

• Understand your business – what are the key activities?

• Assess the impact – on your institution and on others – of not being able to carry them out.

• Establish recovery time objectives – the point where loss of a key activity becomes critical to the business.

• Estimate what is required to provide an acceptable level of service, eg:

  - minimum staffing levels over time

  - minimum work-station and telephony requirements over time

  - minimum PC and server requirements over time

  - application requirements over time

RESILIENCE MEASURES

• Planning

• Testing/Exercising

• Contingency Sites

• IT Resilience

• Split-Site Working

• Remote Access

• BlackBerries

SCENARIO PLANNING

What are we planning for?

Five possible types of event:

• SERVICES: Loss of power, water, sewage to Bank locations

• COMMUNICATIONS: Loss or severe degradation of public and/or private telephone networks, including mobile networks

• SYSTEMS: Acute systems failure (eg successful virus attack)

• STAFF: Significant numbers of staff unable/unwilling to travel to work (eg transport disruption, civil emergency, flu pandemic)

• PREMISES: Loss of access to single or multiple Bank locations (eg fire/flood/bomb/something worse)

HIERARCHY OF PLANS

• Bank of England uses an integrated 3-tier structure of business continuity plans

  – High level plan

    • Used by executive and senior management: provides an outline plan of action, assigns responsibilities, identifies key people, and sets out who will be involved in the recovery process. Written and maintained by Business Continuity Division.

  – Core and Crisis Function checklists

    • Each function has an individual Action Summary checklist which briefly sets out the key actions required to cover each function. These are brief, cut across areas, and are in note format. Set format, but maintained by lead areas.

  – Local area plans

    • These set out what each area needs to do in the aftermath of an operational disruption, and who is responsible. Covers both core/crisis functions and other functions. Are more detailed and cover a longer time frame. We do not impose any set format for these plans.

Business Continuity planning – structure and ownership

[Diagram: the three plan tiers (High Level Plan; Core and crisis functions action checklists; Local area plans) shown against two columns. Drafting and testing responsibilities: Business Continuity Division; BCD and local areas. Plan ownership: Executive Team; Local Area management; All Staff.]

WHY TEST?

• To check the assumptions implicit in your plan

• To check that all parties have sufficient knowledge of the plan, and that the plan is adequately documented

• To check that proposed actions are achievable

• To check business resilience

• To check that strategies and technology are appropriate

• To generate confidence in the plan

WHAT SHOULD YOU TEST?

• Processes, not individuals

• Communication strategies

  – External interaction (customers, media, etc)

  – Contacting staff

• Plan content

  – Logical, realistic, no assumptions

• Interdependencies

  – Internal & external, including links with civil authorities

• Technology solutions

  – Component level, data centres, data restoration

• Alternative locations

  – Recovery sites, reciprocal arrangements

GENERIC FORMS OF TESTS

• Review of local area plans (do they complement or conflict?). Undertaken by a third party.

• Tabletop walk-through. Undertaken by the people mentioned in the plan, who talk through a given scenario. Focus on training, familiarisation with roles, procedures, responsibilities. But no need to arrange elaborate facilities or communications.

• Simulation. Uses a predefined scenario. May be announced or unannounced. As realistic as possible. Takes place in real time. May bring in “players” to act the roles of external bodies. May test facilities, communications, systems. All decisions and actions generate real responses and consequences from other players.

• Tests of kit, individual processes, premises.

Types of tests used at the Bank of England

• Phone cascades

• Desk-top scenario walk-throughs

• ‘Acted-out’ exercises (testing crisis functions)

• ‘Real-time’ scenario-based crisis management exercises (both internal and market-wide)

• Connectivity (kit) tests

• ‘Invacuation’ and ‘evacuation’ tests

• Live working from contingency sites

MARKET WIDE EXERCISE - HISTORY

• Annual exercise to test the resilience of the financial sector.

• First MWE in 2003.

• Previous scenarios have included floods and bombs – desktop and live-exercise simulation.

MWE 2006

• Human influenza pandemic.

• 70 UK firms took part with some 4,000 participants.

• Largest ever business continuity exercise.

• 6-week “rising tide” scenario covering several months in exercise time.

  – Starting at WHO stage 4 (limited human-to-human transmission) to stage 6 (widespread, worldwide impact).

THE TRIPARTITE AUTHORITIES

HM TREASURY

BANK OF ENGLAND

FINANCIAL SERVICES AUTHORITY

[Diagram with the headings GOVERNMENT/EMERGENCY SERVICES, TRIPARTITE AUTHORITIES and FINANCIAL PRIVATE SECTOR. Labels shown: COBR; Gold; HMT; DMO; Standing Committee; BC Sub-Group; Tripartite Press Group; FSA liaison; BoE liaison; CMBCG; MMLG; FXJSC; Other groups; FSC website/Teleconference; Members/Participants; All Firms; Counterparties; Exchanges; Markets; Clearing Houses; Payment Systems; Settlement systems.]

SCHEMATIC OF TRIPARTITE/MARKET LIAISON FOR CRISIS MANAGEMENT

[Diagram legend entries: Tripartite elements; Tripartite/market elements; Wider government elements; Tripartite/government elements; Tripartite/market info. exchange; Tripartite/wider government links; Tripartite info. to market.]

GLOSSARY

• BC Sub-Group – Business Continuity Sub-Group of the Tripartite Sub-Committee

• FSA – Financial Services Authority

• BoE – Bank of England

• HMT – Her Majesty’s Treasury

• DMO – Debt Management Office

• COBRA – Cabinet Office Briefing Room

• Gold – Strategic Planning Committee

• FSC – Financial Sector Continuity Website (www.fsc.gov.uk)

• CMBCG – Cross Market Business Continuity Group

• MMLG – Money Markets Liaison Group

• FXJSC – Foreign Exchange Joint Standing Committee