BCM Challenges in Indian Banking Industry - DRI-India

BCM – Challenges in IndianBanking IndustryBy – Brijendra YadavaDirector, Periculum Technology & Consulting ServicesJan’ 2012© 2012, www.periculum.inInternal1

Objectives & ImportanceRelevance in Financial Industry• Business Continuity Management (BCM) is particularly relevant tobanking sector as :-• It operates in high risk environments• Is part of crucial financial sector where capability to operatecontinuously is essential, both for the Bank and for its stakeholdersincluding customers• Growing BC Risks and challenges - Terrorism, Global Warming, Arabunrest, Financial turmoil– Impact is long-term and wider• Regulatory pressure• Financial Sector particularly vulnerable as they are clustered in highprofile business districts, have highly interdependent supply chain andstrategic importance impacts global economy + Financial stability• BC exercises becoming more complicated, more coordinated and moreconnected…• Financial sector itself is becoming more connected and increasinglycooperative realising the importance of taking an industry-wideapproach and benefits of knowledge-sharing amongst themselves© 2012, www.periculum.in Internal3

High Level Principles of BCBasel- IIPrinciple 5 - highlights cross-border communications during amajor operational disruption. Given the deepeninginterdependencies of financial systems across national boundaries, thisprinciple advises to adopt communication protocols that address situationswhere cross border communication may be necessary.Principle 6 - emphasises the need to ensure that BC plans are effective andto identify necessary modifications through periodic testing.Principle 7 - incorporate BCM reviews into their frameworks forassessing financial industry participants to ensure that participants are infact implementing appropriate approaches to BCM that reflect the recoveryobjectives adopted in accordance with Principles 1 and 3© 2012, www.periculum.in Internal6

BCM Challenges in Indian Banking Industry(Considering following BCM Lifecycle)© 2012, www.periculum.in Internal7

BCM Challenges in Indian Banking Industry• Know your Business - Banks business and strategic objectivesmust be clearly understood amongst the stake holders .Assets, geographies being served, people involved, premisesavailable, information technology being used, markets andgeographies to be served, product and service portfolios, keyservice providers, dependencies, etc.• BCRA - Consider “right case scenarios” rather than “worstcase scenario”. Have atleast following steps :- Identify Assess Measure Treat Measure Sign-off onResidual Risk Progressively increase Risk Appetite• Includes both Risk Prevention and Risk Mitigation• Adopting and following an approved RA methodology• Can be part of Enterprise Risk Management of an Orgn© 2012, www.periculum.in Internal8

BCM Challenges in Indian Banking Industry• BC Strategy - Preparing a fit for purpose BC or Resilience strategyis a challenge – BC always trying to catch up with dynamics ofbusiness growth• Many a times outcomes of Orgn specific BCRA and BIA are notconsidered. Very often, they have followiing gaps :-• More of a template filling exercise.• These should cover all key Business Units and functionsincluding service providers and key dependencies .• Its geographic scope must include all locations, cities, countriesand properties where orgn has presence• Fundamental premise - Follow Good Practice , Flexibility andsimplicity must be at the heart of BCM• The strategy must consider both localised incidents that impacts asingle location / premises or a city-wide incident or statewide oreven a national /regional incident like terrorism or political unrest© 2012, www.periculum.in Internal10

BCM Challenges in Indian Banking IndustryOther important considerations include :-• Technology Recovery Plan Considerations ( moredetails in following slides)• People Recovery Plans / HR Considerations• Recovery considerations for outsourced functions• BC Testing Considerations• Building BC Culture© 2012, www.periculum.in Internal11

Technology Recovery Plan Considerations• Core Banking System• Payment & Settlement Systems• NEFT• RTGS• SWIFT• ATMs• Other – ECS ( Electronic Clearance System), CTS (ChequeTruncation System) , Netbanking , Mobile banking, ContactCentre, Internal Messaging etc• Outsourced services© 2012, www.periculum.in Internal12

Core Banking System• Gartner defines a core banking system as a back-end system thatprocesses daily banking transactions, and posts updates to accountsand other financial records. Core banking systems typically includedeposit, loan and credit-processing capabilities, with interfaces togeneral ledger systems and reporting tools.• For a layman, Core Banking is synonymous with Running the Bank• It is the heart of a modern financial service organization and is allabout providing the banking customers with the right products at theright time through the right channels 24 hours a day, 7 days aweek through a multi location, multi branch network• While many banks run core banking in-house, there are some whichuse outsourced service providers as well. There are several Systemsintegrators like Accenture, IBM and HP which implement these corebanking packages at banks.© 2012, www.periculum.in Internal13

Top – 5 Core Banking Solution Vendors1 - FIS | Fidelity National Information Services (FNIS)Corebank, FIS Alltel Systematics, Sanchez Profile, HorizonACBS (Advanced Commercial Banking System), Kordoba,ALLprofits, MiSER, BancPac, Metavante2 Oracle Financial Services Software (formerly i-flexSolutions) Flexcube; Microbanker; Finware3 Infosys Technologies - Finacle4 TEMENOS - T24; T24 for Microfinance and CommunityBanking (MCB) formerly eMerge; GLOBUS; TEMENOSCoreBanking (TCB)5 - TCS FS - Tata Consultancy Services Financial Solutions -formerly FNS BaNCS - TCS BaNCS (formerly FNS Bancs -Financial Network Services B@NCS-24)Source : http://www.inntron.com/core_banking.htmlLogo and Trademarks belong to respective owners – used only for trg purpose.© 2012, www.periculum.in Internal14

Recovery Plan Considerations for Core Banking System• Involve all aspects of CBS• Test progressively from modular to integrated CBS testing• Main challenge is that most IT DR managers are either unwillingness orlack confidence to switch over operations from recovery site or DR Site.• Involve service providers in complete recovery planning, testing, reviewand improvement• Progressively ITDR must dovetail into holistic recovery and get drivenby organisations BC/Resilience strategy – This aspect must be reviewedby BC managers.© 2012, www.periculum.in Internal15

Payment & Settlement• Payment & Settlement System forms backbone of today’s Bankingenvironment• A robust and secure system of payment and settlement is one of the keychallenges of a Banks BCM. Its coverage includes all instruments ofpayment and settlement and Electronic Funds Transfer mechanism,ATM, & Point of Sale system• India would take necessary steps to comply with new internationalstandards for payment, clearing and settlement systems as per RBIGuidelines• CPSS and the Technical Committee of the International Organization ofSecurities Commissions (IOSCO), have already issued a draft forconsideration with a proposal that national bodies would startintroducing the new standards into their laws by the end of 2012.© 2012, www.periculum.in Internal16

CPSSPayment & Settlement• Committee on Payment and Settlement Systems (CPSS) of BIS• The Committee on Payment and Settlement Systems (CPSS) contributes tostrengthening the financial market infrastructure through promoting sound andefficient payment and settlement systems. Incorporated in Basel – II as well.• Created in 1990, CPSS serves (G-10) to monitor and analyse developments indomestic payment, settlement and clearing systems as well as in cross-borderand multicurrency settlement schemes.• CPSS recommends that central banks and other authorities review policies inlight of the increasingly integrated nature of the global financial infrastructure.• Lays down framework for analysing the risks of interdependencies, along withspecific recommendations for the industry, including integrated BC testingpractices along-with interdependent parties on a domestic and cross-borderbasis.© 2012, www.periculum.in Internal17

NEFT• National Electronic Funds Transfer (NEFT) is a nation-wide paymentsystem facilitating one-to-one funds transfer. Under thisScheme, individuals, firms and corporates can electronicallytransfer funds from any bank branch to any individual, firm orcorporate having an account with any other bank branch in thecountry participating in the Scheme.• For being part of the NEFT funds transfer network, a bank branchhas to be NEFT- enabled.• Presently, NEFT operates in hourly batches - there are elevensettlements from 9 am to 7 pm on week days (Monday throughFriday) and five settlements from 9 am to 1 pm on Saturdays• There is no limit – either minimum or maximum – on the amount offunds that could be transferred using NEFT. Per transaction islimited to Rs.50,000/- for cash-based remittances© 2012, www.periculum.in Internal18

RTGS• The acronym 'RTGS' stands for Real Time Gross Settlement, whichcan be defined as the continuous (real-time) settlement of fundstransfers individually on an order by order basis (without netting).• RTGS system is primarily meant for large value transactions. Theminimum amount to be remitted through RTGS is ` 2 lakh. There isno upper ceiling for RTGS transactions.• In RTGS, the beneficiary bank has to credit the the beneficiary'saccount within two hours of receiving the funds transfer message.• As on September 29, 2011, there are more than 78,000 RTGSenabled bank branches.© 2012, www.periculum.in Internal19

RTGS & NEFT• NEFT is an electronic fund transfer system that operates on aDeferred Net Settlement (DNS) basis which settles transactions inbatches. In DNS, the settlement takes place with all transactionsreceived till the particular cut-off time. These transactions are netted(payable and receivables) in NEFT whereas in RTGS thetransactions are settled individually. For example, currently, NEFToperates in hourly batches - there are eleven settlements from 9 amto 7 pm on week days and five settlements from 9 am to 1 pm onSaturdays. Any transaction initiated after a designated settlementtime would have to wait till the next designated settlement timeContrary to this, in the RTGS transactions are processedcontinuously throughout the RTGS business hours• Both the remitting and receiving must have core banking in place toenter into RTGS transactions. Core Banking enabled banks andbranches are assigned an Indian financial system code (IFSC) forRTGS and NEFT purposes.© 2012, www.periculum.in Internal20

RTGS & NEFTPayment & Settlement• India’s RTGS & NEFT are like any global financial system has a set ofinterlinked networks of markets, systems, and participants.• Such a system should be resilient enough to withstand disruptions aspotential impact of a major operational disruption may incapacitate thefinancial system.• A holistic recovery plan incorporating all networked components and entitiesis a must for NEFT . Its testing should be carried out in a stringent manner soit gives a high level of continuity assurance• In a networked environment, security is as strong as the weakest link• SWIFT - Society for Worldwide Interbank Financial Telecommunication :Company HQ in Brussels, Belgium. Provides secure messaging services andinterface software to wholesale financial entities. Demands cross-bordercoordination with connected financial entities. Robust and Resilient IT Infra.© 2012, www.periculum.in Internal21

RTGS & NEFTPayment & Settlement• RTGS and NEFT demands special emphasis on Technology Recovery asspecial IT equipment including switches, hardware, software solutionand other network components are used.• Enough redundancy should be present in the system architecture andbackup processes• Integrated tests for RTGS/NEFT , remote / alternate / recovery siteworking should be periodically tested and proved.• HR plans should specifically consider continuity, retention andsuccession of key staff having knowledge and skills to work on the system• Capability and commitment of services providers and third partiesshould be fully ensured.© 2012, www.periculum.in Internal22

ATMs• Automated Teller Machine is a computerized machinethat provides the customers of banks the facility ofaccessing their account for dispensing cash and to carryout other financial & non-financial transactions withoutthe need to actually visit their bank branch.• ATMs primarily enables cash dispensing. In addition,ATMs may have many services/facilities enabled by thebank owning the ATM such as:– Account information– Cash Deposit– Regular bills payment– Purchase of Re-load Vouchers for Mobiles– Mini/Short Statement– Loan account enquiry etc© 2012, www.periculum.in Internal23

ATMs• ATM - Remember Client Perspective – “Any Time Money” and Anywhere too.Hence 24*7*365 operations across all locations ( Think MTPoD and RTO ) . Ensuringno disruption in key internal processes :-• ATM Reconciliation ProcessEnsuring periodic and timely reconciliation in bank central operation process,should be priority no. 1. Addressing all interdependencies, periodic &integrated testing of recovery plans• Cash ReplenishmentSound Internal process to ensure timely, safe & efficient replenishment is amust for continuous operations of any ATM. The task of cash replenishmentmay also be outsourced to a service provider.• ATM ConsumablesPrinting consumables is also an important operations that need to be preparedproperly. Ensuring a continuous supply chain is must.There are other ATM risks during day to day Operations Interaction© 2012, www.periculum.in Internal24

Key HR Recovery Challenge for BanksManagement Succession• Succession of key appointments like Directors and Senior Manage mentOfficers must comply with the articles / memorandum and bylaws of thecompany/Bank.• Following key factors may be evaluated when selecting alternates :-• Long term business strategy of the company• Key areas where change or continuity is required• Key strengths and weaknesses of personnel and employees includingpotential and past performance , and how they relate to strategy andneeds of the organisation both in short and in long term• How best to develop the abilities of personnel to match strategy andneeds• External talent, staffing options© 2012, www.periculum.in Internal25

Managing ContinuityOutsourced Functions• Outsourcing is contracting with another company or person to do aparticular function.• Almost every organization outsources in some way for multiple reasons• Normally, the function being outsourced is considered non-core to thebusiness• Managing continuity in outsourcing becomes more challenging especiallywhen functional activities are being done in a different country (called offshoring), since that involves language, cultural and time zone differences• Organisations & regulators are now looking more closely at social &political risks including financial stability at the off-shored location• Un-coordinated BC arrangement between “offshored” and parent “send”locations gives rise to false BC assurance© 2012, www.periculum.in Internal26

Managing ContinuityOutsourced FunctionsWith a view to have effective BCM for outsourced functions, following must beconsidered :-• A realistic analysis of BC capability must be done before a function is outsourced• Depending on criticality of service provided, BC arrangement and their measure ofeffectiveness must be incorporated in the SLAs• BIA at off-shored location must consider impact of local disruption on “send” site• If BC Strategy is “Revert to Send”, then its efficiency must be regularly tested• Organisations must think “Right Shoring” - Right location, right service levels,acceptable risks and retaining critical mass of key capabilities to provide bestpossible customer experience.• Both parties must participate atleast once a year for an end to end integrated BCtests© 2012, www.periculum.in Internal27

Need during BC IncidentsEmergency Powers• Special times – special powers. Expect standard controls/checks andbalances to be loosened. Expect higher financial powers• Such powers must be excercised judiciously. With clear and visible intent.• Quick & well informed management decision is key to successful incidenthandling.• Organisation must provide for emergency powers to incident managementteams to minimise losses• Such powers should be pre-approved by the board and promulgated acrossthe organisation. These must be able to withstand any scrutiny whencrisis/incident is over• Such powers must cover all function necessary for incident managementand holistic business recovery© 2012, www.periculum.in Internal28

BC Challenges - Testing of BC PlansObjectives and Benefits• Organisation must test the effectiveness of their BC plans.• At the minimum all BC plans including incident management plans must betested at-least once a year or incase of any major change in the orgn• Testing should be both modular and integrated• Testing is more about reviewing and improving. Its not about passing or failing.• Testing provides opportunity for staff to gain familiarity with their businesscontinuity roles and help them perform their expected activities.• A good testing approach builds camaraderie across diverse functions in anorganisation. It is a strong team building event• All businesses/functions based out of a site are required to participate(depending on the exercise scenario)• Outcomes of BC tests results brings out gaps in an orgn BC Plans . Such gaps canbe covered with a focussed approach• Test reports are key documents from Audit/Regulatory perspective© 2012, www.periculum.in Internal29

BC Testing(Suggested Ground Rules)• Integrated Tests/Exercise for BCM and conducted in a manner that they balancebetween realism (in test scenario) and at the same time ensuring minimum or NilBusiness Impact.• BC should cover all businesses and functions of an organisation• Organisation must define Minimum staff participation (max can be upto 100% )For example :-• Evacuation exercise – All Present in the premises• BC Recovery exercise – 40 % (or as per recovery team size) etc.• Process level participation – 100% (Depending on scenario)• Special consideration and involvement for outsourced functions• Any exemption to above be approved by Overseeing Committee• Nominate external observers to ensure impartial/objective test reports© 2012, www.periculum.in Internal30

Major Challenge - Embedding BC CultureMaking BCM part of Bank’s DNA• Arguably the most difficult and arduous element of a BCM System, at the same timeone of the most essential too• An organisation’s ability to respond to a B C incident , and its capacity to recoverfrom a disruption depends directly on the awareness levels, understanding, skillsand experience of its stakeholders including employees• Key Qs that this element answers is ARE YOU PREPARED ? WILL YOU BE ABLE TORESPOND ?• In times of crisis, every employee of the organisation at levels must know, what is itthat he or she suppose to do ?• Organisation must move from “Document Centric” BCM to “Action Centric” BCM.• There wont be time to refer to documents during crisis event…answer is train,practice, drill, test… with an aim to continuously improve and embed culture ofBCM© 2012, www.periculum.in Internal31

Activities InvolvedEmbedding BC Culture• Demonstrated Management Commitment – Vision statement, Funds, resourcecommitment and dedicated BC team within an Orgn.• Making BCM a collaborative process, Business owned and business driven• Developing and implementing a comprehensive :-• Training and Awareness plan covering all stakeholders and focus group• Audit Plan that includes BCM• Modular and Integrated Testing Plan• Change Management Process covering BC elements• Integrate BCM in orgn rewards and recognition program• Include BC roles and responsibilities in Job Description of employees• Include external dependencies in BC testing and drills• Include BC objectives in performance evaluation & appraisals© 2012, www.periculum.in Internal32

Embedding BC CultureTraining & Awareness ProgramFollowing are key considerations for BCM training and awareness program :-• Cover all staff and focus groups including all business and support functions• Encourage participation of external service providers• Inclusion of BCM in Induction program for new joiners• Multimedia modes of awareness that includes• Videos• Flyers• Email Newsletters• Road shows• Posters• Websites• Conduct Special promotion weeks/events/workshops/seminar• Promote BC education and training coursesOrganisations must monitor and measure effectiveness of Training and AwarenessProgram© 2012, www.periculum.in Internal33

Embedding BC CultureTraining & Awareness ProgramFollowing are key considerations for BCM training and awareness program :-• Cover all staff and focus groups including all business and support functions• Encourage participation of external service providers• Inclusion of BCM in Induction program for new joiners• Multimedia modes of awareness that includes• Videos• Flyers• Email Newsletters• Road shows• Posters• Websites• Conduct Special promotion weeks/events/workshops/seminar• Promote BC education and training coursesOrganisations must monitor and measure effectiveness of Training and AwarenessProgram© 2012, www.periculum.in Internal34

Summary of Key Challenges• Approach and resources to building BC strategy – mostly template filling.Use of isolated excel sheets, application. Lack of use of Integrated BCsolutions (ERP approach)• Technology recovery. Huge dependencies on external vendors and entities .Most incidents are not threatening IT incidents. But any incident of IToutage has a huge impact – both direct and indirect• Realistic testing. Holistic approach. IT, Business , service providers work inisolation• Lack of Industry synergy. Forum exist that includes foreign captive banks.But no real synergised effort either through Banking Association or throughregulations• Weak enforcement by central bank (RBI) . Many RBI guidelines andinstructions exist but mechanism to enforce them and measure theireffectiveness are inadequate© 2012, www.periculum.in Internal35

Some Food for thought for banking industry …Remember what is the key driver for BCM ( ManagementIntent)- Is it Compliance/Highly regulatory environment of the financial industry ?- Is it because your competitors are doing it ?- Is it another tick in the box ?Or …Do you really want to have a resilient Bank ?© 2012, www.periculum.in Internal36

Thank YouFor feedback/suggestions : brijendra@periculum.inwww.periculum.in© 2012, www.periculum.in Internal37