Friday, September 01, 2006

Business Continuity

In recent years, the incidents of terrorist attacks, natural disasters and contagious diseases (such as SARS and Avian Flu) have alarmed us the substantial risk of major operational disruptions to the financial system. Many financial institutions have seriously formulated their business continuity plan (BCP).

The three international financial regulators, namely IOSCO, Basel Committee under BIS, and IAIS, have just jointly released a paper titled "High-level Principles for Business Continuity". The purpose of this paper is mainly to support financial regulators to develop national / sector business continuity arrangements in order to improve resilience of financial systems to major operational disruptions.

The 7 high-level principles are:

  1. Board and senior management responsibility
  2. Major operational disruptions
  3. Recovery objectives
  4. Communications
  5. Cross-border communications
  6. Testing
  7. Business continuity management reviews by financial authorities

It is too boring to detail these principles here. You may find this paper for your own reading. I have just been drawn attention to its case study about the impact of 2003 SARS outbreak on HK's securities markets. The HK securities industry did not experience major operational disruptions as a result of the outbreak. None of the staff at any of the major investment banks contracted SARS. Staff at smaller retail brokers and other market participants also avoided infection.

I would like to highlight the following measures taken in the financial industy during the SARS outbreak:

  • Some working teams were split into two (each of which was capable of backing the other up) and members of one team would work from home.
  • Non-essential meetings with external parties were cancelled.
  • A casual dress code was introduced to facilitate the cleaning and disinfecting of clothing.
  • Flexible work hours were introduced to reduce taking public transport within rush hours.
  • Business travel in Asia was severely curtailed.

You may think the above measures, which can make our working life easier, should continue even after the SARS outbreak. With the advance of communication technology (e.g. Blackberry), we can make our working places more mobile and reduce the physical operation risk.

4 comments:

  1. Anonymous10:39 AM

    I remember those days during the SARS period. Unnecessary works were stopped and people concentrated on their (real) job.

    While business continuity is important (back-up is important), I have seen functions which are handled solely by one person. Others, just say that it is his/her job,not theirs.

    ReplyDelete
  2. Anonymous11:13 AM

    I would like to use BCP to illustrate that the function of Compliance is always misunderstood by even very senior people in the financial industry and an opportunity for others make the compliance people to share part of their responsibility (or to take some of the blame).

    I believe that as far as the compliance officer is concerned and what the compliance officer concerns about is whether the company has continuity planning. Perhaps he will review the plan itself for the purpose of detecting shortcoming (this in fact is internal auditor’s job).

    I have seen compliance people “requested” to attend preparation meetings, to review the plans, to stand-by as a key personnel in the central control room (what name it is called), to attend the post-review meeting. People said that the compliance people had to ensure the drill was properly performed and whether the drill was in compliant.. This was because business continuity planning and drill are compliance issues.

    I disagree. Yes, it has been written down that a firm needs BCP and BCP drills. Yet, the firm fulfills this requirement if there is a BCP and there are drills. Whether the plan can be effectively executed and whether the drills are effectively performed, I think is the job of senior executives of user departments and the internal auditors.

    Because of this misconception, either deliberately or ignorantly, compliance people have doing operational duties.

    ReplyDelete
  3. Agreed to Ban's observations. The line betweeen compliance and other internal control functions (e.g. operations, internal audit, risk management, etc.) is getting more blurred. While the scope of compliance function is not well defined, a compliance officer would sooner or later become 大打雜.

    ReplyDelete
  4. Anonymous12:06 PM

    You read my mind. I wanted to use a similar term to describe the function of compliance - 大眾打雜. I really hope that senior personnel will attend classes on Compliance because (1) to comply is their responsiblity and (2) they know what and how compliance is to be done.

    ReplyDelete