Business Continuity Management Policy and Framework

May 2010

This document is the sole property of the South African Reserve Bank and may not be copied or used for any purpose other than intended by the owner. If found, please return to The Manager, Business Continuity Management, Currency and Protection Services Department, South African Reserve Bank, P.O. Box 427, Pretoria, 0001.

1. Scope and background

The financial sector, of which the South African Reserve Bank (the Bank) is an integral part, is of cardinal importance to the wellbeing of South Africa. The other key stakeholders are Government and the various participants in the financial industry, which comprise entities such as the commercial banks, the exchanges, the settlement functions and the various regulators, as schematically depicted in the following diagram.

None of these members can exist in isolation; they depend on the effective functioning of each other in the financial process. It is therefore futile to address business continuity unless it is done holistically, so that all members of the financial sector, individually and collectively, are able to continue with critical financial operations in the event of a major disruption.

The Bank’s executive management, primarily as governance and business requirements, directed that a Business Continuity Management (BCM) capability be established for the Bank as a whole.

This policy document, including all supporting policies, structures, control measures, processes, procedures and interdependencies[1], attempts to establish a framework of preventative, mitigating and ameliorating measures that will enable the Bank to cope with various levels of disruption or security incidents. Central government and the financial industry are not included in the scope of this document.

The Financial Sector Contingency Forum (FSCF) has been mandated to ensure the establishment of an effective BCM capability in the South African financial sector, and the Bank will continuously endeavour to align its implemented BCM discipline with the control measures developed by the FSCF.

2. Policy statements

2.1. The personnel of the Bank are its most valuable resource and the preservation of human life should be the primary consideration at all times.

2.2. Every department in the Bank is directed to have a Business Continuity Plan (BCP) that is commensurate with its critical business requirements.

2.3. Departments or business areas within the same operational business environment, alternatively known as clusters[2] (Annexure A), are directed to ensure the effective functioning and continuity of their individual critical business processes within the broader cluster environments.

2.4. BCP documents should consist of effective control measures in terms of personnel (critical and other staff), processes and procedures, as well as infrastructure (premises and technology). These control measures should enable the Bank to prevent, mitigate, ameliorate and recover, within the minimum required timeframes[3], from any disruption[4] that could impact negatively on its critical business processes.

2.5. BCPs shall be evaluated, tested and maintained, at least biannually, to ensure that they are current, effective and functional.

3. Policy objectives

3.1. This policy document represents the Bank's BCM commitments and directives. It further serves to ensure the existence and maintenance of a single framework for the management of a BCM discipline in the Bank.

3.2. Primarily, the aim of this document is to enable the Bank to manage its risks effectively and efficiently and, in the event of a major disruption, to meet specifically the following objectives:

3.2.1. provide for the timeous availability of all key resources necessary to operate the critical business processes;

3.2.2. limit the impact on staff;

3.2.3. maintain and bolster market confidence;

3.2.4. maintain contact with key stakeholders;

3.2.5. comply with legal and governance requirements, such as the Occupational Health and Safety Act, as well as the King Report on Corporate Governance for South Africa (King III) and the King Code of Governance Principles; and

3.2.6. manage costs effectively and efficiently.

4. Policy application and compliance

This policy applies to the Bank’s workforce[5]. Compliance therewith is required in all aspects of the Bank's business operations. Any person who wilfully or negligently disregards this policy and its implementation shall be subject to the Bank’s disciplinary process.

5. Policy constraints

5.1. Establishment of an adequate BCM capability and effectively catering for any major disruption are dependent on the availability of a budget, skilled staff and consideration of operational priorities.

5.2. Effective BCP is dependent on the availability of skilled resources at all times. Due to its specific nature the Bank has centralised all its primary business functions within a single building. This situation therefore creates a risk for the Bank of possibly not being in a position to respond effectively to a crisis situation, should the nature of the incident be such that critical staff are incapacitated and/or the Head Office building is inaccessible.

6. Policy directives

6.1. Organisational structures, accountabilities and responsibilities

6.1.1. In terms of King III the Bank’s Board of Directors is accountable for Business Continuity Management.

6.1.2. The Governor’s Executive Committee (GEC) acts as the final decision-making authority for BCM in the Bank.

6.1.3. The Management Committee (MANCO), chaired by a deputy governor, is the central steering committee for BCM in the Bank and is accountable to the GEC in this regard.

6.1.4. The Bank’s Business Continuity Management Committee (BCMC) is tasked with carrying out the directives of MANCO in terms of the coordination of a bank-wide BCP.

6.1.4.1. The BCMC serves as an operational steering committee function, guiding the operational management of BCM activities.

6.1.4.2. The deputy governor who chairs MANCO also chairs the BCMC.

6.1.4.3. The head of department responsible for BCM is the deputy chairperson of the BCMC and acts as the chairperson of the BCMC meetings under normal conditions.

6.1.4.4. The BCMC provides the necessary BCM integration and facilitation between the Bank’s Executive, MANCO and the departments, providing the necessary expertise and support where necessary.

6.1.5. The BCMC also serves as the Bank’s official Crisis Management Committee, with the following responsibilities:

6.1.5.1. It responds to any crisis or disruptive situation that has the potential to escalate to a BCP invocation, irrespective of its nature.

6.1.5.2. The chairperson may decide to mobilise all or only specific members of the Crisis Management Committee or co-opt any other relevant parties, depending on the particular incident or situation.

6.1.5.3. The chairperson will authorise regular escalation of information and the mobilisation of the relevant support functions.

6.1.5.4. The primary meeting venue of this committee will be in the Bank’s Head Office building or the Bank’s alternate site facility, should the Head Office building not be accessible.

6.1.6. The following Heads of Department or business areas constitute the broader BCMC:

6.1.6.1. Currency and Protection Services

6.1.6.2. Business Systems and Technology

6.1.6.3. Financial Stability

6.1.6.4. Internal Audit

6.1.6.5. Financial Markets

6.1.6.6. National Payment System

6.1.6.7. Representative of Executive Management.

6.1.7. The Heads of Department, or senior representatives, of the Legal Services, Financial Services, Corporate Services and Human Resources Departments may be co-opted to serve on the BCMC when required.

6.1.8. A financial markets crisis affecting the financial sector will be managed under the guidance of the deputy governor, or designate, responsible for financial stability issues. The National Payment System, Financial Stability, Financial Markets and Bank Supervision departments will support the deputy governor during this process.

6.1.9. Decision-making shall always be in accordance with the approved and implemented procedures and authorities. The governors will therefore always be the ultimate decision-making functionaries in the Bank. However, the circumstances might require that the governors be assisted in the taking of some emergency operational decisions during a crisis situation. Furthermore, in extreme cases the governors might not be available or be in a position to take decisions, due to incapacitation. The following processes shall be implemented to assist the governors in managing operational issues during a major disruption:

6.1.9.1. Operational decisions that cannot be dealt with through the normal operational processes shall be referred to the BCMC. The governors shall, as far as possible, be consulted on, or be kept informed of, the operational emergency decision-making processes. The BCMC will exercise its delegated decision-making powers solely to take the decisions necessary to facilitate the continuity of the Bank’s critical business processes. Such decisions could include, but are not limited to:

6.1.9.1.1. any procurement decisions, such as the emergency procurement of ICT and office equipment, entering into lease agreements and the appointment of contractors;
6.1.9.1.2. decisions, in consultation with the Financial Sector Contingency Forum, regarding the cross-sectoral impact that a security incident at the Bank might have, and the management thereof;
6.1.9.1.3. decisions regarding official announcements, communiqués and press releases;
6.1.9.1.4. decisions regarding the prioritisation and allocation of resources, according to business requirements. This could include the re-allocation of staff to other premises or functions, the re-allocation and prioritisation of responsibilities and the contracting or appointment of external specialists; and
6.1.9.1.5. decisions regarding the official declaration of a disaster situation.

6.1.10. In the event of a “worst-case” disaster incapacitating the decision-making processes and capabilities of the Bank, the National Treasury shall be contacted by the most senior surviving Bank official to plan the way forward.

6.1.11. The BCM function is responsible for managing and co-ordinating the discipline of BCM on an organisational level and for facilitating the process on a departmental or business-area level. The BCM function has a reporting responsibility to the BCMC on operational issues.

6.1.11.1. Should none of the staff members in the function be available, the branch managers of the Johannesburg and Pretoria North branches will assume the responsibilities of the BCM function.

6.1.12. Heads of department, with the support of their appointed BCP co-ordinators, are responsible for developing, implementing, evaluating, testing, exercising and maintaining their respective BCPs.

6.1.13. Heads of department shall ensure that the appropriate BCP training, education and awareness are provided to all their staff.

6.2. Business Continuity Management Processes

6.2.1. The development of BCPs and the controls implemented to adequately prevent or mitigate a major disruption shall be commensurate with the possible impact on critical business processes, which is determined through a Business Impact Analysis.

6.2.2. BCM methodology

The Bank has adopted the Business Continuity Institute (BCI) methodology, as depicted below, the details of which can be obtained from the Bank’s BCM function or from the official BCI website[6].

6.2.3. The continuum of BCM shall be managed according to the Business Continuity Management Framework, as depicted and detailed below.

H:\BCM\DATA\Policy\2010\BCM Policy and Framework February 2010.doc1

Business Continuity Management Framework


6.2.3.1. Organisational BCM and decision-making structures (Point 1)

The details of these processes are described in paragraph 6.1 above.

6.2.3.2. Business Continuity Management Policy (Point 2)

The Bank’s BCM policy is

  • approved by the GEC within every three-year cycle, or earlier, should there be any significant changes;
  • the guiding document for managing BCM in the Bank; and
  • published on the Bank’s Intranet or available from the BCM function.

6.2.3.3. Risk analysis (Point 3)

This process entails

  • mapping the organisational and individual business processes, thereby creating the understanding needed to design and implement specific BCP strategies and controls;
  • assessing all operational threats and resulting risks, including security risks, in terms of people, business processes, premises and technology;
  • determining all critical business process factors through comprehensive Business Impact Analysis (BIA) exercises;
  • aligning all BCPs with the identified risks, which are addressed by the BCP, in the departmental risk matrix. It is suggested that an extract of the particular risks be included as an annexure to the BCP document; and
  • identifying recovery time objectives (RTO) in terms of the following timeframes:
    • four hours (investigations are being conducted to decrease this time to 2 hours);
    • forty-eight hours; and
    • five working days.

Note – Initial availability of critical workstations and infrastructure will only cater for the business processes with an RTO of four hours or less. However, some of the other information and communications technology (ICT) infrastructure will also be available, although not guaranteed, due to the commonality of platform infrastructure.

6.2.3.4. Prevention and mitigation strategies (Point 4)

The applicable legislation to be considered during this phase is:

  • The National Key Point Act; and
  • The Occupational Health and Safety Act.

6.2.3.4.1. Crisis management strategy

Escalated BCP problems will be addressed by the Bank’s Crisis Management function, as detailed in paragraph 6.1.5 above.

6.2.3.4.1.1. The following three levels have been defined as a guideline for the escalation of an incident.

Level 1 – Minor disruption to one or more critical business processes (normal operating procedures apply)

The following applies:
  • The critical business process is interrupted but is dealt with effectively at an operational level.
  • The problem is resolved within an acceptable mean time to repair (MTTR) period.
  • The MTTR refers to the time it takes to resolve the particular problem or situation and should include the initial assessment process.
  • Problem resolution should always consider the identified RTO, which refers to the maximum time in which the critical ICT infrastructure is recovered and made available for business application recovery.
  • Problem resolution should also consider the maximum tolerable period of disruption (MTPD), which includes the RTO and refers to the maximum time in which critical business processes need to be operational after a disruption.

Level 2 – Significant disruption

Normally such a situation is identified by
  • denial of access to the work environment, key facility or critical ICT infrastructure.
  • critical business process interruption.
  • the disruption being expected to last beyond the acceptable MTPD period.
Note – The situation should be escalated to the BCM function or any other member of the BCMC as soon as the seriousness of the situation has been realised.

Level 3 – Major disruption (worst case)

The following applies:
  • The building/facility has been damaged or the incident is of such a nature that it is not accessible.
  • Staff members, especially those identified as being critical, are incapacitated.
Note 1 – The Bank’s Emergency Management Plan (evacuations, etc.) will be executed in the event of the incident happening during business hours.
Note 2 – Heads of department, members of their management team or their BCP co-ordinators will be informed in the event of the incident happening after business hours.

6.2.3.4.1.2. A successful BCM capability is dependent on effective and quick response mechanisms. It is, therefore, essential that any incident that could impact on the continuity of the Bank be reported and escalated as a matter of urgency.

6.2.3.4.1.3. In most cases the initially reported incident will probably not result in a BCP invocation event and is most often only a maintenance issue that is dealt with in the early stages. However, the lapse of time and a change in severity could escalate it to the declaration of a disaster and the invocation of BCP processes.

6.2.3.4.1.4. It is essential that any incident that has the possibility of disrupting the continuity of the Bank be escalated to the appropriate BCM functionaries, being the Bank’s BCM function, the Main Security Control Room or, in the unlikely event of none of the above being contactable, any member of the BCMC.

6.2.3.4.1.5. This process is not intended to replace or bypass the existing incident management processes, but rather aims to establish awareness among the Bank’s staff, so that they always keep in mind the possibility of a minor incident escalating into a BCP invocation. The appropriate BCM functionaries should, therefore, immediately be informed about any incident that has the potential of escalating to a major disruption. Staff members should not deviate from the existing incident reporting process but should, in addition, escalate any such incident as quickly as possible. This requires that the person who initially reported the incident not lose track of it until it has been addressed successfully.

6.2.3.4.2. Disaster declaration

6.2.3.4.2.1. Authorised declaration functionaries

The Bank’s Executive, under the guidance of the Governor, is the ultimate decision-making authority in the Bank. It is, therefore, only the Governor or a deputy governor, in the event of the Governor not being in a position to do so, who will issue a declaration of BCP invocation or, in the extreme, a disaster declaration.

6.2.3.4.2.2. Declaration process and invocation of the Business Continuity Plan

The declaration of a disaster could have far-reaching consequences and should not be undertaken lightly, and then only in extreme circumstances. Two situations can be identified.

6.2.3.4.2.2.1. Less serious incidents

The first is when an incident occurs, necessitating extraordinary interventions to manage the situation. The situation does not necessarily constitute a disaster and is managed through activating the implemented mitigating controls, such as the Emergency Management Plan and the BCP. The external communication response in such a situation, if any, should be that the Bank has had to invoke its BCP procedures and that its critical systems are successfully functioning from its alternate site facility.

6.2.3.4.2.2.2. Major disruptions

The second scenario is when an incident occurs that is so severe that it cannot be resolved or managed within the Bank. Such incidents normally have a systemic impact that is wider than the Bank and could even necessitate the involvement of external support functions, such as those provided for under the National Key Point Act. It is, therefore, conceivable that the Bank’s Executive could decide to actually declare an official disaster in such extreme situations.

6.2.3.4.2.3. Situations leading to a disaster declaration and a BCP invocation

Two broad situations are defined in this regard. The first would be if the incident occurs after hours and staff are not at work. The second would be when the incident occurs during office hours and most of the staff are in the building.

6.2.3.4.2.3.1. Incidents occurring after office hours

The Main Security Control Room at the Bank’s Head Office will inform the following functionaries: