
Causal Capital

RMB - Risk, Markets & Banking

 

March 28, 2006

Business Continuity and Outsourcing

The noise over Pillar I of CP3 has subsided somewhat since its final release in 2004. Many organizations are still in the thick of their capital adequacy programs, and whole regions such as the US actually lag behind the agenda; nonetheless, the Bank for International Settlements (BIS) is now onto the next urgent topic of debate: business continuity and financial sector stability.

Late last year a joint forum of regulatory bodies pioneered by BIS released a high-level principles consultative document for business continuity; however, they are far from alone in showing this level of tenacity towards Business Continuity Management. The International Association of Insurance Supervisors, the International Organisation of Securities Commissions and the Financial Services Authority in the UK have all been releasing material over the last twelve months that pertains to various programs addressing Business Continuity.

BIS Joint Forum 14

The Monetary Authority of Singapore defines Business Continuity Management as:

Business Continuity Management (BCM) is an over-arching framework that includes policies, standards, and procedures. It not only addresses the restoration of information technology infrastructure but also focuses on the rapid recovery and resumption of MAS' critical functions during disruptions. One important aspect of the framework is the formulation of BCM policies and exercise strategies.

This is also echoed in the BIS document as `A whole-of-business approach` that includes policies, standards, and procedures; however, many institutions have simply focused on central facility centres rather than on a full value chain approach, one that uses a dependency analysis to describe the interaction of each business layer, from human roles to third parties and outsourced functions.

+ Outsourced Functions
What about outsourcing in Financial Services?

Well, ten months earlier BIS also released a white paper discussing the transference of this risk to third party services (TPS); however, not all banks are actually measuring the dependencies they have on these other entities.

BIS Joint Forum 12
With many of these third parties not regulated, there is concern among regulators as to how outsourcing could possibly `impede the ability of regulated entities to demonstrate to regulators (e.g., through examinations) that they are taking appropriate steps to manage their risks and comply with applicable regulations.` Business Continuity aside, banks are in most cases unable to control some of the more basic security exposures that are present in outsourcers, and this has been identified as a contributing factor to the increasing theft and distribution of account numbers, credit card details and other client personal information, the protection of which forms the basic compliance agenda of a regulated entity.

The joint forum does, however, outline nine principles it expects financial institutions to have in place to ensure their relationship with third parties doesn’t impede the second party, that being the customer and the bank-to-bank relationship. It is a concise read that clearly describes the types of risks that might be present and the hurdles that could be encountered in reaching the nine principles. It also has several case studies from Australia, Germany and the US, showing where each regulator is drawing the line on what it considers a bank’s responsibility.

It’s not all bad news though: some third party providers of services are starting to ask what they need to do to help banks keep a transparent reporting process of risk profiles available for their regulator, and some are looking at offering ‘a measure of capital’ that the bank might be able to include in its modeling.

One of the largest remaining concerns, of course, is that many of these third party providers are servicing several institutions in the same jurisdiction, so a systemic fault or outage could impact multiple banks simultaneously, and that presents the largest of all fears for regulators. An example occurred a couple of years ago in Australia, where a cash carrier servicing four banks had an industrial dispute that resulted in staff walking away from their obligations of servicing the ATM network. Like most union-focused agendas, the strike action targeted one of the busiest times of the year, when the service is required most, and many customers were unable to access cash over the Christmas period. ATMs were literally emptied in hours, not to be replenished for days, and some branches had to close because they were unable to distribute notes.

+ Back to Business Continuity and Capital
The BIS paper also focuses on 'the tension' between resilience and 'the costs'. In institutional terms that is a focus on returns versus costs, while the regulators are striving towards a broader public interest of financial sector stability. All very similar agendas but all with a different emphasis.

Fortunately there are always compromises to be had, particularly for those banks that have selected the Advanced Measurement Approach to operational risk, and even more so if they are using the sbAMA methodology for estimating capital. Theoretically, under such methods the bank is able to add a set of scenarios that clearly describe a potential impact from an event (with these third parties) in combination with its discrete likelihood. Now, we know business continuity can’t always reduce the likelihood component of the event, particularly with environmental disasters; however, the bank can often control how far these impacts draw out, and that is easier to translate into a capital exercise. Good models will have the ability to append such scenarios against the loss curve and then reduce their magnitude through corrective actions. That has the positive effect of pushing the tail of this loss curve left along the axis, translating to a lower capital number.
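A Monte Carlo illustration of the scenario idea above, added here as an example; it is not the author's model nor the sbAMA methodology itself. Every frequency, severity, the 1-in-50-year likelihood and the 40% mitigation factor are constructed assumptions.

```python
import math
import random

def poisson(rng, lam):
    """Knuth's method: multiply uniform draws until the product drops below e^-lam."""
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k

def simulate_years(n_years, seed=2006):
    """Return (base_loss, scenario_impact) per simulated year; all parameters are constructed."""
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        # Routine operational losses: about 5 events a year, lognormal severity.
        base = sum(rng.lognormvariate(10.0, 1.2) for _ in range(poisson(rng, 5.0)))
        # Appended scenario: third-party outage with a discrete likelihood of
        # 1 in 50 years and a median impact of 20m before corrective action.
        hit = rng.random() < 0.02
        impact = rng.lognormvariate(math.log(20e6), 0.5) if hit else 0.0
        years.append((base, impact))
    return years

def capital(years, impact_scale=1.0, include_scenario=True, q=0.999):
    """Empirical q-quantile of annual loss, scenario impact scaled by impact_scale."""
    losses = sorted(b + (impact_scale * s if include_scenario else 0.0) for b, s in years)
    return losses[min(len(losses) - 1, math.ceil(q * len(losses)) - 1)]

def compare(n_years=20000):
    years = simulate_years(n_years)  # same draws for every case (common random numbers)
    return {
        "baseline": capital(years, include_scenario=False),
        "with_scenario": capital(years),
        # Continuity planning assumed to cut the outage impact to 40% of its size;
        # the likelihood of the event is left unchanged.
        "with_bcm": capital(years, impact_scale=0.4),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>14}: {value:,.0f}")
```

Because the same simulated years are reused for all three cases, the gap between the figures comes only from appending the scenario and scaling its impact.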

Posted by CausalEvents at 01:57 PM | Comments (0)
