BANCA D’ITALIA - Eurosistema
Business Continuity: the Italian Experience
Ravenio Parrini
Payment System Oversight Office, Banca d’Italia
Budapest, 14 November 2007

Index
1 Business continuity initiatives in Italy
2 Specific rules issued by Banca d’Italia
3 CODISE: the National Joint Working Group
4 Summing up

Italian experience on BC
September 2003: national black-out. In a few seconds the national power line system collapsed:
• people trapped in lifts
• traffic lights switched off
• mobile network down
• congestion in the public switched telephone network
• national railway system blocked
• fuel pump stations blocked
• …
BC is an issue to take into account!

Business Continuity (BC) key issues:
– major operational disruptions can result from unpredictable events (September 11th, national black-out);
– growing complexity of financial market infrastructures;
– interdependency (cross-systems, cross-operators, cross-countries): no one is an island…
– Business Continuity of financial systems as a public good.

The Italian Framework: two-layer approach
1. Single infrastructure/institution: i.e. increase the resilience of the single operator as a component of the overall national system; promote a common level in Business Continuity; … single financial operators are the “first line of defense” in a crisis situation.
2. National level coordination: i.e. a coordinating function with tasks of assessing the requirements, organizing tests, managing crises.
In addition…
– a policy based on cooperation between authorities and financial operators;
– inclusion of individual business continuity plans within the scope of the scrutiny by the competent supervisory authorities.
Implementation
- A national contact list
- The Joint Working Group (CODISE)
- Three Supervisory Guidelines on BC

2. Specific rules issued by Banca d’Italia
At the end of 2004, after the public consultation, Banca d’Italia issued a set of Business Continuity Guidelines (see www.bancaditalia.it).
The Guidelines have been designed primarily for the three financial sectors: banking sector, payment system infrastructures, market infrastructures.
Some requirements:
– scope: services/operators (identified by CODISE analysis) and major banks;
– BCP to be endorsed by senior-level management;
– scenarios to be faced: disaster, cyber-attack, provider unavailability (as agreed in the CODISE WG);
– recovery objectives (RTO): 2-4 hours for vital services;
– back-up sites: different risk profile, staff duplication/relocation;
– emergency procedures: roles/responsibilities, crisis teams, utilities backup, …

BCP Assessment of Payment System Infrastructures
Financial operators’ BCPs are evaluated to verify compliance with the Banca d’Italia BC guidelines. The assessment is based on:
- bilateral meetings with financial operators;
- evaluation of periodic documentation received by Banca d’Italia;
- a set of ToRs (Terms of Reference) derived from the BC guidelines and used in evaluating operators’ BCP documents.
ToRs: a 35-item checklist, with a “rating” for each item: A (Fully observed); B (Broadly observed); C (Partially observed); D (Not observed).
ToRs are used to measure operators’ improvements in BC.

TIME FRAME
Financial stakeholders in the scope of the guidelines had to:
By end 2004:
· produce a Business Continuity Plan (BCP) endorsed by senior management;
· communicate the BCP to Banca d’Italia.
By end 2006:
· implement the BCP.
Every 6 months:
· report to Banca d’Italia on the BCP phases completed.

Operator improvements in 2004-2006
· focus on Services (protecting Assets is not enough…);
· more emphasis on Resiliency (soundness, i.e. resisting disasters, is not enough… get ready to recover from “scratch”), staff management, emergency procedures;
· plan for Large Crisis scenarios (managing risks from day-to-day operations is not enough… the objective is the company’s survival in case of disaster).
[Diagram: Financial Operator. MISSION; SERVICES: Trading, Clearing, Settlement, …; ASSETS: Buildings, Staff, ICT. Marked with 2004 and 2006.]

Improvements in 2004-2006
[Figure: matrix of BC measures, with the 2004 and 2006 positions marked. Axes: “How” (Soundness, Resiliency); “What” (ASSETS, SERVICES); “Against what” (Expected losses; Stress losses (Disaster)). Other labels: costs, survival. Measures shown: Incident Management, Crisis team, Alternative procedures, Stakeholders coordination, Contingency solutions, Interdependencies reduction; Physical sec., Logical sec., Reliability (MTBF), High Availability, Quality, Maintenance, Risk Analysis, Audit, Certifications; Alternative Sites, Staff relocation, TLC recovery, ICT duplication, Disaster Recovery.]

3. The national Joint Working Group (CODISE)
CODISE includes both authorities (all major supervisory functions) and major financial system representatives:
– coordinated by Banca d’Italia and Consob (stock exchange commission), with the presence of a representative of the Italian Government;
– operators of main market infrastructures, major banking groups, major payment systems service providers.
CODISE task: “to define the steps towards the System’s Business Continuity”, with the aim of limiting systemic risk.

CODISE: Main Objectives
Scenario to face: large disruption (low probability, but large impact…)
Critical objectives to cover:
– liquidity issues (assure liquidity availability in case of crisis);
– trading, clearing and settlement infrastructures (resiliency of…);
– public confidence;
– link with cross-border systems.

The “CODISE” National Contact List
Immediate low-cost intervention: in the first quarter of 2003, a National Contact List for Financial Business Continuity was set up.
A contact list among CODISE members: each member declares its own crisis manager as the “contact point” to be called in case of crisis (each list entry is composed of company name, contact point name, phone/fax numbers, e-mail addresses, alternative numbers).
The list is updated and activated by Banca d’Italia.
Periodic tests (~ once a year) are carried out in order to ensure that the data stored in the list is “fresh”.

CODISE Workplan
– Identification of relevant services
– Selection of scenarios
– Impact analysis
– Implementation of emergency plans
– Test and improvement of plans
Main achievements of CODISE analysis
• “Vital” services (i.e. operations to be completed before end-of-day):
– 8 financial services, 5 operators involved (trading, clearing, settlement – cash/securities)
– National ATM networks, 3 major providers involved
• Scenarios (to be considered in developing the BCP):
– Regional disaster
– Cyber attack
– Unavailability of an infrastructure/provider
• Interdependency among financial operators (a cross-map of maximum tolerated outage among major operators)
• Crisis procedures (simple crisis communication procedure based on the national contact list)

CRISIS COORDINATION: liaison with ECB structures
A new role for CODISE: the joint group was set up as a forum among Italian operators to share information and to plan common initiatives on BC. It is now also becoming the “local crisis team” for coordination at EU level.
Coordination structure
– ECB-PSSC is the European Crisis Team (teleconference among PSSC members);
– the Italian PSSC member is also the Chairman of CODISE (Central Manager for Payment Systems and Treasury Operations of Banca d’Italia) and plays the role of national Crisis Coordinator (CC).
– Two scenarios:
1. Failure in an EU country: the PSSC teleconference allows PSSC members to share information; the Italian member (CC) can decide to activate the CODISE contact list to share information and to take local initiatives.
2. Failure in Italy: the Italian Crisis Coordinator (CC) activates the CODISE contact list for local initiatives and contacts the ECB-PSSC group to share information and coordinate initiatives.

Crisis Coordination: operation failure in EU
[Diagram elements: Foreign operator failure (country “A”); National crisis coordination committee (country “A”); PSSC; National crisis coordination committees (EU countries); CODISE; National contact list; Italian financial system.]

Summing up…
• Main achievements:
– Common “Resilience Level” among major financial operators.
– “Open debate” on BC among authorities and financial operators.
– A simple coordination/communication procedure in case of crisis.
• Next steps:
– more detailed crisis management procedures at national level;
– multi-year exercise plan with growing complexity.

REFERENCES
Italian BC guidelines
• Payment system infrastructures:
– http://www.bancaditalia.it/sispaga_tesor/ssp/infrastrutture/bi/linee/Linee_guida_SSP_en.pdf
• Market infrastructures:
– http://www.bancaditalia.it/banca_mercati/supervisione/normativa/linee/guidelines/Guidelines_for_business_continuity.pdf
• Banking sector:
– http://www.bancaditalia.it/vigilanza/banche/normativa/disposizioni/provv/requisiti_processi_rilevanza_sistemica.pdf
Financial-Related Documents
• High-level principles for business continuity (2005) (web site: http://www.bis.org/).
• Business Continuity Oversight Expectations for Systemically Important Payment Systems (2006) (web site: http://www.ecb.int/).
• Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (2002) (web site: http://www.sec.gov/).
Relevant Web Sites
• http://www.thebci.org/
• http://www.business-continuity.com/
• http://www.survive.com/
• www.bsi-global.com
• see also BS 7799, ISO 27001 (information security standards).