BCP At Bangkok Bank, Thailand Bhakorn Vanuptikul, BCCE Executive Vice President Bangkok Bank Public Company Limited 10 May 2012 1
Agenda Business Continuity Management at Bangkok Bank Success Factors in implementing BCM Past Crisis Lessons Learned 2
About Bangkok Bank Largest bank in Thailand Total assets of US$ 68.3 billions Profit before taxes of US$1.1 billion reported in 2011 22,000 of employees 960 Branches in Thailand 27 Overseas Branches 3
Why we need Business Continuity Management? Financial Sector is an Integral Part of our Economy. Financial Institutions are IT centric and are interdependent with others. Finance Institutions are exposed to several within and outside risks. Bank of Thailand and Stock Exchange of Thailand require Banks to do BCP to ensure that the financial system is always functional. 4
BCP will even be more integral part of Financial Services because we are in the higher risk environment. Global warming and its consequences Terrorism Financial Meltdown and Currency Flow We rely on more digital infrastructures Multi-national supply chains New arm races 5
Regulations in Thailand Financial Institutes and Public Companies are required by Bank of Thailand & Stock Exchange of Thailand to prepare BCM policy & BCP along with these outlines: BCM policy Risk Analysis Business Impact Analysis Identify Critical Business Functions Recovery Objectives Business Continuity Plan Testing & Reviewing 6
Regulations in Thailand But the most important of all the guidelines: Board of Directors are responsible for the setting up of the BCM Policy as well as allocating enough resources to conduct the BCP as part of the overall risk Management. 7
B C M covers many components DRP (Disaster Recovery Plan) DRP is prepared to manage the continuity and recovery of systems, data centers, and communication services in the event of disaster. Bank must have at least 2 Data Centers (which locate in appropriate distance). These 2 data centers back-to-back back up critical applications. Bank must test DRP annually. BCP (Business Continuity Plan) BCP focuses on the continuity of critical functions of the Bank in the event of disaster. All critical function units have developed and prepared alternate sites distributing to many locations. Bank must test BCP annually. To ensure business continuity, Bank has set up the Business Continuity Management (BCM) program, which incorporates DRP, BCP, Security plan, and Crisis Management plan. Crisis Management plan The plan details actions to deal with incident, emergency and crisis. Bank has set up Crisis Management Team which is consisting of senior management and unit head of relevant critical function to be responsible for managing and making critical decision regarding the crisis response. 8
Business Continuity Management Process 9
Success Factors in implementing BCM Strong Management Support Use Consultant with Track Records Strong Team with Strong Personnel Has Good Methodology and Process in place Know Your Business and Know Your Organization Simple, Effective but Flexible BCP is Critical to BCM Each BU is familiar and is testing its BCP regularly Internal & External Communication is Critical in BCM 10
Lessons Learned from Previous Crisis Political Crisis of May 2010 Great Flood of November 2011 11
Political Crisis of May 2010 12
Political Crisis of May 2010 Bangkok Bank was caught in the Political Crisis of May 2010. The Damages Done: A few Branches in Bangkok were seriously burned and damages. Around 100 ATMs were smashed and a few were burned. Over 40 Branches across the country were damaged with home-made bomb, shot with assault rifles or smashed with rocks and batons. Luckily, no casualties on staff. 13
How we managed the crisis? Put priority on safety of our staff and customers at the top. Set up Crisis Management Team early on to monitor every development of the conflict 24/7. Has all the BCP in place and test them regularly. Establish good relationship with the government agencies including Central Intelligent Services, Army and Police Forces. 14
How we managed the crisis? Keep Low Profile in every operation we do. Buy Riot Insurance just 2 months ahead of the crisis. Move Staff to remote back up site before the second clash of army and protesters on May 19, 2010 Get cooperation from the media to keep the news of the damages as low as possible. Don t fight back with either words or weapons. This would escalate the situation. 15
Lessons Learned 1 Better External Communication may help reduce the impact from the conflict. Better Internal Communication would also foster staff s confidence in the bank s ability to handle the situation. Better relationship with communities around our premises could help prevent the fires and damages to properties. More Backup Locations as some were inside the dangerous zones. 16
Lessons Learned 2 Re-evaluate the Risk Analysis as political conflict was considered to be low risk but high impact. Re-thinking about key staff and alternates as staff were not able to come to work because of safety concerns. Re-thinking about equipments and supplies as the event like this, you may not be able to purchase anything. 17
Great Flood of August to November 2011 16 Billion Cubic Meter of Water that caused the flood over 14,000 Square Kilometer of Land Financial Impacts: US$ 45 Billions in damages and losses to properties, industrial plants, goods and services. Impacts to Population: 5 Million Peoples or 1.9 Million Households were effected. 728 deaths, mostly from drowning or electrocution. 18
Geographical extent of the flood 19
Great Flood of 2011 20
Crisis Management & BCP Lessons Learned 1 Scenarios study to understand the development of the Disaster. This is a regional disaster that is: Slow to take place but would last more than a month. Not all your facilities will face the disaster at the same time so you will have to deal with them at different stages of the crisis. Set up teams to deal with specific tasks. You have time to prepare but you would have to fight for the limited resources because everyone wants to do the same. 21
Transportations Impact to your staff, logistics, other services. Electricity Possible power outage and duration. Communications Impact to your work procedures, transactions. Lessons Learned 2 Anticipate the potential impacts to: Public Water Impact to ability to cool the Data Center, life support for staff. Health cares system Impact to your staff and their families, possible pandemic diseases after the flood. Food supply chains. Impact to your staff and their families during the flood. 22
Lessons Learned 3 Monitor the situation and information closely: There were so many sources of information, sort out which ones are reliable and relevant. Social networks could be useful and more up to date in this kind of disaster Information may be neither complete or accurate, try to assess the situation yourself. Use these information to formulate what will impact you, not only your operation, your business volume, but also your customers operations. 23
Lessons Learned 4 Look after your stake holders: Staff : Put their welfare as your priority. Allow them to take time off to take care of their houses, their families. Transportation for staff Customers : Provide alternative channel for services Flexible ways to identify your customers Match their other needs (no fee for inter-bank transactions) Communities Support the communities around your premises. 24
Lessons Learned 5 Focus on some new impacts and new circumstances. Impact on your staff availability More alternate of key staff who live in different area Foods and beds for BCP staff around backup sites Impact on your facilities Power and water supplies Communications Establish backup sites outside of the disaster area Stock up your critical supplies or pre-arrange for them Impact on your work loads Impact on your logistics 25
Conclusions Disaster is dynamic, follow it closely but most importantly, anticipate the potential impacts. Focus on how to reduce these impacts. Re-assess your plan, find vulnerabilities that may be associated with this type of disaster but be flexible. Don t rely on outside help, they are all busy. If you remember your staff, your customers in time of need, they will always remember you. 26
Q & A Bhakorn.van@bbl.co.th 27