Building Resilience

through an Effective BCP

Central Banking Seminar

(March 15-18, 2021)
 Presenters
• Muhammad Akmal, Director - Strategic Planning
Email: [email protected]

• Shehzad Ali Sharif, Senior Joint Director

Email: [email protected]

State Bank of Pakistan

2
 Topics
• Country Brief

• BCP Framework & Governance Structure

• Designing & Exercising the BC Plans to build

effective resilience

• Activating a BC Plan

3
 Brief introduction of Pakistan
• Fifth most populous country in the
world with a population of more than
220 million. Adult population 50%.
• Came into being in 1947 and located
at a strategic location
• Sevenfold expansion in Urban
population.
• Multicultural and multi-ethnic society

• Affected by the war on terror in the

neighborhood.
• Had a fair share of natural and man
made disasters.
• Home to one of the largest refugee
population (3 million persons)
 About SBP
• Initially Central Banking for Pakistan was done by Reserve Bank of India (RBI)

• Established in 1948 by founder of the Nation

• Initially governed by Pakistan Reserve Bank Order 1948 and later SBP Act 1956 (to-
date as amended)

• Head Office in Karachi and 16 Field offices across country in all the provinces

• Bifurcated in 2002 (Policy and Operational arms)

• SBP has four fully owned subsidiaries:

– SBP BSC: SBP Banking Services Corporation (Operational arm)
– NIBAF : National Institute of Banking & Finance (Training arm)
– DPC : Deposit Protection Corporation
– PSPC : Pakistan Security Printing Corporation
 Financial Sector Landscape of Pakistan
Securities & Exchange Government
State Bank of Pakistan
Commission of Pakistan Departments

Insurance (Life 10, Pakistan Post

Banks(33) (13000)
Non-Life 39, Re-Ins 1)

Central Directorate
Micro Finance
Investment Banks(12)
of National Savings Banking Infrastructure
Banks(11) (376)
Bank Branches 16,067
Leasing Companies(7) Overseas network 143
Development Finance
Modarabas (28)
Institutions(9) MFBs Branches 1,242
DFIs Branches 62
Exchange Companies MFIs
ATMs 15,612
(27-A,25-B) (29) POS 49,067
BB Agents 445,181
Credit Bureaus
(2) AMCs(23)
Accounts (mlns)
Payment System
Total Accounts 112.4
Operators
Mutual Funds(227) Conventional 59.9
(3) 6
Branchless Banking 52.5
 History of BC at SBP
• BCP first introduced in 2001-02, after the events of 9/11
• High level BCP Committee under the chairmanship of Deputy
Governor formed in 2002
• Initial focus on physical/terrorist threat
• Later on BCP development was taken as an activity under
Strategic Plan
• Established Dedicated Primary and Secondary Backup sites
(Alternate Working Sites) in Karachi
• Established DR Site (Tier 3 level) in another city
• Established 16 Backup Sites across the country for our offices
• Live transactions/business from backup site during test
exercises
 Why BCP ?
• A BCP is like an insurance policy; you pray that you will
never need to use it but you will be glad to have it if
you ever do.
• It enables an organization to respond efficiently to
potential threats that may render all or parts of its
operations and resources unavailable.
 Role of BC in Central Bank Resilience
• Central banks are a significant force in the
economic and financial infrastructures of their
countries. In critical times a central bank will need
to lead, consult and participate in the appropriate
response to crises.

• Pro-active business continuity management plays

a significant role in ensuring that the central bank
can fulfill its own role and that of the community
it serves.
9
 What is BCM / BCP/ DRP ?

• BCM: Business Continuity Management is defined as the holistic

management process that enables an organization to build resilient,
enterprise-wide (business or public-sector) operations in order to
minimize the disruption to people, processes, facilities and technology in
the event of an unplanned interruption of operations.

• BCP: Through this capability, the organization builds an effective program

that provides a planned response, recovery and restoration mechanism to
safeguard the interests of key stakeholders, their reputation and value-
enhancing activities.
 BCM / BCP / DRP
• DR: Disaster Recovery is an Integral part of the
organizations BCM plan by which it intends to recover
and restore its IT and Telecommunications capabilities
after an incident.

• In short
• DR – the technology
• BCP – the plans
• BCM – the management process
 Objective

• Objective of Business Continuity Plan (BCP) for State

Bank of Pakistan is to ensure continuity of its critical
functions (time sensitive) and prevent any major
disruptions in the financial system of the country in
case of a disaster either a natural or a man-made.
 Scope

• BCP is for the following potential events:-

– Fire

– Earthquake

– Floods and heavy rains

– Civil strife

– Sabotage/Bomb blast

– Act/ Threat of War

– or any other event causing severe disruption to SBP operations

at the Main SBP Building or any of the field offices of SBP BSC.
 Business Continuity Planning at SBP

Business Continuity Plans

BCP Book I BCP Book II

(for Departments) (for Offices)

 Critical Functions & Related Deptts.
S. No. Critical (Time Sensitive) Functions Related Departments/ Offices
1 Payment Settlement
 Accounts
 Finance and all Offices

2 Currency Management  Currency Management Department

 Finance
 Issue Offices
3 Government Accounts  Accounts
 Finance
 All Offices
4 Foreign Exchange Management
 Accounts
 Finance
 Treasury Operations Deptt
 IMID
 DMMD
 Karachi and Lahore Field Offices
5 Open Market Operations  Accounts
 Finance
 DMMD
 Karachi Office
6 Public Debt Management
 Accounts
 Finance
 DMMD and Field Offices
 BCP Governance Structure

BCP Committee

BCP Coordinator

Departmental Emergency Support Office BCP

BCP Coordinators Group Coordinators

Business Continuation Disaster Recovery

Support Team Support Team
 BCP Committee
• This Committee is comprised of senior management from critical areas of
the State Bank , its subsidiaries and coordinates all aspect of the Business
Continuity Plan (BCP). The role of BCP Committee include to: -

– Review and approve the BCP

– Review Testing and Exercising of BCP

– Undertake policy decisions for effective implementation of BCP

– Support activation of BCP

• The committee is required to meet on quarterly basis.

 Support Groups Defined under BCP
• Emergency Support Group (ESG) – Bank wide: ESG ensures that a
disaster at any of Bank’s location is handled appropriately and the
Backup Site is ready for business continuation within 24 hours. ESG is led
by Director IBSD and controls all the logistical, administrative, security
functions throughout the disaster.
• Disaster Recovery Support Team - Local: The Team is responsible for
emergency evacuation, handling medical emergencies, coordinating with
Security and Law Enforcement Agencies and media at the time of
disaster. The Team is also responsible to coordinate the recovery efforts
at the disaster site. The team works under the supervision of ESG.
• Business Continuation Support Team - Local: The Team is responsible to
provide all facilities at the back-up site to enable the Critical
Departments to continue their critical operations within 24 hours. The
Team seeks guidance from Departmental BCP Coordinators of the Critical
Departments for arrangement of facilities on occurrence of the event.
 Role of Departmental/Office BCP Coordinators

• HODs/ Chief Managers have overall responsibility for preparation, testing and
implementation of their Departmental/ office BCPs.
• Coordinators, nominated by the HODs/ Chief Managers, are responsible for
assisting the HODs/ Chief Managers in preparing, updating and testing of their
respective Departmental/ Office BCP.
• Coordinators also assist HODs/CMs in business continuation and disaster
recovery efforts and day-to-day coordination with BCP Coordinator. To be
current at all times, BCP will be maintained as a live document and is to be
regularly updated to reflect the on-going changes.
• Coordinators must convey any change in their Departmental/Office BCP
including change of key persons or their contact details promptly to BCP
Coordinator for its incorporation in the BCP on timely basis.
• Coordinators keep in touch with BCP Coordinator who liaises/coordinates with
the BCP Committee.
 BCP Activation Authority
SBP Main Buildings at Karachi

• Governor
• Deputy Governor
• BCP Coordinator

SBP-BSC HO Building in Karachi & Field offices across the country

• Governor
• Deputy Governor
• Managing Director (SBP-BSC)
• BCP Coordinator
 BCP Activation Process

• Whenever an event involving disruption of activities

occurs at any location, department, floor, building etc.,
BCP Coordinator should be informed in addition to
taking other appropriate actions which may be required
due to emergency.

• BCP Coordinator will assess the situation and seek a

decision from the Chairman BCP Committee and the
Governor.
 BCP Infrastructure
• Fully equipped Standalone Primary Backup Site for critical departments.

• Fully equipped Secondary Backup site for critical support departments.

• State of the art DR Site (Tier 3) established at a far flung location

• Four Field Offices are backup sites of each other

• Establishment of a Command & Control Center at Back up site to house members of

Emergency Support Group(ESG)

• Dedicated Radio communication between 4 different sites through dedicated

frequency. Satellite communication is also under consideration.

• Boarding & lodging, transportation and cash arrangements

• Generators and own Solar Power generation at Backup Site to handle prolonged power
outage
 SBP’s DR Site
• State Bank of Pakistan has established a State-of-the-art Disaster
Recovery (DR) Site that provides replicated backups for critical
banking and other in-house developed applications and files,
identified as critical. The applications/files have been divided
into the following three classes/tiers:

• Recovery Class 1: Gold Tier (RPO=0 and RTO<4 hours)

• Recovery Class 2: Silver Tier (RPO<4 hours and RTO<24 hours)

• Recovery Class 3: Bronze Tier (RPO<24 hours and RTO<72 hours)

 Recovery Class 1: Gold Tier (RPO=0 and RTO<4 hours)

System/Application Description
Globus Banking Core Banking System

Globus Currency Currency/Monetary Management

Real Time Gross Settlement (RTGS) Real time dues settlement between local
banks

SWIFT Fund transfers to all financial institutions

 Recovery Class 2: Silver Tier (RPO<4 hours and RTO<24 hours)

System/Application Description

ERP: Oracle Application Enterprise Resource Planning

MS Exchange Email Server (KHI) Mail Server

Electronic Credit Information Bureau (eCIB) Database for Credit Information

File Servers User File Shares

 Recovery Class 3: Bronze Tier (RPO<24 hours and RTO<72 hours)

System/Application Description

Data Warehouse (DWH) Central Data Warehouse for DAG and ERP

Data Acquisition Gateway (DAG) Portal for Publications for local banks
 Testing & Exercising the BC Plans
• Exercising the organization’s Business Continuity Plan assesses its
viability and ensures that the staff is familiar with the plans;
understand the escalation process as well as is able to activate
the recovery strategies.

• The purpose of testing is to achieve organizational acceptance

that the business continuity solution satisfies the organization’s
recovery requirements. A written but untested plan may be
worse than not having a plan in place at all because it lulls
everyone in the organization into a false sense of security.
 Types of BCP Exercises at SBP
• Table Top Testing: Document walk through – Quarterly

• Mock Exercises: A scaled down rehearsal – Bi Annual

• Rehearsal: Full fledge testing - Annual

• Combined Staff Relocation Exercise – Quarterly

• Surprise tests – Any time

 Table Top Testing

• To be conducted within office

• Easy to conduct

• Effective

• Time Required: Approximately 30 minutes

 Mock Exercises

• Required to be conducted at backup site

• Critical functions to be tested

• Routine operations should not be disturbed

• Time Required: Approximately 4 hours

 Rehearsal

• Required to be conducted at backup site

• All critical functions to be tested

• Time Required: Approximately 4 hours

 Combined Staff Relocation Exercises

• All critical departments conducts exercise at the same

time
• Stress testing of networks, IT and Electronic
Equipment, utilities, other amenities, etc.
• All support departments presence is required.
• Command & Control Center is used as a central point
for managing all activities.
 BCP Annual Test Plan FY20-21 - Snapshot
Table Top Mock Exercise Rehearsal
Name of
Deptt./Office
Scheduled Actually Scheduled Actually Scheduled Actually
Date Conducted Date Conducted Date Conducted

03-09-2020 15-10-2020 17-05-2021

02-12-2020 28-04-2021
DMMD 03-03-2020
26-04-2021

12-08-2020 15-10-2020 15-12-2020

18-11-2020 11-04-2021
17-02-2021
TOD
18-05-2021

12-08-2020 16-09-2020 15-06-2021

11-11-2020 16-03-2021
Lahore Office 10-02-2021
11-05-2021

Total Number of Exercises Every Year: 207 +

 Aim of testing
• Infrastructure & Technology
– Check availability
– Check things work technically

• People
– Practice: automatic and confident
– Improve teamwork

• Logistics
– To test assumptions

• Awareness
– Demonstrate to higher management & others
 Maintaining BCP
• Maintaining an effective BCP requires procedures
to incorporate:
– Glitches found by testing
– Staff changes

• Periodic review of
– Business Processes
– Threats and impacts
– Overall assumptions
– Suppliers
 Embedding BCM in the organization culture
• BCP Training Module Developed for Flagship induction
programs at the entry level
• BCP awareness sessions and seminars
• BCP Committee meetings at different locations
• Participation of BCP Team members in different exercises
• De-briefing after every CSR exercise and some other selected
exercises
• Certification for BCP Team Members
• BCP Certification included in the Professional Development
Program of SBP
Crisis Communication/Media Handling
• BCP Communication Cards

• All communication through Command & Control

Center

• BCP Crisis Communication software

• Pre-Developed Holding and Releasing Statements

• Only Chief Spokesperson is authorized to speak to the

media
• “BCM initiative is like the country's defence
forces, you can not start building up the
army when the enemy attacks, you need to
be prepared at all times''

Thanks
 New Functions under discussion

Sr. Critical (Time

Related Departments
No. Sensitive) Functions
1 Credit Risk Monitoring
through Early Warnings
System
 RMD
2 Monitoring of Voice
Recording Message

3 Security Information and

Event Management  OCISO
Monitoring
 BCP Scenarios
• Scenario 1: SBP premises are fine but can’t be
approached due to city unrest/rains etc.

• Boarding and Lodging arrangements at SBP Premises /

Nearest Hotel (s)

• Scenario 2: SBP premises either can’t be

accessed or have been damaged

• Working from Backup site.