The banking industry depends heavily on information systems, and system resources and financial data tend to be concentrated, which poses great risks to the sustainable operation of banks. An interruption to business operations can suspend the business of an individual bank and, in extreme cases, may even suspend business across the whole industry, with losses that are unpredictable.
Therefore, from the perspective of industry supervision, the Guidelines put forward the strategic plan that commercial banks should establish business continuity management systems, broadened the scope of the theory and practice of comprehensive risk management for commercial banks, and stipulated and discussed the system and process for establishing business continuity management in China's commercial banks from four aspects.
First, the Guidelines clearly point out that the business continuity organizational structure of commercial banks in China is characterized by cross-departmental and multi-departmental cooperation, and a special business continuity management committee is set up to manage the units related to business continuity, such as senior management, business line departments and risk management departments.
Second, the "systematic" character of the business continuity plan is set out. A business continuity plan is a disaster prevention and response mechanism: a series of strategies and plans formulated in advance that gives banks flexible preventive preparation, rapid emergency response and a timely recovery and restart process for dealing with interruption events. It includes a crisis communication plan, safety and evacuation plans, and a recovery plan.
Third, the drilling, maintenance and continuous improvement of the plan are strengthened. The Guidelines make clear that commercial banks should carry out business continuity plan drills for all important businesses at least every three years; they also set mandatory requirements such as special drills of business continuity plans at key points such as major business activities and major social activities, or before major changes to key resources.
Finally, to improve the disaster recovery capability and business continuity of commercial banks in the event of a catastrophe, a worst-case plan is formulated. At present, business continuity management at domestic banks focuses mainly on high-probability events such as system failure, personnel operation and power failure. Plans for low-probability catastrophes such as natural disasters and epidemics of infectious diseases are lacking or incomplete, and preparation for how catastrophes develop and how to respond to them is insufficient. These factors will become the bottleneck restricting the business continuity of commercial banks.
Exercise in peacetime.
"Business continuity management is a cross-border work, which requires not only disaster backup and recovery based on IT systems, but also the participation of people at different levels of the enterprise and the joint efforts of various resources to establish a comprehensive business continuity management system with crisis management as the core," Yin Hui, general manager of the consulting service department of CICC Data System Company, told the reporter. To date, CICC has provided BCM management and consulting services for many large state-owned commercial banks and city commercial banks, such as China Construction Bank and Bank of Communications.
Yin Hui revealed that the CBRC's supervision of business continuity management at commercial banks currently focuses not only on the IT infrastructure environment, disaster recovery, emergency management and the construction of business continuity systems, but also on the frequency and types of drills. Commercial banks need to carry out multi-form, cross-departmental and cross-regional drills as well as field drills, which places higher demands on banks.
Therefore, CICC Data has added an "emergency response and drill" function in CeBCM 3.0, with which emergency plans are tested and revised against the actual environment. Drills strengthen employees' methods of coping with emergencies and improve their ability to handle them. Li Ke, deputy general manager of the data consulting service department of CICC, said that disaster recovery management and drills in various situations are very important for industry users, and that switching between production and disaster recovery requires multiple drills.
Testing and drills are a necessary guarantee and a basic step in verifying the effectiveness, completeness and operability of a bank's business continuity management plan and in ensuring that resources are available. Through regular testing and drills of the related plans, the plans are continually updated and maintained in light of the problems found and of changes in personnel, resources and environment, so that they can be carried out smoothly in the event of an interruption.
In September 2011, the Risk Management Department of the head office of China Construction Bank coordinated seven departments, including the Security Department, General Affairs Department, Operation Management Department, Electronic Banking Department, Public Relations Department, Personal Deposit and Investment Department and Information Technology Management Department, and organized branches in Sichuan, Guangxi and other provinces to conduct comprehensive business continuity drills in earthquake, flood and fire scenarios. The key contents included the recovery of standby sites in extreme disaster scenarios, personnel rescue and evacuation, recovery and manual replacement of business processes, and media response and crisis public relations, so as to achieve coverage of its business continuity management system at the head office, branches and sub-branches.
In addition, switching between the business system and the disaster recovery system is the key and most difficult point to manage during a drill. Li Ke told reporters: "Switching is risky, especially when the system retreats." To solve this problem, Bank of Communications introduced a business continuity management platform and related information services in its BCM project for daily drills and emergency support, which improved the efficiency of risk assessment and business impact analysis and the quality of emergency plans.
Gao Jun, general manager of the data center of Bank of Communications, said: "The continuous management system of the data center we developed focuses on the functions of emergency drills and emergency handling, and turns the traditional desktop drills into recordable simulation drills, which can be evaluated afterwards. At the same time, our staff can drill according to a fixed cycle. They are very skilled in the process and content, which improves the efficiency of the drill."
At present, Bank of Communications has automated disaster recovery switching for large-scale systems and, for the first time among domestic banks, has achieved switchover and failback of business systems between data centers and backup centers in the same city. The business recovery time is only 1.5 hours, with zero data loss (RPO is 0), reaching the international advanced level.