Pacific Bank LTD Disaster Recovery Planning (DRP)
In exercise of the power conferred by Section 14(2) of Bank and Financial Institution Act
2063 and the Articles of Association of PACIFIC Bank, the Board of Directors of PACIFIC
Bank has approved this Disaster Recovery Planning 2015 vide its ………. Board Meeting
dated ……………………. for implementation after review and recommendation of Risk
Management Committee of the Bank. The core purpose of this document is to articulate a
framework for detailed procedures and guidelines for Disaster Recovery of the Bank by
identification and prioritization of critical business functions and incident handling during
occurrence of contingencies affecting day to day business activities.
Prepared By
Coordinated & Reviewed By
Reviewed By
Reviewed By
Reviewed By
Reviewed By
Reviewed By
Reviewed By
Supported By
Any event that could negatively impact operations is included in the plan, such as
supply chain interruption, or loss of or damage to critical infrastructure (major machinery
or computing/network resources). As such, risk management must be incorporated as
part of BCP.
Business as usual may not always be possible due to situations beyond our control
where we are compelled to suspend or temporarily close down the Operations of one /
several / all Branches of PACIFIC in order to protect the interest of the Bank and its
employees. Such circumstances may include, but are not limited to, nationwide strikes (Bandh),
riot or civil unrest, imposition of curfew, natural disaster (earthquake, landslide, flood
etc.), or fire, which could partially/completely disrupt the Operations of One/Several/All
Branches.
1.2 Definitions
Unless otherwise specifically indicated, the following terms used herein shall have the
following meaning(s):
i. Crisis Handling Team (CHT) is the apex body during any disaster whose main
objective is to safeguard the Bank’s employees and its assets.
ii. Operation during Disaster (ODD) is a document which shall be prepared by all
the branches/departments to ensure uninterrupted operations or resume
operation with a minimum down time in their respective area/branch during a
disaster.
iii. BCP Coordinators are the mediators between other staffs and CHT whose
primary objective is to furnish the information to the CHT and disseminate the
decisions of CHT to other staffs during any disaster.
iv. Contact Details refers to the important contact numbers of staffs, customers,
regulators, suppliers, police station, hospital, fire brigade, etc. in order to seek
assistance during a disaster.
v. Grab List is the list of items which each member of staff should endeavor to
collect from their surrounding work area without compromising their physical
safety, when they are evacuated from the building for whatever reason.
Other than the terms specifically defined hereinabove, the terms used in
various sections of this manual shall have the same meaning as has been
defined under various other policy documents of the Bank and the
applicable laws of land, wherever relevant.
This document shall be reviewed on an annual basis by IRMD in order to identify any
gaps and recommend ways to fulfill the same.
1.4 Objective:
The main objective of this document is to set out procedures, processes and systems
necessary to continue or restore the operation in the event of a disruption. It provides
detailed guidance for implementing the recovery plan and outlines the roles,
responsibilities and succession in managing operational disruptions. It also defines
triggers for activating the BCP and establishes business resumption teams for core
business processes. The resilience of a financial institution to major operational
disruptions will be determined by the robustness of the country level BCP and BCPs of
all the participants (Branch/Department/Unit) within the organization.
[Figure: Process Phase cycle showing Analysis, Solution Design and Maintenance]
2.1 Analysis:
The analysis phase consists of identification of threat and severity & categorization of
its impact on business/service delivery. Common threats include:
Epidemic
Earthquake
Fire
Flood
Cyber-attack (Phishing, System penetration)
After identifying the applicable threats, impact scenarios are considered to support the
development of a business recovery plan. The analysis of the threat and its impact
differentiates critical (urgent) and non-critical (non-urgent) organization
functions/activities. Critical functions are those whose disruption is regarded as
unacceptable. Perceptions of acceptability are affected by the cost of recovery
solutions. A function may also be considered critical if dictated by law.
Besides the threats identified above, there are other threat scenarios such as Capital
adequacy, Liquidity crisis in the market etc. These threats, their impact and
contingency plan for the same shall be addressed through the decisions of
ALCO/Operations Manual of the respective areas.
Based on the threat identification and its analysis, the severity can be categorized into the
following three stages:
Stage 1: This refers to a situation where our operations are hampered but physical
amenities, building etc. remain intact and transactions can still be performed from the
existing location, i.e., Nepal bandh, strike, riot, threats etc.
Stage 2: This refers to a situation where fire, bomb, earthquake, physical damage of
building etc. have occurred and a temporary recovery site may be required to be
established to resume critical activities.
Stage 3: This refers to a situation where physical amenities and buildings are severely
damaged, there is a threat to the life of employees, and re-location of full activities is
required for a longer period.
After the analysis phase, business and technical recovery requirements precede the
solutions phase. Asset inventories allow for quick identification of deployable
resources. For a Financial Institution which relies heavily on IT, the plan requirements
may cover human resources, applications (CBS), data, manual workarounds,
computers and peripherals.
The robustness of an emergency management plan is dependent on how much money
an organization or business can place into the plan. The organization must balance
realistic feasibility with the need to properly prepare.
The solution design phase identifies the most effective disaster recovery solution that
meets the major requirements from the analysis stage. The solution design phase
determines the following:
During a crisis situation it may not be possible to follow the hierarchy ladder for
informing about the incident. As such, staff members who come to know about the
incident first may inform anyone in the hierarchy ladder. The escalation diagram is
given below.
[Figure: escalation diagram. Escalation of Information runs upward: Department Head / Any Staff Members, then Departmental BCP Coordinator, then Country BCP Coordinator, then Crisis Handling Team. Dissemination of Decision runs downward through the same levels.]
Since each department/branch is unique in terms of its operations, location, staff etc., it
is the department/branch which shall be in a position to best prepare and update their
team members and situation on a regular basis. Therefore, each department/branch
should prepare Operations during Disaster (ODD) guidelines.
BCP coordinators shall coordinate the entire incident upon receipt of information from
media (TV, Radio, print) and/or the branches/department where incident has occurred.
BCP coordinator shall also be responsible for disseminating the information.
a) At Country Level:
Country BCP coordinator
Country Deputy BCP coordinator
b) At Department/Branch Level:
Department/ Branch BCP coordinator
Department/ Branch Deputy BCP coordinator
The country BCP coordinator and country deputy BCP coordinator shall be assigned
by CEO or any other staff as designated by CEO. BCP coordinators in
Department/Branch level will be the Branch Manager or Department Head and Deputy
BCP coordinator will be Operation In-charge in case of Branches and supervisor or
second in-charge in case of departments.
Each Department/Branch shall list down the names of BCP coordinators in respective
Department / Branch as per Annexure-II.
The details of CHT members along with their contact information are mentioned in
Annexure-I. The CEO shall involve members of the board if the situation so warrants.
The flow of information is initiated from the Branch/Department staffs to the branch
level BCP coordinators. The branch level BCP coordinators shall further forward the
information to country BCP coordinators who shall forward the information to the CHT.
Based on the information received, the disaster situation is analyzed and the decision
of CHT is disseminated down the system as shown in the figure above.
The major objective of crisis management shall be:
Ensure the health, safety, security and welfare of staff and where appropriate
customers.
Control the immediate and developing situation whilst continuing operations
with minimum disruption.
Restore the business to normality as quickly as possible.
Minimize loss or damage and maintain business confidence / reputation.
Maintain effective communications internally, with customers, the media and
regulatory bodies.
Crisis management shall be followed by the actual implementation of the action plans
as appropriate and as decided by the CHT.
Implementation Phase
During a crisis it is important to inform all concerned staff members, customers,
regulators, suppliers, police station, hospital, fire brigade etc., in order to seek
assistance and help in recovering our business. Therefore, an up-to-date list of telephone
numbers of such individuals and offices should be prepared and retained.
Each Department/Branch shall list down the names and contact details of such
relevant persons or entity as appropriate under Annexure-II.
Each Department / Branch shall list down items for "Grab List" as per Annexure-III.
Each Department/Branch shall list down stationery items and mention the location
where the stationery has been kept as per Annexure IV.
Note: This provision is not required if another Branch is within a radius of 25 km.
This section deals with the steps that need to be taken as an immediate response
to an incident which may disrupt the normal/regular business environment.
i. Bomb/Terrorist Threats:
Each Department / Branch shall prepare a staff roll call register as per Annexure-V.
ii. Strike/Riot:
In case of hold up, safety of our staff members and customers is of prime concern.
Members of staff are not to retaliate against or confront the assailant(s) in a manner that
may aggravate the situation and invite untoward incident.
Concerned staff member or other staff members upon knowing the situation
should set off alarm system quietly and without the knowledge of the assailant(s)
if possible.
Do not voluntarily disclose information about any security arrangement unless
specifically asked by the assailants.
Inform department head / colleagues for further reporting to CHT after it is safe to
do so.
Each Department / Branch shall prepare a staff roll call register as per Annexure-V.
iv. Fire:
In case of fire, safety of our staff members and customers are of prime concern.
Therefore:
Review/assess the fire situation and, if the fire seems to be small and manageable,
use a suitable extinguisher if it is safe to do so. Please do not try to tackle the fire
yourself if you do not feel safe.
In case of naturally occurring disasters like earthquake, flood, landslides etc., the safety
of our staff and customers is our prime concern. Therefore:
Assess the severity of the disaster before evacuating the premises. At times, it
may be relatively safer to stay in rather than running outside the premises.
Each Department/Branch shall prepare a staff roll call register as per Annexure-V.
This section deals with the immediate response to be taken when notification is
received outside business hours.
In case of Bandh, strike, Bomb, Fire, Earthquake etc. occurring outside normal
business hours, our operations may be impacted unduly. Under the circumstances,
and depending on the situation, staff members should take courses of action including,
but not limited to, the following.
i. Bandh/Strike:
If Bandh and strike is known in advance, vault keys and any other
important keys of drawers, filing cabinets etc. must be taken over by staff
whose residence is nearest to the office. Such transfer of keys must be
recorded in the appropriate key register. Contact your colleagues,
Departmental BCP coordinators to gather information about the situation.
While going to office or returning home after office, staff members should not
engage themselves in any mob activities.
Visitors should be prohibited from entering other areas of the Bank unless
it is absolutely necessary. BM/Operation in-charge must in consultation with
BM/Operation in-charge should assess the situation and the need for cash
holding. Cash at the counters should be kept to the minimum. Rural
branches/extension counters should transfer cash beyond a minimal level to
nearest Branch.
All transactions initiated during the day should be completed. In the event of
circumstances worsening to a level where it is not possible to complete posting
of transactions for the system, it should be completed as soon as possible using
alternate means such as VPN access.
It may not be possible for IT staff to leave the office on time. In keeping with this
situation, an appropriate arrangement shall be made by General Administration
and Projects Department to put up IT staff and other employees handling critical
functions inside the Bank/Branch premises or alternate nearby suitable location.
ii. Fire:
If fire breaks out in the office premise outside normal business hours contact
your colleagues, Departmental BCP coordinators to gather information
about the situation.
Make sure the fire department/Police department has been informed about the
situation.
BM/Operation in-charge should assess the situation and list down all the items
that were recovered from the damage and forward the list to General
Administration department.
BM/OIs should also gather information about the well-being of their staff, family
members and any physical damage to their homes besides gathering
information about the damage to the office property.
BM/Operation in-charge should assess the damage of the disaster and plan on
continuing operations as per the respective branch’s Operations during Disaster
(ODD) guidelines.
All staff members should be vigilant and apprise Heads of Department/BCP
coordinator of any pertinent information.
While Departments are preparing for a temporary recovery site, CHT will also
be assessing the situation and extent of damage so that it will be in a position to declare
whether it is safe to return to the work place or a crisis situation exists. CHT will
decide when to return and advise the Country BCP coordinator to inform all
concerned about the decision. You will need to repeat many of the earlier steps in
this plan, thus ensuring the return is conducted in an orderly manner and business will
be able to re-commence immediately.
Please note that critical activities should be divided into 3 tiers depending on
the seriousness of the impact on business if we do not resume on time.
a) Tier – I:
This relates to the most critical business activities, which require resumption of business
within 24 hours. Such activities could be honoring of customer cheques, Deposit
transactions, ATM services, stop payment of cheques, blocking debit card, remittance,
SWIFT, clearing transaction etc.
b) Tier – II:
c) Tier – III:
GAP (in case of Head Office) or Branch Manager (in case of Branches) should find and
establish a place where TBRS could be established. After TBRS has been established,
the Branch Manager should advise the Country BCP coordinator of the location and contact
number of TBRS.
Once TBRS is found and established it is important to contact our regular customers
and advise them of our temporary location from where limited services are provided.
It is apparent that TBRS will have limited workspace and resources. It is not possible to
invite all the departmental staff members to work in TBRS. Therefore, invite only the
critical staff members to come in the TBRS to carry out critical activities.
Also, please liaise with IT department and General Administration and Projects
Department for assistance as and when required.
If the damage to the infrastructure is slight, you may be able to return to your own
office after properly assessing the Branch/Department premises. Upon returning to
home office, you should start to establish normal banking procedures.
You may need to speak to the customers to advise them that you have returned to
home office and operating as usual.
Each Department/Branch shall list down phone number of regular customers of the
Branch to inform that the normal Banking Operation has resumed.
Be careful when speaking to anyone outside the bank and ensure that you
communicate the right message. When a major incident takes place, people need
to be re-assured that the matter is being professionally managed – you must
present the picture of “Business as Usual”. Do not say anything that differs from any
statements made by CEO or the person designated by the CEO.
Also, a temporary accommodation arrangement for the relocating branch may need to
be placed if required. It shall be the responsibility of the Branch manager to liaise with
all concerned to suggest, recommend and establish temporary arrangement if required.
All communications with the media, authorities or other third parties MUST only be
handled by CEO or staff specifically designated by him. Under no circumstances,
anyone else should make any comment about the incident or the status of the recovery
process.
If the media approaches anyone, they should simply refer the media/enquirer to
the CEO or the person specifically designated by him, give them the telephone number
and say: “It would be better for you to speak to our management as they will have
more up to date information”.
3.5.7 Insurance
In the aftermath of the incident and after assessing the damage, full details of property
damage should be given to the insurance company.
The Disaster Recovery Plan for all Corporate Departments is outlined hereinabove, except
for the IT Department, considering the extensive technical details required to outline the
process of Systems business resumption. Hence BCP for IT or Systems Disaster
Recovery is covered separately in a Disaster Recovery Plan, which is an integral part
of this document. The IT Disaster Recovery Plan shall define the activities to be carried out
by members of IT Service Delivery to recover the service of pre-determined critical
computer applications to business user departments following the loss of (or loss of
access to) the Data Center at Corporate Office.
This is the most important phase of an organization’s BCP as it helps determine the
effectiveness of any BCP. The purpose of testing is to achieve organizational
acceptance that the solution satisfies the recovery requirements. Plans may fail to
meet expectations due to insufficient or inaccurate recovery requirements, solution
design flaws or solution implementation errors.
i) Checklist Testing:
A facility evacuation drill should be practiced at least once a year with all staffs to be
sure they understand how the evacuation should proceed, how to handle staffs with
physical limitations, external assembly locations, and how verification of all staffs is to
be accomplished.
All staffs must be well versed with the Country BCP and Unit/Department/Branch
specific Operations During Disaster (ODD) guidelines. All Units/Departments/Branches
are to conduct a separate session once a year to discuss the BCP/ODD and circulate
the change/outcome to the CHT members/BCP coordinators.
4.2 Maintenance
The BCP manual must evolve with the organization. Like most business procedures,
Disaster Recovery planning has its own jargon. Organization-wide understanding of the
Disaster Recovery plan is vital, and the changes identified are to be updated on a regular
basis.
The annual maintenance cycle of the BCP manual shall cover:
Confirmation of information in the manual, roll out to staff for awareness and
specific training for critical individuals.
Testing and verification of technical solutions established for recovery
operations.
Testing and verification of organization recovery procedures.
Issues found during the testing phase often must be reintroduced to the analysis
phase. This shall help to redesign the solution and address such issues.
The implementation of the Disaster Recovery Planning will regulate and also define
the way in which a crisis should be managed with the resources available (Human
and other material resources). The basic requirement of any organization during a
disaster situation is to resume the critical functions as soon as possible with the
minimum requirement of resource and cost.
Chief Executive Officer is the head of the management and Crisis Handling Team
(CHT) which shall be primarily responsible for the invocation of this document.
It shall be primary responsibility of CEO or designated alternate for circulation
and implementation of this document as and when required.
It shall be the responsibility of the CEO or designated to handle all
communications with the media, authorities or other third parties.
CHT in coordination with IRMD shall conduct checklist testing, evacuation drills
and knowledge testing exercises on bi-annual basis in order to ensure the
effectiveness of the process/procedures outlined in this document.
Such exercises are to be closely monitored by CHT and IRMD in order to make
sure the given instructions are followed properly. Also, review of the exercise to
be done once it is completed and corrective measures to be incorporated as
found appropriate.
Internal errors could be due to unclear instructions, panic or staff being unable to
understand the instructions, which could result in loss/damage to the physical health
of the staff or the Bank’s property. Hence, it is necessary to perform such drills and
checklist testing exercises in order to identify any possible internal errors and
take appropriate corrective actions.
7.6 Disclaimer
This document is prepared as per the prevailing procedures, policies and
guidelines, NRB directives and existing statutory requirements. So, it needs to be
amended from time to time to meet any changes and to make it up-to-date at all
time. In case of ambiguity in any of the matters stated in this document, the
interpretation of the Chief Executive Officer shall be final.
(Note: A consolidated list of important telephone numbers of all Units/Branches is to be prepared and
uploaded on Izone by Human Resource Department. Any update in the Branch/Department list shall
be informed to a designated person in Human Resource Department, who shall update the
consolidated list on Izone).
BCP Co-ordinators
Branch/Department:
BCP Co-ordinators
Police Station:
Fire Brigade:
Hospital:
Department of Commerce
(You have to provide the telephone numbers here as per the stipulation under "Contact
Details" section 2.5 - page 4 of this document).
Grab List
Branch / Department:
Branch / Department:
________________________________________
Signature of Department Head / Branch Manager