Sunday Nov 24, 2024
Sunday Nov 24, 2024
Thursday, 18 January 2024 23:42 - - {{hitsCtrl.values.hits}}
|
Amid a world of uncertainty, collective hope for a better future resides in people’s minds. It is part of the human spirit to be optimistic. A well-functioning financial system is important in building people’s confidence in the economy that is fundamental to the quality of life and the country’s future. The banks, therefore, are responsible for keeping the economy going.
They must, consequently, be resilient and secure. Sri Lanka’s economy is at a very vulnerable stage. The World Bank says the Sri Lanka economy contracted by 7.8 % in 2022 and 7.9 % in the first half of 2023. At this stage, it shows positive signs of returning from the crisis. From the Banks’ side, they need to ensure strong resilience with effective risk management in place.
Today’s threat landscape is constantly changing for the worse. Natural disasters, cyber attacks, supply chain failures, people-related issues, third party vendors, technology mishaps, data piracy and skill shortages are a few among the many.
As we know, cyber threats have taken a major role as it has become more sophisticated, targeted, widespread and undetected. Banks need to have a sound understanding of all these and be on top of controlling them proactively.
Globally, banks follow a smarter, more cost-effective approach to managing risks to build resilience. ISO 22301 Business Continuity Management System is a well-recognised framework that banks and financial institutes adopt. From the well-accepted business strategy it couples with strong risk management to achieve business resilience.
ISO 22301 is a well-proven framework that is a protective and evaluative measure. Based on the
Plan-> Do -> Check -> Act (PDCA) iterative methodology is a highly systematic process that ensures consistency and reliability of the response and recovery capabilities.
In addition to ensuring long-term operational stability, implementing this standard in a medium to large organisation requires the expertise of a skilled subject matter expert and takes almost four months to complete. Two key features of implementing this standard are the engagement of top management and the development of a culture of incident preparedness throughout the organisation. By establishing such a culture, risks and vulnerabilities can be detected early, and all staff members will be trained to report any potential dangers to the bank. It is generally good practice for the business continuity, IT, information security, and risk departments to closely collaborate. There have been numerous examples of banks ignoring minor risk issues that have eventually escalated into major events such as ‘run on the Bank’.
Framework
The standard is divided into ten clauses, ranging from clause 1 to clause 10. Clauses 1 to 3 serve as the introduction, while clauses 4 to 10 comprise the mandatory requirements that must be fully implemented to obtain accreditation. Those who have implemented this standard confirm the benefits they gain from a consolidated culture of preparedness for incidents, responsiveness to them, and practice of recovery methods. Additionally, they have a set of common criteria to measure their own success.
Research Finding
Our research has shown five major benefits that Banks achieve by taking the ISO route for business resilience.
1. Enhanced Operational Resilience:
ISO 22301 provides a structured framework for banks to identify potential threats to their operations, evaluate the impact of any disruptions, and develop strategies to ensure continuity. By embracing ISO 22301, banks can improve their operational resilience, guaranteeing the continued delivery of critical services despite potential disruptions such as natural disasters, cyber-attacks, supply chain failures, third-party vendors, or other crises. Uninterrupted and efficient customer service is the key to a positive reputation.
2. Regulatory compliance
Compliance with ISO 22301 helps banks align their business continuity management practices with international standards. This can facilitate compliance with regulatory requirements related to operational resilience and business continuity. The Central Bank of Sri Lanka recognises the requirements of ISO 22301 may use it to assess an organisation’s resilience measures.
3. Stakeholder confidence and trust
ISO 22301 certification shows that a business is dedicated to being resilient and has the capability to manage and recover from disruptions efficiently. This dedication can increase the confidence of stakeholders, such as customers, investors, and regulatory authorities. Stakeholders are more likely to trust a bank that has demonstrated its ability to handle unexpected events and maintain the continuity of important services and activities.
4. Improved risk management
ISO 22301 directs banks to conduct comprehensive risk assessments and establish effective risk management processes. By identifying potential threats and vulnerabilities, banks can develop strong risk mitigation strategies and contingency plans. It’s important for banks to also consider third-party vendor risk management as an integral part of their overall approach to risk management. Taking a proactive approach to risk management helps to enhance the organisation’s resilience.
5. Efficient resource allocation
Adopting ISO 22301 enables banks to manage their resources more effectively to safeguard against unforeseen events. This is achieved by identifying critical processes and services through a structured approach to business continuity, assessing their importance, and allocating resources accordingly based on the potential impact of disruptions. This ensures that resources are directed to areas most essential for maintaining business operations during adverse conditions. In addition to these benefits, ISO 22301 provides a framework for continual improvement. Banks can regularly review and update their business continuity management systems, incorporating lessons learnt from exercises, incidents, and changes in the business environment. This iterative process ensures that the organisation remains adaptive and resilient in the face of evolving threats.
Conclusion
Even if a single bank in the country’s financial system breaks down, the chain reaction is devastating. The shock waves would spread across the banking and financial system and the entire economy. Therefore, prudent proactive measures will safeguard against unwanted disruptions or failures.
It is important to note that the specific benefits a bank realises may vary based on its size, complexity, and the nature of its operations. Additionally, achieving and maintaining ISO 22301 certification requires a commitment to ongoing improvement and compliance with the standard’s requirements.
The writer has over 30 years of international experience in business continuity, information security, and crisis management.
Compliance with ISO 22301 helps banks align their business continuity management practices with international standards. This can facilitate compliance with regulatory requirements related to operational resilience and business continuity. The Central Bank of Sri Lanka recognises the requirements of ISO 22301 may use it to assess an organisation’s resilience measures