A continued attitude

Part of the Banco Santander Group, Abbey’s Corporate Business Continuity Manager, Richard Bridgford, tells FST about the firms approach to BCM and the way banks are changing in the wake of the current economical climate.

Organizationally, our approach to business continuity very much focuses on what is strategically important to Abbey as an organization. In terms of our business, we view what the important processes are and what things that if we took a hit on, would be a showstopper to the organization. Of course, that is broken down to cover a multitude of potential disasters, such as a loss of building, systems or people, and there is a focus on company liquidity, market stability and customer service.

In terms of our responsibilities, a lot of the role I perform is around setting the standards, guidance, and corporate oversight and reporting through to senior against the strategic goals we have outlined. It is our individual business areas responsibility and their management’s responsibility to actually implement our policy and implement the plans within their own business areas, and they very clearly take ownership for doing that across the organization. In addition, we are aware of the things coming through from the Financial Services Authority (FSA) on what is going to be a concern to the sector, because ultimately they are going to be the major concerns to us as an organization.

BCM strategies are crucial to financial organizations, not least because of the current state of the economy and particular risks certainly face organisations that are lax in adequately implementing these strategies. BCM certainly has an impact on a financial institution’s customers, and certainly, across the banking sector, customers are now becoming more aware of business continuity and are tending to ask about it as part of doing business.

Further to this, the potential reputational risks that are present are certainly a concern to any one in the banking sector at the moment. The regulations, and the expectations of the FSA about appropriate business continuity practices, add to the risks.

The operational impact of liquidity-type issues is another risk factor that banks should consider. This is often seen as something of a traditional banking practice and not something seen as a business continuity issue, but if you look at things that have happened in the last twelve months, such as the Northern Rock crisis, for instance, it's almost at our peril now for financial institutions not take into account things that could have an operational or business continuity impact. The other risk is around anything that can shape the confidence people have in the bank, and we're currently in an environment where there's very little leeway for people's confidence to be shaken, in terms of their banks. It almost highlights the need for business continuity.

More than an IT issue

BCM is often treated purely as a problem in terms of IT, but the reality is that it really needs to encompass all areas of business. Our policy states that business continuity needs to cover three core elements, a loss of buildings, systems and people, and all of those aspects we have built into both our crisis management and business continuity processes. All areas are actively involved in developing business continuity strategies, and there is also involvement from the property side, the IT side, the human resources side, and both the development and implementation sides because we see it as integration. One element cannot succeed without the others.

Today, because we’re in a changing environment, we have the structures in place to be able to look at that, and we have the people and the structures involved where we could integrate those discussions. The key thing is the trigger of recognizing that one change – a change in the people strategy for example – may impact the other aspects of business continuity. Equally, changing technology may have a people impact. Ultimately, a trigger for a change in one aspect also has a knock-on affect to the whole concept of business continuity because we are a dynamic and changing organization, not just Abbey, but certainly within the entire Santander Group.

Having said our plans aren't just around technology, technology is still very important. We are a technology-dependent organization, and I think it is important to realise that there are more complex interdependencies, not just on our technology, but also on some of the market infrastructure that we're becoming more and more dependent on.

This is not just a bank working in isolation any more; and that applies at Abbey, at Santander, and it applies other institutions within the UK and European market. However, I think in mitigation, recovery technology is improving for IT, and there are now better ways of looking at virtual infrastructures and virtual technology that actually speeds up recovery times and makes it easier than perhaps five or 10 years ago to recover something you don't necessarily need and that's something we're definitely going down the route of.

The human element

One of the things that we have recognized as an organization has come out of events such as the seventh of July. Fortunately that had no real major impact on us as an organization, but having operations based in London, we were affected by it to some extent and had to invoke our plans on that basis. Also, coming out of the pandemic planning was a key element, and peopleare crucial; it's an element that I think a lot of organizations had moved away from. It's always been there, and it still in there, but most have always assumed people would just be available, and I think there have been a few eye openers in recent years to say that we need to do more planning. Without people, you have no solution. Who's going to run the processes? Who's going to operate the systems? Even with an IT solution, you need people to support the technology. There's still a people element and sometimes what gets forgotten is that IT systems or support systems are equally as important as their own people plans as a frontline of business.

Practice makes perfect

Richard Bridgford gives evidence of BCM in action
In 2006, in one of our major operations, there was a major crane collapse where they were building a hotel across the road. It left the crane in an unstable position, so we had to evacuate the building. We then looked at going through the existing impact analysis and information we have on our business continuity plans as to which teams in that building were critical, which are non-critical, what the key technology was, and quite quickly made the decision as to which teams needed relocating, and which teams we could hold back pending further information.

To be honest it was actually the first time we'd used that strategy, and it really worked very successfully for the critical areas and moving them within the area. It wasn’t the first time it had been tested, but was the first time it had been used. Of course it’s extremely important that these plans are regularly tested and updated in response to emerging threats, accordingly.

As a minimum standard, we look to testing all aspects, so this is both our recovery site testing and the actual business plan understanding testing. We have, as a bare minimum, a standard that every area has to do that every 12 months, or they need to update and retest the plans upon major change. So any aspect that triggers what we deem a material change of the way the business works, that would prompt an updating of plans, and to confirm the plan is updated, we have to test.