31 January 2002
The Chief Executive
All Authorized Institutions
Dear Sir/Madam,
The HKMA has been reviewing the implications of the events of 11 September 2001 (9/11) for business continuity planning. Discussions on this issue have been held with banks, both individually and as a group, including those whose New York offices were directly affected by 9/11. In addition, the HKMA has conducted a self-assessment exercise involving 25 AIs in Hong Kong to gain an understanding of the effectiveness of their business continuity plans (BCPs).
This letter offers some preliminary conclusions on the lessons to be learned based on the work undertaken so far. The HKMA will however continue its research in this area, taking into account guidance being developed by the international regulatory community including the Financial Stability Forum. We will also step up our review of institutions' BCPs as part of our examinations of e-banking and information technology controls in 2002. It is also our intention to issue more detailed guidelines on business continuity planning later this year.
General lessons
There seems to be a general consensus that the main lessons to be drawn from 9/11 include the following:
The state of readiness of BCPs in Hong Kong
This raises the issue of how well AIs in Hong Kong could have coped with a disaster on the scale of 9/11. The self-assessment exercise referred to earlier suggests that there are a number of areas in which AIs' BCPs could be improved. In particular, it appears that a number of AIs may be relying on the efforts that they have previously put into their Y2K planning. However, too much reliance should not be placed on this. Y2K was a known event for which preparations could be made in advance (e.g. in terms of special back-up arrangements). It was also essentially a software problem and did not raise the issue of destruction of people and property.
Institutions should not therefore assume that their BCPs are adequate simply because plans were prepared for Y2K. Apart from anything else, it is necessary for such plans to be reviewed, updated and tested regularly. AIs should therefore review their existing BCPs carefully in the light of a risk assessment of what they need to do to protect all the critical areas of their business under various scenarios. Given that BCPs involve a cost, this raises the question of what is the worst case scenario that AIs should plan for. This is an extremely difficult question on which to advise and institutions will to some extent need to form their own judgement. However, it would seem sensible for AIs to plan on the basis that they may have to cope with the complete destruction of buildings in which key offices or installations are located (rather than just denial of access for a period) and the loss of key personnel (including senior management)*. AIs should also plan on the basis that the surrounding infrastructure (in particular power and telecommunications) may be affected and that back-up facilities might need to be used for an extended period of time.
In the light of this, AIs may find it useful to consider two-tier plans: one to deal with short-term problems which would be fully developed with the physical capacity to put it into immediate effect and the other, which might be in paper form, to deal with a longer-term scenario (e.g. how to lease additional premises and how to accommodate processes that might not be critical immediately but would become so over time).
In developing, updating and testing BCPs it is important that the process should be endorsed and driven by top management. This is necessary to ensure that business continuity planning is taken seriously by all levels of staff and sufficient resources are devoted to putting the plan in place. Senior management should be aware of what they are personally required to do in the event of the BCP being invoked and should participate, where appropriate, in plan rehearsals which should be conducted, at a minimum, on an annual basis.
Specific lessons
Apart from the general lessons described above, there are a number of specific points of which AIs should take note:
The HKMA will be following up with individual AIs on the steps they have taken to review and, where necessary, enhance their BCPs in the light of the events of 9/11. They are urged to treat this as a vital issue for business survival. The HKMA will also be liaising with the Financial Services Bureau and other regulators in Hong Kong on what further steps should be taken to develop sector-wide contingency procedures and crisis management arrangements.
If you have any questions on the contents of this letter, please contact Shu-pui Li on 2878-1826 or Brian Lee on 2878-1651.
Yours faithfully
D T R Carse
Deputy Chief Executive
*This need not be caused by a terrorist attack. It could be the result of, e.g. a serious fire.