CASE STUDIES
Author: Michaël Renotte
Photo credit: Michaël Renotte
BANQUE DE PATRIMOINES PRIVÉS CERTIFIED ISO 22301, A FIRST IN LUXEMBOURG!
banquedepatrimoinesprives.com
Carlos Fernandez-Rubies de Lillo, Managing Director; Josep Arseni Ramoneda, Chief Operating Officer/Chief Financial Officer; and François Clausse, Head of IT Department - BPP
Banque de Patrimoines Privés at a glance...
Founded in 2010
7 billion assets under management in Luxembourg
First bank being ISO 22301 certified in Luxembourg
By gaining access, with the support of EBRC, to ISO 22301 certification, the Banque de Patrimoines Privés becomes the first Luxembourg-based financial institution to set up a Business Continuity Management System in full compliance with the standard.
The Banque de Patrimoines Privés is a Luxembourg-based financial institution geared towards private banking. It was founded in 2010 and mainly provides wealth management, custody and administration services for investment and portfolio management funds. In 2011, BPP was acquired by the Crèdit Andorrà group, the market leader in Andorra. “The Crèdit Andorrà group is in the midst of a major international development programme” explains Carlos Rubies, Managing Director of the Banque de Patrimoines Privés. “Today, Crèdit Andorrà is present in Europe - Andorra, Spain, Luxembourg and Switzerland - as well as in America.”
— AGILITY AND RESPONSIVENESS: CONDITIONS CONDUCIVE TO CERTIFICATION
“Our strategy is essentially focused on our customers, who come from all regions of the world. It is for the purpose of ensuring the highest level of service to our customers that our policy is to be a first-class stakeholder in the activities we carry out” continues Carlos Rubies. “The small relative size of our bank makes us very agile stakeholders in an increasingly complex market. We are also very keen to anchor the quality and efficiency of our processes in a demanding normative framework, which is both a guarantee of safety for our customers and a differentiating factor in the market.”
“With the acquisition of Banque de Patrimoines Privés by Crèdit Andorrà” says François Clausse, Head of the bank’s IT Department, “various projects aimed at supporting the growth of our business have been launched, including the adoption of the Avaloq banking software, the deployment of the NeoXam GP3 application - to support the development of the fund industry - and the implementation of an electronic flow management solution.”
— ENSURING INTEROPERABILITY BETWEEN BUSINESS AND IT
“At the same time, we undertook to implement procedures relating to business recovery, but the vision we had of it was purely IT-based, oriented towards disaster recovery, and disconnected from the needs of business departments. However, we wanted to ensure interoperability between business and IT flows, which requires different recovery times being taken into account.” It was with the aim of solving this equation that BPP’s management decided in 2017 to provide the bank with a Business Continuity Coordinator by offering its Head of IT the opportunity to follow training in order to obtain the title of Lead Implementer of the ISO 22301 standard, and thus acquire the necessary expertise to support the company in the implementation and management of its Business Continuity Management System.
— TRAINING IN REAL CONDITIONS
“To achieve this objective, we chose to work with the Luxembourg leader in this field, EBRC. We decided by mutual agreement that the training would not be purely academic in nature. We used the bank and existing procedures to ensure that the training framework is as close as possible to the reality in the field.” During this training cycle, François Clausse gathered the company’s various stakeholders and, together, they conducted an in-depth reflection through several Business Impact Analysis and Risk Assessment sessions. “The Business Impact Analysis and Risk Assessment sessions have the advantage of enabling business process managers to put into perspective the role they play in the overall flow of the bank’s information system” explains François Clausse. “This exercise enabled us to map the main banking processes and the associated interdependencies. We have therefore been able to formalise a policy that has resulted in a strategy and various business recovery procedures.”
— CERTIFYING THE BANK
At the end of this first cycle, BPP’s management decided to increase the company’s level of maturity by making it take the path of certification. After validation by the Board of Directors, all efforts in 2018 were focused on achieving the ISO 22301 certification. “During the bank’s certification cycle, we formalised and tested all our procedures and implemented crisis management and automatic communication procedures, the latter of which are based on the F24 application. The experience was then validated by our internal and external audit departments, which enabled us to position our bank in line with the standard and thus achieve certification” explains François Clausse.
— A DEMANDING STANDARD…
“ISO is an international standardisation body” he continued. “Therefore, the ISO 22301 standard enables us to establish and modify our model - but also to control, maintain and test it - using an unalterable and globally proven management system. In addition, the roles and responsibilities of all stakeholders are clearly stated, as the strategy emanates from the Board of Directors, the tactics are the responsibility of the Business Continuity Coordinator and operationality is ensured by the company’s various departments.” “However, the scope of the ISO 22301 standard is not limited to the recovery plan” notes François Clausse. “The standard also includes the protection of employees, the maintenance of the company’s vital activities, contracts and SLAs, greater predictability and better understanding of events in the event of a crisis, as well as the protection of the entity’s reputation and competitiveness.” In order to meet the requirements of the ISO 22301 standard, it is also essential to develop a proper understanding of the organisation and to establish clear limits on the scope of the management system. In particular, it is important that the organisation respects the interests, needs and expectations of the various stakeholders - business departments, IT Department and staff - as well as the position of regulatory and supervisory bodies. “Thus,” underlines François Clausse, “the implementation of a Business Continuity Management System enables us to meet certain regulatory requirements, in particular that the bank is able to test the robustness and resistance of its systems.”
— … WHICH OPENS UP CONSIDERABLE PROSPECTS
“Finally,” he added, “achieving an international certification such as ISO 22301 demonstrates our interest in risk management and the resumption of our organization’s business. The effort made by the bank enables it to affirm the robustness of its system.” “We are indeed succeeding in achieving performances that seem difficult to achieve for a bank of our size” says Josep-Arseni Ramoneda, Chief Operating Officer of BPP. “We must therefore be able to demonstrate to our customers and partners that our processes are as efficient as they are robust. This effort also paves the way for other certification paths, in areas such as quality and security, for instance.”
— RELYING ON A MARKET LEADER
As part of this certification, the Banque de Patrimoines Privés chose to work in partnership with EBRC. “With international expertise in this field, the professionals of EBRC Advisory team were able to optimise the implementation of the standard through summary documents that effectively support the Business Continuity Management System” explains the Head of the bank’s IT Department. Last year, the bank also chose to set up its emergency positions in EBRC’s Resilience Centre Luxembourg South in Kayl. “EBRC is the market leader with 1,000 emergency positions in totally secure spaces that enable us to completely and transparently switch our operations following a disaster or unavailability” confirms François Clausse. “It was in this same resilience centre and with the support of an EBRC Service Account Manager that we first tested our Business Continuity Management System. This test was a real success and, after validation by the Bank’s Executive Committee, our management system was audited by PECB, a global provider of training, examination, audit, and certification services for a wide range of international standards. Whether it is our journey towards achieving ISO 22301 certification or the establishment of our emergency positions, we can only welcome the support we have received from the EBRC teams. In addition to the great professionalism I have already mentioned, EBRC’s consultants demonstrated, during their interventions, a rare sense of listening, sharing and common interest that allowed us to establish a relationship of trust” concludes François Clausse.
In recent years, companies have had to contend with traditional risks - breakdowns, errors or moderate disasters - and emerging risks - climate-related disasters, cyber threats, terrorism, cascading failures that cause widespread service interruptions, etc. This change of perspective calls for the implementation of new strategies to ensure the growth and sustainability of organisations.
Published in 2012, the ISO 22301 standard is a Business Continuity Management Systems standard that can be used by organisations of all types and sizes. Once their management system has been implemented, organisations have the opportunity to apply for certification of compliance with the standard to demonstrate their compliance with good business continuity management practices to the legislative and regulatory authorities, potential customers and other interested parties. The ISO 22301 standard can also be used as a reference for the company to assess its situation in relation to good practices and for auditors to report to management.
The value of the standard goes beyond simply obtaining a certificate of compliance: it also serves to identify and manage current and future threats, to take a proactive approach towards minimising the impact of incidents, to maintain essential functions in times of crisis, to minimise downtime during incidents and to demonstrate resilience.