Banque de Luxembourg has been one of Luxembourg's leading wealth managers for more than a century. Like all financial institutions, Banque de Luxembourg complies with regulatory requirements that demand effective management of the risks that could affect the availability of its banking services.
In 2015, the Bank joined forces with EBRC to set up a system to ensure the continuity of its operations. "We wanted to have a structured approach to business continuity, not only to meet the requirements of the regulator but also to guarantee the confidence of our clients and partners. Because banking is systemic, we needed to ensure that we were applying a responsible and thorough approach to risk. With the support of EBRC's teams, we used the ISO 22301 standard on security, resilience and business continuity management systems to develop a management framework that takes account of our businesses and risks."
Assessing risks and the sensitivity of activities
Stéphane Vokar recalls that in 2015, the main concerns were the "Royal Hamilius" building site, a stone's throw from the Bank's head office. A gas leak or possible collapse would have rendered the building inaccessible, jeopardising business continuity. At the time, teleworking was not a widespread practice and it was necessary to find appropriate responses to the various risks identified. "Initially, the focus of the risk assessment involved analysing the sensitivity of certain business lines or support functions, and then identifying interdependencies. Through a process of exploration and discussions with our teams, we were able to draw up an inventory of essential activities and priority functions, and we implemented plans and processes to facilitate recovery in the event of a crisis and guarantee the continuity of our activities."
Business Continuity Management: a dynamic approach
Because yesterday's risks are not today's (the Hamilius project is now completed, the Covid-19 crisis has passed and cyber risks are on the rise), Business Continuity Management needs to be part of an evolving approach. Business processes are changing, and regulations are being tightened, notably with the adoption of DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Security 2), forcing market players to comply with more stringent security and resilience requirements.
"The beauty of ISO 22301 is that it is much broader than the regulations require," explains Christophe Ruppert, Cyber-Resilience Advisor at EBRC. "It provides a framework from which we can build business continuity management into a continuous improvement approach, taking into account changes in business risks. It's a comprehensive and evolving toolkit, which also helps to build skills in relation to the various challenges facing the organisation."
Facilitating maintenance of the business continuity management system
It is important that the Business Continuity Management System can be maintained effectively. This can be a time-consuming task, given the changing and increasingly complex environments.
After the major drive in 2015 to address these issues, the focus in recent months at Banque de Luxembourg has turned to updating its system, incorporating new risks and new requirements. "We already had an excellent basis, but it was important to update plans and reassess the business and technological processes in order to decide on our recovery priorities. There was also a desire to improve system maintenance and find ways of encouraging information sharing," explains Stéphane Vokar.
With this in mind, Banque de Luxembourg decided to implement EBRC's Cyber-Resilience Portal solution, a tool created to facilitate the modelling and operationalisation of the Bank's continuity requirements. "Thanks to this solution, developed by our teams and based on our proven expertise, information is centralised and can be shared more easily with the various stakeholders. Above all, it is a decision-making tool and an essential support for crisis management," explains Christophe Ruppert. "If an incident were to occur, the information contained in the portal would make it possible to understand how services would be affected, and to access the plans and procedures to be followed in order to restore essential services and, gradually, all business and IT activities."
Now that the information is centralised, it is easier both to maintain the continuity management system and to make procedures readily and transparently available, so that clients and the regulator can be informed if they have any questions.