Banque de Patrimoines Privés is a Luxembourg-based financial institution geared towards private banking. It was founded in 2010 and mainly provides wealth management, custody and administration services for investment and portfolio management funds. In 2011, BPP was acquired by the Crèdit Andorrà group, the market leader in Andorra.
"Crèdit Andorrà Group is in the midst of a major international development programme", explained Carlos Rubies, Managing Director of Banque de Patrimoines Privés. "Today, Crèdit Andorrà is present in Europe - Andorra, Spain, Luxembourg and Switzerland - as well as in America".
Agility and responsiveness: the right conditions for certification
"Our strategy is essentially focused on our customers, coming from all regions of the world. It is for the purpose of ensuring the highest level of service to our customers that our policy is to be a first-in-class stakeholder in the activities we carry out," continued Carlos Rubies. "The small relative size of our bank makes us very agile stakeholders in an increasingly complex market. We are also very keen to anchor the quality and efficiency of our processes in a demanding normative framework, which is both a guarantee of safety for our customers and a differentiating factor in the market."
"With the acquisition of Banque de Patrimoines Privés by Crèdit Andorrà," said François Clausse, Head of IT Department, "various projects aimed at supporting the growth of our activities have been launched, including the adoption of the Avaloq banking software, the deployment of the NeoXam GP3 application - to support the development of the fund industry - and the implementation of a workflow management solution."
Ensuring interoperability between business and IT
"At the same time, we undertook to implement procedures relating to business recovery, but the vision we had of it was purely IT-based, disaster recovery-oriented, and disconnected from the needs of business departments. However, we wanted to ensure interoperability between business and IT flows, which requires different recovery times being taken into account."
In 2017, with the aim of solving this equation, BPP's management decided to provide the bank with a Business Continuity Coordinator by offering its Head of IT the opportunity to follow training in order to obtain the title of Lead Implementer of the ISO 22301 standard. This allowed him to acquire the necessary expertise to support the company in the implementation and operation of its business continuity management system.
"To achieve this objective, we chose to work with the leader in this area in Luxembourg, EBRC. We decided by mutual agreement that the training would not be purely academic in nature. We used the bank and existing procedures to ensure that the training framework is as close as possible to the reality in the field."
During this training cycle, François Clausse brought together the company's various stakeholders, who jointly undertook an in-depth reflection through several Business Impact Analysis and Risk Assessment sessions.
"The Business Impact Analysis and Risk Assessment sessions have the advantage of enabling business process managers to put into perspective the role they play in the overall flow of the bank's information system," explained François Clausse. "This exercise allowed us to map the main banking processes and the associated interdependencies. We have therefore been able to formalize a policy that has resulted in a strategy and various business recovery procedures."
Certifying the bank
At the end of this first cycle, BPP's management decided to increase the company's maturity level by taking the path of certification. After validation by the Board of Directors, all efforts in 2018 were focused on achieving ISO 22301 certification.
"During the bank's certification cycle, we formalized and tested all our procedures, and implemented crisis management and automatic communication procedures, the latter being based on the Alarmtilt application. The experience was then validated by our internal and external audit departments, which enabled us to align our bank with the standard and thus achieve certification," explained François Clausse.
A demanding standard…
"ISO is an international standardization body," he continued. "Therefore, the ISO 22301 standard enables us to establish and modify our model - but also to control, maintain and test it - using an unalterable and globally proven management system. In addition, the roles and responsibilities of all stakeholders are clearly described, as the strategy comes from the Board of Directors, the tactics are the responsibility of the Business Continuity Coordinator, and operationality is ensured by the company’s various departments."
"However, the scope of the ISO 22301 standard is not limited to the recovery plan," noted François Clausse. "The standard also includes the protection of employees, the maintenance of the company's vital activities, contracts and SLAs, greater predictability and better understanding of events when a crisis arises, as well as the protection of the entity's reputation and competitiveness."
In order to meet the requirements of the ISO 22301 standard, it is also essential to develop a proper understanding of the organization and to establish clear limits on the scope of the management system. In particular, it is important that the organization respects the interests, needs and expectations of the various stakeholders - business departments, IT Department and staff - as well as the position of regulatory and supervisory bodies. "Thus," François Clausse emphasized, "the implementation of a business continuity management system enables us to meet certain regulatory requirements, in particular that the bank is able to test the robustness and resistance of its systems."
… which opens up considerable prospects
"Finally," he added, "achieving an international certification such as ISO 22301 demonstrates our interest in risk management and the resumption of our organization's business. The effort made by the bank enables it to affirm the robustness of its system."
"We are indeed succeeding in achieving performances that seem hardly possible for a bank of our size," said Josep-Arseni Ramoneda, BPP Chief Operating Officer. "Therefore, we must be able to demonstrate to our customers and partners that our processes are as efficient as they are robust. This effort also paves the way for other certification paths, in areas such as quality and security, for instance."
Relying on a market leader
As part of this certification, Banque de Patrimoines Privés chose to work in partnership with EBRC. "With international expertise in this field, the professionals of EBRC Advisory team were able to optimize the standard through summary documents that effectively support the business continuity management system," said the Head of IT Department.
Last year, the bank also chose to set up its emergency positions in EBRC Resilience Centre Luxembourg South located in Kayl. "EBRC is the market leader with 1,000 user emergency positions, in totally private spaces, that enable us to completely and transparently switch our operations following a disaster or unavailability," confirmed François Clausse. "It was in this same resilience centre and with the support of an EBRC Service Account Manager that we first tested our business continuity management system. This test was a real success and, after validation by the Bank's Executive Committee, our management system was audited by PECB, a global provider of training, examination, audit, and certification services for a wide range of international standards."
"Whether it is our journey towards achieving ISO 22301 certification or the establishment of our emergency positions, we can only welcome the support we have received from the EBRC teams. In addition to the great professionalism I have already mentioned, EBRC consultants demonstrated, during their interventions, a rare sense of listening, sharing and common interest that allowed us to establish a trustful relationship", concluded François Clausse.
About the ISO 22301 standard: 2012 – Business Continuity Management Systems
In recent years, companies have had to contend with traditional risks - breakdowns, errors or moderate disasters - and emerging risks – climate-related disasters, cyber threats, terrorism, cascading failures that cause widespread service interruptions, etc. This change of perspective calls for the implementation of new strategies to ensure the growth and sustainability of organizations.
Published in 2012, the ISO 22301 standard is a business continuity management system standard that can be used by organizations of all types and sizes. Once their management system has been implemented, organizations have the opportunity to apply for certification of compliance with the standard, to demonstrate to the legal and regulatory authorities, potential customers and other interested parties that they meet good business continuity management practices. The ISO 22301 standard can also be used as a reference for the company to assess its situation in relation to good practices and for auditors to report to management.
The value of the standard goes beyond simply obtaining a certificate of compliance: it also serves to identify and manage current and future threats, to take a proactive approach towards minimizing the impact of incidents, to maintain essential functions in times of crisis, to minimize downtime during incidents and to demonstrate resilience to customers, suppliers and partners.