Bhakorn Vanuptikul, BCCE

Executive Vice President

Bangkok Bank Public Company Limited

10 May 2012

BCP At Bangkok Bank, Thailand

1

Agenda

Business Continuity Management at Bangkok Bank

Success Factors in implementing BCM

Past Crisis

Lessons Learned

2

About Bangkok Bank

Largest bank in Thailand

Total assets of US$ 68.3 billions

Profit before taxes of US$1.1 billion reported in 2011

22,000 of employees

960 Branches in Thailand

27 Overseas Branches

3

Why we need Business Continuity

Management?

Financial Sector is an Integral Part of our Economy.

Financial Institutions are IT centric and are interdependent with

others.

Finance Institutions are exposed to several within and outside risks.

Bank of Thailand and Stock Exchange of Thailand require Banks to

do BCP to ensure that the financial system is always functional.

4

BCP will even be more integral part of Financial Services because we are in the higher risk environment.

Global warming and its consequences

Terrorism

Financial Meltdown and Currency Flow

We rely on more digital infrastructures

Multi-national supply chains

New arm races

5

Regulations in Thailand

Financial Institutes and Public Companies are required by Bank of Thailand & Stock Exchange of Thailand to prepare BCM policy & BCP along with these outlines:

BCM policy

Risk Analysis

Business Impact Analysis

Identify Critical Business Functions

Recovery Objectives

Business Continuity Plan

Testing & Reviewing

6

Regulations in Thailand

But the most important of all the guidelines:

Board of Directors are responsible for the setting up of the BCM Policy as well as allocating enough resources to conduct the BCP as part of the overall risk Management.

7

B C M covers many components

To ensure business continuity, Bank has set up the Business Continuity Management (BCM) program, which incorporates DRP, BCP, Security plan, and Crisis Management plan.

DRP (Disaster Recovery Plan)

DRP is prepared to manage the continuity and recovery of systems, data centers, and communication services in the event of disaster.

Bank must have at least 2 Data Centers (which locate in appropriate distance). These 2 data centers back-to-back back up critical applications.

Bank must test DRP annually.

BCP (Business Continuity Plan)

BCP focuses on the continuity of critical functions of the Bank in the event of disaster.

All critical function units have developed and prepared alternate sites distributing to many locations.

Bank must test BCP annually.

Crisis Management plan

The plan details actions to deal with incident, emergency and crisis.

Bank has set up Crisis Management Team which is consisting of senior management and unit head of relevant critical function to be responsible for managing and making critical decision regarding the crisis response.

8

Business Continuity Management Process

9

Success Factors in implementing BCM

Strong Management Support

Use Consultant with Track Records

Strong Team with Strong Personnel

Has Good Methodology and Process in place

Know Your Business and Know Your Organization

Simple, Effective but Flexible BCP is Critical to BCM

Each BU is familiar and is testing its BCP regularly

Internal & External Communication is Critical in BCM

10

Lessons Learned from Previous Crisis

Political Crisis of May 2010

Great Flood of November 2011

11

Political Crisis of May 2010

12

Political Crisis of May 2010

Bangkok Bank was caught in the Political Crisis of May 2010. The Damages Done:

A few Branches in Bangkok were seriously burned and damages.

Around 100 ATMs were smashed and a few were burned.

Over 40 Branches across the country were damaged with home-made bomb, shot with assault rifles or smashed with rocks and batons.

Luckily, no casualties on staff.

13

How we managed the crisis?

Put priority on safety of our staff and customers at the top.

Set up Crisis Management Team early on to monitor every development of the conflict 24/7.

Has all the BCP in place and test them regularly.

Establish good relationship with the government agencies including Central Intelligent Services, Army and Police Forces.

14

How we managed the crisis?

Keep Low Profile in every operation we do.

Buy Riot Insurance just 2 months ahead of the crisis.

Move Staff to remote back up site before the second clash of army and protesters on May 19, 2010

Get cooperation from the media to keep the news of the damages as low as possible.

Don’t fight back with either words or weapons. This would escalate the situation.

15

Lessons Learned 1

Better External Communication may help reduce the impact from the conflict.

Better Internal Communication would also foster staff’s confidence in the bank’s ability to handle the situation.

Better relationship with communities around our premises could help prevent the fires and damages to properties.

More Backup Locations as some were inside the dangerous zones.

16

Lessons Learned 2

Re-evaluate the Risk Analysis as political conflict was considered to be low risk but high impact.

Re-thinking about key staff and alternates as staff were not able to come to work because of safety concerns.

Re-thinking about equipments and supplies as the event like this, you may not be able to purchase anything.

17

Great Flood of August to November 2011

• 16 Billion Cubic Meter of Water that caused the flood over 14,000 Square Kilometer of Land

• Financial Impacts: US$ 45 Billions in damages and losses to properties, industrial plants, goods and services.

• Impacts to Population: 5 Million Peoples or 1.9 Million Households were effected. 728 deaths, mostly from drowning or electrocution.

18

Geographical extent of the flood

19

Great Flood of 2011

20

Crisis Management & BCP Lessons Learned 1

Scenarios study to understand the development of the Disaster.

This is a regional disaster that is:

Slow to take place but would last more than a month.

Not all your facilities will face the disaster at the same time so you will have to deal with them at different stages of the crisis. Set up teams to deal with specific tasks.

You have time to prepare but you would have to fight for the limited resources because everyone wants to do the same.

21

Lessons Learned 2

Transportations

Impact to your staff, logistics, other services.

Electricity

Possible power outage and duration.

Communications

Impact to your work procedures, transactions.

Public Water

Impact to ability to cool the Data Center, life support for staff.

Health cares system

Impact to your staff and their families, possible pandemic diseases after the flood.

Food supply chains.

Impact to your staff and their families during the flood.

Anticipate the potential impacts to:

22

Lessons Learned 3

Monitor the situation and information closely:

There were so many sources of information, sort out which ones are reliable and relevant.

Social networks could be useful and more up to date in this kind of disaster

Information may be neither complete or accurate, try to assess the situation yourself.

Use these information to formulate what will impact you, not only your operation, your business volume, but also your customers’ operations.

23

Lessons Learned 4 Look after your stake holders:

Staff :

Put their welfare as your priority. Allow them to take time off to take care of their houses, their families.

Transportation for staff

Customers :

Provide alternative channel for services

Flexible ways to identify your customers

Match their other needs (no fee for inter-bank transactions)

Communities

Support the communities around your premises.

24

Lessons Learned 5 Focus on some new impacts and new

circumstances.

Impact on your staff availability

More alternate of key staff who live in different area

Foods and beds for BCP staff around backup sites

Impact on your facilities

Power and water supplies

Communications

Establish backup sites outside of the disaster area

Stock up your critical supplies or pre-arrange for them

Impact on your work loads

Impact on your logistics

25

Conclusions

Disaster is dynamic, follow it closely but most importantly, anticipate the potential impacts.

Focus on how to reduce these impacts.

Re-assess your plan, find vulnerabilities that may be associated with this type of disaster but be flexible.

Don’t rely on outside help, they are all busy.

If you remember your staff, your customers in time of need, they will always remember you.

26

Q & A Bhakorn.van@bbl.co.th

27