To ensure business continuity, NCC operates the business continuity management system (hereinafter, BCMS), which is a part of the overall NCC management system and consists of the engineering, technological and organizational measures securing stability of critical business processes performance in emergency situations. BCMS reviews all activities of NCC (according to the operating model) – all business processes and required resources.
BCMS’s targets are:
- ensuring NCC’s ability to perform the assumed commitments to clients and counterparties;
- ensuring safety of employees and visitors in NCC’s premises;
- preventing potential disruption of NCC’s normal operation;
- mitigating material and intangible impact on NCC in case of disruption of NCC’s normal operation;
- recovery of normal operation within the established recovery time objective (RTO);
- ensuring the compliance of all business continuity arrangements with the requirements of the Russian government agencies and with the regulations and internal documents of NCC.
The measures performed as a part of BCMS are of a systemic nature. BCMS’s lifecycle is based on recommendations contained in ISO 22301:2012 – the Deming Cycle (PDCA). BCMS management and provision of necessary resources are supported by the top management and based on the resolutions of NCC’s management bodies. To ensure transparency of the business continuity principles, approaches and instruments used, fundamental documents, reports on NCC’s operational reliability evaluation and BCMS effectiveness are mandatorily approved by the NCC’s Supervisory Board.
BCMS is developed, implemented, exploited, and continuously improved on the basis of the Business Continuity Policy of CCP NCC updated and approved by the resolution of NCC’s Supervisory Board in December 2020 (hereinafter, the BC Policy), which is the underlying set of rules, requirements, and guidelines in the business continuity area.
The fundamental approaches to the continuity of NCC’s priority activities, protection and recovery of the resources necessary for such activity in the emergency situations are defined by NCC as a part of the Business Continuity Strategy, updated and approved by the resolution of NCC’s Supervisory Board in December 2020 (hereinafter, the BC Strategy).
In accordance with the BC Policy and BC Strategy, NCC has developed and annually updates CCP NCC’s Business Continuity Plan (hereinafter, the BC Plan, its new restated version was approved by the resolution of the Supervisory Board in December 2020), which defines the actions aimed at NCC’s business continuity in emergency situations. The BC Plan describes the course of actions and areas of responsibility of structural divisions and crisis management bodies to ensure recovery of the priority (main and critical in terms of disruption) activity of NCC operations upon announcement of the emergency situation till transition to the normal operation. The BC Plan is updated based on the results of BCMS regular processes: business impact analysis (BIA) and assessment of risks and threats to business continuity.
BCMS is exploited and developed with account of the recommendations and requirements of the regulator documented, inter alia, by the following normative legal acts:
- Bank of Russia Regulation 242-P dated 16.12.2003 ‘On Organizing Internal Controls in Credit Institutions and Banking Groups’;
- Bank of Russia Ordinance of 4258-U dated 30.12.2016 ‘On the Requirements for the Content, Procedure and Terms for Providing to the Bank of Russia the Plan for Ensuring Continuity of Operations of a Central Counterparty, Amendments to this Plan, the Procedure for Assessing the Plan for Ensuring Continuity of Operations of a Central Counterparty, on the Requirements for the Software and Hardware and Network Communications of a Central Counterparty, and on the Procedure for Creating, Keeping and Storing Data on the Property and Liabilities of a Central Counterparty and Their Movements’;
- Bank of Russia Ordinance 4429-U 21.06.2017 ‘On the Information Disclosed by the Central Counterparty, Requirements for the Procedure and Timeframes for Such Disclosure, and Determining the Rules for Information Provision to Clearing Members’;
- Bank of Russia Recommendation No. 20-MP dated 27.07.2015 ‘Methodical Recommendations on Business Continuity of Systemically Important Financial Market Infrastructures’;
- Bank of Russia Recommendation No. 28-MR dated 18.08.2016 ‘Methodical Recommendations on Business Continuity of Non-Credit Financial Institutions’.
To ensure fault tolerance of IT infrastructure and information systems of NCC and information loss prevention in case of hardware and software failures, NCC establishes the requirements for the geographically distributed architecture of the main IT solutions. The back-up data center is located at 16 km from the main one. In 2020, test switching of NCC’s IT capacities to the back-up data center was successful.
According to the BC Strategy and based on the business requirements, NCC has built backup offices, which start functioning upon unavailability of the main offices. Backup workplaces duplicate infrastructure of the main ones and are implemented according to the ‘hot functioning’ principle (some employees of the critical business units perform their functions from the backup office on an ongoing basis). Upon announcement of the state of emergency, the backup offices are ready to accommodate employees from the main sites without delay, as they are subject to regular testing, upgrading and updating (both soft- and hardware).
During the reporting period, the basic documents were updated according to the evaluation of the current state of NCC’s business continuity management framework with account of the external (pandemic) and internal (recommendations of NCC’s internal audit Service, NCC’s updated internal documents, which came into effect) factors. As a part of updating of the BC Policy, the target structure of internal regulations was established and approved. As a part of the updated BC Strategy, a 2-year road map was also created to organize and develop the business continuity function.
It should be also noted that in 2020, the operational reliability (D0), which determines the level of failure tolerance of NCC’s soft- and hardware, remained the same and was 100%.
Countering COVID-19 (coronavirus disease)
To combat the spread of the coronavirus disease and ensure business continuity, NCC has developed and performs, on an ongoing basis, the adequate prevention and response measures, which fully consider the requirements and restrictions introduced by the executive authorities. Moreover, a special focus is placed on the uninterrupted provision of NCC’s services and the safety and health of clients and employees.
One of the most effective means to combat the spread of coronavirus is transition to the remote work mode, therefore over 80% of NCC’s employees perform their official duties remotely. The employees have been provided with the relevant hardware in compliance with the information security requirements. In addition, statutory sanitary and hygienic and organizational measures have been introduced to mitigate the risk of infection spread.
The threat has been addressed both by way of the introduced measures of counteraction and restrictions and the regular monitoring and assessment of potential developments at the operational and strategic levels. Decisions are made on the basis of the most recent data on COVID-19 both within NCC, as well as Moscow Exchange Group, Moscow, Russia and the world as a whole.
Taking into account the implemented measures and the adapted activity, NCC possesses high-level resilience to the pandemic threats and ensures service provision in full and up to standard. It should be also noted that the tense epidemiological situation has not affected the implementation of the key projects and initiatives aimed at NCC’s strategic development.