Business Continuity Planning 2015

PACIFIC Bank Ltd
Business Continuity Planning (BCP)
Country level Business Continuity Planning

October 2015
PACIFIC Bank Limited
Business Continuity Planning
In exercise of the power conferred by Section 14(2) of Bank and Financial Institution Act
2063 and the Articles of Association of PACIFIC Bank, the Board of Directors of PACIFIC
Bank has approved this Business Continuity Planning 2015 vide its ………. Board Meeting
dated ……………………. for implementation after review and recommendation of Risk
Management Committee of the Bank. The core purpose of this document is to articulate a
framework for detailed procedures and guidelines for business continuity of the Bank by
identification and prioritization of critical business functions and incident handling during
occurrence of contingencies affecting day to day business activities.
Business Continuity Planning Page ii

Version History
S. No. Version Approving Authority Date of Approval
1 1st
Business Continuity Planning Page iii

Approval Sheet
Prepared By
Coordinated &
Reviewed By
Reviewed By
Reviewed By
Reviewed By
Reviewed By
Reviewed By
Reviewed By
Supported By
Business Continuity Planning Page iv

Contents
Chapter 1 .......................................................................................................................... 1
Background ....................................................................................................................... 1
1.1 Brief Description, Short Title and Commencement ..................................................... 1
1.2 Definitions .................................................................................................................. 2
1.3 Document Rationale ................................................................................................... 3
1.4 Objective: ................................................................................................................... 3
1.5 Operations during Disaster (ODD) Guidelines: ........................................................... 3
1.6 Related Regulatory Provision / Requirement: ............................................................. 5
Chapter 2 .............................................................................................................................. 6
Process Phase ...................................................................................................................... 6
Process ................................................................................................................................. 6
2.1 Analysis: ..................................................................................................................... 6
2.2 Solution Design: ......................................................................................................... 8
Chapter 3 ............................................................................................................................ 12
Implementation Phase ........................................................................................................ 12
3.1 Contact Details ......................................................................................................... 12
3.2 Grab List................................................................................................................... 12
3.3 Stationery Stocks stored Offsite ............................................................................... 12
3.4 Response to Incident ................................................................................................ 13
3.5 Resumption of Business ........................................................................................... 20
Chapter 4 ............................................................................................................................ 25
Testing and Maintenance .................................................................................................... 25
4.1 Testing and Organizational Acceptance ................................................................... 25
4.2 Maintenance ............................................................................................................. 26
Chapter 5 ........................................................................................................................ 27
Risk Management............................................................................................................ 27
5.1 Risk Assessment and Mitigations: ............................................................................ 27
5.2 Impact and Readiness Analysis and Resource Requirement.................................... 27
Chapter 6 ............................................................................................................................ 28
Roles and Responsibilities .................................................................................................. 28
6.1 Roles and Responsibilities of CEO/ Designated Alternate..................................... 28
6.2 Roles and Responsibilities of Crisis Handling Team (CHT) ................................... 28
6.3 Roles and Responsibilities of BCP Coordinators ................................................... 28
6.4 Roles and Responsibilities of Integrated Risk Management Department .............. 29
6.5 Roles and Responsibilities of Unit Heads/Dept. Heads/BMs ................................. 29
6.6 Roles and Responsibilities of Information Technology .......................................... 29
6.7 Roles and Responsibilities of General Administration & Project ............................ 29
Chapter 7 ........................................................................................................................ 30
Miscellaneous ..................................................................................................................... 30
Business Continuity Planning Page v

7.1 Testing and Drills ...................................................................................................... 30
7.2 Internal Errors........................................................................................................... 30
7.3 Record Management ................................................................................................ 30
7.4 Formats .................................................................................................................... 31
7.5 Relation of this manual with Other Document ........................................................... 31
7.6 Disclaimer ................................................................................................................ 31
7.7 Repeal and Saving ................................................................................................... 31
BCP Distribution List ........................................................................................................... 32
Annexure I .......................................................................................................................... 33
Annexure II ......................................................................................................................... 34
Annexure III ........................................................................................................................ 36
Annexure IV ........................................................................................................................ 37
Annexure V ......................................................................................................................... 38
Business Continuity Planning Page vi

Chapter 1
Background
1.1 Brief Description, Short Title and Commencement
Business continuity planning (or business continuity and resiliency planning) is the
process of creating systems of prevention and recovery to deal with potential threats to
a company. A business continuity plan is a plan to continue operations if a place of
business is affected by different levels of disaster which can be localized short term
disasters, to days long building wide problems, to a permanent loss of a building. Such
a plan typically explains how the business would recover its operations or move
operations to another location after damage by events like natural disasters, theft, or
flooding. For example, if a fire or earthquake destroys an office building or data center,
the people and business or data center operations would relocate to a recovery site.
Any event that could negatively impact operations is included in the plan, such as
supply chain interruption, loss of or damage to critical infrastructure (major machinery
or computing /network resource). As such, risk management must be incorporated as
part of BCP.
Business as usual may not always be possible due to situation beyond our control
where we are compelled to suspend or temporarily close down the Operations of one /
several / all Branches of PACIFIC in order to protect the interest of Bank and its
employees. Such circumstances may be but not limited to nationwide strikes (Bandh),
riot or civil unrest, imposition of curfew, natural disaster (earthquake, landslide, flood
etc.), fire which could partially/completely disrupt the Operations of One/Several/All
Branches.
Under such circumstances, where we are unable to resume operations in a timely

manner, could result in our inability to process transactions for a prolonged period.
Such delay in resuming operations may have a serious impact on the Bank's reputation
in the market or result in compensation claim by customers for delayed settlement,
inability to manage the Bank's market position, loss of customers, even leading to
termination of correspondent relationship etc.
Business Continuity Planning Page 1 of 38

In view of these facts, this document describes details of the process for resumption of
Operations by prioritizing the service needs of the customers in such adverse situation
with minimum possible interruption during any emergency situation which results in
temporary disruption of banking services. As this document describes process for
continuation of business so it is called "Business Continuity Planning" (BCP).
1.2 Definitions
Unless otherwise specifically indicated, the following terms used herein shall have the
following meaning(s):
i. Crisis Handling Team (CHT) is the apex body during any disaster whose main
objective is to safeguard the Bank’s employees and its assets.
ii. Operation during Disaster (ODD) is a document which shall be prepared by all
the branches/departments to ensure uninterrupted operations or resume
operation with a minimum down time in their respective area/branch during a
disaster.
iii. BCP Coordinators are the mediators between other staffs and CHT whose
primary objective is to furnish the information to the CHT and disseminate the
decisions of CHT to other staffs during any disaster.
iv. Contact Details refers to the important contact numbers of staffs, customers,
regulators, suppliers, police station, hospital, fire brigade, etc. in order to seek
assistance during a disaster.
v. Grab List is the list of items which each member of staff should endeavor to
collect from their surrounding work area without compromising their physical
safety, when they are evacuated from the building for whatever reason.
Other than the terms specifically defined hereinabove, the terms used in
various sections of this manual shall have the same meaning as has been
defined under various other policy documents of the Bank and the
applicable laws of land, wherever relevant.

1.3 Document Rationale
The purpose of this Manual is to develop a system and lay down procedures; and
establish a systematic way of continuing business during any disaster situation with
the use of minimal resources available.
This document shall be reviewed on annual basis by IRMD in order to identify any
gaps and recommend ways to fulfill the same.
1.4 Objective:
The main objective of this document is to set out procedures, processes and systems
necessary to continue or restore the operation in the event of a disruption. It provides
detailed guidance for implementing the recovery plan and outlines the roles,
responsibilities and succession in managing operational disruptions. It also defines
triggers for activating the BCP and establishes business resumption teams for core
business processes. The resilience of a financial institution to major operational
disruptions will be determined by the robustness of the country level BCP and BCPs of
all the participants (Branch/Department/Unit) within the organization.
The responsibility for ensuring uninterrupted Business/Operation rests with the

Department/Branches staff, and they shall take ownership of their individual plans.
Therefore, each Department/Branch/Unit should prepare Operations during Disaster
(ODD) guidelines to ensure uninterrupted operations or resume operation with a
minimum down time. The ODD guideline should be prepared considering all possible
scenarios and geographical location of the branches as well.
All Management Committee (MANCOM) members, Branch Managers, Department

Heads and Unit Heads should hold two copies of BCP (Master BCP and
Branch/Unit/Department specific ODD) as follows:
First Copy: To be kept at office for ready reference.

Second Copy: To be kept at home in case crisis/disaster occurs during out of office
hour and access to office premises is not possible or allowed.
1.5 Operations during Disaster (ODD) Guidelines:

An Operation during Disaster (ODD) is a document which is required to be prepared by
all the Branches/Department which shall act as a guideline for branches/departments
during a disaster. All the branches/departments are required to prepare an ODD
guideline and get it approved by the management. The ODD guideline needs to be

prepared in line with this country level BCP and the same has to be mandatorily
reviewed by Head-GAP, COO and CRO and approved by the CEO.
The Branches/Departments shall prepare their ODD guidelines considering the

following:
 Designate Branch/Department level BCP coordinators and Branch/Department
Deputy BCP coordinators (along with contact details) who shall be responsible
to communicate with the country level BCP coordinators during disaster.
 Designate Fire-warden and alternate Fire-warden (along with contact details)
who shall be responsible for coordinating with the local Fire department and
police department in case of fire. The fire-warden shall also be responsible to
coordinate the evacuation process if required (in situations other than fire as
well).
 Prepare a Roll-call register as per format prescribed in Annexure V.
 Identify a safe place (preferably an open ground) in the periphery of the
Branch/Department where all the staff members shall gather after a
disaster/evacuation. The assembly area shall be recorded in the ODD
document along with a location map.
 Identify and define the critical business activities of the Branches/Departments
and priority shall be given to resume the activities marked as critical during the
initial stage.
 A list of important contact details such as CHT members, country BCP
coordinators, suppliers/vendors, Police department, fire department, hospitals,
emergency services, Nepal Rastra Bank etc. to be prepared and included in the
ODD (As per format specified in the Annexure I & II of this document). A copy
of the same also to be retained at the residence of BM/Dept. Head or as
assigned.
 Prepare a grab list of the items to be taken while evacuating during the time of
disaster as per the prescribed format in Annexure III. The grab list items may be
different depending on the roles and responsibilities assigned to various staffs
during a disaster.
 Identify an alternate location (preferably a nearby branch) in case the existing
location is unavailable due to damage during disaster. The alternate location
needs to be included in the ODD and approved by the management.

1.6 Related Regulatory Provision / Requirement:
Nepal Rastra Bank IT Guidelines 2012 highlights the importance of Business
Continuity Plan with focus on reliable and continuous service. The Guidelines requires
the Bank to have a BCP Policy comprising of all critical aspects of people, process and
technology with a view to ensure continuity, resumption and recovery of business.

Chapter 2
Process Phase
Process
According to ISO 22301, business continuity plan is defined as “documented

procedures that guide organizations to respond, recover, resume, and restore to a pre-
defined level of operation following disruption.” Based on the international practices
(ISO 22301:2012 and BS 25999-2:2007), the Business continuity planning can be
effectively designed to have following lifecycle which requires to be reviewed and
maintained on timely manner:
Analysis
Maintenanc Solution
e Design
Testing & Implementa

Asscptance tion
2.1 Analysis:
The analysis phase consists of identification of threat and severity & categorization of
its impact on business/service delivery. Common threats include:
 Epidemic
 Earthquake
 Fire
 Flood
 Cyber-attack (Phishing, System penetration)

 Sabotage (insider or external threat)
 Hurricane or other major storm
 Utility outage
 Strikes/Bandhs
 Terrorism
 War/civil disorder
 Theft (insider or external threat, vital information or material)
 Random failure of mission-critical systems
 Power cut
After identifying the applicable threats, impact scenarios are considered to support the
development of a business recovery plan. The analysis of the threat and its impact
differentiates critical (urgent) and non-critical (non-urgent) organization
functions/activities. Critical functions are those whose disruption is regarded as
unacceptable. Perceptions of acceptability are affected by the cost of recovery
solutions. A function may also be considered critical if dictated by law.
Besides the threats identified above, there are other threat scenarios such as Capital
adequacy, Liquidity crisis in the market etc. These threats, their impact and
contingency plan for the same shall be addressed through the decisions of
ALCO/Operations Manual of the respective areas.
Based on the threat identification and its analysis, the severity can be categorized in to
following three stages:
Stage 1: This refers to situation, where our operations are hampered but physical
amenities, building etc remain intact and transactions can still be performed from
existing location i.e., Nepal bandh, strike, riot, threats etc.
Stage 2: This refers to situation, where fire, bomb, earthquake, physical damage of
building etc., have occurred and temporary recovery site may be required to be
established to resume critical activities.
Stage 3: This refers to situation, where physical amenities, building are severely
damaged, life threat of the employees and re-location of full activities is required for a
longer period.

2.2 Solution Design:
After the analysis phase, business and technical recovery requirements precede the
solutions phase. Asset inventories allow for quick identification of deployable
resources. For a Financial Institution which relies heavily on IT, the plan requirements
may cover human resources, applications (CBS), data, manual workarounds,
computers and peripherals.
The robustness of an emergency management plan is dependent on how much money
an organization or business can place into the plan. The organization must balance
realistic feasibility with the need to properly prepare.
The solution design phase identifies the most effective disaster recovery solution that
meets the major requirements from the analysis stage. The solution design phase
determines the following:
2.2.1 Escalation of Incident
During a crisis situation it may not be possible to follow the hierarchy ladder for
informing about the incident. As such staff members who come to know about the
incident first may inform to anyone in the hierarchy ladder. The escalation diagram is
given below.
D
E i
s Crisis s
c Handling s
Team e
a
l m
a i
ti Country BCP n
Coordinator
o a
n ti
o
o n
Departmental BCP Coordinator
f
I o
n f
f D
o e
Department Head / Any Staff Members c
r
m i
a s
ti i
o o
n n
Since each department/branch is unique in terms of its operations, location, staff etc., it
is the department/branch which shall be in a position to best prepare and update their
team members and situation on a regular basis. Therefore, each department/branch
should prepare Operations during Disaster (ODD) guidelines
Department/Branch/Unit should prepare an ODD by filling up the ODD distribution List

as per the formats listed from Annexure-II to Annexure-V. The filled up annexures are
to be forwarded to Chief Operating Officer for approval and any updates should be
immediately advised so that appropriate amendments can be made.
2.2.2 BCP Coordinators
BCP coordinators shall coordinate the entire incident upon receipt of information from
media (TV, Radio, print) and/or the branches/department where incident has occurred.
BCP coordinator shall also be responsible for disseminating the information.
The BCP coordinators shall be as follows:
a) At Country Level:
Country BCP coordinator
Country Deputy BCP coordinator
b) At Department/Branch Level:
Department/ Branch BCP coordinator
Department/ Branch Deputy BCP coordinator
The country BCP coordinator and country deputy BCP coordinator shall be assigned
by CEO or any other staff as designated by CEO. BCP coordinators in
Department/Branch level will be the Branch Manager or Department Head and Deputy
BCP coordinator will be Operation In-charge in case of Branches and supervisor or
second in-charge in case of departments.
Each Department/Branch shall list down the names of BCP coordinators in respective
Department / Branch as per Annexure-II.
2.2.3 Crisis Handling Team (CHT)

Crisis Handling Team (CHT) shall function as the apex body and its foremost priority
shall be to safeguard the safety of Bank’s employees and its assets. Based on the
information from the Branch/Department/Unit Heads, CHT shall assess the situation
and declare the invocation of BCP. This decision will be communicated to all the
Branch/Department/Unit Heads, who in turn will further communicate down to their
team members.
CHT shall constitute with following members:
1. Chief Executive Officer

2. Deputy General Manager
3. Chief Credit Officer
4. Head Retail Banking
5. Chief Finance Officer
6. Head Human Resource
7. Chief Operating Office
8. Chief Risk Officer
9. Manager – Information Technology
10. Manager Information Technology Strategy and Planning
11. Head General Administration and Project
The details of CHT members along with their contact information are mentioned in
Annexure-I. The CEO shall involve members of the board if the situation so warrants.
2.2.4 Crisis Management
Once the incident is reported/escalated to CHT through BCP coordinators, based on

the analysis of the situation and severity, CHT shall declare the invocation of
appropriate Stages of BCP as outlined in the Analysis section above.
The invocation of BCP shall be notified to the affected Branches/Departments through

email/phone call/SMS/Fax subject to availability and access to the medium of
communication. If multiple branches/departments are affected, the affected
branches/departments shall be divided in to clusters and different CHT members shall
be assigned as cluster in-charge who shall be further responsible for managing the
crisis of the assigned cluster. The cluster in-charge shall be responsible to gather
information from the department/branch BCP coordinators and based on the

information received, decisions of the CHT shall be disseminated through the cluster
in-charge.
A proper record of all the information received and decisions disseminated shall be
kept. A detailed report shall be prepared and submitted to the management once the
situation returns to normalcy. Such report shall be reviewed by COO and CRO which
shall provide vital information during review of the BCP document on regular basis.
Crisis Handling Country BCP Department/Branch Department/Branch

Team Coordinators BCP Coordinators Staffs
Represents flow of information from the Branch/Department to CHT

Represents flow of Decision from CHT to the Branch/Department
The flow of information is initiated from the Branch/Department staffs to the branch
level BCP coordinators. The branch level BCP coordinators shall further forward the
information to country BCP coordinators who shall forward the information to the CHT.
Based on the information received, the disaster situation is analyzed and the decision
of CHT is disseminated down the system as shown in the figure above.
The major objective of crisis management shall be:
 Ensure the health, safety, security and welfare of staff and where appropriate
customers.
 Control the immediate and developing situation whilst continuing operations
with minimum disruption.
 Restore the business to normality as quickly as possible.
 Minimize loss or damage and maintain business confidence / reputation.
 Maintain effective communications internally, with customers, the media and
regulatory bodies.
Crisis management shall be followed by the actual implementation of the action plans
as appropriate and as decided by the CHT.

Chapter 3
Implementation Phase
3.1 Contact Details
During a crisis time it is important to inform all concerned staff members, customers,
regulators, suppliers, police station, hospital, fire brigade etc., in order to seek
assistance and help in recovering our business. Therefore, an up to date telephone
numbers of such individual and offices should be prepared and retained.
Each Department/Branch shall list down the names and contact details of such
relevant persons or entity as appropriate under Annexure-II.
3.2 Grab List

In preparation of any emergency, which may involve the evacuation of a building, every
member of staff should have a “Grab List” for their desk or job. This is a suggested list
of items, which each member of staff should endeavor to collect from their surrounding
work area without compromising their physical safety, when they are evacuated from
the building for whatever reason. It must be emphasized that the items should be small
and few in number, so as not to delay evacuation or risk personal safety.
Each Department / Branch shall list down items for "Grab List" as per Annexure-III.
3.3 Stationery Stocks stored Offsite

Sufficient stock of stationery, which is required for conducting day to day operation of
the respective department /Branch should be kept off-site (as far as practicable) in
order to facilitate critical business activities from temporary location during emergency.

The required stationery should be packed in a carton box and labeled as "BCP –
stationery followed by name of department / branch". The carton box should also
contain the list of stationery inside the box. The stationery should be sufficient to cover
the period of at least 7 days. The appropriate off-site location for this purpose at the
branches would be Branch Manager's residence. However, approval from COO is
required for keeping stock of stationeries on off-site location. Respective
department/branches shall obtain approval from COO by providing a list of stationeries
that are packed in a carton box for maintaining off-site stock.
Each Department/Branch shall list down stationery items and mention the location
where the stationery has been kept as per Annexure IV.
Note: This provision is not required if another Branch is within a radius of 25 km.
3.4 Response to Incident
3.4.1 Immediate Response – During Business Hour
This section deals with the steps, which needs to be taken as an immediate response
to an incident, which may disrupt the normal/regular business environment.
i. Bomb/Terrorist Threats:
a) If a bomb/terrorist attack is threatened or on receiving information that bomb has

been or will be planted on Bank Premises, inform local police immediately.
b) The individual receiving the initial call of such threat should adopt the following
steps:
 Make every effort to remain calm and relaxed. Adopt a helpful attitude to the
caller on line of “will do all in my power to help, but decision is not mine”.
 Make clear written notes of call/s.
 Be alert for voice peculiarities, e.g. background noise, accent etc.
 If asked about involvement of police, deny that police are involved.
 Immediately inform department head/colleagues, who will further escalate the
matter to CHT.
Follow evacuation process as described below:

 In the event of bomb/terrorist threat, staying calm is the key
 Inform department head/colleagues for further reporting to CHT.
 Get the Contact Details as per Annexure
 With the help of the security guards present in the banking area, line up the
customers in the hall and start evacuation calmly.
 Instruct all staffs to evacuate the premise and gather in a nearby area relatively
safe.
 Department Head/Branch Manager should carry out a roll call to ensure that all
staff members of their respective department/branch are present. If all are not
present efforts should be made to find the whereabouts of the missing staff and
also inform CHT about the same.
 Wait for the Police/Security officials to arrive before taking any action on your
own.
Each Department / Branch shall prepare a staff roll call register as per Annexure-V.
ii. Strike/Riot:
If Strike/Riot breaks out during office/business hour:
 Inform department head/colleagues for further reporting to CHT.

 Review/assess the situation and half close the shutter of main entrance door or
close completely and use alternate access to allow customers into the customer
service area.
 Be alert and observe any person entering the branch premises.
 Hold minimum cash at the counter without impacting the operations.
 Depending upon the situation and as decided by CHT close the branch early to
enable all staff members to return home safely.
 Do not engage in any mob activities.
 On the next day, assess the situation and contact your department
head/colleagues and find out decision made by CHT and proceed accordingly.
iii. Hold Up:
In case of hold up, safety of our staff members and customers are of prime concern,

Therefore:
 Members of staff are not to retaliate or confront with assailant(s) in a manner that
may aggravate the situation and invite untoward incident.
 Concerned staff member or other staff members upon knowing the situation
should set off alarm system quietly and without the knowledge of the assailant(s)
if possible.
 Do not voluntarily disclose information about any security arrangement unless
specifically asked by the assailants.
 Inform department head / colleagues for further reporting to CHT after it is safe to
do so.
Evacuation Procedure on hearing the alarm:

 Upon hearing the whistle blow/siren (fire alarm) leave the building calmly
by usual route, if it is blocked use the alternate route / emergency exit
 Instruct all staff to leave the premises as soon as possible.
 Do not stop to collect personal belongings
 Do not use the Elevator.
 Assemble in a nearby area where there is relative safety
 Department Head / Branch Manager should carry out a roll call to ensure that all
staff members of their respective department / branch are present. If all are not
 Re-enter the building only if there is such an overriding need to do so and it is
safe to do so.
Each Department / Branch shall prepare a staff roll call register as per Annexure-V.
iv. Fire:
In case of fire, safety of our staff members and customers are of prime concern.
Therefore:
 Review/assess the fire situation and if the fire seems to be small and manageable
use a suitable extinguisher if it is safe to do so, please do not try to tackle the fire
yourself if you do not feel safe.

 Concerned staff member or other staff members upon knowing the situation
should set off the fire alarm system in order to inform other staff members and
customers.
 Request all the customers to stay calm and slowly evacuate the premises
avoiding the panic situation.
 Inform department head / colleagues for further reporting to CHT after it is safe to
do so.

 Inform department head / colleagues for further reporting to CHT
 Operate the nearest fire alarm
 Inform fire brigade
 If the fire seems to be small and manageable use a suitable extinguisher if it is
safe to do so, please do not try to tackle the fire yourself if you do not feel safe
 Evacuate the building – use nearest possible route/emergency exit
v. Natural Disaster (Earthquake, Flood, Landslides, Hurricane etc.):
In case of naturally occurring disasters like earthquake, flood, landslides etc., the safety
of our staffs and customers are our prime concern. Therefore:
 Assess the severity of the disaster before evacuating the premises.

 Request all the customers to stay calm and not to panic.
 Collect the items as per the Grab list (Annexure-III) before evacuating.
 Reassemble in a nearby area which is relatively safer.
 Inform department head/colleagues for further reporting to CHT after it is safe to
do so.
 Department Head/Branch Manager should carry out a roll call to ensure that all
staff members of their respective department/branch are present. If all are not
 Assess the severity of the disaster before evacuating the premises. At times, it
may be relatively safer to stay in rather than running outside the premise.

 Collect the Grab list items before evacuating.
 While evacuating the building – use nearest possible route/emergency exit.
 Inform department head/colleagues for further reporting to CHT after it is safe to
do so.
Each Department/Branch shall prepare a staff roll call register as per Annexure-V.
3.4.2 Immediate Response – Out of Business Hour
This section deals with the immediate response to be taken when notification is
received outside business hours.
In case of Bandh, strike, Bomb, Fire, Earthquake etc., occurring outside normal
business hours, our operations may be impacted unduly. Under the circumstances,
and depending on the situation, staff members should take but not limited to following
course of action.
i. Bandh/Strike:
 If Bandh and strike is known in advance, vault keys and any other
important keys of drawers, filing cabinets etc. must be taken over by staff
whose residence is nearest to the office. Such transfer of keys must be
recorded in the appropriate key register. Contact your colleagues,
Departmental BCP coordinators to gather information about the situation.
 Ensure to carry your Bank's I.D card.
 While going to office or returning home after office, staff members should not
engage themselves in any mob activities.
 During a bandh/strike situation, half-open the shutters/entrances or close them

completely and use alternate access to allow customers into the customer
service area, depending on the situation.
 Visitors should be prohibited from entering other areas of the Bank unless
it is absolutely necessary. BM/Operation in-charge must in consultation with

unit heads/BCP coordinator take other appropriate actions in order to protect
Bank’s assets, premises and staff security.
 BM/Operation in-charge should assess the situation and the need for cash
holding. Cash at the counters should be kept to the minimum. Rural
branches/extension counters should transfer cash beyond a minimal level to
nearest Branch.
 Safety of employees should be of prime concern. Depending on the situation

and the decision made by CHT, staff should leave office to reach their homes
safely.
 General Administration and Project Departments/BMs should ensure that
adequate numbers of security guards are deployed in branches. Security
guards must be extra vigilant during these times.
 All staff members should be vigilant and appraise Heads of Department/BCP

coordinator of any pertinent information.
 All transactions initiated during the day should be completed. In the event of
circumstances worsening to a level where it is not possible to complete posting
of transactions for the system, it should be completed as soon as possible using
alternate means such as VPN access.
 It may not be possible for IT staff to leave the office on time. In keeping with this
situation, an appropriate arrangement shall be made by General Administration
and Projects Department to put up IT staff and other employees handling critical
functions inside the Bank/Branch premises or alternate nearby suitable location.
ii. Fire:
 If fire breaks out in the office premise outside normal business hours contact
your colleagues, Departmental BCP coordinators to gather information
about the situation.
 Make sure the fire department/Police department has been informed about the
situation.

 BM/Operation In-charge should visit the premise and extend full
support/coordination to the fire/police department in order to bring the situation
under control.
 BM/Operation in-charge must in consultation with unit heads/BCP coordinator

take other appropriate actions in order to protect Bank’s assets and premises.
 Onlookers/Bystanders should be prohibited from entering Bank premise even

after the fire has been put out. Security guards shall be instructed to stay on high
alert. If need be, BM/OI shall seek help from local police to secure the premise to
protect the cash and other valuable documents of the bank.
 BM/Operation in-charge should assess the situation and list down all the items
that was recovered from the damage and forward the list to General
Administration department.
 BM/Operation in-charge should assess the situation and arrange to transfer

cash, documents and other assets to the nearest Branch for safe keeping.
 General Administration and Project Departments/BMs should ensure that

adequate numbers of security guards are deployed in branches. Security
guards must be extra vigilant during these times.

iii. Natural Disaster (Earthquake, Flood, Landslides, Hurricane etc.)
 If natural disaster like earthquake or flood or landslide occurs outside normal

business hours contact your colleagues, Departmental BCP coordinators to
gather information about the situation.
 BM/OIs should also gather information about the well-being of their staff, family
members and any physical damage to their homes besides gathering
information about the damage to the office property.

 BM/Operation in-charge should assess the situation and visit the bank premises
considering the situation as safety of employees is the prime concern.
 BM/Operation in-charge must in consultation with unit heads/BCP coordinator

take other appropriate actions in order to protect Bank’s assets and premises.
 BM/Operation in-charge should assess the damage of the disaster and plan on
continuing operations as per the respective branch’s Operations during Disaster
(ODD) guidelines.
3.5 Resumption of Business
3.5.1 Check Office Environment
Immediately in the aftermath of the incident, it may not be possible to resume

the full-fledged operations. However, it may be important to resume certain critical
activities. For this reason and as per the decision from CHT, Temporary Business
Recovery Site (TBRS) may be established. If the decision is to return to the office the
following should include the first items to be checked, with any deficiencies being
reported as appropriate.
Inform all staff members to return to their respective workstation.
 Check if equipment are working.

 Check physical structure around your respective areas to the extent possible etc.
 Check that your department can connect to the system network.
 Commence re-structuring the day’s activities.
 Start processing the day’s activities
3.5.2 CHT Decision

If the damage to the infrastructure is slight, you may be able to return to your own
office after properly assessing the Branch/Department premises. You should inform
CHT and await the decision before returning to home office.
While Departments have been preparing for a temporary recovery site, CHT will also
be assessing the situation and extent of damage so they will be in a position to declare
whether it is safe to return to the work place or a crisis situation exists. CHT will
decide when to return and advise Country BCP coordinator to inform all
concerned about the decision and you will need to repeat many of the earlier steps in
this plan, thus ensuring the return is conducted in an orderly manner and business will
be able to re-commence immediately.
3.5.3 Temporary Resumption
Immediately in the aftermath of the incident, it may not be possible to resume

the full-fledged operations. However, it may be important to resume certain critical
activities. For this reason and as per the decision from CHT, Temporary Business
Recovery Site (TBRS) may be established.
Please note that critical activities should be divided into 3 tiers depending on
the seriousness of business if we do not resume on time.
a) Tier – I:
This relates to most critical business activities, which requires resuming business
within 24 hours. Such activities could be honoring of customer cheques, Deposit
transactions, ATM services, stop payment of cheques, blocking debit card, remittance,
SWIFT, clearing transaction etc.
b) Tier – II:
This relates to business activities, which requires resuming within 3 working

days. Such activities could be account transfer, Funds transfer, RTGS transactions,
issuance of L/C etc.
c) Tier – III:

This relates to business activities, which requires resuming within 7 working days.
Such activities could be processing of customer loan application, acceptance of share
transfer etc.
GAP (in case of Head Office) or Branch Manager (in case of Branches) should find and
establish a place where TBRS could be established. After TBRS has been established
the Branch Manager should advise Country BCP coordinator the location and contact
number of TBRS.
Once TBRS is found and established it is important to contact our regular customers
and advise them of our temporary location from where limited services are provided.
It is apparent that TBRS will have limited workspace and resources. It is not possible to
invite all the departmental staff members to work in TBRS. Therefore, invite only the
critical staff members to come in the TBRS to carry out critical activities.
Also, please liaise with IT department and General Administration and Projects
Department for assistance as and when required.
3.5.4 Returning to Home Office/Normalcy
If the damage to the infrastructure is slight, you may be able to return to your own
office after properly assessing the Branch/Department premises. Upon returning to
home office, you should start to establish normal banking procedures.
You may need to speak to the customers to advise them that you have returned to
home office and operating as usual.
Each Department/Branch shall list down phone number of regular customers of the
Branch to inform that the normal Banking Operation has resumed.
Be careful when speaking to anyone outside the bank and ensure that you
communicate the right message. When a major incident takes place people need
to be re-assured that the matter is being professionally managed – you must
present the picture of “Business as Usual”. Do not say anything, which differs from any
statements made by CEO or the person designated by the CEO.
3.5.5 Relocation of Business

If it is not safe to return to work in existing premises, the damage could be of serious
nature, which requires relocation of entire business. This triggers the 3rd stage of BCP.
If the damage to existing premises is so extensive, which prevents re-occupation; CHT

shall review the situation and take decision whether to continue business from TBRS
until new premises is found. Re-locating to permanent new premises is not covered in
this plan as that will require a considerable amount of planning as per the prevailing
situation. CHT will plan the relocation and involve member of the Board of Directors if
deemed appropriate.
As the business will be re-locating to other premises it is also important to contact

the key external authorities with which the business has regular contact and inform
them of the situation. CHT will advise / obtain necessary approval from NRB. The
customers also need to be aware of the relocation and thus, it shall be the
responsibility of all the branch/department staffs to communicate the message in an
assuring manner.
Also, a temporary accommodation arrangement for the relocating branch may need to
be placed if required. It shall be the responsibility of the Branch manager to liaise with
all concerned to suggest, recommend and establish temporary arrangement if required.
3.5.6 Public Relations/Media
All communications with the media, authorities or other third parties MUST only be
handled by CEO or staff specifically designated by him. Under no circumstances,
anyone else should make any comment about the incident or the status of the recovery
process.
If media approaches any one, they should simply refer the media/enquirer to contact
the CEO or the person specifically designated by him, give them the telephone number
and say: - “It would be better for you to speak to our management as they will have
more up to date information”.
3.5.7 Insurance

Immediately after receipt of information about the incident, which may have
impacted the Bank's property, insurance company should be notified over the
phone by GAP after obtaining details of such damage from the concerned
Department Head / Branch Manager.
In the aftermath of the incident and after assessing the damage full details of property
damage should be given to insurance company.
3.5.8 Disaster Recovery
Business Continuity Plan for all Corporate Departments is outlined hereinabove except
for IT Department considering the extensive technical details required to outline the
process of Systems business resumption. Hence BCP for IT or Systems Disaster
Recovery is covered separately on a Disaster Recovery Plan, which is an integral part
of this document. IT Disaster Recovery Plan shall define the activities to be carried out
by members of IT Service Delivery to recover the service of pre-determined critical
computer applications to business user departments following the loss of (or loss of
access to) the Data Center at Corporate Office.
Objective of the Disaster Recovery Plan would be:
 To provide resilience and recovery of the overall technology infrastructure of the

Bank encompassing Data Centers, communication services (voice and data), and
e-commerce.
 To ensure that critical management and business activities which depend on IT

system availability, are recovered and resumed within recovery time objectives
(RTOs).

Chapter 4
Testing and Maintenance
4.1 Testing and Organizational Acceptance
This is the most important phase of an organization’s BCP as it helps determine the
effectiveness of any BCP. The purpose of testing is to achieve organizational
acceptance that the solution satisfies the recovery requirements. Plans may fail to
meet expectations due to insufficient or inaccurate recovery requirements, solution
design flaws or solution implementation errors.
Hence, in order to test the effectiveness of the outlined guidelines, preparedness,

identify the need for change or design flaws, it is recommended to conduct testing on
various levels at least on biannual basis. Following tests are required to be carried out
biannually/annually as recommended:
i) Checklist Testing:
In order to regularly update all the important documentations highlighted in the

annexures, checklist testing is required to be conducted at least twice a year. The
checklist testing has to be done mandatorily by all the units/department/branches.
Checklist testing includes updating the CHT list, BCP coordinators, grablist, adequate
supplies are stored at backup site, contact details of all the staffs, contact details of
emergency contacts, details of vendors/suppliers, insurance policies etc.
ii) Emergency Evacuation Drill:
A facility evacuation drill should be practiced at least once a year with all staffs to be
sure they understand how the evacuation should proceed, how to handle staffs with
physical limitations, external assembly locations, and how verification of all staffs is to
be accomplished.

iii) Knowledge Testing:
All staffs must be well versed with the Country BCP and Unit/Department/Branch
specific Operations During Disaster (ODD) guidelines. All Units/Departments/Branches
are to conduct a separate session once a year to discuss the BCP/ODD and circulate
the change/outcome to the CHT members/BCP coordinators.
4.2 Maintenance
The BCP manual must evolve with the organization. Like most business procedures,
business continuity planning has its own jargon. Organization-wide understanding of
business continuity plan is vital and the changes identified and to be updated on
regular basis.
Annual maintenance cycle of the BCP manual shall be done in order to:
 Confirmation of information in the manual, roll out to staff for awareness and
specific training for critical individuals.
 Testing and verification of technical solutions established for recovery
operations.
 Testing and verification of organization recovery procedures.
Issues found during the testing phase often must be reintroduced to the analysis
phase. This shall help to redesign the solution and address such issues.

Chapter 5
Risk Management
5.1 Risk Assessment and Mitigations:
SN Risks Mitigations
1 Loss/Damage due to Deputation of Security personnel, having insurance
Strike/Riots/Bandhs coverage for entire assets.
2 Loss/damage due to Fire Timely information to Fire department, emergency
evacuation of the premise, having insurance coverage for
entire assets.
3 Loss/Damage due to Emergency evacuation of the premise, having insurance
Natural disaster (flood, coverage for entire assets.
earthquake)
4 Loss/Damage due to Deputation of Security personnel, having insurance
theft/robbery coverage for entire assets.
5 Loss/Damage due to Deputation of Information Security Officer, strict and
Cyber Attack advanced firewall/network policies, having insurance
coverage for entire assets.
6 Loss/Damage due to Adequate stock of alternate resources (batteries/fuel for
power failure for generators), having insurance coverage for entire assets.
extended period
5.2 Impact and Readiness Analysis and Resource Requirement
The implementation of the Business Continuity Planning will regulate and also define
the way in which a crisis should be managed with the resources available (Human
and other material resources). The basic requirement of any organization during a
disaster situation is to resume the critical functions as soon as possible with the
minimum requirement of resource and cost.

Chapter 6
Roles and Responsibilities
6.1 Roles and Responsibilities of CEO/ Designated Alternate
 Chief Executive Officer is the head of the management and Crisis Handling Team
(CHT) which shall be primarily responsible for the invocation of this document.
 It shall be primary responsibility of CEO or designated alternate for circulation
and implementation of this document as and when required.
 It shall be the responsibility of the CEO or designated to handle all
communications with the media, authorities or other third parties.
6.2 Roles and Responsibilities of Crisis Handling Team (CHT)
 The primary responsibility of the Crisis Handling Team (CHT) shall be to

safeguard the Bank’s employees and its assets.
 It shall be the responsibility of CHT to control the developing situation whilst
continuing the operations with minimum disruptions.
 It shall be the responsibility of CHT to communicate the decisions taken to the
BCP coordinators/Unit heads/Dept. Heads/BMs and provide further guidance.
 It shall be the responsibility of CHT to restore the business to normalcy.
6.3 Roles and Responsibilities of BCP Coordinators
 The primary responsibility of the BCP coordinators shall be information handling.

 It shall be the responsibility of the BCP coordinators to escalate the incident to
CHT.
 It shall also be the responsibility of the BCP coordinators to disseminate any
information/instructions received from CHT.

6.4 Roles and Responsibilities of Integrated Risk Management
Department
 The primary role and responsibility of the Integrated Risk Management

Department shall be to identify, quantify to the extent possible, monitor and
maintain the BCP document.
 Timely review of the content of the document
 Organize drills and knowledge testing/ugradation.
6.5 Roles and Responsibilities of Unit Heads/Dept. Heads/BMs
 The primary responsibility of the Unit heads/Dept. heads/BMs shall be to ensure

the safety of the staffs and Bank’s assets.
 Preparation of Unit/Dept./Branch based Operations During Disaster (ODD)
guidelines in line with this country level BCP document
 Sharing of information/decisions as and when received with other team
members/CHT.
6.6 Roles and Responsibilities of Information Technology
 The primary responsibility of the Information Technology department shall be to

ensure safeguarding of the data center.
 To ensure the database is up-to-date and replicated at another location as well.
 To support in setting up temporary work locations as and when required.
 To provide any other technical assistance wherever required.
6.7 Roles and Responsibilities of General Administration &

Project
 The primary responsibility of the General Administration and Project department

shall be to the safety of the staffs and Bank’s assets.
 To provide logistics support wherever required.
 To liaise with CHT to ensure adequate support is provided to fulfill the decisions
of CHT.
 Arrange for temporary work stations as and when required during disaster.
 To ensure proper stock of stationeries and other required logistics.

Chapter 7
Miscellaneous
7.1 Testing and Drills
CHT in coordination with IRMD shall conduct checklist testing, evacuation drills
and knowledge testing exercises on bi-annual basis in order to ensure the
effectiveness of the process/procedures outlined in this document.
Such exercises are to be closely monitored by CHT and IRMD in order to make
sure the given instructions are followed properly. Also, review of the exercise to
be done once it is completed and corrective measures to be incorporated as
found appropriate.
7.2 Internal Errors

Even though the document outlines major procedures to be followed during a
disaster, there might be some lapses by the staffs resulting in “internal” errors.
Internal errors could be due unclear instructions, panic, unable to understand the
instructions by the staffs, which could result loss/damage to the physical health
of the staffs or Bank’s property. Hence, it is necessary to perform such drills and
checklist testing exercises in order to identify any possible internal errors and
appropriate corrective actions to be taken.
7.3 Record Management

The output of the drills or actions taken during a disaster should be recorded and
documented properly for any future references
Retention and management of the records shall be as per the Operational

Manual Record Management of the Bank.

7.4 Formats
Formats of the forms and checklist are as per annexure which has been outlined
in the annexure of this document.
Any changes deemed necessary to the formats, contents of the formats, and
details mentioned in the annexures attached to this document shall be initiated
by Integrated Risk Management Department and addressed through approval of
the CEO to be ratified by the Board vide the subsequent Board Meeting.
7.5 Relation of this manual with Other Document

Business Continuity Planning and Disaster Recovery Plan are supplementary
documents of each other. Any contents not covered by this manual shall be
governed under various other policy documents of the Bank wherever relevant.
7.6 Disclaimer
This document is prepared as per the prevailing procedures, policies and
guidelines, NRB directives and existing statutory requirements. So, it needs to be
amended from time to time to meet any changes and to make it up-to-date at all
time. In case of ambiguity in any of the matters stated in this document, the
interpretation of the Chief Executive Officer shall be final.
This Manual is a proprietary document of PACIFIC Bank Limited. Under no

circumstances its content should be discussed to anybody outside the Bank
unless specifically approved by CEO.
7.7 Repeal and Saving
Any amendment in the laws/rules/regulations/ NRB Directives/Circulars affecting

provisions under this document shall have automatic effect amending such
provisions under this document.

BCP Distribution List:
The copy (ies) of this plan will be distributed as follows:
1. Crisis Handling Team

a. Mr. Laxman Risal : Chairman - Crisis Handling Team
b. Mr. Bimal Daga : Member - Crisis Handling Team
c. Mr. Sujit Shakya : Member - Crisis Handling Team
d. Mr. Sunil Pokhrel : Member - Crisis Handling Team
e. Mr. Prabin Basnet : Member - Crisis Handling Team
f. Mr. Bhanu Dabadi : Member - Crisis Handling Team
g. Mr. Sudhir Pandey : Member - Crisis Handling Team
h. Mr. Roshan Neupane : Member - Crisis Handling Team
i. Mr. Sushil Bhattarai : Member - Crisis Handling Team
j. Mr. Parmeswor Shrestha : Member - Crisis Handling Team
k. Mr. Rajesh Subedi : Member - Crisis Handling Team
2. Mr/Ms……………………………………. : Departmental BCP Co-ordinator

One copy at home
One copy at office (with Grab List Items)
3. Mr/Ms……………………………………. : Deputy Departmental Co-ordinator

One copy at home
4. Mr/Ms……………………………………. : Department Head

One copy at home
5. Mr/Ms……………………………………. : Legal Officer

One copy at home
One at the office (with Grab List Items)
6. Staff members of the Department / Branch as appropriate

a. Mr/Ms……………………
b. Mr/Ms……………………
c. Mr/Ms……………………
d. Mr/Ms……………………
e. Mr/Ms……………………
f. Mr/Ms……………………
g. Mr/Ms……………………
7. One Copy at( )Branch,( address) (as the Recovery Site)

Annexure I
Crisis Handling Team Members
Names Office No. Ext. Residence Mobile
(Note: A consolidated list of important telephone numbers of all Units/Branches is to be prepared and
uploaded on Izone by Human Resource Department. Any update in the Branch/Department list shall
be informed to a designated person in Human Resource Department. who shall update the
consolidated list on Izone).

Annexure II
BCP Co-ordinators
Branch/Department:
BCP Co-ordinators
Names Office No Extension Residence Mobile

……………….. (Name of
BCP coordinator)
……………….. (Name of
Deputy BCP coordinator)
………………(Name of
Department/Branch BCP
coordinator)
………………..(Name of
Deputy
Department/Branch BCP
coordinator)
Department Staff Members
Names Office No Extension Residence Mobile
Other Important Telephone Numbers
Names Office No.
Police Station:
Fire Brigade:
Hospital:
Nepal Rastra Bank
Department of Commerce
(You have to provide the telephone numbers here as per the stipulation under "Contact
Details" section 2.5 - page 4 of this document).

Supplier / Insurance Co
Sl. Contact Contact No.

No. Description Vendor Person

Annexure III
Grab List
Branch / Department:
(List of items to be picked up on the way out of building, when evacuated)
Department Section Item

Name/Desk Name

Annexure IV
Stationery Stocks stored off - site
Branch / Department:
List of stationery Items:
S.N Items Quantity
1.
2.
3.
4.
5.
Detailed description of location where the stationery is stored off - site –

Annexure V
Staff Roll Call Register
Department / Branch:…………….. Branch
S.N Name of Staff Present Remarks ( if absence)

1 Yes No
2 Yes No
3 Yes No
4 Yes No
5 Yes No
6 Yes No
7 Yes No
8 Yes No
9 Yes No
10 Yes No
11 Yes No
12 Yes No
13 Yes No
14 Yes No
15 Yes No
16 Yes No
17 Yes No
18 Yes No
________________________________________
Signature of Department Head / Branch Manager

Business Continuity Planning 2015

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Business Continuity Planning 2015

Uploaded by

Copyright:

Available Formats

PACIFIC Bank Ltd

Business Continuity Planning (BCP)

Country level Business Continuity Planning

Business Continuity Planning Page ii

Business Continuity Planning Page iii

Business Continuity Planning Page iv

Business Continuity Planning Page v

Business Continuity Planning Page vi

Under such circumstances, where we are unable to resume operations in a timely

Business Continuity Planning Page 1 of 38

Business Continuity Planning Page 2 of 38

The responsibility for ensuring uninterrupted Business/Operation rests with the

All Management Committee (MANCOM) members, Branch Managers, Department

First Copy: To be kept at office for ready reference.

1.5 Operations during Disaster (ODD) Guidelines:

Business Continuity Planning Page 3 of 38

The Branches/Departments shall prepare their ODD guidelines considering the

Business Continuity Planning Page 4 of 38

Business Continuity Planning Page 5 of 38

According to ISO 22301, business continuity plan is defined as “documented

Testing & Implementa

Business Continuity Planning Page 6 of 38

Business Continuity Planning Page 7 of 38

2.2.1 Escalation of Incident

Department/Branch/Unit should prepare an ODD by filling up the ODD distribution List

2.2.2 BCP Coordinators

The BCP coordinators shall be as follows:

2.2.3 Crisis Handling Team (CHT)

Business Continuity Planning Page 9 of 38

CHT shall constitute with following members:

1. Chief Executive Officer

2.2.4 Crisis Management

Once the incident is reported/escalated to CHT through BCP coordinators, based on

The invocation of BCP shall be notified to the affected Branches/Departments through

Business Continuity Planning Page 10 of 38

Crisis Handling Country BCP Department/Branch Department/Branch

Represents flow of information from the Branch/Department to CHT

Business Continuity Planning Page 11 of 38

3.1 Contact Details

3.2 Grab List

3.3 Stationery Stocks stored Offsite

Business Continuity Planning Page 12 of 38

3.4 Response to Incident

3.4.1 Immediate Response – During Business Hour

a) If a bomb/terrorist attack is threatened or on receiving information that bomb has

Follow evacuation process as described below:

Business Continuity Planning Page 13 of 38

If Strike/Riot breaks out during office/business hour:

 Inform department head/colleagues for further reporting to CHT.

iii. Hold Up:

Business Continuity Planning Page 14 of 38

Evacuation Procedure on hearing the alarm:

Business Continuity Planning Page 15 of 38

Follow evacuation process as described below:

v. Natural Disaster (Earthquake, Flood, Landslides, Hurricane etc.):

 Assess the severity of the disaster before evacuating the premises.

Follow evacuation process as described below:

Business Continuity Planning Page 16 of 38

3.4.2 Immediate Response – Out of Business Hour

 Ensure to carry your Bank's I.D card.

 During a bandh/strike situation, half-open the shutters/entrances or close them

Business Continuity Planning Page 17 of 38

 Safety of employees should be of prime concern. Depending on the situation