Hong Kong Financial Services
Business Continuity Management Forum
CMT
1) What is a CMT and which level of CMT should participate?
2) Can you share the scenario so we know who to invite to our CMT?
3) Can we decide how many CMT members participate in the exercise or is this something the exercise defines?
4) How will the participating institutions be able to communicate with other parties and each other during the exercise?
Exercise
5) Why is there a participation fee?
6) If we register for WISE2017, do we need to commit to attending the full four-hour exercise or can we opt to join part of it?
7) Who should we appoint as exercise facilitator? What will the facilitator need to do?
8) Can you provide any more information regarding the exercise (scope, specification..)?
9) How long will the exercise take?
10) What will be the format of the simulation (i.e. in forms of e-mail communications, telephone call, video conference)?
11) What's the difference between WISE2015 and WISE2017?
Logistics
12) You have limited capacity. Will registration be on first come first serve basis?
13) How much preparation work is envisaged for participants?
14) What happens if a typhoon or other incident occurs on the day of the exercise?
Regulators
15) Is this a regulatory mandated exercise (HKMA, SFC)?
16) Will the exercise involve communicating with the regulators?
Post Exercise Reporting
17) Will there be any “success” or “failure” of each participating bank and, if so, on what basis will each status be judged. Will the simulation results be disclosed to regulator and public?
18) To what extent will participating Bank’s internal information be disclosed / required (e.g. Bank’s internal BCP plan) during the simulation?
19) Will the simulation results be disclosed to the participating companies, regulators and public?
1) What is a CMT and which level of CMT should participate?
We expect the firm’s Hong Kong Crisis Management team to participate. This will typically consist of the most senior heads of the corporate functions as well as the heads of the business divisions, and is normally chaired by the COO or the CEO.
2) Can you share the scenario so we know who to invite to our CMT?
The scenario will not be disclosed before the exercise, but it will be diverse, challenging and complex, ensuring both business and corporate support functions will be needed and engaged to respond to the simulated events.
3) Can we decide how many CMT members participate in the exercise or is this something the exercise defines?
It is recommended that your entire Hong Kong Crisis Management Team participates. In most organizations the CMT is composed of the most senior heads of both the corporate functions, as well as the business divisions, and chaired by the COO or CEO. The scenario will be sufficiently challenging and complex to engage every CMT member.
4) How will the participating institutions be able to communicate with other parties and each other during the exercise?
During the exercise, the CMTs will be able to communicate with other parties through a dedicated list of telephone numbers and email addresses. Amongst the (simulated) parties that can be called are the authorities, the press, market data providers, the exchanges, the clearing houses, IT companies, public utilities, Police and other first responders, etc. The CMTs can also communicate with each other in the exercise.
5) Why is there a participation fee?
Our project has no profit objective, our books will be transparent and any material surplus will be reimbursed to the participants.
The amount is based on a cost estimate in line with industry practice in other countries with similar exercises such as Singapore, UK and US. The expenses relate mainly to our organising partner's (Control Risks) staff costs, the preparation of simulated news reports (‘life’ video reports etc) and the technical infrastructure (web portal) to distribute these situation updates simultaneous to all participants.
6) If we register for WISE2017, do we need to commit to attending the full four-hour exercise or can we opt to join part of it?
The exercise starts at 1pm, allowing time at the start for the Facilitator to brief the CMT, setting the objectives, rules and format. The scenario then unfolds over a period of time leaving space at the end for the debrief. The time taken to complete the exercise in each organisation may vary, but the objectives of the exercise cannot be achieved by only taking part in a section of the exercise. As the scenario builds over the session, CMT members will need to be present from 1pm to be able to properly input in to the exercise.
7) Who should we appoint as exercise facilitator?
Each organisation has been asked to identify a Facilitator who will be the primary point of contact during simulation on the day of the exercise. You can also assign a backup facilitator or contact in case the main facilitator is unable to commit to all briefing sessions. After registration you will be asked to provide the name, job title, email and contact telephone number of the facilitator.
The facilitator:
a) Should not participate as member of the Crisis Management Team, but only be facilitator
b) Should ideally be someone from your organisation’s risk, resilience, business continuity or crisis management functions with understanding of the requirements of designing and delivering a simulation exercise;
c) Should also have the authority and experience to focus internal resources on required activities and should be able to make decisions about your organisation’s involvement;
d) Will be responsible for your organisation’s logistics and infrastructure arrangements prior to and during the exercise as advised by WISE organisers.
e) For this exercise, the facilitator does not decide the crisis response for own company but facilitate the crisis management team to respond to the simulated crisis.
f) Must commit to attend Facilitator Briefing sessions including a follow up session after the WISE exercise.
8) Can you provide any more information regarding the exercise (scope, specification..)?
Please refer to our website www.hkfsbcm.org for the basic information on the WISE exercises.
9) How long will the exercise take?
The scheduled time is 1pm - 5pm; this includes a prebriefing to the CMT to ensure they understand the objectives, rules and format, the exercise and a debrief. It is important to ensure all participants stay for the debrief; this is where the lessons and improvements are recorded.
10) What will be the format of the simulation (i.e. in forms of e-mail communications, telephone call, video conference)?
Each participating company is expected to log in to a web portal which provides newsfeeds and videos of the events unfolding during the crisis scenario. In addition, the events will also be delivered to the participants through telephone calls, short message texts (SMS)and emails.
During the exercise, the CMTs will be able to communicate with other parties through a dedicated list of telephone numbers and email addresses. Amongst the (simulated) parties that can be called are the authorities, the press, market data providers, the exchanges, the clearing houses, IT companies, public utilities, Police and other first responders, etc. The CMTs can also communicate with each other in the exercise.
11) What's the difference between WISE2015 and WISE2017?
WISE2015 was designed and delivered by volutneers from the industry. They were supported by a number of partners; PwC, Deloitte, KPMG, EY, Hill & Associates - all who gave their time for free. The show of support was fantastic but cannot be relied upon again and therefore WISE2017 is being managed by Control Risks (CR). The participation fee will cover the cost of their services, and the techology required to support the exercise.
12) You have limited capacity. Will registration be on first come first serve basis?
Every application is assessed on suitability, and we will contact you should be there be any doubt. The set-up of the WISE exercise is easily scalable, we don't expect to reach limits in number of participants. For WISE2015 we were able to accept all 25 financial institutions that signed up. In WISE2017 we expect to welcome even more participants - as of May 31 participants had registerd.
13) How much preparation work is envisaged for participants?
Every participating financial institution should assign a facilitator, who will be primarily responsible for the logistics before and during the exercise. He or she will attend two briefing sessions. As a facilitator he will look after logistics such as ensuring that all CMT members are invited and know what to expect, and that the various modes of communication are functional during the exercise.
14) What happens if a typhoon or other incident occurs on the day of the exercise?
In advance of the exercise, participants are asked to block out 2 separate dates a couple of weeks apart; the 27th October for the exercise and another as a a backup date that can be cancelled if the exercise is completed. As the dates are only 2 weeks apart, we do not expect to have to repeat connectivty tests and rehearsals.
15) Is this a regulatory mandated exercise (HKMA, SFC)?
Although the exercise is an industry driven initiative and is therefore neither a regulatory nor a supervisory activity, it provides your institution with the opportunity to test your business continuity planning, senior management preparedness and crisis management responses within the setting of an industry-wide crisis simulation. It also provides your institution with an opportunity to test the effectiveness of its communication with other institutions, stakeholders and affected parties in case of a crisis.
Should you have any questions regarding the SFC’s or HKMA’s position, please contact SFC and/or HKMA directly via email at riskandstrategy@sfc.hk or bsotr@hkma.iclnet.hk respectively, with provision of your institution's contact information
16) Will the exercise involve communicating with the regulators?
Yes and No... During the simulation, Crisis Management Teams of the participating institutions will be required to communicate with their authorities. These authorities will be simulated by the exercise command centre. .
As part of the exercise, dedicated phone numbers and email addresses will be made available to separate exercise communication from ‘real’ communication.
It must be noted that this exercise is not a ‘test’ with ‘pass or fail’. Individual results will not be shared with the regulator (or anyone else). The objective is to improve the ability of the industry to respond to unexpected crisis situations. We find it essential that all findings will be anonymized so that no individual firm comes out looking badly. We therefore recommend everyone, including firms with less well established Crisis Management Teams, to participate. There will be no repercussions.
17) Will there be any “success” or “failure” of each participating bank and, if so, on what basis will each status be judged. Will the simulation results be disclosed to regulator and public?
No, there will be no ‘pass or fail’ for the CMTs. This event is an exercise, to build experience. It is not a test. The objective is to improve the ability of the industry to respond to unexpected crisis situations. All results will be disclosed to the participating organization only in full confidence. Results will not be shared with the regulators or the public.
18) To what extent will participating Bank’s internal information be disclosed / required (e.g. Bank’s internal BCP plan) during the simulation?
It must be noted that this exercise is not a ‘test’ with ‘pass or fail’. The objective is to improve the ability of the industry to respond to unexpected crisis situations. Each firm should facilitate and manage their own Crisis Management Team (CMT) discussions and all internal outcome discussions will remain internal. There is no obligation to share any discussion outcomes or decisions with any of the simulated Trusted Advisors, eg. regulators, law enforcement. We find it essential that all findings are anonymous; each firm will have a different level of maturity and their own lessons to be learnt.
19) Will the simulation results be disclosed to the participating companies, regulators and public?
The exercise results will be aggregated in a closure report and no participating company will be identified against any specific result. For example, the exercise closure report may state "60% of respondents indicated that they have activated alternative work arrangements when event XXX occurred. Each firm will receive an individual briefing, should they wish, from Control Risks to provide a greater understanding of how they can individually improve their response.
We therefore recommend everyone, including firms with less established Crisis Management Teams, to participate. There will be no repercussions.