Security

Security measures have been put in place to prevent unintended or unexpected events from compromising the confidentiality, integrity or availability of data, or from interrupting or degrading the expected service levels and thereby disrupting the company's operations and business.

Particularly important for Iccrea Banca is guaranteeing security (business continuity) and the prompt restoration of operations in the event of breakdowns, malfunctions and other impediments, areas of particular interest to the Supervisory Authorities.

In a world that is increasingly just a mouse click away, where engaging with a global financial system is part of the ordinary business of the bank and its customers, ensuring the faultless operation of its services is a priority.


Business Continuity

A system of continuous, iterative phases at the service of BCCs

Iccrea Banca has implemented its own business continuity system which, in accordance with the provisions issued by the Bank of Italy on 4 November 2004 (Guidelines for the service continuity of qualified payment system infrastructures) and in keeping with the policies defined by the Board of Directors, is developed through a continuous and iterative sequence of phases:

Analysis of continuity requirements

The impact (economic, regulatory, reputational) of predefined disaster scenarios on all business processes is analysed, including the identification of the security requirements, expressed in terms of recovery time (RTO - Recovery Time Objective) and the maximum acceptable data-loss interval (RPO - Recovery Point Objective).

Definition and continuous updating of continuity strategies

Technological and organisational measures are planned and implemented to ensure adequate resilience to the possible disaster scenarios. These measures are divided into four main sub-systems: DRP for information technology (alternative sites for data processing); HRRP for human resources (key resource management); ORP for logistics (general services and workspace management); EARP for relations with external parties (communication, liaison and coordination procedures). For vital and critical processes, more specific organisational measures (so-called administrative recovery procedures) are also defined, which include, where possible, contingency measures (procedures to be applied while recovery is pending).

Development and management of incident response procedures

The methods for detecting incidents, managing recovery and returning to normal operation are documented in detail for each specific disaster condition to be handled.

Operation and continuous review of the system

Measures are defined to ensure that the system remains functional over time, through continuous critical review and adaptation to changing business needs.

More specifically, Iccrea has two sites – primary and secondary – with different risk profiles (seismic, hydrogeological, etc.), about 12 km apart and interconnected through computer systems and redundant optical fibres capable of keeping the data stores at the two sites updated synchronously (RPO equal to zero). The sites are equipped with appropriately redundant service infrastructure for power supply, air conditioning and access control, and with spaces for the performance of administrative functions.

Given its particular role as the Central Institution of the Cooperative Credit Banks category, the system undergoes a robust annual testing plan involving all components of the continuity system (technology, logistics, human resources, relations with external parties), as well as the main external structures for services and for the connection with the Cooperative Credit Banks.

From an organisational point of view, Iccrea has:

  • A structure that ensures the management of the BCP and its sub-systems (technologies, logistics, human resources, etc.) through the timely allocation of related management and development responsibilities.
  • A steering and control committee for Security and Business Continuity issues, chaired by the Deputy VDG and composed of the heads of the business areas as well as the heads of the BCP and internal audit subsystems.
  • A crisis management committee.

The entire system is certified in accordance with the UNI EN ISO 22301:2014 standard (certificate no. 45390 issued by the CSQA certifying body), as well as being subject to systematic audits by the Internal Audit Function.


CO.DI.SE.

Financial information for business continuity

In the public section of its website, the Bank of Italy has included an area where it collects information on the continuity of service of the national financial market.

In this context, information on the activities carried out by the dedicated working group (CO.DI.SE.) and links to the regulations issued by the supervisory functions are provided; via the following link it is also possible to reach the public sections of the sites relevant to the business continuity of the national financial sector (CONSOB, banks, infrastructure, civil protection, etc.):

Official Co.di.se Bank of Italy website