Sociedad de Gestión de los Sistemas de Registro Compensación y Liquidación de Valores, S.A.U (hereinafter "IBERCLEAR"), as a company of the Bolsas y Mercados Españoles Group (hereinafter BME), participates in the BME Group. Business Continuity management system. In addition, in compliance with Regulation 909/2014 of the European Parliament, of July 23, 2014 (CSDR) and its implementing regulations IBERCLEAR, within the framework of the BME Group continuity management system, has established, applies and maintains an adequate continuity strategy of its activity and recovery in case of a disaster aimed at guaranteeing the preservation of its functions, the opportune recovery of the operations and the fulfilment of its obligations.
In this regard, IBERCLEAR, in line with the BME Group Business Continuity Policy and in compliance with the aforementioned CSDR, incorporates into its Business Continuity Policy all the elements of the BME Group Business Continuity Policy as well as the specifications of its management scope.
Purpose
The overall objective of the Business Continuity of BME is to make the necessary preparations and plan a sufficient set of procedures to adequately respond to the appearance of a harmful incident, from the moment such is declared until the full recovery of normality in the different business activities, minimising the impact caused to the operations.
Business Continuity Principles.
The BME Group Business Continuity Policy is based on a set of principles that have been formulated taking into account the business needs of the BME Group companies and with a high degree of knowledge of the risks associated with them. These principles are:
1. The primary objective is the protection and safety of personnel, both under normal operating conditions and in a contingency situation.
2. BME Management will be responsible for managing the key risks to the continuity of the processes considered critical by the Organisation.
3. Attempt to minimise the impact that could be derived from any emergency situation on services identified as critical, or their level of provision.
4. Return the affected location to normal as soon as possible having mitigated the consequences of the harmful incident.
5. BME will guarantee that the BME Group Business Continuity Plan, as well as the corresponding Technical Disaster Recovery Plans, are developed and implemented in an appropriate manner, taking into account the identified critical services and processes and using the evaluation of the risks, their probability and impact as a point of reference.
6. BME will keep its Business Continuity Plan and the Technical Disaster Recovery Plans updated at all times, for which it will carry out regular reviews and whenever a significant change occurs that could affect them.
7. BME undertakes to periodically test its Business Continuity Management System to ensure its suitability to the needs of the BME group and to adapt it whenever necessary in view of the results of said tests.
8. BME will guarantee that all personnel involved in both the Continuity Plan and the Technical Disaster Recovery Plans are informed of their responsibilities within the framework of Business Continuity, through training, dissemination and testing.
9. BME will ensure that critical processes/services are recovered within the timeframes stipulated in the Business Continuity Plan.
10. BME will guarantee the preparation of the corresponding Continuity Procedures, among which are the internal and external communication plans, and to keep them updated through regular reviews.
11. BME will regularly review the correct functioning of the Business Continuity Management System as well as its testing system and the alignment thereof with this Business Continuity Policy.
In compliance with the provisions set forth in the CSDR and in the implementation of BME's Business Continuity Policy, IBERCLEAR has assumed the BME Group Business Continuity Policy as its own as well as all the Continuity Principles established therein, with the following specialities derived from the supervised activity that it performs.
Responsabilities
In order to coordinate the Business Continuity Principles, the BME Group has created a structure at various levels and has established the responsibilities assigned to each of them.
Board of Directors
The Board of Directors is the most senior body responsible for ensuring the effectiveness and adequacy of the BME Group's Business Continuity.
Management Committee
It is the highest level executive body within the BME Group and the main body responsible for the management of the Group's Business Continuity.
Continuity and Risk Committee
It is the body in charge of coordinating the Business Continuity within the BME Group and which main responsibility is Oversee the application of this Business Continuity Policy, as well as to review it annually, propose any modifications it deems necessary, and submit them to the Management Committee for approval. Likewise, the Continuity and Risks Committee will ensure the Business Continuity Policies of the Group companies that, by virtue of the regulations that apply to them, must have a Business Continuity Policy that adapts to and complements the BME Group Business Continuity Policy.
Continuity Supervisor
The Continuity Supervisor is the main executing figure of the Continuity and Risks Committee and the main responsibilities are:
Continuity Representatives
The Continuity Representatives will be responsible for coordinating the Business Continuity function within each of the BME Group Companies. Their main duties is to keep the Board of Directors of the Group company they are responsible for informed of any relevant situation that affects business continuity or any relevant issue dealt with by the Continuity and Risks Committee.
Likewise, in order to articulate these Principles of Business Continuity, IBERCLEAR has a structure at various levels with specific responsibilities assigned to each of them:
The Board of Directors
The Board of Directors of IBERCLEAR, the body responsible for approving IBERCLEAR's Business Continuity Policy and the Business Continuity Plan, as established in article 6, section 2.m) of the Regulations of the Board of Directors.
Likewise, it is responsible for ensuring the correct management of business continuity within the Company, in coordination with the bodies entrusted with the management of business continuity within the BME Group, of which IBERCLEAR is a part.
Risk Committee
The Board of Directors will have the Risk Committee which, as an advisory committee of this body on the current and future global strategy and appetite of the Company with regard to risk, will advise the Board of Directors on the Business Continuity Policy of IBERCLEAR and the Business Continuity Plan prior to its approval.
Chief Risk Officer or CRO
When defining business continuity as part of the Company's risks, the IBERCLEAR Chief Risk Officer assumes the role of the Company's Continuity Representative, thus becoming responsible for coordinating the Business Continuity provisions within IBERCLEAR.
Their main duties in this area are:
Critical processes and recovery objectives
IBERCLEAR has defined the recovery time objective (RTO) for each of its processes and essential functions.
Procesos críticos/esenciales |
RTO |
Notary service |
2h |
Central maintenance service |
2h |
Settlement service |
2h |
RENADE services |
45m |
PTI (Gestión del Sistema de Información) |
2h |
Links service |
2h |
Resources and recovery strategy
IBERCLEAR has all the necessary means to ensure the recovery of its services and essential functions within the established target recovery times.
The main strategy established by IBERCLEAR to ensure the continuity of its essential functions, and therefore the continuity of its business, is to ensure the redundancy of all those elements that support the critical functions of the Company. Essentially:
Provision of an alternative work centre with sufficient capacity to host the functions required by IBERCLEAR, to which workers can move at an appropriate time.
IBERCLEAR has developed and continuously updates the different Continuity Procedures (communication, activation, transfer to the alternative centre, etc.) established in the provisions applicable in case of an emergency and which are included in the Business Continuity Plan.