Company Management System SIA Processes and Management Systems

Transcript

1 Company Management System SIA Processes and Management Systems Drawn up by: Verified by: Approved by: Stefano Canetta RGO Lorenzo Verducci HRO Alessandra Carazzina RGO David Neumarker HRO Marco Ornito HRO Roberto Poli RGO Paolo Ghia HRO Raffaele Pace RGO Document Code: Classification: Application Domain: Public SIA

2 SIA Processes and Management Systems INDEX INDEX 2 1 AIM OF THE DOCUMENT COMPANY PRESENTATION Corporate Values Corporate Social Responsibility Code of ethics and organizational model Environmental Sustainability MANAGEMENT COMMITMENT AND DUTIES OF THE PERSONNEL SIA s Management Commitment Personnel Fulfillments CORPORATE PROCESSES SYSTEM Business Processes Support Processes Governance Processes MANAGEMENT SYSTEMS Management system policies Scope of application of certified systems Exclusions Quality Quality Policy Roles and Responsibilities Elements of the Quality Management System Monitoring Continual improvement Business Continuity Business Continuity Policy Business Continuity Guidelines Roles and Responsibilities Elements of the Management System Monitoring of the BCMS Continual improvement Information Security Information Security Policy Information Security Guidelines Roles and Responsibilities Elements of the management system The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 2 of 36

3 SIA Processes and Management Systems Monitoring of the System Continual Improvement Risk Governance System Compliance Governance System Other Management Systems Personal Data Protection Physical Security REQUIREMENTS RELATING TO DOCUMENTATION APPENDIX A THE SYSTEM OF PROCESSES A.1 Business Processes A.1.1 Feasibility Process A.1.2 Design Process A.1.3 Offer management process A.1.4 Contract management process A.2 Service Management Processes A.2.1 Control of service production and supply activities A.2.2 Validation of the supply process A.2.3 Identification and Traceability A.2.4 Property of the Customer A.2.5 Storage of products A.2.6 Management of monitoring and measurement devices A.3 Governance Processes A.4 Support Processes A.4.1 Legal A.4.2 Personnel Management A.4.3 Procurement process A.4.4 Supplier qualification and evaluation process A.4.5 Infrastructures A.4.6 Working Environment A.4.7 Communication A.4.8 Administration and Finance APPENDIX B - GENERAL INFORMATION B.1 History of amendments B.2 Definitions B.3 References B.4 Cover key The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 3 of 36

4 SIA Processes and Management Systems 1 AIM OF THE DOCUMENT The aim of this document is to describe SIA s processes system and the related management systems. 2 COMPANY PRESENTATION SIA is European leader in the design, creation and management of technology infrastructures and services for Financial and Central Institutions, Corporates and Public Administration bodies, in the areas of payments, e-money, network services and capital markets. SIA Group provides its services in around 40 countries, and also operates through its subsidiaries in Hungary and South Africa. The company has offices in Milan and Brussels. In 2013, SIA managed 2.7 billion card payments and 2.2 billion credit transfers and collections, 28.6 billion trading and post-trading transactions and carried terabytes of data on the network. Our mission: To design, create and manage competitive, secure and reliable transactional services in the areas of payments, e-money, networking, trading and post-trading on behalf of Financial and Central Institutions, Corporates and Public Administration Bodies. Our vision: To create an international network of highly qualified and efficient specialists and infrastructures and to become the unifying hub of a network of excellence that is agile and well-organized, operating with the highest levels of professionalism. SIA is organized into Divisions and Departments, which are responsible for the company s business and the design and delivery of products and services, and into Staff Departments for all the company s business support activities. More information about the company and the group is available at Corporate Values SIA presents itself on the market as a network of excellence and places the Customer at the center of its daily activities, taking inspiration from the ethical values inextricably linked to the professionalism of its staff: competence responsibility reliability innovation participation The values unite and distinguish us as SIA people and professionals. The values guide all those who work with SIA, be they shareholders, employees or external collaborators. Our behavior constantly allows us to improve our excellence, customer focus and the way we live and work at SIA. The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 4 of 36

5 SIA Processes and Management Systems 2.2 Corporate Social Responsibility SIA sees Social Corporate Responsibility as the creation of tangible value for the community in collaboration with its stakeholders, through a constant dialogue with public and private players present in the territory and by supporting projects aimed at social development in partnership with the non-profit sector and always in line with its corporate mission. SIA believes that donations are a valid means for making a social commitment that follows the principles and rules of conduct set out in the Code of Ethics of the company, to promote and support the creation of projects that are real, measurable and well defined in the areas which over time prove to have the greatest social impact: healthcare social issues studies and research 2.3 Code of ethics and organizational model 231 Based on the conviction that ethical business conduct is a necessary condition for the success of the company and in accordance with the provisions of Legislative Decree 231/2001, SIA has: defined its Code of Ethics, which expresses the values, rights, duties and ethical responsibilities with respect to all business entities with which it comes into contact for the achievement of its corporate purpose; defined its organizational model designed to prevent crimes committed by its directors, officers or employees, in the interest of or to the benefit of the company; implemented an internal supervisory body with the task of supervising the operations and effectiveness of and compliance with the Organizational Model, in addition to its updating. defined its Anti-corruption Guidelines for the purposes of promoting compliance with ethical standards and full conformity with national and international laws concerning the prevention of corruption, in all its direct and indirect forms, in addition to integrity, transparency and correctness in the performance of the company s activities. 2.4 Environmental Sustainability SIA believes in the principles of environmental responsibility and - in line with applicable regional, national, rules and with the requirements of ISO undertakes to ensure that all its activities are carried out in full respect of the environment, minimizing environmental impacts both direct and indirect effects of its activities. The company's strategy in the field of environmental responsibility is based on the following principles: - Security - Savings - Recycling The areas of priority interest in which SIA continues to reduce its environmental impact are: - Energy and water - Materials - Mobility - Other eco-friendly activities The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 5 of 36

6 SIA Processes and Management Systems 3 MANAGEMENT COMMITMENT AND DUTIES OF THE PERSONNEL 3.1 SIA s Management Commitment SIA s Management: communicates to its collaborators that the respect of the Customer s requirements, and the mandatory requirements related to them, should always have a central role; defines the Quality Policy, Business Continuity Policy, Information Security Policy and the Risk Policy and makes them known to the entire staff so that the objectives set out are achieved and the necessary resources are made available; attributes to the various heads of the corporate functions the necessary authority to carry out the tasks assigned to them; ensures the widespread dissemination of process updates and evolutions to all the personnel; following significant changes in the processes system, guarantees specific training sessions for the structures affected by these changes; appoints the Quality Management Representative. 3.2 Personnel Fulfillments Regardless of their role, all SIA staff, both internal and external, must: know the content of the company management systems policies and contribute to the implementation of the directives and objectives set out in them; work according to corporate processes and in accordance with the policies defined by the company; process corporate information in an appropriate manner. Any act that could jeopardize the safety of persons and the security of information owned by SIA, its customers or third parties is subject to appropriate disciplinary and/or legal action. The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 6 of 36

7 SIA Processes and Management Systems 4 CORPORATE PROCESSES SYSTEM SIA s system of processes describes the activities, responsibilities and interactions between the organizational units. The processes are drawn up by the Human Resources & Organization Department, in collaboration with all the functions involved with the exception of specific processes for Management Systems relating to Information Security, Business Continuity, Compliance Management and Risk Management, which are defined by the Risk Governance Department. The company has: identified the business processes; identified support processes; identified governance processes; established the sequence and interaction between processes; defined the measurement criteria aimed at verifying the effectiveness of the processes; ensured that the resources necessary for the correct implementation of processes are available; set up control activities aimed at verifying whether the processes achieve the results set out or can be improved. The system of processes involves planning, execution, control and review phases and it is constantly updated and improved in relation to customer needs and to the organizational needs of the company. Should SIA choose to outsource processes that affect the compliance of the product with the requirements, it shall ensure control over such processes. The system of processes must define the methods for controlling outsourced processes. All external supplies, even if coming from group companies, are regulated by contracts defining the performance and service levels expected. All the processes have been defined in compliance with the AGCM provision, which for services provided in Italy requires, in summary: 1. [ ] the separation between offers for services provided by the various Divisions and by the NET Department, which supplies Network services; 2. [ ] the accounting separation for the Division responsible for NET activities; 3. [ ] the sale by the Division responsible for NET activities of NET services exclusively through its personnel and at unbundled conditions with respect to the offering of the other divisions on the basis of separate, autonomous contracts; 4. [ ] the array of measures aimed at guaranteeing full interoperability, both technically and economically, on all the interbank routes towards existing and potential network operators authorized to operate within the scope of the SITRAD convention. The corporate organization and the system of processes were defined also taking into account the Bank of Italy s instructions on the governance and control of processes and business continuity regulations [ ]. The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 7 of 36

8 SIA Processes and Management Systems Values, Ethical Code and Organizational Model 231 Corporate Planning, Merger and Acquisition, Industrial Accounting, Intercompany, Anticorruzione. Risk, Complliance, Quality, Business Continuity, Information Securety, Safety, Privacy. Feasibility Business Processes Sales and Contract Management Development Service Management CUSTOMERS Governance Processes Management Systems Support Processes Human Resources, Supply Management, Provisioning, Finance & Administration, Communication Business Processes The System of Corporate Processes: summary Business processes make up SIA s value chain, starting from customer and market requirements: Feasibility process Design and development process Offer management process Contract management process Service management process o ICT incident management process o Problem management process o Change management process o Release management process o Service level management process o ICT capacity planning process o Process for the management of complaints, reimbursements and penalties The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 8 of 36

9 SIA Processes and Management Systems Support Processes The support processes are designed to back up the business processes: Management of human resources Management of suppliers Procurement Administration and finance Communication Governance Processes The governance processes relate to the definition of the general rules of the company, to the definition of the corporate strategic objectives and the verification of their achievement: Definition and management of the strategic plan Industrial accounting Management of Merger and Acquisition operations Management of the inter-group budget Management of the inter-group supplies The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 9 of 36

10 SIA Processes and Management Systems 5 MANAGEMENT SYSTEMS SIA has always considered Quality, Information Security, Business Continuity, Compliance and Risk Management to be strategic factors that can easily be transformed into a competitive advantage for the market positioning. SIA has implemented its own systems with the aim of increasing the satisfaction of its customers, improving processes and the levels of quality and security of services, adopting international standards recognized worldwide. Compliance to these standards is confirmed by the achievement of the certifications ISO 9001:2008, ISO/IEC 27001:2013 and ISO 22301: Management system policies SIA has decided to develop the Quality Policy, the Business Continuity Policy, the Information Security Policy and the Risk Policy because it considers their implementation essential in relationships with customers, suppliers, group companies and shareholders. Through the guarantee of an adequate system of processes, an appropriate level of information security, and in compliance with the laws and regulations and the requirements set out by the Supervisory Bodies, the Policies permit SIA to respond appropriately to the needs of customers and to market requirements and to achieve the corporate objectives. 5.2 Scope of application of certified systems The scope of application of the certified Management Systems (Quality, Security and Business Continuity) is: Concept, design, development, marketing and management of infrastructure and technology services, dedicated to Central and Financial Institutions, to Corporates and to Public Administrations (including services for retention of digital documents), in the areas of payments, e-money, the network services, capital markets and big databases Exclusions There are no exclusions to the scope of application related to SIA S.p.A. activities. 5.3 Quality Quality Policy SIA pays great attention to Quality as a critical element for the satisfaction of its customers, in full compliance with the requirements of the general and industry regulations. The company has set up a Quality Management System that includes the definition of the system of corporate processes and the attribution of the related responsibilities. The Quality Policy defined by the Top Management is distributed to all the personnel, and includes the following guiding principles: the guarantee of the satisfaction of customer requirements and of applicable regulatory requirements; the continual improvement of corporate processes through measurement and monitoring systems; behavioral and technical training aimed at guaranteeing a level of professionalism able to ensure customer satisfaction; the regular review of the policy itself in order to guarantee the constant satisfaction of customer and market needs; the implementation and maintenance of a Quality Management System compliant with the international standard ISO 9001:2008. The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 10 of 36

11 SIA Processes and Management Systems Roles and Responsibilities The Quality Management Representative, having the authority and resources necessary to perform the role, and in cooperation with the Quality function, is responsible for: ensuring that the processes are defined, implemented and updated; reporting regarding any improvements required; ensuring the promotion of awareness of customer requirements across the organization through the definition and management of the Quality Management System (QMS). The Quality Function is part of the Risk Governance Department and is responsible for governing the Quality Management System Elements of the Quality Management System SIA has defined, documented and implemented a Quality Management System in compliance with the requirements of the ISO 9001:2008 standard and has created the system of processes described in Chapter 4 of this document. In addition, the Top Management has identified and allocated the resources necessary for the implementation of the Quality Management System. SIA has set up the procedures: "Management of Documentation and Registrations"; "Management of Non- Compliances, Corrective Actions and Preventive Actions"; "Management of Internal Audits". SIA s processes and procedures can be found in the company document management system. The specific competences have been defined in the system of roles for all professional profiles, including the profiles that directly affect the quality of services and products. Continual improvement of Quality Management System (QMS) Plan Requirements Act Improvement CUSTOMER Product/Service Do Customer Feedback Mgmt. Review Check The Quality Management System The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 11 of 36

12 SIA Processes and Management Systems Monitoring The Company has defined suitable indicators to measure the ability of its processes and services to produce the expected results related to set objectives. The data relating to the efficiency and effectiveness of the Quality Management System are analyzed by the various managers and then discussed during the Management Review. The aim of the data analysis is to identify strengths and weaknesses of the system, prepare any corrective or preventive actions and guarantee constant improvement. SIA regularly performs surveys aimed at verifying Customer Satisfaction levels. The results are analyzed and any necessary activities implemented Quality review The Top Management defines objectives consistent with the Quality Policy which are monitored and reviewed at regular intervals according to their level of importance. The objectives of the Quality Management System are formalized in the review performed by the Risk Governance Department and are classified as follows: maintenance/improvement objectives monitoring objectives certification objectives training objectives Checks on the progress of the objectives of the Quality Management System are regularly performed by the Risk Governance Department. The Top Management carries out and documents the Quality Review with the aim of verifying the degree of adequacy of the Quality Management System. Input elements of the Quality Review by the Management The Quality Review by the Management is based on the analysis of the following documented information: the results of the internal audits, with the indication of non-compliances, observations and opportunities for improvement; the feedback of the Customer, with specific attention to complaints, praise and the results of Customer Satisfaction surveys; the indicators measuring the performance of the processes, the company and the related analysis; the progress of corrective and preventive actions taken; the activities defined in the previous Reviews evaluated in the current Review; any amendments to be made to the Quality Management System; proposals for the improvement of the System; any other element that the Top Management wishes to discuss and that have direct or indirect impacts on the Quality Management Systems. Output elements of the Quality Review by the Management The Output elements of the Quality Review by the Management include decisions and activities relating to: the improvement of the Quality Management System and Processes; the improvement of service performances in relation to customer requirements; the resources necessary to achieve the objectives and the implementation of the decisions made Internal Quality Audits In order to pursue the continual improvement of the Quality Management System (QMS), Internal Quality The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 12 of 36

13 SIA Processes and Management Systems Audits are planned, carried out and documented annually. The objectives of the Internal Quality Audits are: Verify the application, adequacy and effectiveness of the QMS; Identify the specific areas for improvement of the QMS; Identify the suitable Corrective and Preventive Actions. The rules for the planning and management of these activities are documented in the procedure relating to Internal Quality Audits Management of non-compliances SIA has defined and documented the methods for the management of non-compliances, of corrective and preventive actions in order to guarantee the effectiveness and efficiency of the Quality Management System and of processes with the aim of achieving customer satisfaction in full respect of the agreements entered into. The rules concerning the planning and management of these activities are documented in the procedure Management of Non-Compliances, Corrective Actions and Preventive Actions Continual improvement SIA is committed to constantly improving its Quality Management System in relation to the organizational needs of the company. This objective is pursued through: the systematic analysis of the indicators and of the objectives set out; the Management Review, with specific attention to: the results of data analysis the outcomes of the audits the performance of processes and services the progress of the objectives of the individual Organizational Units the previous Management Reviews the corrective and improvement plans under way. 5.4 Business Continuity The following points describe the most significant aspects of the Business Continuity Management System. For further details and clarifications, please see the document Business Continuity Management System Business Continuity Policy SIA pays great attention to Business Continuity as a critical element in the supply of services, in full respect of the contracts entered into with customers, the Bank of Italy s guidelines and, more generally, in compliance with the relevant international methodologies and standards. In particular, the company has set up a Business Continuity Management System, which includes the rules of conduct, the processes, the chain of command and technology, logistics and Disaster Recovery infrastructures for the management of emergencies in case of events that may compromise business continuity. The Business Continuity Policy defined by the Top Management and distributed to all the personnel is divided into the following guiding principles: Adoption of a business continuity model that is recognized as a valuable reference at international level and which pursues the ongoing improvement of the BCMS (since 2007, SIA has adopted the BS The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 13 of 36

14 SIA Processes and Management Systems standard as a reference model for the creation of its Business Continuity Management System. In 2012, the BS was converted into the ISO standard, and in 2013 SIA adapted its BCMS to conform to the new standard); Subdivision of the Business Continuity objectives for the various services in a manner consistent with commercial contracts with customers and with the requirements set out by the Supervisory Bodies; Identification of technical and organizational solutions in line with the company's economic requirements Business Continuity Guidelines The Risk Governance Department defines and distributes the Business Continuity guidelines, as approved by the Top Management. These guidelines are formulated in conjunction with those of the Information Security Management System (ISMS) and must be known and applied by all SIA personnel in the planning, design and delivery of services and, more generally, in the performance of their duties Roles and Responsibilities With regard to the Business Continuity Management System (BCMS), the Top Management: identifies the main business continuity roles within the individual business units, setting up an appropriate organizational structure that is responsible for managing and implementing Business Continuity in the company and a pre-defined organizational structure for the extraordinary management of emergencies and crises. The following are also set up and identified: the Business Continuity and Disaster Recovery Steering Committee the Business Continuity Contact Persons The aim of the Risk Governance Committee is to provide information on the activities underway and on those that will be started up in the various areas governed by the Risk Governance Department. With the aim of achieving greater synergy, the Business Continuity Management System is connected to the Risk Governance System Elements of the Management System SIA has defined, documented and implemented a Business Continuity Management System compliant with the requirements of the ISO standard. The Company Management has identified and allocated the resources necessary for the implementation of the Business Continuity Management System. SIA has set up the following procedures: "Management of BCMS documentation", "Management of BC Audits", "Management of BC Tests". SIA s Business Continuity processes and procedures are available in the company document management system. The specific duties have been defined in the system concerning the roles of all professional profiles, which includes the profiles that directly affect the quality of services and products. The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. Page 14 of 36

15 SIA Processes and Management Systems Continual improvement of business continuity management system (BCMS) Plan Establish Interested parties Requirements for Business Continuity Act Mantain and Improve Implement and Operate Do Intersested parties Managed Business Continuity Monitor and review Check Monitoring of the BCMS The contents of this document are the property of SIA S.p.A. Classification: Public All rights reserved. The Business Continuity Management System The company monitors and manages the Business Continuity Management System through three main activities: Tests and drills Business Continuity Review Business Continuity Audits Tests and Drills SIA sets up a multi-year plan of Business Continuity tests and an annual Disaster Recovery test plan. Business Continuity tests are performed to evaluate the effectiveness and efficiency of the Emergency and Crisis Management Process and of the Business Continuity Plans of Departments/Divisions, which are necessary to ensure the restoration of business operations. The rules for the planning and management of these activities are documented in the Procedure for the Management of BC Tests. The Disaster Recovery tests are necessary to evaluate the functioning and efficiency of the back-up structures of the technological infrastructure and to keep the skills of the people involved up to date. For the Disaster Recovery aspects, the frequency and methods are dictated by various factors such as customer requirements, contractual obligations, the criticality of services and processes, their interdependency with regard to other services and/or processes, any regulatory constraints, etc Business Continuity Review The review of the BCMS has the objective of verifying its adequacy following the evolution of the rules and requirements expressed by the relevant standards and regulations and to identify specific activities aimed at ensuring its maintenance. Page 15 of 36