Incident Escalation Matrix

Purpose

This document defines the Bank's incident escalation matrix, ensuring that operational incidents are escalated to the appropriate level of management in a timely and structured manner. Proper escalation enables rapid decision-making, minimises client and business impact, and ensures regulatory notification obligations are met.

Scope

This matrix applies to all operational incidents across the Bank, including technology failures, payment processing disruptions, security breaches, fraud events, compliance breaches, physical security incidents, and client-impacting service disruptions.

Severity Classification

Severity	Definition	Examples
S1 — Critical	Widespread impact on clients or operations; core systems unavailable; significant financial or reputational exposure	Core Banking System outage, data breach affecting client data, SWIFT connectivity failure, major fraud event (>USD 1M)
S2 — Major	Significant impact on a business line or client segment; partial system failure; material financial exposure	Payment processing delays affecting multiple clients, branch network outage, failed bulk payment batch (>USD 500K), compliance breach requiring regulatory notification
S3 — Moderate	Limited impact on operations or clients; system degradation with workaround available; manageable financial exposure	Single branch system failure, individual payment failure (>USD 50K), minor compliance exception, client complaint involving potential financial loss
S4 — Minor	Minimal impact; isolated event; no material financial or reputational exposure	Individual user access issue, minor process error, delayed report generation

Escalation Matrix

S1 — Critical Incidents

Timeline	Action	Responsible Party
Immediately (T+0)	Incident detected and logged in Incident Management System (IMS)	Detecting staff / system alert
Within 15 minutes	Notify line manager and Incident Commander (on-call)	Detecting staff
Within 30 minutes	Activate Crisis Management Team (CMT); notify Head of Operations, CRO, CIO	Incident Commander
Within 1 hour	Notify CEO, General Counsel, Head of Communications	Incident Commander / CMT
Within 2 hours	Assess regulatory notification requirements; prepare initial communication to regulator if required	Compliance / Legal
Within 4 hours	Issue internal situation report to Executive Committee; prepare client communication (if applicable)	CMT / Communications
Ongoing	Hourly status updates to CMT until resolution	Incident Commander

S2 — Major Incidents

Timeline	Action	Responsible Party
Immediately	Incident logged in IMS	Detecting staff
Within 30 minutes	Notify line manager and department head	Detecting staff
Within 1 hour	Notify Head of Operations and CRO	Department head
Within 2 hours	Assess regulatory notification requirements	Compliance
Within 4 hours	Issue situation report to COO	Department head
Ongoing	Status updates every 2 hours until resolution	Assigned incident manager

S3 — Moderate Incidents

Timeline	Action	Responsible Party
Immediately	Incident logged in IMS	Detecting staff
Within 1 hour	Notify line manager	Detecting staff
Within 4 hours	Notify department head (if not resolved)	Line manager
Within 1 business day	Resolution or escalation to S2 if impact increases	Line manager

S4 — Minor Incidents

Timeline	Action	Responsible Party
Immediately	Incident logged in IMS	Detecting staff
Within 4 hours	Notify line manager	Detecting staff
Within 3 business days	Resolution and closure in IMS	Line manager

Crisis Management Team (CMT)

The CMT is convened for all S1 incidents and S2 incidents at the discretion of the Head of Operations. The standing members of the CMT are:

Chief Operating Officer (Chair)
Chief Risk Officer
Chief Information Officer
Head of Operations
Head of Compliance
General Counsel
Head of Corporate Communications

Additional members are co-opted based on the nature of the incident (e.g., Head of Payments for payment-related incidents, CISO for cybersecurity incidents).