The ESM headquarters in Luxembourg’s Kirchberg district, the long-time home of private sector banks and public sector European institutions, has a major advantage over some older institutions: it was unencumbered by legacy systems – or even walls. This means its physical and information technology (IT) infrastructure were purpose-built.
‘We were in a very lucky position because in many areas, we could start from scratch and design it through,’ said Boris Fallnicht, ESM facilities manager.
Designers took inspiration from the finance sector, contemporary public buildings, and even Silicon Valley start-ups to create a creative, problem-solving environment that would function within an institutional framework. ‘We are not a start-up anymore – but we try to keep that spirit alive in a mature long-lasting institution,’ said Secretary General Anev Janse.
Breaking down walls is an operative principle. The management team’s offices are spread throughout the building and accessible to all, not cordoned off in a C-suite. To instil the out-of-the-box thinking that was the hallmark of the ESM’s breakneck, crisis-driven inception, the set-up features community spaces, as well as movable walls and partitions so room layouts can be re-arranged to accommodate meetings of different size and purpose.
The office’s buildout and décor were constrained by two factors: ensuring staff could do their jobs come what may and safeguarding the security of the ESM’s people, infrastructure, computer, and communications systems.
With two organisations sharing a staff and a roof, even day-to-day business entails a degree of complexity. To track the firewalls’ finances, for example, the ESM’s accountants need to use two sets of accounting rules. As a treaty-based international financial institution, the ESM uses the rules laid out in the EU accounting directive to manage its books. The EFSF, with its private sector legal structure, uses International Financial Reporting Standards. ‘The set-up is quite different and they are not all that compatible,’ said Thomas Pies, head of finance and control.
Remote, reliable, secure data access was crucial. At the height of the crisis, staff knew they could be called on at any hour of the day or night, so the computing network had to extend to wherever they were. The EFSF was soon aligned with major corporations with robust teleworking systems to allow colleagues to videoconference in, from home, from a roadshow, or, in the event of a crisis or natural disaster, from an off-site office. Dave Wallace, the ESM’s head of information technology and operations, called the globalised office ‘one of our first mantras. We saw it as key that people could work from anywhere at any time as if they were in the office.’
Security was also essential for hosting high-level ministerial gatherings. Just eight months after its inauguration, the ESM held its first annual Board of Governors meeting in June 2013 at the new premises. The ESM needed to accommodate 17 finance ministers and their delegations, manage the flow of security, provide media access, and handle food and beverage delivery during and around discussions and photo ops – in other words, all the logistical minutiae of hosting a major event.
‘We had to coordinate everything with the Luxembourg police, so that the transfers were swift and safe,’ Fallnicht said. ‘We had to ensure the tightest access protocols for participants due to the political temperature of the times.’
In 2013, the ESM set up a disaster recovery site. Unlike the shared back-up facilities used by banks in London or Paris, the ESM is the sole operator of its site. In the event of a sudden need to evacuate the headquarters, for example, it wouldn’t have to compete with rival tenants for the backup space.
Staff work out of the recovery site at least twice a year as part of disaster response training. Some departments will temporarily relocate there during upgrades or refits of the main office. ESM officials have examined a wide range of scenarios that could occur without warning and could hobble daily operations – from the outbreak of an epidemic, to a cyberattack, or even the local loss of electricity.
‘We are very strong on scenario analysis, and we have a wide range of events for which we have a pre-planned response,’ said Djoneva, deputy head of ESM corporate governance and internal policies. ‘We need to be able to operate on a 24/7 basis.’
From a systems perspective, the ESM needs to ensure that its physical and digital infrastructures can withstand disaster, natural or otherwise. This was understood right from the start, when the EFSF rented a small generator to keep power flowing to key functions in the event of a blackout. The first uninterrupted power supply for the whole building was installed in 2014, followed by a customised system.
Every year, the ESM also conducts an incident management exercise to train and test the responsiveness of top management. There is a certain theatrical staging to this. In one room sit experts who simulate a real-life incident, peppering senior ESM managers in another room with incremental bits of information as the fictional crisis unfolds. ESM spokespeople are also involved, since a major part of emergency response is communicating with the public.
Unlike the exercises, however, the threats themselves can be all too real. In a 2017 campaign, eight letter bombs were sent to institutions, including the German finance ministry and the IMF office in Paris. A booby-trapped parcel addressed to ESM Managing Director Regling was intercepted at Athens airport, as was one addressed to Eurogroup President Dijsselbloem. Together with Luxembourg authorities, the ESM took emergency security precautions to protect Regling and ESM staff.
In terms of its information technology network, the ESM grew up in the cloud era, and could ‘leapfrog many of our peers by adapting a fully outsourced strategy leveraging the latest cloud systems and thinking,’ Wallace said. ‘This allowed the ESM to scale up quickly and flexibly, adopting the newest technology along the way.’
As well as keeping on top of technology, the ESM is keen to encourage innovation. Its Technology Officer Rogelio Rodriguez programmed an expert system – a precursor of artificial intelligence – to probe for functional inconsistencies in the ESM’s 250 daily financial-system reports. It’s nicknamed Jarvis. Automatic scanning of spreadsheets not only saves human time – for example removing the need to validate the daily cost-of-funding calculation by hand – but also helps address any bugs that crop up. Lately, Rodriguez has been leading the team’s investigations into the potential benefits for the ESM of deep data and artificial intelligence, as well as blockchain-type distributed ledger technologies. Blockchain, a secure method of asset tracking, has the potential to revolutionise the way capital markets operate, given the evolving need for trusted third parties and improved transaction settlement. Deep data analytics could maximise the value of specific data streams while minimising needs for large data storage. Artificial intelligence could lead to radically more efficient systems.
Jelena Zelenović Matone is another ESM technology pioneer. A former refugee of the Yugoslav civil wars, she joined the ESM in 2014. Thanks to her technology expertise, gained from working in the private sector in Canada, she anticipated some of the ESM’s needs before they had fully emerged such as the setting up of security protocols within the information technology department. Zelenović Matone said that, in her time at the ESM, she has been given the time and scope to consider technical approaches that were still off the radar, which is testimony to the ESM’s commitment to excellence. ‘They gave me the freedom to further explore these areas, such as IT general controls, automated IT application controls, end-user computing controls, and policies and procedures that were yet to be developed at the ESM.’
The frameworks and controls she designed, along with her quarterly risk dashboards, made a strong impression on the ESM’s auditors and have become an integral part of internal oversight. Zelenović Matone also has been sought out by other international financial organisations to share technology-related internal control and audit solutions.
To share know-how and to stay abreast of the latest developments, Anev Janse is active in both public and private sector networks. Together with peer institutions, the ESM set up a financial technology forum for staff to discuss the latest trends and share best practices both online and in person.
Anev Janse is often asked to share the ESM’s experiences around the globe on becoming part of a start-up-oriented financial technology circle to keep abreast of new ideas and test products. ‘We learn and they learn,’ Anev Janse said. ‘That’s also the way to push innovation in Europe.’
 Directive 86/635/EEC of the Council of the European Communities of 8 December 1986 on the annual accounts and consolidated accounts of banks and other financial institutions, as amended by Directive2001/65/EC of 27 September 2001, by Directive2003/51/EC of 18 June 2003 and by Directive 006/46/EC of 14 June 2006.
 New York Times (2017), ‘Letter bomb injures worker at International Monetary Fund office in Paris’, 16 March 2017. https://www.nytimes.com/2017/03/16/world/europe/paris-imf-bomb.html; and BBC News, ‘Paris IMF letter bomb that injured one was sent from Greece’, 16 March 2017. https://www.bbc.com/news/world-europe-39292671
 DutchNews.nl (2017), ‘Dutch finance minister target of Greek parcel bomb: Report’, 21 March 2017. https://www.dutchnews.nl/news/2017/03/dutch-finance-minister-target-of-greek-parcel-bomb-report/; Euractiv.com (2017), ‘Dijsselbloem “mail bomb target”, says spokesman’, 22 March 2017. https://www.euractiv.com/section/politics/news/dijsselbloem-mail-bomb-target-says-spokesman/