How to create a strategic Business Continuity Plan in line with MAS regulations
What is Business Continuity Planning (BCP)?
Business Continuity Planning is the readiness to manage business interruptions so that services continue at an acceptable level and the Financial Institution’s (FI’s) financial and competitive position is safeguarded. BCP ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.
BCP is conceived in advance and involves input from key stakeholders and personnel. An FI should define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) at the business function level. In addition, an FI should set a minimum performance level for each business function. The minimum performance level, RTO and RPO together constitute the business continuity objectives for that business function.
BCP: MAS Perspective
The Monetary Authority of Singapore (MAS) sets out the following broad principles for BCP. These principles act as guidelines and set a standard for all FIs. As outlined in the Guidelines on Risk Management Practices – Business Continuity Management (2003), they are as follows:
- Board of Directors and senior management should be responsible for their institution’s Business Continuity Management (BCM). Senior management is responsible for steering BCM with policies and strategies necessary for the continuation of critical business functions.
- Institutions should embed business continuity management into their business-as-usual operations, incorporating sound practices. BCM is a proactive process that addresses operational risk by developing clear policies, strategies, and accountabilities for the recovery of critical business functions.
- Institutions should test their business continuity plan regularly, completely, and meaningfully. Changes in technology, business processes and staff roles and responsibilities can affect the appropriateness of the BCP, and ultimately the business continuity preparedness of the institution. It is therefore important to regularly test the plan’s functionality and effectiveness.
- Institutions should develop recovery strategies and set recovery time objectives for critical business functions. Without these clear markers, scarce resources may be inappropriately diverted to less important activities. This may adversely affect the institutions’ reputation and survivability.
- Institutions should understand and appropriately mitigate interdependency risk of critical business functions. Institutions should mitigate the risk arising from these complex dependencies as far as practically possible and consider such dependencies in their recovery strategies and recovery time objectives.
- Institutions should plan for wide-area disruptions. Institutions are responsible for deciding on the need to cater for multiple-zone outage scenarios, taking into consideration their respective levels of critical business activities and prudent risk management policies.
- Institutions should practise a separation policy to mitigate concentration risk of critical business functions. To do so, institutions could consider the following approaches:
  - Primary-secondary site separation: separate the primary and secondary sites of critical business functions into different zones.
  - Critical business function separation and intra-function separation: separating critical business functions into different zones mitigates the risk of losing multiple critical business functions from a single-zone disruption.
MAS Regulatory Changes with regards to BCP
The MAS first issued the Business Continuity Management (BCM) Guidelines in 2003. These guidelines were supplemented by additional guidance on pandemic and physical security measures in 2006. On 7 March 2019, MAS released a consultation paper on proposed revisions to the guidelines on business continuity management. The proposed changes are part of MAS’ efforts to help FIs strengthen their resilience to disruptions. FIs will be expected to adopt the revised Guidelines within a year of their publication. The essential points to bear in mind are as follows:
- FIs should have in place end-to-end business continuity plans for each service that is delivered to their customers. These plans should draw out any internal or external dependencies.
- FIs should, through their Business Impact Analysis (BIA), identify the business functions that are critical to them, based on the potential loss (both financial and non-financial) should these functions be disrupted.
- A strong governance policy should be established to address a wide range of disruptive events including, but not limited to, loss of staff, equipment and infrastructure (both IT and physical), and the potential loss of services provided by third parties to the FI.
- Build a business-as-usual (“BAU”) risk management organisational culture that embeds business continuity as part of an FI’s.
- A crisis management plan setting out the criteria and processes for Crisis Management Team (CMT) activation should be in place.
- FIs should aim to be proactive, transparent and factual in their crisis communications, so as to maintain customer confidence and safeguard the interests of their customers. Crisis communication plans should include the following:
  - a list of all stakeholders with primary and secondary means of communication;
  - pre-drafted media statement templates;
  - a list of designated spokespersons and their alternates.
- Different types of testing scenarios should be included in the BCP, and FIs should conduct different types of testing to gain confidence that they will be able to continue to operate reliably, responsively, and efficiently as planned. Specifically, an FI should, at a minimum, conduct the following annually:
  - a crisis management and communications exercise involving all CMT members and their alternates; and
  - a test of the BCP for each critical business function.
- FIs should have in place a formal testing programme to systematically validate their ability to achieve their objectives in the event of a disruption. The tests conducted could range from basic call-tree activation and failover of specific applications and IT components, to more complex exercises.
We, at Argus Global, are a team of consultants who specialise in regulatory compliance for Financial Institutions in Singapore that are regulated by MAS. We can help you plan a BCP that takes into account the broad principles set by MAS and the general working requirements of an FI. We are equipped to draft varied testing scenarios that address a broad range of plausible events, from wide-area disruptions to pandemics. We will be happy to answer your queries, whether specific to this article or about any other regulatory compliance hurdles you may face. Do reach out to us at [email protected].