Risk Assessment
OM-5.4.6
In developing a BCP, licensees must consider realistic threat scenarios that may (potentially) cause disruptions to their business processes.
October 07
OM-5.4.7
Licensees should analyse a threat by focusing on its impact on the business processes, rather than on the source of a threat. Certain scenarios can be viewed purely in terms of business disruption in specific work areas, systems or facilities. The scenarios should be sufficiently comprehensive to avoid the BCPs becoming too basic and thereby avoiding steps that could improve the resiliency of the licensee to disruptions.
October 07
OM-5.4.8
Business continuity plans must take into account different types of likely or plausible scenarios to which the bank may be vulnerable. In particular, the following specific scenarios must, at a minimum, be considered in the BCP:
• Utilities are not available (power, telecommunications);
• Critical buildings are not available or specific facilities are not accessible;
• Software and live data are not available or are corrupted;
• Vendor assistance or (outsourced) service providers are not available;
• Critical documents or records are not available;
• Critical personnel are not available; and
• Significant equipment malfunctions (hardware or telecom).
Amended: October 2012
October 07
OM-5.4.9
Licensees must distinguish between threats with a higher probability of occurrence and a lower impact to the business process (e.g. brief power interruptions) and those with a lower probability and higher impact (e.g. a terrorist bomb).
October 07
OM-5.4.10
As a starting point, licensees must perform a "gap analysis". This gap analysis is a methodical comparison of what types of plans the licensee requires in order to maintain, resume or recover critical business operations or services in the event of a disruption, versus what the existing BCP provides. Management and the Board can address the areas that need development in the BCP, using the gap analysis.
Amended: July 2011
October 07