• OM-4 Business Continuity Management

    • OM-4.1 Introduction

      • OM-4.1.1

        All businesses may experience serious disruptions to their business operations. These disruptions may be caused by external events such as flooding, power failure or terrorism, or by internal factors such as human error or a serious computer breakdown. The probability of some events may be small, but the potential consequences may be massive, whereas other events may be more frequent and with shorter time horizons.

        Added: January 2020

      • OM-4.1.2

        The purpose of a Business Continuity Plan ('BCP') is to minimize the operational, financial, legal, reputational, and other material consequences arising from a disruption. The objectives of a good BCP are:

        (a) To minimise financial loss to the licensee;
        (b) To continue to serve customers and counterparties in the financial markets; and
        (c) To mitigate the negative effects that disruptions can have on a licensee's reputation, operations, liquidity, credit quality, its market position, and its ability to remain in compliance with applicable laws and regulations.

        Added: January 2020

      • Scope and Key Elements of Business Continuity Management (BCM)

        • OM-4.1.3

          The requirements of this Chapter apply to all licensees.

          Added: January 2020

        • OM-4.1.4

          Branches of foreign banks may apply alternative arrangements to those specified in this module, where they are subject to comprehensive BCM arrangements implemented by their head office or other member of their group, provided that:

          (a) They have notified the CBB in writing what alternative arrangements will apply;
          (b) They have satisfied the CBB that these alternative arrangements are equivalent to the measures contained in this chapter, or are otherwise suitable; and
          (c) The CBB has agreed in writing to these alternative arrangements being used.

          Added: January 2020

    • OM-4.2 General Requirements

      • OM-4.2.1

        To ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption, all Conventional bank licensees must establish a comprehensive framework for business continuity management (BCM) and must maintain a business continuity plan (BCP) appropriate to the scale and complexity of their operations. A BCP must address the following key areas:

        (a) Data back up and recovery (hard copy and electronic);
        (b) Continuation of all critical systems, activities, and counterparty impact;
        (c) Financial and operational assessments;
        (d) Alternate communication arrangements between the licensee and its customers and its employees;
        (e) Alternate physical location of employees;
        (f) Communications with and reporting to the CBB and any other relevant regulators; and
        (g) Ensuring customers' prompt access to their funds in the event of a disruption.

        Added: January 2020

      • OM-4.2.2

        An effective BCM framework must incorporate the policy, procedures and tools required to manage the risk of major operational disruptions. The BCP must be comprehensive, not limited just to disruption of business premises and information technology facilities, but covering all other critical areas that affect the continuity of critical business operations or services (e.g. liquidity, human resources and others).

        Added: January 2020

      • OM-4.2.3

        Licensees must notify the CBB promptly if there are events that lead to activating their BCP. They must also provide regular progress reports, as agreed with the CBB, until the BCP is deactivated.

        Added: January 2020

      • OM-4.2.4

        The CBB expects licensees to plan for how they may cope with the complete destruction of buildings and surrounding infrastructure in which their key offices, installations, counterparties or service providers are located. The loss of key personnel and a situation where back-up facilities might need to be used for an extended period of time are important factors in effective BCPs.

        Added: January 2020

      • OM-4.2.5

        Licensees may find it useful to consider two-tier plans. One plan should deal with near-term problems; this should be fully developed and able to be put into immediate effect. The other, which might be in paper form, should deal with a longer-term scenario (e.g. how to accommodate processes that might not be critical immediately but would become so over time).

        Added: January 2020

    • OM-4.3 Board and Senior Management Responsibilities

      • Establishment of a Policy, Processes & Responsibilities

        • OM-4.3.1

          A licensee's Board of Directors and Senior Management are collectively responsible for a bank's business continuity. The Board must approve the policies, while senior management must approve procedures and processes for a licensee's BCP.

          Added: January 2020

        • OM-4.3.2

          Licensees must establish a Crisis Management Team (CMT) to develop, maintain and test their BCP, as well as to respond to and manage the various stages of a crisis. The CMT must comprise members of senior management and heads of major support functions (e.g. building facilities, IT, corporate communications and human resources).

          Added: January 2020

        • OM-4.3.3

          Licensees must establish (and document as part of the BCP) individuals' responsibilities in helping prepare for and manage a crisis; and the process by which a disaster is declared and the BCP initiated (and later terminated).

          Added: January 2020

      • Monitoring and Reporting

        • OM-4.3.4

          The CMT must submit regular reports to the Board and senior management on recovery and response activities in the event of major operational disruptions and also on the results of the testing of the BCP (refer to section OM-4.9). Major changes must be developed by the CMT, reported to senior management, and endorsed by the Board.

          Added: January 2020

        • OM-4.3.5

          The Chief Executive of a licensee must sign a formal annual statement submitted to the Board on whether the response and recovery strategies adopted are still valid and whether the documented BCP is properly tested and maintained. The annual statement must be included in the BCM documentation and will be reviewed as part of the CBB's on-site examinations.

          Added: January 2020

    • OM-4.4 Developing a Business Continuity Plan

      • Impact Analysis

        • OM-4.4.1

          Licensees' BCPs must be based on (i) a business impact analysis, (ii) an operational impact analysis, and (iii) a financial impact analysis. These analyses must be comprehensive, including all business functions and departments, not just IT or data processing.

          Added: January 2020

        • OM-4.4.2

          The key objective of a Business Impact Analysis is to identify the different kinds of risk to business continuity and to quantify the operational and financial impact of disruptions on a licensee's ability to conduct its critical business processes.

          Added: January 2020

        • OM-4.4.3

          A typical business impact analysis is normally comprised of two stages. The first is to identify and prioritise the critical business processes that must be continued in the event of a disaster. The first stage should take account of the impact on customers and reputation, the legal implications and the financial cost associated with downtime. The second stage is a time-frame assessment. This aims to determine how quickly the licensee needs to resume critical business processes identified in stage one.

          Added: January 2020

        • OM-4.4.4

          Operational impact analysis focuses on the firm's ability to maintain communications with customers and to retrieve key activity records. It identifies the organizational implications associated with the loss of access, loss of utility, or loss of a facility. It highlights which functions may be interrupted by an outage, and the consequences to the public and customer of such interruptions.

          Added: January 2020

        • OM-4.4.5

          A Financial Impact Analysis identifies the financial losses (both immediate and consequent to the event) that arise out of an operational disruption.

          Added: January 2020

      • Risk Assessment

        • OM-4.4.6

          In developing a BCP, licensees must consider realistic threat scenarios that may (potentially) cause disruptions to their business processes.

          Added: January 2020

        • OM-4.4.7

          Licensees should analyse a threat by focusing on its impact on the business processes, rather than on the source of a threat. Certain scenarios can be viewed purely in terms of business disruption in specific work areas, systems or facilities. The scenarios should be sufficiently comprehensive to avoid the BCPs becoming too basic and thereby avoiding steps that could improve the resiliency of the licensee to disruptions.

          Added: January 2020

        • OM-4.4.8

          BCPs must take into account different types of likely or plausible scenarios to which the bank may be vulnerable, considering both the control (pre-event) measures and response (post-event) measures. In particular, the following specific scenarios must, at a minimum, be considered in the BCP:

          (a) Utilities are not available (power, telecommunications);
          (b) Critical buildings are not available or specific facilities are not accessible;
          (c) Software and live data are not available or are corrupted;
          (d) Vendor assistance or (outsourced) service providers are not available;
          (e) Critical documents or records are not available;
          (f) Critical personnel are not available; and
          (g) Significant equipment malfunctions (hardware or telecom).

          Added: January 2020

        • OM-4.4.9

          Licensees must distinguish between threats with a higher probability of occurrence and a lower impact to the business process (e.g. brief power interruptions) and those with a lower probability and higher impact (e.g. a terrorist bomb).

          Added: January 2020

        • OM-4.4.10

          As a starting point, licensees must perform a "gap analysis". This gap analysis is a methodical comparison of what types of plans the licensee requires in order to maintain, resume or recover critical business operations or services in the event of a disruption, versus what the existing BCP provides. Management and the Board can address the areas that need development in the BCP, using the gap analysis.

          Added: January 2020

    • OM-4.5 Recovery Levels & Objectives

      • OM-4.5.1

        The BCM framework must include strategies and procedures to maintain, resume and recover critical business operations or services. The plan must differentiate between critical and non-critical functions. The BCM policy must clearly describe the types of events that would lead up to the formal declaration of a business disruption and the process for activating the BCP.

        Added: January 2020

      • OM-4.5.2

        The BCM policy must clearly identify alternate sites for different operations, the total number of recovery personnel, workspace requirements, and applications and technology requirements. Office facilities and records requirements must also be identified.

        Added: January 2020

      • OM-4.5.3

        Licensees should take note that they might need to cater for processing volumes that exceed those under normal circumstances. The interdependency among critical services is another major consideration in determining the recovery strategies and priority. For example, the resumption of the front office operations is highly dependent on the recovery of the middle office and back office support functions.

        Added: January 2020

      • OM-4.5.4

        Individual critical business and support functions must establish Recovery Time Objectives (RTO), Recovery Point Objectives (RPO) and Maximum Tolerable Period of Disruption (MTPD) with respect to the bank's recovery programme. RTOs, RPOs and MTPDs must be approved by the senior management prior to proceeding to the development of the BCP.

        Added: January 2020

      • List of Contacts and Responsibilities

        • OM-4.5.5

          The BCM framework must consider a communication strategy, established procedures for communication, methodology for transmitting, writing and reading of relevant information designed for each business unit where appropriate, the nature of information, a list of all key resources charged with the tasks, and the full listing of employees and relevant stakeholders. The list must include personal contact information on each key employee such as their home address, home telephone number, and cell phone or pager number so they may be contacted in case of a disaster or other emergency.

          Added: January 2020

        • OM-4.5.6

          The BCM policy must contain all the necessary process steps to complete each critical business operation or service. Each process must be explained in sufficient detail to allow another employee to perform the job in case of a disaster.

          Added: January 2020

      • Alternate Sites for Business and Technology Recovery

        • OM-4.5.7

          Most business continuity efforts are dependent on the availability of an alternate site (i.e. recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or a site within the licensee's real estate portfolio. A useable, functional alternate site is an integral component of a BCP.

          Added: January 2020

        • OM-4.5.8

          Licensees must examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites must be sufficiently remote from, and must not depend upon the same physical infrastructure components as, a licensee's primary business location. This minimises the risk of both sites being affected by the same disaster (e.g. they must be on separate or alternative power grids and telecommunication circuits).

          Added: January 2020

        • OM-4.5.9

          Licensees' alternate sites must be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCP. Should the BCP so require, the alternate sites must have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards must be implemented in accordance with the licensee's security policy.

          Added: January 2020

        • OM-4.5.10

          Other than the establishment of alternate sites, licensees should also pay particular attention to the transportation logistics for relocation of operations to alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads). Some staff may have difficulty in commuting from their homes to the alternate sites. Other logistics, such as how to re-route internal and external mail to alternate sites should also be considered. Moreover, pre-arrangement with telecommunication companies for automated telephone call diversion from the primary work locations to the alternate sites should be considered.

          Added: January 2020

        • OM-4.5.11

          Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the primary business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by licensees' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections as specified by their BCP to handle the expected voice and data traffic volume.

          Added: January 2020

        • OM-4.5.12

          Licensees should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). Licensees should satisfy themselves that such vendors do actually have the capacity to provide the services when needed and the contractual responsibilities of the vendors should be clearly specified. Licensees should recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities.

          Added: January 2020

        • OM-4.5.13

          The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability including the specification of another recovery site in the event that the contracted site becomes unavailable.

          Added: January 2020

        • OM-4.5.14

          Certain licensees may rely on a reciprocal recovery arrangement with other institutions to provide recovery capability (e.g. cheque sorting and cash handling). Licensees should, however, note that such arrangements are often not appropriate for prolonged disruptions or an extended period of time. This arrangement could also make it difficult for licensees to adequately test their BCP. Any reciprocal recovery agreement should therefore be subject to proper risk assessment and documentation by licensees, and formal approval by the Board.

          Added: January 2020

    • OM-4.6 Detailed Procedures for the BCP

      • OM-4.6.1

        Once the recovery levels and recovery objectives for individual business lines and support functions are determined, the development of the detailed BCP should commence. The objective of the detailed BCP is to provide detailed guidance and procedures, in a crisis situation, on how to recover critical business operations or services identified in the Business Impact Analysis stage, and to ultimately return to operations as usual.

        Added: January 2020

      • Crisis Management Process

        • OM-4.6.2

          A BCM framework must include a Crisis Management Plan (CMP) that serves as documented guidance to assist the CMT in dealing with a crisis situation to avoid spill-over effects to the business as a whole. The overall CMP, at a minimum, must contain the following:

          (a) A process for ensuring early detection of an emergency or a disaster situation and prompt notification to the CMT about the incident;
          (b) A process for the CMT to assess the overall impact of the crisis situation on the licensee and to make quick decisions on the appropriate responses for action (i.e. staff safety, incident containment and specific crisis management procedures);
          (c) Arrangements for safe evacuation from business locations (e.g. directing staff to a pre-arranged emergency assembly area, taking attendance of all employees and visitors at the time and tracking missing people through different means immediately after the disaster);
          (d) Clear criteria for activation of the BCP and/or alternate sites;
          (e) A process for gathering updated status information for the CMT (e.g. ensuring that regular conference calls are held among key staff from relevant business and support functions to report on the status of the recovery process);
          (f) A process for timely internal and external communications; and
          (g) A process for overseeing the recovery and restoration efforts of the affected facilities and the business services.

          Added: January 2020

        • OM-4.6.3

          If CMT members need to be evacuated from their primary business locations, the licensee should set up a command centre to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distanced from the licensee's primary business locations to avoid being affected by the same disaster.

          Added: January 2020

      • Business Resumption

        • OM-4.6.4

          Each relevant business and support function must assign at least one member to be a part of the CMT to carry out the business resumption process for the relevant business and support function. Appropriate recovery personnel with the required knowledge and skills must be assigned to the team.

          Added: January 2020

        • OM-4.6.5

          Generally, the business resumption process consists of three major phases:

          (a) The mobilisation phase — This phase aims to notify the recovery teams (e.g. via a call-out tree) and to secure the resources (e.g. recovery services provided by vendors) required to resume business services.
          (b) The alternate processing phase — This phase emphasizes the resumption of the business and service delivery at the alternate site and/or in a different way than the normal process. This may entail record reconstruction and verification, establishment of new controls, alternate manual processes, and different ways of dealing with customers and counterparties; and
          (c) The full recovery phase — This phase refers to the process for moving back to a permanent site after a disaster. This phase may be as difficult and critical to the business as the process to activate the business resumption process.

          Added: January 2020

        • OM-4.6.6

          For the first two phases above, clear responsibilities should be established and activities prioritised. A recovery tasks checklist should be developed and included in the BCM framework.

          Added: January 2020

      • Technology Recovery

        • OM-4.6.7

          Business resumption very often relies on the recovery of technology resources that include applications, hardware equipment and network infrastructure as well as electronic records. The technology requirements that are needed during recovery for individual business and support functions should be specified when the recovery strategies for the functions are determined.

          Added: January 2020

        • OM-4.6.8

          Licensees should pay attention to Heat, Ventilation and Air Conditioning (HVAC) requirements and resilience of critical technology equipment and facilities such as the uninterruptible power supply (UPS) and the computer cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing.

          Added: January 2020

        • OM-4.6.9

          Appropriate personnel must be assigned with the responsibility for technology recovery. Alternative personnel need to be identified as back up for key technology recovery personnel in case the latter are unavailable to perform the recovery process.

          Added: January 2020

      • Disaster Recovery Models

        • OM-4.6.10

          There are various disaster recovery models that can be adopted by licensees to handle prolonged disruptions. The traditional model is an "active/back-up" model, which is widely used by many organizations. This traditional model is based on an "active" operating site with a corresponding alternate site (back-up site), both for data processing and for business operations.

          Added: January 2020

        • OM-4.6.11

          A split operations model, which is increasingly being used by major institutions, operates with two or more widely separated active sites for the same critical operations, providing inherent back up for each other (e.g. branches). Each site has the capacity to take up some or all of the work of another site for an extended period of time. This strategy can provide nearly immediate resumption capacity and is normally able to handle the issue of prolonged disruptions.

          Added: January 2020

        • OM-4.6.12

          The split operations model may incur higher operating costs, in terms of maintaining excess capacity at each site and added operating complexity. It may also be difficult to maintain appropriately trained staff and the split operations model can pose technological issues at multiple sites.

          Added: January 2020

        • OM-4.6.13

          The question of what disaster recovery model to adopt is for individual licensees' judgment based on the risk assessment of their business environment and the characteristics of their own operations.

          Added: January 2020

    • OM-4.7 Vital Records Management

      • OM-4.7.1

        Each BCM framework must clearly identify information deemed vital for the recovery of critical business and support functions in the event of a disaster as well as the relevant protection measures to be taken for protecting vital information. Licensees must refer to Chapter OM-6 when identifying vital information for business continuity. Vital information includes information stored on both electronic and non-electronic media.

        Added: January 2020

      • OM-4.7.2

        Copies of vital records must be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records must be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees must consider the need for instantaneous data back up to ensure prompt system and data recovery. There must be clear procedures indicating how and in what priority vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.

        Added: January 2020

    • OM-4.8 Other Policies, Standards, and Processes

      • Employee Awareness and Training Plan

        • OM-4.8.1

          Licensees must implement an awareness plan and business continuity training for employees to ensure that all employees are continually aware of their responsibilities and know how to remain in contact and what to do in the event of a crisis.

          Added: January 2020

        • OM-4.8.2

          Key employees should be involved in the business continuity development process, as well as periodic training exercises. Cross training should be utilised to anticipate restoring operations in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.

          Added: January 2020

      • Public Relations & Communication Planning

        • OM-4.8.3

          Licensees must develop an awareness program and formulate a formal strategy for communication with key external parties (e.g. CBB and other regulators, investors, customers, counterparties, business partners, service providers, the media and other stakeholders) and provide for the type of information to be communicated. The strategy needs to set out all the parties the licensee must communicate to in the event of a disaster. This will ensure that consistent and up-to-date messages are conveyed to the relevant parties. During a disaster, ongoing and clear communication is likely to assist in maintaining the confidence of customers and counterparties as well as the public in general.

          Added: January 2020

        • OM-4.8.4

          The BCM framework must clearly indicate who may speak to the media and other key external parties, and have pre-arrangements for redirecting external communications to designated staff during a disaster. Important contact numbers and e-mail addresses of key external parties must be kept in a readily accessible manner (e.g. in wallet cards or licensees' intranet).

          Added: January 2020

        • OM-4.8.5

          Licensees may find it helpful to prepare draft press releases as part of their BCP. This will save the CMT time in determining the main messages to convey in a chaotic situation. Important conversations with external parties should be properly logged for future reference.

          Added: January 2020

        • OM-4.8.6

          With reference to internal communication, the BCP should set out how the status of recovery can be promptly and consistently communicated to all staff, parent bank, head office, branches and subsidiaries (where appropriate). This may entail the use of various communication channels (e.g. broadcasting of messages to mobile phones of staff, licensees' websites, e-mails, intranet and instant messaging).

          Added: January 2020

      • Insurance and other Risk Mitigating Measures

        • OM-4.8.7

          Licensees must have proper insurance coverage to reduce the financial losses that they may face during a disaster. Licensees must regularly review the adequacy and coverage of their insurance policies in reducing any foreseeable risks caused by disasters (e.g. loss of offices, critical IT facilities and equipment).

          Added: January 2020

      • Government and Community

        • OM-4.8.8

          Licensees may need to coordinate with community and government officials and the media to ensure the successful implementation of the BCP. This establishes proper protocol in case a city-wide or region-wide event impacts the licensee's operations. During the recovery phase, facilities access, power, and telecommunications systems should be coordinated with various entities to ensure timely resumption of operations. Facilities access should be coordinated with the police and fire department and, depending on the nature and extent of the disaster.

          Added: January 2020

      • Disclosure Requirements

        • OM-4.8.9

          Licensees must disclose how their BCP addresses the possibility of a future significant business disruption and how the licensee will respond to events of varying scope. Licensees must also state whether they plan to continue business during disruptions and the planned recovery time. In all cases, BCP disclosures must be reviewed and updated to address changes to the BCP.

          Added: January 2020

        • OM-4.8.10

          The licensees might make these disclosures on their websites, or through mailing to key external parties upon request.

          Added: January 2020

    • OM-4.9 Maintenance, Testing and Review

      • Testing & Rehearsal

        • OM-4.9.1

          A BCP is not complete if it has not been subject to proper testing. Testing is needed to ensure that the BCP is operable. Testing verifies the awareness of staff and the preparedness of differing departments/functions of the bank.

          Added: January 2020

        • OM-4.9.2

          Licensees must test their BCPs at least annually. Senior management must participate in the annual testing and demonstrate their awareness of what they are required to do in the event of the BCP being invoked. Also, the recovery and alternate personnel must participate in testing rehearsals to familiarise themselves with their responsibilities and the back-up facilities and remote sites (where applicable).

          Added: January 2020

        • OM-4.9.3

          All of the BCP's related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as coordination and interfaces among important parties. Whether to test particular components of the BCP or to carry out fully integrated testing must be decided depending on the situation. The following points must be included in the annual testing:

          (a) Staff evacuation and communication arrangements (e.g. call-out trees) must be validated;
          (b) The alternate sites for business and technology recovery must be activated;
          (c) Important recovery services provided by vendors or counterparties must form part of the testing scope;
          (d) Licensees must consider testing the linkage of their back up IT systems with the primary and backup systems of service providers;
          (e) If back up facilities are shared with other parties (e.g. subsidiaries of the licensee), the licensee needs to verify whether all parties can be accommodated concurrently; and
          (f) Recovery of vital records must be performed as part of the testing.
          Added: January 2020

        • OM-4.9.4

          Formal testing reviews of the BCP must be performed to assess the thoroughness and effectiveness of the testing. Specifically, a post-mortem review report must be prepared at the completion of the testing stage for formal sign-off by Licensees' senior management. If the testing results indicate weaknesses or gaps in the BCP, the plan and recovery strategies must be updated to remedy the situation.

          Added: January 2020

      • Periodic Maintenance and Updating of a BCP

        • OM-4.9.5

          Licensees must have formal procedures to keep their BCP updated with respect to any changes to their business. In the event of a plan having been activated, an assessment process must be carried out once normal operations are restored to identify areas for improvement. If vendors are needed to provide vital recovery services, there must be formal processes for regular annual assessment of the appropriateness of the relevant service level agreements.

          Added: January 2020

        • OM-4.9.6

          Individual business and support functions, with the assistance of the CMT, must review their business impact analysis and recovery strategy on an annual basis. This aims to confirm the validity of, or whether updates are needed to, the BCP requirements (including the technical specifications of equipment of the alternate sites) for the changing business and operating environment.

          Added: January 2020

        • OM-4.9.7

          The contact information for key staff, counterparties, customers and service providers must be updated as soon as possible when notification of changes is received.

          Added: January 2020

        • OM-4.9.8

          Significant internal changes (e.g. mergers or acquisitions, business re-organisation or departure of key personnel) must be reflected in the plan immediately and reported to senior management.

          Added: January 2020

        • OM-4.9.9

          Copies of the BCP document must be stored at locations separate from the primary site. A summary of key steps to be taken in an emergency situation must be made available to senior management and other key personnel.

          Added: January 2020

      • Audit and Independent Review

        • OM-4.9.10

          The internal audit function of a licensee or its external auditors must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing the adequacy of business process identification, threat scenario development, business impact analysis and risk assessments, the written plan, testing scenarios and schedules.

          Added: January 2020

        • OM-4.9.11

          Significant findings and recommendations must be brought to the attention of the Board and Senior Management within three months of the completion of the review. Furthermore, Senior Management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.

          Added: January 2020