Back Custom print Link Text Only Rich Text Print

  • OM-4.5 OM-4.5 Recovery Levels & Objectives

    • OM-4.5.1

      The BCM framework must include strategies and procedures to maintain, resume and recover critical business operations or services. The plan must differentiate between critical and non-critical functions. The BCM policy must clearly describe the types of events that would lead up to the formal declaration of a business disruption and the process for activating the BCP.

      Added: January 2020

    • OM-4.5.2

      The BCM policy must clearly identify alternate sites for different operations, the total number of recovery personnel, workspace requirements, and applications and technology requirements. Office facilities and records requirements must also be identified.

      Added: January 2020

    • OM-4.5.3

      Licensees should take note that they might need to cater for processing volumes that exceed those under normal circumstances. The interdependency among critical services is another major consideration in determining the recovery strategies and priority. For example, the resumption of the front office operations is highly dependent on the recovery of the middle office and back office support functions.

      Added: January 2020

    • OM-4.5.4

      Individual critical business and support functions must establish Recovery Time Objectives (RTO), Recovery Point Objectives (RPO) and Maximum Tolerable Period of Disruption (MTPD) with respect to the bank's recovery programme. RTOs, RPOs and MTPDs must be approved by the senior management prior to proceeding to the development of the BCP.

      Added: January 2020

    • List of Contacts and Responsibilities

      • OM-4.5.5

        The BCM framework must consider a communication strategy, established procedures for communication, methodology for transmitting, writing and reading of relevant information designed for each business unit where appropriate, the nature of information a list of all key resources charged with the tasks and the full listing of employees and relevant stakeholders. The list must include personal contact information on each key employee such as their home address, home telephone number, and cell phone or pager number so they may be contacted in case of a disaster or other emergency.

        Added: January 2020

      • OM-4.5.6

        The BCM policy must contain all the necessary process steps to complete each critical business operation or service. Each process must be explained in sufficient detail to allow another employee to perform the job in case of a disaster.

        Added: January 2020

    • Alternate Sites for Business and Technology Recovery

      • OM-4.5.7

        Most business continuity efforts are dependent on the availability of an alternate site (i.e. recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or a site within the Licensee's real estate portfolio. A useable, functional alternate site is an integral component of BCP.

        Added: January 2020

      • OM-4.5.8

        Licensees must examine the extent to which key business functions are concentrated in the same or adjacent locations and the proximity of the alternate sites to primary sites. Alternate sites must be sufficiently remote from, and do not depend upon the same physical infrastructure components as a licensee's primary business location. This minimises the risk of both sites being affected by the same disaster (e.g. they must be on separate or alternative power grids and telecommunication circuits).

        Added: January 2020

      • OM-4.5.9

        Licensees' alternate sites must be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCP. Should the BCP so require, the alternate sites must have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards must be implemented in accordance with Licensee's security policy.

        Added: January 2020

      • OM-4.5.10

        Other than the establishment of alternate sites, licensees should also pay particular attention to the transportation logistics for relocation of operations to alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads). Some staff may have difficulty in commuting from their homes to the alternate sites. Other logistics, such as how to re-route internal and external mail to alternate sites should also be considered. Moreover, pre-arrangement with telecommunication companies for automated telephone call diversion from the primary work locations to the alternate sites should be considered.

        Added: January 2020

      • OM-4.5.11

        Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the primary business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by licensees' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections as specified by their BCP to handle the expected voice and data traffic volume.

        Added: January 2020

      • OM-4.5.12

        Licensees should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). Licensees should satisfy themselves that such vendors do actually have the capacity to provide the services when needed and the contractual responsibilities of the vendors should be clearly specified. Licensees should recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities.

        Added: January 2020

      • OM-4.5.13

        The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability including the specification of another recovery site in the event that the contracted site becomes unavailable.

        Added: January 2020

      • OM-4.5.14

        Certain licensees may rely on a reciprocal recovery arrangement with other institutions to provide recovery capability (e.g. Cheque sorting and cash handling). Licensees should, however, note that such arrangements are often not appropriate for prolonged disruptions or an extended period of time. This arrangement could also make it difficult for Licensees to adequately test their BCP. Any reciprocal recovery agreement should therefore be subject to proper risk assessment and documentation by licensees, and formal approval by the Board.

        Added: January 2020