• OM-4 Business Continuity Planning

    • OM-4.1 General Requirements

      • OM-4.1.1

        To ensure their ability to operate on an ongoing basis and to limit losses in the event of a severe business disruption, all licensees must maintain a contingency and business continuity plan (BCP). A BCP must address the following key areas:

        (a) Data back up and recovery (hard copy and electronic);
        (b) Continuation of all critical systems, activities, and counterparty impact;
        (c) Financial and operational assessments;
        (d) Alternate communication arrangements between the licensee and its customers and its employees;
        (e) Alternate physical location of employees; and
        (f) Communications with and reporting to the CBB and any other relevant regulators.

        January 2014

      • OM-4.1.2

        For reasons that may be beyond a licensee's control, a severe event may result in the inability of the licensee to fulfil some or all of its business obligations, particularly where the licensee's physical, telecommunication, or information technology infrastructures have been damaged or made inaccessible. This can, in turn, result in significant financial losses to the licensee. This potential event requires that licensees establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the licensee may be vulnerable, commensurate with the size and complexity of the licensee's operations.

        January 2014

      • OM-4.1.3

        Licensees should identify critical business processes, including those where there is dependence on external vendors or other third parties, for which rapid resumption of service would be most essential. For these processes, licensees should identify alternative mechanisms for resuming service in the event of an outage. Particular attention should be paid to the ability to restore electronic or physical records that are necessary for business resumption. Where such records are backed-up at an off-site facility, or where a licensee's operations must be relocated to a new site, care should be taken that these sites are at an adequate distance from the impacted operations to minimise the risk that both primary and back-up records and facilities will be unavailable simultaneously.

        January 2014

      • OM-4.1.4

        Licensees should periodically review their disaster recovery and business continuity plans so that they are consistent with the licensee's current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the licensee would be able to execute the plans in the unlikely event of a severe business disruption.

        January 2014

      • OM-4.1.5

        Effective BCPs must be comprehensive: not limited to disruption of business premises and information technology facilities, but covering all other critical areas that affect the continuity of critical business operations or services (e.g. liquidity, human resources and others).

        January 2014

      • OM-4.1.6

        Licensees must notify the CBB promptly if their BCP is activated. They must also provide regular progress reports – as agreed with the CBB – until the BCP is deactivated.

        January 2014

    • OM-4.2 Board and Senior Management Responsibilities

      • Establishment of Policy, Processes & Responsibilities

        • OM-4.2.1

          A licensee's Board of Directors and senior management are collectively responsible for a licensee's business continuity. The Board must endorse the policies, standards and processes for a licensee's BCP, as established by its senior management. The Board and senior management must delegate adequate resources to develop the BCP, and for its maintenance and periodic testing.

          January 2014

        • OM-4.2.2

          Licensees must establish a Crisis Management Team (CMT) to develop, maintain and test their BCP, as well as to respond to and manage the various stages of a crisis. The CMT must comprise members of senior management and heads of major support functions (e.g. building facilities, IT, corporate communications and human resources).

          January 2014

        • OM-4.2.3

          Licensees must establish (and document as part of the BCP) individuals' responsibilities in helping prepare for and manage a crisis; and the process by which a disaster is declared and the BCP initiated (and later terminated).

          January 2014

      • Monitoring and Reporting

        • OM-4.2.4

          The CMT must submit regular reports to the Board and senior management on the results of the testing of the BCP (refer to section OM-4.8). Major changes must be developed by the CMT, reported to senior management, and endorsed by the Board.

          January 2014

        • OM-4.2.5

          The Chief Executive of a licensee must sign a formal annual statement submitted to the Board on whether the recovery strategies adopted are still valid and whether the documented BCP is properly tested and maintained. The annual statement must be included in the BCP documentation and will be reviewed as part of the CBB's on-site examinations.

          January 2014

    • OM-4.3 Developing a Business Continuity Plan

      • Impact Analysis

        • OM-4.3.1

          Licensees' BCPs must be based on:

          (a) A business impact analysis;
          (b) An operational impact analysis; and
          (c) A financial impact analysis.

          These analyses must be comprehensive, including all business functions and departments, not just IT or data processing.

          January 2014

        • OM-4.3.2

          The key objective of a business impact analysis is to identify the different kinds of risk to business continuity and to quantify the operational and financial impact of disruptions on a licensee's ability to conduct its critical business processes.

          January 2014

        • OM-4.3.3

          A typical business impact analysis comprises two stages. The first is to identify and prioritise the critical business processes that must be continued in the event of a disaster. This first stage should take account of the impact on customers and reputation, the legal implications and the financial cost associated with downtime. The second stage is a time-frame assessment, which aims to determine how quickly the licensee needs to resume the critical business processes identified in stage one.

          January 2014

        • OM-4.3.4

          Operational impact analysis focuses on the licensee's ability to maintain communications with customers and to retrieve key activity records. It identifies the organisational implications associated with the loss of access, loss of utility, or loss of a facility. It highlights which functions may be interrupted by an outage, and the consequences to the public and customer of such interruptions.

          January 2014

        • OM-4.3.5

          A financial impact analysis identifies the financial losses (both immediate and consequential to the event) that arise out of an operational disruption.

          January 2014

      • Risk Assessment

        • OM-4.3.6

          In developing a BCP, licensees must consider realistic threat scenarios that may (potentially) cause disruptions to their business processes.

          January 2014

        • OM-4.3.7

          Business continuity plans must take into account the different types of likely or plausible scenarios to which the licensee may be vulnerable. The following scenarios must, at a minimum, be considered in the BCP:

          (a) Utilities are not available (power, telecommunications);
          (b) Critical buildings are not available or specific facilities are not accessible;
          (c) Software and live data are not available or are corrupted;
          (d) Vendor assistance or (outsourced) service providers are not available;
          (e) Critical documents or records are not available;
          (f) Critical personnel are not available; and
          (g) Significant equipment malfunctions (hardware or telecom).

          January 2014

    • OM-4.4 BCP – Recovery Levels & Objectives

      • OM-4.4.1

        The BCP must document strategies and procedures to maintain, resume and recover critical business operations or services. The plan must differentiate between critical and non-critical functions. The BCP must clearly describe the types of events that would lead up to the formal declaration of a business disruption and the process for activating the BCP.

        January 2014

      • OM-4.4.2

        The BCP must clearly identify alternate sites for different operations, the total number of recovery personnel, workspace requirements, and applications and technology requirements. Office facilities and records requirements must also be identified.

        January 2014

      • OM-4.4.3

        Licensees should take note that they might need to cater for processing volumes that exceed those under normal circumstances. The interdependency among critical services is another major consideration in determining the recovery strategies and priority.

        January 2014

      • OM-4.4.4

        Individual critical business and support functions must establish the minimum BCP recovery objectives for recovering essential business operations and supporting systems to a specified level of service ("recovery level") within a defined period following a disruption ("recovery time"). These recovery levels and recovery times must be approved by the senior management prior to proceeding to the development of the BCP.

        January 2014

      • List of Contacts and Responsibilities

        • OM-4.4.5

          The BCP must contain a list of all key personnel. The list must include personal contact information on each key employee such as their home address, home telephone number, and cell phone so they may be contacted in case of a disaster or other emergency.

          January 2014

        • OM-4.4.6

          The BCP must contain all the necessary process steps to complete each critical business operation or service. Each process must be explained in sufficient detail to allow another employee to perform the job in case of a disaster.

          January 2014

      • Alternate Sites for Business and Technology Recovery

        • OM-4.4.7

          Most business continuity efforts are dependent on the availability of an alternate site (i.e. recovery site) for successful execution. The alternate site may be either an external site available through an agreement with a commercial vendor or premises owned or under the control of the licensee. A useable, functional alternate site is an integral component of BCP.

          January 2014

        • OM-4.4.8

          Licensees must examine the extent to which key business functions are concentrated in the same or adjacent locations, and the proximity of the alternate sites to primary sites. Alternate sites must be sufficiently remote from, and must not depend upon the same physical infrastructure components as, a licensee's primary business location. This minimises the risk of both sites being affected by the same disaster (e.g. they must be on separate or alternative power grids and telecommunication circuits).

          January 2014

        • OM-4.4.9

          Licensees' alternate sites and alternate recovery mechanisms must be readily accessible and available for occupancy (i.e. 24 hours a day, 7 days a week) within the time requirement specified in their BCP. Should the BCP so require, the alternate sites must have pre-installed workstations, power, telephones and ventilation, and sufficient space. Appropriate physical access controls such as access control systems and security guards must be implemented in accordance with the licensee's security policy.

          January 2014

        • OM-4.4.10

          Other than the establishment of alternate sites, licensees should also pay particular attention to the transportation logistics for relocation of operations to alternate sites. Consideration should be given to the impact a disaster may have on the transportation system (e.g. closures of roads). Some staff may have difficulty in commuting from their homes to the alternate sites. Other logistics, such as how to re-route internal and external mail to alternate sites should also be considered. Moreover, pre-arrangement with telecommunication companies for automated telephone call diversion from the primary work locations to the alternate sites should be considered.

          January 2014

        • OM-4.4.11

          Alternate sites for technology recovery (i.e. back-up data centres), which may be separate from the primary business site, should have sufficient technical equipment (e.g. workstations, servers, printers, etc.) of appropriate model, size and capacity to meet recovery requirements as specified by licensees' BCPs. The sites should also have adequate telecommunication (including bandwidth) facilities and pre-installed network connections as specified by their BCP to handle the expected voice and data traffic volume.

          January 2014

        • OM-4.4.12

          Licensees should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). Licensees should satisfy themselves that such vendors do actually have the capacity to provide the services when needed and the contractual responsibilities of the vendors should be clearly specified. Licensees should recognise that outsourcing a business operation does not transfer the associated business continuity management responsibilities.

          January 2014

        • OM-4.4.13

          The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. The vendor should be able to demonstrate its own recoverability including the specification of another recovery site in the event that the contracted site becomes unavailable.

          January 2014

        • OM-4.4.14

          Certain licensees may rely on a reciprocal recovery arrangement with other institutions to provide recovery capability. Licensees should, however, note that such arrangements are often not appropriate for prolonged disruptions or an extended period of time. This arrangement could also make it difficult for licensees to adequately test their BCP. Any reciprocal recovery agreement should therefore be subject to proper risk assessment and documentation by licensees, and formal approval by the Board.

          January 2014

    • OM-4.5 Detailed Procedures for the BCP

      • OM-4.5.1

        Once the recovery levels and recovery objectives for individual business lines and support functions are determined, development of the detailed BCP should commence. The objective of the detailed BCP is to provide detailed guidance and procedures, in a crisis situation, on how to recover the critical business operations or services identified in the business impact analysis stage, and ultimately to return to operations as usual.

        January 2014

      • Crisis Management Process

        • OM-4.5.2

          A BCP must set out a Crisis Management Plan (CMP) that serves as documented guidance to assist the CMT in dealing with a crisis situation and to avoid spill-over effects on the business as a whole. The overall CMP, at a minimum, must contain the following:

          (a) A process for ensuring early detection of an emergency or a disaster situation and prompt notification to the CMT about the incident;
          (b) A process for the CMT to assess the overall impact of the crisis situation on the licensee and to make quick decisions on the appropriate responses for action (i.e. staff safety, incident containment and specific crisis management procedures);
          (c) Arrangements for safe evacuation from business locations (e.g. directing staff to a pre-arranged emergency assembly area, taking attendance of all employees and visitors at the time and tracking missing people through different means immediately after the disaster);
          (d) Clear criteria for activation of the BCP and/or alternate sites;
          (e) A process for gathering updated status information for the CMT (e.g. ensuring that regular conference calls are held among key staff from relevant business and support functions to report on the status of the recovery process);
          (f) A process for timely internal and external communications; and
          (g) A process for overseeing the recovery and restoration efforts of the affected facilities and the business services.

          January 2014

        • OM-4.5.3

          If CMT members need to be evacuated from their primary business locations, the licensee should set up a command centre to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distanced from the licensee's primary business locations to avoid being affected by the same disaster.

          January 2014

      • Business Resumption

        • OM-4.5.4

          Each relevant business and support function must assign at least one member to the CMT to carry out the business resumption process for that business or support function. Appropriate recovery personnel with the required knowledge and skills must be assigned to the team.

          January 2014

      • Technology Recovery

        • OM-4.5.5

          Business resumption very often relies on the recovery of technology resources that include applications, hardware equipment and network infrastructure as well as electronic records. The technology requirements that are needed during recovery for individual business and support functions should be specified when the recovery strategies for the functions are determined.

          January 2014

        • OM-4.5.6

          Licensees should pay attention to the resilience of critical technology equipment and facilities such as the uninterruptible power supply (UPS) and the computer cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing.

          January 2014

        • OM-4.5.7

          Appropriate personnel must be assigned responsibility for technology recovery. Alternative personnel need to be identified as back-up for key technology recovery personnel, in case the latter are unavailable to perform the recovery process.

          January 2014

    • OM-4.6 Vital Records Management

      • OM-4.6.1

        Each BCP must clearly identify information deemed vital for the recovery of critical business and support functions in the event of a disaster as well as the relevant protection measures to be taken for protecting vital information. Licensees must refer to Chapter GR-1 when identifying vital information for business continuity. Vital information includes information stored on both electronic and non-electronic media.

        January 2014

      • OM-4.6.2

        Copies of vital records must be stored off-site as soon as possible after creation. Back-up vital records must be readily accessible for emergency retrieval. Access to back-up vital records must be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees must consider the need for instantaneous data back up to ensure prompt system and data recovery. There must be clear procedures indicating how and in what priority vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.

        January 2014

    • OM-4.7 Other Policies, Standards and Processes

      • Employee Awareness and Training Plan

        • OM-4.7.1

          Licensees must implement an awareness plan and business continuity training for employees to ensure that all employees are continually aware of their responsibilities and know how to remain in contact and what to do in the event of a crisis.

          January 2014

        • OM-4.7.2

          Key employees should be involved in the business continuity development process, as well as periodic training exercises. Cross training should be utilised to anticipate restoring operations in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.

          January 2014

      • Public Relations & Communication Planning

        • OM-4.7.3

          Licensees must develop an awareness programme and formulate a formal strategy for communication with key external parties (e.g. CBB and other regulators, investors, customers, business partners, service providers, the media and other stakeholders), and provide for the type of information to be communicated. The strategy needs to set out all the parties the licensee must communicate with in the event of a disaster. This will ensure that consistent and up-to-date messages are conveyed to the relevant parties. During a disaster, ongoing and clear communication is likely to assist in maintaining the confidence of customers as well as the public in general.

          January 2014

        • OM-4.7.4

          The BCP must clearly indicate who may speak to the media and other key external parties, and have pre-arrangements for redirecting external communications to designated staff during a disaster. Important contact numbers and e-mail addresses of key external parties must be kept in a readily accessible manner (e.g. in wallet cards or licensees' intranet).

          January 2014

        • OM-4.7.5

          Licensees may find it helpful to prepare draft press releases as part of their BCP. This will save the CMT time in determining the main messages to convey in a chaotic situation. Important conversations with external parties should be properly logged for future reference.

          January 2014

        • OM-4.7.6

          As regards internal communication, the BCP should set out how the status of recovery can be promptly and consistently communicated to all staff, head office, branches and subsidiaries (where appropriate). This may entail the use of various communication channels (e.g. broadcasting of messages to mobile phones of staff, licensees websites, e-mails, intranet and instant messaging).

          January 2014

      • Disclosure Requirements

        • OM-4.7.7

          Licensees must disclose how their BCP addresses the possibility of a future significant business disruption and how the licensee will respond to events of varying scope. Licensees must also state whether they plan to continue business during disruptions and the planned recovery time. Licensees may make these disclosures on their website, or by mailing to key external parties upon request. In all cases, BCP disclosures must be reviewed and updated to address changes to the BCP.

          January 2014

    • OM-4.8 Maintenance, Testing and Review

      • Testing & Rehearsal

        • OM-4.8.1

          Licensees must test their BCPs at least annually. Senior management must participate in the annual testing and demonstrate their awareness of what they are required to do in the event of the BCP being invoked. The recovery and alternate personnel must also participate in testing rehearsals to familiarise themselves with their responsibilities and with the back-up facilities and remote sites (where applicable).

          January 2014

        • OM-4.8.2

          All of the BCP's related risks and assumptions must be reviewed for relevance and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as coordination and interfaces among important parties. Whether to test particular components of the BCP or to carry out a fully integrated test must be decided depending on the situation. The following points must be included in the annual testing:

          (a) Staff evacuation and communication arrangements (e.g. call-out trees) must be validated;
          (b) The alternate sites for business and technology recovery must be activated;
          (c) Important recovery services provided by vendors or counterparties must form part of the testing scope;
          (d) Licensees must consider testing the linkage of their back up IT systems with the primary and back up systems of service providers;
          (e) If back up facilities are shared with other parties (e.g. subsidiaries of the licensee), the licensee needs to verify whether all parties can be accommodated concurrently; and
          (f) Recovery of vital records must be performed as part of the testing.

          January 2014

        • OM-4.8.3

          Formal testing reviews of the BCP must be performed to assess the thoroughness and effectiveness of the testing. Specifically, a post-mortem review report must be prepared at the completion of the testing stage for formal sign-off by licensees' senior management. If the testing results indicate weaknesses or gaps in the BCP, the plan and recovery strategies must be updated to remedy the situation.

          January 2014

      • Periodic Maintenance and Updating of a BCP

        • OM-4.8.4

          Licensees must have formal procedures to keep their BCP updated with respect to any changes to their business. In the event of a plan having been activated, a review process must be carried out once normal operations are restored to identify areas for improvement. If vendors are needed to provide vital recovery services, there must be formal processes for regular (say, annual) reviews of the appropriateness of the relevant service level agreement.

          January 2014

        • OM-4.8.5

          Individual business and support functions, with the assistance of the CMT, must review their business impact analysis and recovery strategy on an annual basis. This aims to confirm the validity of, or whether updates are needed to, the BCP requirements (including the technical specifications of equipment of the alternate sites) for the changing business and operating environment.

          January 2014

        • OM-4.8.6

          The contact information for key staff, counterparties, customers and service providers must be updated as soon as possible when notification of changes is received.

          January 2014

        • OM-4.8.7

          Significant internal changes (e.g. merger or acquisitions, business re-organisation or departure of key personnel) must be reflected in the plan immediately and reported to senior management.

          January 2014

        • OM-4.8.8

          Copies of the BCP document must be stored at locations separate from the primary site. A summary of key steps to be taken in an emergency situation must be made available to senior management and other key personnel.

          January 2014

      • Audit and Independent Review

        • OM-4.8.9

          The internal audit function of a licensee or its external auditor must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing:

          (a) The adequacy of business process identification;
          (b) Threat scenario development;
          (c) Business impact analysis and risk assessments;
          (d) The written plan;
          (e) Testing scenarios and schedules; and
          (f) Communication of test results and recommendations to the Board.

          January 2014

        • OM-4.8.10

          Significant findings must be brought to the attention of the Board and senior management within three months of the completion of the review. Furthermore, senior management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.

          January 2014

    • OM-4.9 Cyber Security Risk Management

      • OM-4.9.1

        To prepare for the eventuality of cyber attacks, licensees must have a cyber attack response mechanism in place. The BCP of the licensee must also be properly enhanced to account for all CBB requirements, and must be regularly tested to ensure that the licensee is capable of dealing with cyber attacks.

        Added: October 2016