OM-4.5 OM-4.5 Detailed Procedures for the BCP
OM-4.5.1
Once the recovery levels and recovery objectives for individual business lines and support functions are determined, the development of the detailed BCP should commence. The objective of the detailed BCP is to provide detailed guidance and procedures in a crisis situation, of how to recover critical business operations or services identified in the business impact analysis stage, and to ultimately return to operations as usual.
January 2014Crisis Management Process
OM-4.5.2
A BCP must set out a Crisis Management Plan (CMP) that serves as a documented guidance to assist the CMT in dealing with a crisis situation to avoid spill over effects to the business as a whole. The overall CMP, at a minimum, must contain the following:
(a) A process for ensuring early detection of an emergency or a disaster situation and prompt notification to the CMT about the incident;(b) A process for the CMT to assess the overall impact of the crisis situation on thelicensee and to make quick decisions on the appropriate responses for action (i.e. staff safety, incident containment and specific crisis management procedures);(c) Arrangements for safe evacuation from business locations (e.g. directing staff to a pre-arranged emergency assembly area, taking attendance of all employees and visitors at the time and tracking missing people through different means immediately after the disaster);(d) Clear criteria for activation of the BCP and/or alternate sites;(e) A process for gathering updated status information for the CMT (e.g. ensuring that regular conference calls are held among key staff from relevant business and support functions to report on the status of the recovery process);(f) A process for timely internal and external communications; and(g) A process for overseeing the recovery and restoration efforts of the affected facilities and the business services.January 2014OM-4.5.3
If CMT members need to be evacuated from their primary business locations, the
licensee should set up a command centre to provide the necessary workspace and facilities for the CMT. Command centres should be sufficiently distanced from thelicensee's primary business locations to avoid being affected by the same disaster.January 2014Business Resumption
OM-4.5.4
Each relevant business and support function must assign at least one member to be a part of the CMT to carry out the business resumption process for the relevant business and supported function. Appropriate recovery personnel with the required knowledge and skills must be assigned to the team.
January 2014Technology Recovery
OM-4.5.5
Business resumption very often relies on the recovery of technology resources that include applications, hardware equipment and network infrastructure as well as electronic records. The technology requirements that are needed during recovery for individual business and support functions should be specified when the recovery strategies for the functions are determined.
January 2014OM-4.5.6
Licensees should pay attention to the resilience of critical technology equipment and facilities such as the uninterruptible power supply (UPS) and the computer cooling systems. Such equipment and facilities should be subject to continuous monitoring and periodic maintenance and testing.January 2014OM-4.5.7
Appropriate personnel must be assigned with the responsibility for technology recovery. Alternative personnel need to be identified as back up for key technology recovery personnel in the case of the latter unavailability to perform the recovery process.
January 2014
