• OM-4.8 Maintenance, Testing and Review

    • Testing & Rehearsal

      • OM-4.8.1

        Licensees must test their BCPs at least annually. Senior management must participate in the annual testing and demonstrate their awareness of what they are required to do in the event of the BCP being invoked. Recovery and alternate personnel must also take part in testing rehearsals to familiarise themselves with their responsibilities, the back-up facilities and the remote sites (where applicable).

        January 2014

      • OM-4.8.2

        All of the BCP's related risks and assumptions must be reviewed for relevance and appropriateness as part of the annual planning of testing. The scope of testing must be comprehensive enough to cover the major components of the BCP as well as the coordination and interfaces among important parties. Whether to test particular components of the BCP or to conduct a fully integrated test must be decided according to the situation. The following points must be included in the annual testing:

        (a) Staff evacuation and communication arrangements (e.g. call-out trees) must be validated;
        (b) The alternate sites for business and technology recovery must be activated;
        (c) Important recovery services provided by vendors or counterparties must form part of the testing scope;
        (d) Licensees must consider testing the linkage of their back-up IT systems with the primary and back-up systems of service providers;
        (e) If back-up facilities are shared with other parties (e.g. subsidiaries of the licensee), the licensee must verify whether all parties can be accommodated concurrently; and
        (f) Recovery of vital records must be performed as part of the testing.
        January 2014

      • OM-4.8.3

        Formal reviews of BCP testing must be performed to assess the thoroughness and effectiveness of the testing. Specifically, a post-mortem review report must be prepared at the completion of the testing stage for formal sign-off by the licensee's senior management. If the testing results indicate weaknesses or gaps in the BCP, the plan and recovery strategies must be updated to remedy them.

        January 2014

    • Periodic Maintenance and Updating of a BCP

      • OM-4.8.4

        Licensees must have formal procedures to keep their BCP updated with respect to any changes to their business. If the plan has been activated, a review must be carried out once normal operations are restored to identify areas for improvement. If vendors are needed to provide vital recovery services, there must be formal processes for regular (e.g. annual) reviews of the appropriateness of the relevant service level agreements.

        January 2014

      • OM-4.8.5

        Individual business and support functions, with the assistance of the CMT, must review their business impact analysis and recovery strategy on an annual basis. The purpose is to confirm that the BCP requirements (including the technical specifications of equipment at the alternate sites) remain valid for the changing business and operating environment, or to identify where updates are needed.

        January 2014

      • OM-4.8.6

        The contact information for key staff, counterparties, customers and service providers must be updated as soon as possible when notification of changes is received.

        January 2014

      • OM-4.8.7

        Significant internal changes (e.g. merger or acquisitions, business re-organisation or departure of key personnel) must be reflected in the plan immediately and reported to senior management.

        January 2014

      • OM-4.8.8

        Copies of the BCP document must be stored at locations separate from the primary site. A summary of key steps to be taken in an emergency situation must be made available to senior management and other key personnel.

        January 2014

    • Audit and Independent Review

      • OM-4.8.9

        The internal audit function of a licensee, or its external auditor, must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant and whether it adheres to the policies and standards of the licensee. This review must include an assessment of:

        (a) The adequacy of business process identification;
        (b) Threat scenario development;
        (c) Business impact analysis and risk assessments;
        (d) The written plan;
        (e) Testing scenarios and schedules; and
        (f) Communication of test results and recommendations to the Board.
        January 2014

      • OM-4.8.10

        Significant findings must be brought to the attention of the Board and senior management within three months of the completion of the review. Furthermore, senior management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.

        January 2014