Transcription of Business Continuity Management
1 Issued on: 14 December 2021 BNM/RH/ED 028-18 Business Continuity Management Exposure Draft Applicable to 1. Licensed banks 2. Licensed investment banks 3. Licensed Islamic banks 4. Licensed insurers 5. Licensed takaf ul operators 6. Prescribed development f inancial institutions 7. Operators of designated payment systems 8. Approved issuers of electronic money Business Continuity Management Exposure Draf t Issued on: 14 December 2021 This Exposure Draft (ED) sets out the proposed revisions to the current Guidelines on Business Continuity Management (Revised) issued by the Bank on 3 June 2011.
2 Drawing from the lessons learnt from the recent pandemic, the proposals aim to strengthen the state of preparedness of financial institutions to withstand operational disruptions and improve their operational resilience. This may entail potential reviews and enhancements to financial institutions policies and processes to achieve the intended outcomes of these proposed requirements. The Bank invites written feedback on the proposed requirements, including suggestions on areas to be clarified and alternative proposals that the Bank should consider.
3 The written feedback should be supported with clear rationale, including accompanying evidence or illustrations, where appropriate, to facilitate an effective consultation process. In addition to providing general feedback, respondents are also requested to respond to the specific questions set out in this ED. Responses must be submitted electronically to the Bank via by 31 March 2022. In the course of preparing your feedback, you may direct any queries to the following officers: 1. Diyana Izzati Ridza Saifuddin 2.
4 Janneni Suthakaran 3. Yap Ke Li Business Continuity Management Exposure Draf t Issued on: 14 December 2021 TABLE OF CONTENTS PART A OVERVIEW ..1 1 Introduction ..1 2 3 Legal provisions ..1 4 Effective 5 Interpretation ..2 6 Related legal instruments and policy documents ..5 7 Policy documents and circulars PART B POLICY REQUIREMENTS ..7 8 Responsibilities of the board and senior Management ..7 9 BCM framework and methodology ..9 (a) Risk assessment and Business impact (b) Critical Business functions.
5 10 (c) Maximum Tolerable Downtime and Recovery Time Objective .. 10 (d) Essential services .. 11 (e) Recovery strategy .. 11 (f) Crisis Management plan , Business Continuity plan and disaster recovery plan .. 12 (g) Crisis communication .. 14 (h) Interdependencies .. 14 (i) Alternate site and recovery site .. 15 (j) Critical Business information 16 (k) Testing and exercises .. 16 PART C REGULATORY REPORTING .. 19 10 Reporting of disruptions to the Bank .. 19 PART D TRANSITIONAL ARRANGEMENTS .. 21 11 Transitional arrangements.
6 21 APPENDIX 1 LIST OF POSSIBLE SCENARIOS LEADING TO OPERATIONAL 22 APPENDIX 2 EXAMPLES OF PRECAUTIONARY AND CONTINGENCY MEASURES TO SUPPORT PROVISION OF ESSENTIAL SERVICES .. 23 APPENDIX 3 CRISIS REPORTING TO THE 25 Business Continuity Management (BCM) 1 of 26 Issued on: 14 December 2021 PART A OVERVIEW 1 Introduction Operational resilience of financial institutions is critical to ensure Continuity in the provision of financial services through periods of disruptions, maintain orderly market conditions and sustain public confidence in the financial system.
7 Business Continuity is an integral pillar of operational resilience. Business Continuity Management (BCM) entails an enterprise-wide framework, policies and processes that enable financial institutions to respond, recover and resume operations of critical Business functions from operational disruptions that arise from internal or external risk events. Effective Business Continuity Management can minimise operational, financial and reputational risks that can materially impact financial institutions.
8 This policy document aims to (a) facilitate the development and implementation of a robust BCM framework, policies and processes by financial institutions which are integrated with their overall risk appetite and reinforce sound risk Management practices; (b) strengthen the capacity and preparedness of financial institutions to respond and recover from operational disruptions; and (c) preserve the Continuity of critical Business functions and essential services within a specified timeframe in the event of an operational disruption.
9 2 Applicability This policy document is applicable to financial institutions as defined in paragraph For a financial institution operating as a foreign branch in Malaysia, the requirements in this policy document shall apply to the Malaysian branch with the following modifications: (a) any reference to the board in this policy document shall refer to the governing body/committee of the foreign branch; and (b) any reference to senior Management in this policy document shall refer to the officers performing a senior Management function of the branch.
10 3 Legal provisions This policy document is issued pursuant to (a) sections 47(1), 143 and 266 of the Financial Services Act 2013 (FSA); Business Continuity Management (BCM) 2 of 26 Issued on: 14 December 2021 (b) sections 57(1), 155 and 277 of the Islamic Financial Services Act 2013 (IFSA); and (c) sections 41(1), 116(1) and 126 of the Development Financial Institutions Act 2002 (DFIA). 4 Effective date This policy document comes into effect 6 months from the date of issuance of final policy document, subject to the transitional arrangements as set out in Part D.
