
Business Continuity Management



Issued on: 14 December 2021
BNM/RH/ED 028-18

Business Continuity Management
Exposure Draft

Applicable to:
1. Licensed banks
2. Licensed investment banks
3. Licensed Islamic banks
4. Licensed insurers
5. Licensed takaful operators
6. Prescribed development financial institutions
7. Operators of designated payment systems
8. Approved issuers of electronic money

This Exposure Draft (ED) sets out the proposed revisions to the current Guidelines on Business Continuity Management (Revised) issued by the Bank on 3 June 2011. Drawing from the lessons learnt from the recent pandemic, the proposals aim to strengthen the state of preparedness of financial institutions to withstand operational disruptions and improve their operational resilience.

This may entail potential reviews and enhancements to financial institutions' policies and processes to achieve the intended outcomes of these proposed requirements.

The Bank invites written feedback on the proposed requirements, including suggestions on areas to be clarified and alternative proposals that the Bank should consider. The written feedback should be supported with clear rationale, including accompanying evidence or illustrations, where appropriate, to facilitate an effective consultation process. In addition to providing general feedback, respondents are also requested to respond to the specific questions set out in this ED.

Responses must be submitted electronically to the Bank via by 31 March 2022. In the course of preparing your feedback, you may direct any queries to the following officers:
1. Diyana Izzati Ridza Saifuddin
2. Janneni Suthakaran
3. Yap Ke Li

TABLE OF CONTENTS

PART A OVERVIEW
1 Introduction
2 Applicability
3 Legal provisions
4 Effective date
5 Interpretation
6 Related legal instruments and policy documents
7 Policy documents and circulars

PART B POLICY REQUIREMENTS
8 Responsibilities of the board and senior management
9 BCM framework and methodology
(a) Risk assessment and business impact
(b) Critical business functions
(c) Maximum Tolerable Downtime and Recovery Time Objective
(d) Essential services
(e) Recovery strategy
(f) Crisis management plan, business continuity plan and disaster recovery plan
(g) Crisis communication
(h) Interdependencies
(i) Alternate site and recovery site
(j) Critical business information
(k) Testing and exercises

PART C REGULATORY REPORTING
10 Reporting of disruptions to the Bank

PART D TRANSITIONAL ARRANGEMENTS
11 Transitional arrangements

APPENDIX 1 LIST OF POSSIBLE SCENARIOS LEADING TO OPERATIONAL
APPENDIX 2 EXAMPLES OF PRECAUTIONARY AND CONTINGENCY MEASURES TO SUPPORT PROVISION OF ESSENTIAL SERVICES
APPENDIX 3 CRISIS REPORTING TO THE

PART A OVERVIEW

1 Introduction

Operational resilience of financial institutions is critical to ensure continuity in the provision of financial services through periods of disruptions, maintain orderly market conditions and sustain public confidence in the financial system. Business continuity is an integral pillar of operational resilience.

Business continuity management (BCM) entails an enterprise-wide framework, policies and processes that enable financial institutions to respond, recover and resume operations of critical business functions from operational disruptions that arise from internal or external risk events. Effective business continuity management can minimise operational, financial and reputational risks that can materially impact financial institutions.

This policy document aims to
(a) facilitate the development and implementation of a robust BCM framework, policies and processes by financial institutions which are integrated with their overall risk appetite and reinforce sound risk management practices;
(b) strengthen the capacity and preparedness of financial institutions to respond and recover from operational disruptions; and
(c) preserve the continuity of critical business functions and essential services within a specified timeframe in the event of an operational disruption.

2 Applicability

This policy document is applicable to financial institutions as defined in paragraph

For a financial institution operating as a foreign branch in Malaysia, the requirements in this policy document shall apply to the Malaysian branch with the following modifications:
(a) any reference to the board in this policy document shall refer to the governing body/committee of the foreign branch; and
(b) any reference to senior management in this policy document shall refer to the officers performing a senior management function of the branch.

3 Legal provisions

This policy document is issued pursuant to
(a) sections 47(1), 143 and 266 of the Financial Services Act 2013 (FSA);
(b) sections 57(1), 155 and 277 of the Islamic Financial Services Act 2013 (IFSA); and
(c) sections 41(1), 116(1) and 126 of the Development Financial Institutions Act 2002 (DFIA).

4 Effective date

This policy document comes into effect 6 months from the date of issuance of final policy document, subject to the transitional arrangements as set out in Part D.

5 Interpretation

The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA, the IFSA or the DFIA, as the case may be, unless otherwise defined in this policy document.

For the purposes of this policy document

"S" denotes a standard, an obligation, requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement actions;

"G" denotes guidance which may consist of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted;

"activity" refers to a business or operational function, process or system;

"alternate site" refers to another place for business units to resume critical operation during a disaster. It is a site held in readiness for use during a disruption to maintain the business continuity of the financial institution. A financial institution may have more than one alternate site. In some cases, an alternate site may involve facilities that are used for normal day-to-day operations but are able to accommodate additional business functions when a primary location becomes inoperable;

"board" means the board of directors of a financial institution, including a committee of the board where responsibilities of the board as set out in this policy document have been delegated to such a committee;

"business continuity" refers to the ability of a financial institution to maintain continuity of its service and support to its customers during an event of disruption;

"business continuity management" or "BCM" refers to an enterprise-wide framework that encapsulates policies, processes and practices that ensure the continuous functioning of a financial institution during an event of disruption. It also prepares the financial institution to resume and restore operations of business functions in a timely manner during an event of disruption, thus minimising any material impact to the financial institution;

"business continuity plan" or "BCP" refers to a comprehensive action plan that documents the procedures, processes, systems and resources necessary to resume and restore the business functions of a financial institution in the event of a disruption;

"business impact analysis" or "BIA" refers to the process of measuring the quantitative and qualitative impact to the business operations in the event of a disruption. It is used to identify recovery priorities and recovery strategies that are critical to develop a business continuity plan;

"call tree" refers to a layered hierarchical communication model that graphically depicts the calling responsibilities and calling order used to contact senior management, employees, customers, vendors and other key contacts in the event of a disruption;

"communication protocols" refer to established procedures of communication that were agreed in advance between the financial institution and external parties. Such procedures typically include the methodology for transmitting, writing, and reading of data, for example:
(a) phone calls and text messages;
(b) e-mails and intranet for employees;
(c) teleconferences or meetings with identified internal or external parties; or
(d) press releases, website postings, or news conferences for the public and other external stakeholders;

"crisis management plan" refers to a comprehensive action plan that documents the procedures and processes to support decision making by the crisis management team (CMT) in the event of a crisis. It includes criteria for triggering the BCP and DRP;

"critical business functions" refer to operations, activities or processes undertaken by a financial institution, where failure or discontinuance is likely to
(a) critically impact the financial institution financially or non-financially; and
(b) disrupt the provision of essential services to the public;

"disaster recovery plan" or "DRP" refers to a comprehensive action plan that documents the procedures and processes that are necessary to recover and restore IT systems, applications and data of a financial institution in the event of a disruption.

