Chapter 15: Business Continuity Management
Introduction
Business Continuity Management aims to ensure the timely resumption of the Licensed Person’s business in the event of a disruption by minimising the consequential damages. The Licensed Person must implement appropriate Business Continuity Management and comply with the following standards at a minimum.
15.1 Business Continuity Management
- 15.1.1 The Licensed Person must identify, define and analyse all types of risk that may result in a business disruption and assess the impact thereof; and
- 15.1.2 The Licensed Person must implement an appropriate Business Continuity Plan to ensure the continuity of the business during a disruption.
15.2 Business Continuity Plan (BCP)
- 15.2.1 Business Continuity Plan must include:
  - a) Identification and assessment of potential crises, disasters and risks including their impact on the business;
  - b) Ways and means to deal with such crises, disasters and risks;
  - c) Plans to provide protection to the Licensed Person and its employees in case of unforeseen disasters;
  - d) Plans to avoid suspension of operations or plans to minimize the period of suspension of operations to minimise losses;
  - e) Tools and processes for storing sensitive information and the recovery thereof to avoid loss of information during the occurrence of disasters; and
  - f) Guidelines to contact relevant authorities and partners (i.e. the Central Bank, foreign correspondents, etc.) to inform them about the disaster and suspension of operations, if necessary.
- 15.2.2 The Licensed Person must follow the below standards while implementing the Business Continuity Plan:
  - a) A sufficient number of experienced employees must be available for the purpose of recovery and resumption of the business;
  - b) Roles, responsibilities and powers of employees in relation to the Business Continuity Plan must be clearly defined;
  - c) Resumption priorities must be clearly agreed and documented; and
  - d) Appropriate training must be provided to employees for the effective implementation of the Business Continuity Plan.
15.3 BCP Testing
- 15.3.1 Testing of the Business Continuity Plan must be undertaken at regular intervals in order to assess the capability of the Licensed Person to resume business after a disruption;
- 15.3.2 Accordingly, the Licensed Person must:
  - a) Test the Business Continuity Plan at least annually;
  - b) Testing must also be undertaken considering any key changes in the business model, products, systems and relevant infrastructure; and
  - c) Testing details and results must be documented for verification by the Central Bank Examiners during an examination.
- 15.3.3 Testing results must be reviewed by the Manager in Charge and by the Board of Directors (or by the Owner/Partners where there is no Board of Directors); and
- 15.3.4 The Business Continuity Plan must be reviewed and updated based on the results of such testing.