Bank Negara Malaysia BCM Guidelines 2008


BCM INSTITUTE
MANAGEMENT POWERTOOLS ON BUSINESS CONTINUITY MANAGEMENT (BCM)

GUIDELINES ON BUSINESS CONTINUITY MANAGEMENT (BCM)
BANK NEGARA MALAYSIA (CENTRAL BANK OF MALAYSIA)

ONLINE RESOURCES
BCM Institute: www.bcm-institute.org
Business Continuity & Disaster Recovery Forum: bcmi.collectivex.com
BCMpedia: www.bcmpedia.org

Downloaded from BCM Institute Forum: bcmi.collectivex.com
BCM Institute Offices Worldwide: Singapore | Australia | Africa | China | Thailand | Hong Kong | Pakistan | Middle East | Malaysia

A. OVERVIEW ... 1
A.1 Introduction ... 1
A.2 Objective of Guidelines ... 1
A.3 Application and Effective Date of Guidelines ... 2
A.4 BCM Life Cycle ... 3
B. BCM PRINCIPLES AND REQUIREMENTS ... 4
B.1 BCM Framework ... 4
B.1.1 Board and Management Oversight ... 4
B.1.2 BCM Policy ... 5
B.1.3 Roles and Responsibilities ... 5
B.1.4 BCM Culture ... 7
B.2 BCM Methodology ... 8
B.2.1 Risk Assessment and Business Impact Analysis ... 8
B.2.2 Critical Business Functions ... 9
B.2.3 Recovery Strategy ... 10
B.2.4 Maximum Tolerable Downtime and Recovery Time Objectives ... 11
B.2.5 Level of Disruption ... 11
B.2.6 Formulation of Plan ... 12
B.2.7 Alternate and Recovery Sites ... 14
B.2.8 Critical Business Information Records ... 15
B.2.9 Testing of Plan ... 16
C. COMMUNICATION ... 19
D. INTERNAL AUDIT ... 20
E. OUTSOURCING ... 21
F. SUBMISSION LIST ... 22
G. GLOSSARY ... 23
H. APPENDICES ... 28
Appendix 1 – Level of Disruption (LoD) Matrix ... 28
Appendix 2 – National Influenza Pandemic Preparedness Plan (NIPPP) ... 29
Appendix 3 – BCP and DRP Test Matrix ... 31
Appendix 4 – BCP and DRP Post Test Analysis Report ... 32
Appendix 5 – List of Bank Negara Malaysia’s Contact Numbers ... 38


BNM/RH/GL/ 013-3 IT and DFI Supervision Department

Guidelines on Business Continuity Management Page 1 / 39

A. OVERVIEW

A.1 Introduction

1. Business continuity management (BCM) entails enterprise-wide planning and arrangements of key resources and procedures that enable the institution to respond and continue to operate critical business functions across a broad spectrum of interruptions to the business, arising from internal or external events.

2. Continuous availability of critical and essential services is a necessity for the institution to promote customer confidence, ensure regulatory compliance and protect its reputation. It is therefore crucial for the institution to continuously enhance its capabilities to respond swiftly and to ensure the continuity of critical business processes in the event of a major disruption.

3. The Guidelines outline BCM principles and specific requirements with regard to the formulation, implementation, testing and maintenance of the business continuity plan (BCP) and disaster recovery plan (DRP) by the institution.

4. The Guidelines should be read in conjunction with other relevant guidelines or circulars issued by Bank Negara Malaysia (the Bank) from time to time.

5. With the issuance of these Guidelines, Part VII on Business Resumption and Contingency Plan in the “GPIS1 - Guidelines on Management of IT Environment” issued in May 2004 is superseded.

A.2 Objective of Guidelines

6. The primary objective of the Guidelines is to outline and enforce minimum BCM requirements on the institution so as to ensure the continuity of critical business functions and essential services within a specified timeframe in the event of a major disruption. Minimum disruption to essential business services would in turn enhance public confidence in the institution and the financial system, and mitigate reputational risk to the institution.

7. The Guidelines set out the Bank’s expectations for the institution to adopt sound and effective BCM procedures and practices to improve its resilience and be prepared for any eventualities. Broadly, the Guidelines aim to ensure that the institution:-

(i) Has in place a comprehensive BCM framework which includes a business continuity policy;

(ii) Establishes a comprehensive BCM programme to formulate, implement and test the BCP;


(iii) Reviews and updates the BCP and DRP continuously to reflect changes in the operating environment; and

(iv) Provides sufficient information to the Board of Directors (Board) to enable them to discharge their responsibilities under the Guidelines.

A.3 Application and Effective Date of Guidelines

8. The Guidelines are applicable to all institutions under the purview of the Bank, with effect from 1 January 2008, which include:

(i) Institutions licensed under the Banking and Financial Institutions Act 1989 (BAFIA);

(ii) Islamic banks licensed under the Islamic Banking Act 1983 (IBA);

(iii) Institutions licensed under the Insurance Act 1996 (IA);

(iv) Entities regulated under the Takaful Act 1984 (TA); and

(v) Development financial institutions prescribed under the Development Financial Institutions Act 2002 (DFIA).

9. The institution is required to comply with the Guidelines. Nevertheless, the institution is encouraged to adopt more stringent measures in addition to the requirements prescribed in the Guidelines.

10. Any non-observance of or deviation from the Guidelines should be based on proper risk assessment and risk management process, taking into account the nature, scale and complexity of the institution’s business operations as well as risk tolerance. The Guidelines operate on the premise that the Board retains ultimate accountability for the implementation and effectiveness of BCM.

11. Given that BCM also encompasses disaster recovery for IT systems, crisis management and contingency planning, the institution should ensure that internal linkages with crisis management and emergency response procedures as well as external dependencies on key service providers/vendors are adequately considered during business continuity planning. In addition, safeguard measures should also be undertaken on human life and business assets/premises.


A.4 BCM Life Cycle

12. The Guidelines are formulated based on the principles and best practices of the BCM life cycle, comprising:

(i) Analysing the institution’s business functions and their criticality through risk assessment (RA) and business impact analysis (BIA);

(ii) Formulating appropriate and workable BCM recovery strategies based on the risk assessment and business impact analysis;

(iii) Developing and implementing BCP and DRP;

(iv) Testing the plans;

(v) Reviewing and maintaining the plans;

(vi) Auditing the plans; and

(vii) Conducting ongoing awareness programmes and communication, training and education on BCM.


B. BCM PRINCIPLES AND REQUIREMENTS

B.1 BCM Framework

B.1.1 Board and Management Oversight

Principle: The Board and Management are responsible for ensuring the implementation of effective BCM framework within the institution.

13. The Board and Management are responsible for ensuring enterprise-wide implementation of sound BCM practices as part of good corporate governance and prudent risk management.

14. The Board and Management should be aware of and assess the potential threats and risks to the institution and the corresponding impact on critical business functions as well as their responsibilities with regard to BCM. The Board should provide leadership, direction and oversight in ensuring that effective BCM practices, recovery and resumption procedures are in place for the continuation of critical business functions should a major operational disruption occur.

15. The Board and Management should also be aware of potential impact on the institution’s operations of any potential failure or disruption in services provided by vendors and other third-party or intra-group service providers. They should ensure that the expectations and obligations of each party are clearly defined, understood and enforceable to ensure smooth implementation during a business disruption.

16. The Board is expected to approve the overall BCM policy and strategies, ensuring that the BCM policy is consistent with the institution’s risk tolerance level as well as the nature, complexity and materiality of the institution’s business operations, while Management is responsible for effectively implementing the BCM policy and strategies set out by the Board.

17. As part of its governance responsibility, the Board or a committee of the Board is expected to ensure that the institution has a workable BCP in place for all critical business functions and that the plan is consistent with the institution’s overall business objectives.

18. The Board should ensure that the BCP is adequately tested and regularly updated as per the requirements set forth in the Guidelines, to reflect changes in the operational environment and business activities and the level of risk that the institution represents to the operation of the financial system.

19. Management should periodically assess the institution’s readiness for effective response to major disruption.

20. As executive-level support and commitment is a critical aspect of BCM, Management should articulate clear expectations for business continuity preparedness throughout the institution to foster BCM effectiveness.


21. The Board and Management should provide sufficient annual budget allocation and resources for effective implementation and maintenance of BCM. This may vary according to the size and complexity of the institution’s BCM arrangement.

22. Where the institution’s BCP arrangement is outsourced to a third party, the Board and Management remain responsible for ensuring that sound and effective BCM practices are adopted by the service provider.

B.1.2 BCM Policy

Principle: The institution should have clearly defined policies for business continuity management.

23. The institution should have in place a properly documented BCM policy, which is essential to reinforce the importance of BCM and to commit the institution to a structured and consistent approach in implementing effective BCM practices.

24. Management is responsible for developing the BCM policy for the Board’s approval, implementing the approved policy and associated processes, conducting periodic reviews of the effectiveness of BCM, and communicating BCM issues or concerns to the Board in a timely manner.

25. At a minimum, the BCM policy should set out the objective, scope, strategies, inter-linkages with other contingency and emergency response procedures as well as delineate the lines of authority and responsibility for effective implementation of BCM throughout the institution.

26. The BCM policy should be periodically reviewed and updated to ensure its relevance and that it reflects the current risk tolerance of the Board and business goals of the institution.

27. Management should ensure that the BCM policy is clearly communicated to staff at all levels so that they are aware of their respective roles, responsibilities and accountability with respect to BCM.

B.1.3 Roles and Responsibilities

Principle: The institution should clearly define the roles and reporting lines of individuals and/or committee responsible for BCM.

28. The institution should establish a formal and permanent Business Continuity Management (BCM) Committee, represented by senior management from various business and technical departments and appropriate to the size and complexity of the institution, to effectively deal with a business disruption. Where appropriate, the committee should report directly to a committee of the Board in order to promote and maintain effective BCM practices.

29. The BCM Committee should have documented terms of reference.

30. To support and provide feedback to the high-level BCM Committee, the institution may establish a working-level committee. The committee should comprise a BCM coordinator (who is assigned to monitor the business continuity project) and representatives which include, but are not limited to:

(i) Major business units;

(ii) IT;

(iii) Internal audit (in an advisory capacity only);

(iv) Quality assurance/compliance;

(v) Legal;

(vi) Human resource;

(vii) Security;

(viii) Property management and services; and

(ix) Corporate services/communication.

31. The institution should establish a dedicated BCM function for the effective coordination and supervision of all BCM activities, which reports directly to the BCM Committee.

32. Management should ensure that BCM activities are conducted by competent staff with technical knowledge and experience consistent with the nature and complexity of the institution’s business activities.

33. In ensuring that due attention is accorded to BCM, business continuity planning should reside with the business units and involve those who carry out the critical business functions. This approach places ownership and accountability for business continuity preparedness on the heads of business units who are expected to assess and declare their state of readiness to Management periodically.

34. For smooth handling of a major disruption, the institution should consider establishing a crisis management team to coordinate the recovery and resumption of all critical business functions. Among others, the team should:

(i) Assume the central role in monitoring and assessing the impact of the disruption;

(ii) Provide appropriate advice to Management on the need to invoke the BCP;

(iii) Make operational decisions in response to the disruption; and

(iv) Communicate with internal and external stakeholders.


B.1.4 BCM Culture

Principle: BCM practices should be embedded into business operations and corporate culture of the institution.

35. Management should progressively promote an organisational culture that places high priority on enhancing business continuity capability and ensures that BCM becomes an integral part of the strategic management process and routine business operations.

36. Prior to undertaking new activities, procurement or strategies, Management should ensure that business continuity requirements are given adequate consideration at the planning and development stages.

37. The institution should ensure that staff are equipped with proper understanding of their respective roles and trained to perform their responsibilities with respect to prevention of crisis and recovery of business operations in times of disruptions. All staff, including new recruits, should be briefed on the institution’s business continuity arrangement to better prepare for all eventualities. Where possible, specific training requirements should be included in the performance objectives of staff involved in BCM activities.

38. Awareness and periodic briefings for the Board and Management are equally important to ensure continuing commitment and support for the BCM.


B.2 BCM Methodology

B.2.1 Risk Assessment and Business Impact Analysis

Principle: The institution should identify and assess potential threats that could severely interrupt operations and business activities. Institutions should also evaluate the business impact of the threats on all business functions and the financial system in general.

39. The institution should undertake a structured risk assessment (RA) process to identify potential threats that could cause material business disruptions, resulting in the inability to fulfill business obligations.

40. In undertaking the risk assessment, scenario analysis and planning should be conducted based on the potential loss, inaccessibility or unavailability of the following resources:

(i) Key personnel, including decision makers and recovery personnel;

(ii) Office premises (including branches, locally or abroad) and facilities within the same or nearby geographical location or region;

(iii) Critical business information and records;

(iv) IT systems and infrastructure, including network devices and peripherals as well as other support facilities; and

(v) Services of key suppliers, service providers or vendors, including outsourcing vendors.

41. Risk assessment should be carried out at least annually, or more frequently if there are significant changes to the internal operating or external environments.

42. The institution should assess the likelihood of the identified threats occurring and determine the impact on the institution. In this regard, the institution is expected to carry out a business impact analysis (BIA), which forms the foundation for developing the BCP, annually and whenever there are material changes to the institution’s business activities.

43. The BIA exercise should be conducted for all business functions in a structured and systematic manner, so as to identify critical business functions, resources and infrastructure of the institution.

44. The institution should determine the potential financial and non-financial impacts (i.e. legal, operational and reputational) on the institution if the critical business functions, resources and infrastructure are unavailable for a given period of time during a major disruption.


45. The institution should also assess the impact of an outbreak of a pandemic or infectious disease on its critical business operations and ensure that appropriate measures are in place so that critical business functions continue and can be sustained over a prolonged period of disruption caused by high absenteeism and/or relatively large geographical areas being placed under quarantine or isolation.

46. Management should ensure the adequate participation and involvement of all business units in the BIA process. The heads of business units should be responsible and accountable for the RA, BIA and BCP.

B.2.2 Critical Business Functions

Principle: The institution should identify the critical business functions essential for the development of recovery strategy to ensure resumption of its operations.

47. Given the impracticality and high cost involved in order to recover all business functions during a crisis, the institution should define the critical business functions that must continue in the event of a major disruption and establish the priorities for recovery. With the recovery priorities in place, the institution would then be able to determine the appropriate strategy and resource requirements (people, technology, equipment, facilities, etc.) to enable a phased recovery of the critical business functions within an acceptable timeframe.

48. In determining the criticality of business functions, focus should be accorded to business functions which may involve, among others, the following:

(i) Large-value and time-sensitive payment instructions;

(ii) Clearing and settlement of material transactions;

(iii) Fulfillment of material end-of-day funding and collateral obligations;

(iv) Management of customers’ risk positions;

(v) Provision of essential banking services and payments, such as cash withdrawals, deposits and remittances through various delivery channels, that are necessary to maintain public confidence;

(vi) Provision of essential insurance/takaful services;

(vii) Provision of other services that may have systemic impact on other market participants or the financial system; and

(viii) Communication with the regulator and stakeholders, including counterparties.

Apart from the above, the institution may include other services or activities that are deemed critical to its business functions.


49. The institution should take into account the interdependencies of all critical business functions, and the extent to which they depend upon internal and/or external parties such as utilities and telecommunication service providers.

B.2.3 Recovery Strategy

Principle: The institution should develop recovery strategies and procedures for all critical business functions derived from the BIA exercise.

50. The institution should formulate and document appropriate recovery strategies for all critical business functions to ensure the continuity or recovery of essential services within the acceptable timeframe.

51. The recovery strategies should, amongst others, indicate the recovery timeframe, delivery of the minimum level of essential services, functional relocation, the alternate and recovery sites, mode of processing, key recovery personnel including the decision makers, and work area, data, facility and technology requirements, where appropriate.

52. In developing recovery strategies, adequate consideration and succession planning should be accorded to scenarios where the workforce and productivity may be substantially reduced as a consequence of a significant increase in mortality and morbidity.

53. For technology requirements, the recovery strategy should clearly indicate the type of recovery site to be adopted, commensurate with the nature, scale and complexity of the institution’s business operations.

54. For human resource requirements, the institution should also include recovery strategy pertaining to pandemic or infectious diseases threat. Where necessary, the institution should refer to the National Health Council or Ministry of Health Malaysia (MOH) and always be vigilant of any advisories or notification by these or other authorities.

55. The recovery strategies should be regularly reviewed to ensure their continued relevance as business activities and operating environment change.

56. The recovery strategies and resource requirements should be approved by Management and the relevant committees to ensure alignment with corporate goals and business objectives.


B.2.4 Maximum Tolerable Downtime and Recovery Time Objectives

Principle: The institution should determine maximum tolerable downtime (MTD) and recovery time objectives (RTO) for all critical business functions.

57. Based on the BIA results, the institution should determine the MTD and RTO for each critical business function. The goal is to develop a BCP that details the procedures and the minimum level of resources required to recover the critical business functions within the recovery timeframe and maintain services at an acceptable level.

58. The institution should ascertain the targeted MTD and RTO for all critical business functions in consultation with various affected parties, including the IT Department, taking into consideration the nature, scale and complexity of business functions and their dependencies and impact on other parties.

59. The MTD and RTO set should practically correspond with the importance and criticality of the business functions. In particular, the institution should set shorter MTD and RTO for business functions that have significant impact on customer services and RTO should not exceed MTD. All MTDs and RTOs of critical business functions should be validated and approved by Management or the relevant committees and endorsed by the Board.

60. The institution is expected to recover important payment systems and critical business functions that could pose systemic impact on other market participants within the specified MTD and RTO.

61. The institution should consider incorporating specific RTO requirements in contractual arrangements with key service providers, suppliers, counterparties, etc.
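As an added example (not part of the Guidelines and not a Bank Negara Malaysia tool), the following Python script checks a BIA register against two of the points above: paragraph 59 (RTO must not exceed MTD) and the interdependency point of paragraph 49, which in practice means a function cannot be back before the functions it depends on, so a declared RTO is unattainable if a dependency's earliest achievable recovery is later. The register, function names, hours and dependencies are constructed for illustration; the finding codes, the `achievable_rto` computation and the recovery-ordering rule are design choices of this example, not requirements prescribed by the Guidelines.

```python
"""Consistency checks over a BIA register of critical business functions.

Each entry carries the function's MTD and RTO (hours) and the functions it
depends on. Two rules are enforced: RTO must not exceed MTD, and a function
cannot be back before the functions it depends on, so its declared RTO is
unattainable when a dependency's earliest achievable recovery is later.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CriticalFunction:
    name: str
    mtd_hours: float                     # maximum tolerable downtime from the BIA
    rto_hours: float                     # recovery time objective set for it
    depends_on: list[str] = field(default_factory=list)


# Constructed sample register (hypothetical names, hours and dependencies;
# not taken from the Guidelines).
SAMPLE_REGISTER = [
    CriticalFunction("Large-value payments", 4, 2, ["Core ledger", "Payment gateway"]),
    CriticalFunction("Core ledger", 8, 4),
    CriticalFunction("Payment gateway", 6, 1, ["Network and telecoms"]),
    CriticalFunction("Network and telecoms", 12, 3),
    CriticalFunction("ATM cash withdrawals", 24, 48, ["Core ledger"]),
    CriticalFunction("Customer call centre", 48, 24, ["Core ledger"]),
]


def _index(register: list[CriticalFunction]) -> dict[str, CriticalFunction]:
    return {f.name: f for f in register}


def _achievable(funcs: dict[str, CriticalFunction], name: str, visiting: set[str]) -> float:
    """Earliest hour at which `name` can be back: its own RTO, or later if any
    dependency (transitively) is back later. Raises on a dependency cycle."""
    if name in visiting:
        raise ValueError(f"dependency cycle through {name!r}")
    f = funcs[name]
    visiting.add(name)
    times = [f.rto_hours]
    for dep in f.depends_on:
        if dep in funcs:                 # unknown dependencies are reported by validate()
            times.append(_achievable(funcs, dep, visiting))
    visiting.remove(name)
    return max(times)


def achievable_rto(register: list[CriticalFunction], name: str) -> float:
    return _achievable(_index(register), name, set())


def validate(register: list[CriticalFunction]) -> list[tuple[str, str, str]]:
    """Return (function, code, message) findings; an empty list means consistent."""
    funcs = _index(register)
    findings = []
    for f in register:
        if f.rto_hours > f.mtd_hours:
            findings.append((f.name, "RTO_EXCEEDS_MTD",
                             f"RTO {f.rto_hours}h exceeds MTD {f.mtd_hours}h"))
        for dep in f.depends_on:
            if dep not in funcs:
                findings.append((f.name, "UNKNOWN_DEPENDENCY",
                                 f"depends on {dep!r}, which is not in the register"))
                continue
            dep_time = _achievable(funcs, dep, set())
            if dep_time > f.rto_hours:
                findings.append((f.name, "RTO_BELOW_DEPENDENCY",
                                 f"RTO {f.rto_hours}h cannot be met: {dep!r} is only back after {dep_time}h"))
        earliest = _achievable(funcs, f.name, set())
        if earliest > f.mtd_hours:
            findings.append((f.name, "ACHIEVABLE_EXCEEDS_MTD",
                             f"earliest achievable recovery {earliest}h exceeds MTD {f.mtd_hours}h"))
    return findings


def recovery_order(register: list[CriticalFunction]) -> list[str]:
    """Recovery sequence: earliest achievable recovery first; on ties a
    dependency is listed before the functions that need it."""
    funcs = _index(register)

    def depth(name: str, visiting: frozenset[str] = frozenset()) -> int:
        if name in visiting:
            raise ValueError(f"dependency cycle through {name!r}")
        deps = [d for d in funcs[name].depends_on if d in funcs]
        return max((depth(d, visiting | {name}) + 1 for d in deps), default=0)

    return [f.name for f in sorted(
        register, key=lambda f: (_achievable(funcs, f.name, set()), depth(f.name), f.name))]


if __name__ == "__main__":
    for name, code, message in validate(SAMPLE_REGISTER):
        print(f"{code:24} {name}: {message}")
    print("recovery order:", " -> ".join(recovery_order(SAMPLE_REGISTER)))
```

Run the file directly to print the findings and the recovery order for the sample register. On that register the ATM function is flagged because its RTO of 48 hours exceeds its MTD of 24 hours, while the two payment functions are flagged for a subtler reason: their own RTOs are within MTD, but they depend on functions whose recovery finishes later, so the declared RTO could never be met in a real invocation. The ordering puts shared dependencies such as the network and the core ledger ahead of the functions that need them, which is the sequence a phased recovery should follow.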

B.2.5 Level of Disruption

Principle: The institution should identify the minimum services and the recovery strategy for critical business functions that correspond to each level of disruption.

62. In the event of a major disruption, it is important that the scale of the disruption be assessed in terms of its severity. Correspondingly, this would facilitate the appropriate remedial actions and the type of essential services to be rendered under various scenarios.


63. For this purpose, the institution should identify the minimum essential services and the recovery strategy for all the critical business functions, based on the suggested level of disruption (LoD) given below. The institution is also required to maintain a record depicting the LoD and the corresponding minimum essential services and recovery strategy as outlined in the LoD Matrix (refer to Appendix 1).

LoD | Description | Probability of exceeding MTD/RTO
1 | Affects isolated areas of business operations, such as a branch or department, and the situation is well contained within the area. | Low
2 | Affects a number of branches or departments. | Moderate
3 | Affects head office business premises or the production data centre (single-branch institution). | High
4 | Affects a region or an entire state where the institution operates. May cause systemic impact. | High
5 | Affects nationwide or regional operations. | High

64. The institution is required to complete the LoD matrix and submit it to Pengarah, Jabatan Penyeliaan IT dan IKP (Director, IT and DFI Supervision Department), Bank Negara Malaysia before 31 January of each year.

B.2.6 Formulation of Plan

Principle: A business continuity plan and disaster recovery plan should be formulated and approved by Management. The institution should ensure that the plan is effectively implemented and properly maintained by all business units.

65. The institution should develop a workable business continuity plan (BCP) and disaster recovery plan (DRP) for at least all critical business functions, including domestic and overseas branches or subsidiaries operations.


66. Management should be involved in business continuity planning. Where the BCP and DRP formulation is undertaken by a consultant, the responsibility of Management for ensuring that a well-designed plan is developed does not diminish.

67. The BCP and DRP should include, at least:

(i) Procedures to be followed in response to a major disruption to business operations. The procedures should enable the institution to respond swiftly to a crisis situation, recover and resume the critical business functions, resources and infrastructure outlined in the BCP within the stipulated timeframe.

(ii) Escalation, declaration and notification procedures. The institution should maintain a call tree and contact list.

(iii) The conditions for BCP activation and the individual who has the authority to declare a disaster and grant permission to execute the recovery processes.

(iv) A list of all resources required to recover critical business functions in the face of a major disruption. This would include, but not limited to, key recovery personnel, computer hardware and software, office equipment and relevant documentation.

(v) Relevant information about the alternate and recovery sites.

(vi) Procedures for restoring normal business operations. This should include the orderly entry of all business transactions and records into the relevant IT systems and the completion of all verification and reconciliation procedures.

68. Given that the threat of a pandemic or infectious disease poses unique challenges, the institution should also ensure that its BCP has adequate arrangements and resources to deal with the possible emergence of a pandemic or infectious disease. In this regard, the institution is encouraged to align its preparatory and response measures to the outbreak stages used by the Ministry of Health Malaysia. The institution could refer to Appendix 2 on the measures to be undertaken in the event of an outbreak of a pandemic or infectious disease.

69. The institution should ensure that recovery personnel’s responsibilities are clearly documented in the BCP. During a major disruption, staff could be unavailable for various reasons. As such, it is important that alternate recovery personnel be identified for all critical business functions.

Page 17: Bank Negara Malaysia BCM Guidelines 2008

BNM/RH/GL/ 013-3 IT and DFI Supervision Department

Guidelines on Business Continuity Management Page 14 / 39

B.2.7 Alternate and Recovery Sites

Principle: The institution should make arrangements for alternate and recovery sites should the business premise, infrastructure and systems supporting critical business functions become unavailable in the event of a major disruption.

70. The institution should make available a functional alternate and recovery site for its business functions and technology in the event the business premises, key infrastructure and systems supporting critical business functions become unavailable.

71. The alternate and recovery sites could either be in-house arrangements, or be available through an agreement with a third-party recovery facility provider, or a combination of both options.

72. The institution should assess the suitability and capacity of the alternate and/or recovery site to ensure that the site is:

(i) Sufficiently distanced from the primary site to avoid being affected by the same disaster or source of disruption;

(ii) Using a separate or alternative telecommunication network and power grid from the primary site to avoid a single point of failure; and

(iii) Readily accessible and available for occupancy, taking into consideration the logistic requirements within the recovery timeframe stipulated in the BCP and DRP.

73. For technology requirements, the institution should ensure that the IT systems at the recovery sites are:

(i) Compatible with the institution’s primary systems (in terms of capacity and capability) to adequately support the critical business functions; and

(ii) Continuously updated with the current version of system and application software to reflect any changes to the institution’s system configurations (e.g. hardware or software upgrades or modifications).

The institution should provide a recovery facility (hot site, online mirroring, etc.) that is commensurate with its established MTD/RTO, and for critical business functions that pose systemic risks.


74. For the use of a third-party alternate site or recovery facility, the institution should:

(i) Establish a written contract to safeguard the institution’s interest;

(ii) Provide a service level agreement (SLA) between the institution and the third party to ascertain the level and type of services to be provided to the institution. The SLA should be properly documented and approved by the Management;

(iii) Mitigate concentration risks, where the service provider renders the recovery facilities to several customers or to customers within the same locality or industry. In this regard, the agreement should specifically identify the conditions under which the recovery facility may be used and specify how customers would be accommodated if simultaneous disruptions affect several customers of the recovery facility provider;

(iv) Assess the capacity and capability of the third party sites for use for a reasonable prolonged period; and

(v) Ensure that adequate physical and logical access control is provided by the service provider to safeguard the recovery facility.

The institution should ensure that a periodic and continuous review and monitoring be undertaken on the service level provided by the third party and the measures mentioned in items (iii), (iv) and (v) above.

B.2.8 Critical Business Information Records

Principle: Proper procedures should be put in place to ensure the availability of systems and critical business information records for the recovery of critical business functions in the event of a major disruption.

75. The institution should ensure that a sufficient number of backup copies of critical business information, software and related hardcopy documentation (for systems and users) are available for the recovery of critical business functions. A copy of the information, documentation and software should be made available at an off-site premise or backup site, and any changes or updates should be made periodically and reflected in all copies.

76. A full systems backup should be periodically conducted and should at least consist of the updated version of the operating system software, production programs, system utilities and all master and transaction files. The frequency of backup would depend on its criticality and should be performed after critical modification or updates.


77. All backup media should be properly labelled using standard naming conventions that at least indicate usage, date and retention schedules. Backup media should also be regularly tested, where practicable, to ensure that they can be restored when necessary. All backup media should also be rotated in a systematic and timely cycle.

78. Backup media should also be stored off-site in a secure and access-controlled environment, of a standard consistent with the main site and in accordance with the manufacturer’s recommendations. The backup site should also be located at a distance that would protect it from damage resulting from any incident at the primary site, but still facilitates a quick retrieval process.

79. Transportation to the backup site should be done in a controlled and secured manner with proper authorisation and record. Procedures for disposal of backup media should also be in place.
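Paragraphs 75 to 79 state the outcomes (media labelled with usage, date and retention; media proven restorable; a rotation cycle; controlled disposal) without prescribing tooling. The script below is an added example, not part of the Guidelines or of any institution's procedure, showing one way to check those outcomes in code. The label convention `<USAGE>_<YYYYMMDD>_R<retention days>`, the grandfather-father-son rotation sets with their retention periods, the 90-day restore-test interval and the sample files are all assumptions made for this example; the restore test works on an in-memory gzip tar archive so that it runs offline.

```python
"""Backup media checks for paras 75-79: labelling, restore verification,
rotation and disposal. Added example; all conventions below are assumptions."""
import hashlib
import io
import re
import tarfile
from datetime import date, timedelta

# Assumed label convention: <USAGE>_<YYYYMMDD>_R<retention days>,
# e.g. FULLSYS_20080131_R365 (usage, date and retention schedule, para 77).
LABEL_RE = re.compile(r"^(?P<usage>[A-Z]+)_(?P<date>\d{8})_R(?P<retain>\d+)$")

# Assumed rotation cycle (grandfather-father-son) and retention per media set.
ROTATION_RETENTION_DAYS = {"DAILY": 7, "WEEKLY": 35, "MONTHLY": 365}


def rotation_set(run_date):
    """Which media set a backup taken on run_date is written to."""
    if run_date.day == 1:
        return "MONTHLY"
    if run_date.weekday() == 6:  # Sunday
        return "WEEKLY"
    return "DAILY"


def make_label(usage, created, retain_days):
    return f"{usage}_{created:%Y%m%d}_R{retain_days}"


def parse_label(label):
    """Reject media whose label does not follow the naming convention."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"non-conforming label: {label}")
    d = m["date"]
    return {
        "usage": m["usage"],
        "created": date(int(d[:4]), int(d[4:6]), int(d[6:])),
        "retain_days": int(m["retain"]),
    }


def disposal_due(label, today):
    """True once the retention period on the label has elapsed (para 79)."""
    info = parse_label(label)
    return today > info["created"] + timedelta(days=info["retain_days"])


def restore_tests_due(last_tested, today, max_age_days=90):
    """Media never restore-tested, or not tested within max_age_days (para 77)."""
    return sorted(
        label for label, tested in last_tested.items()
        if tested is None or (today - tested).days > max_age_days
    )


def build_backup(files):
    """Write files (path -> bytes) to a gzip tar in memory and return the archive
    together with a SHA-256 manifest, which is kept apart from the media itself."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def verify_restore(archive, manifest):
    """Restore test: extract every member and compare it with the manifest.
    Returns a sorted list of problems; an empty list means the restore passed."""
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            data = tar.extractfile(member).read()
            expected = manifest.get(member.name)
            if expected is None:
                problems.append(f"unexpected member {member.name}")
            elif hashlib.sha256(data).hexdigest() != expected:
                problems.append(f"digest mismatch {member.name}")
    problems.extend(f"missing {path}" for path in manifest if path not in seen)
    return sorted(problems)


if __name__ == "__main__":
    # Constructed sample: a config file and a master file from a full-system backup.
    sample = {"etc/app.conf": b"rto_hours=4\n", "data/master.dat": b"\x00\x01" * 100}
    run = date(2008, 1, 31)
    label = make_label("FULLSYS", run, ROTATION_RETENTION_DAYS[rotation_set(run)])
    archive, manifest = build_backup(sample)
    print(label, "restore problems:", verify_restore(archive, manifest))
    # A second archive whose master file differs: the manifest catches it.
    altered, _ = build_backup({**sample, "data/master.dat": b"\x00\x02" * 100})
    print("altered media:", verify_restore(altered, manifest))
    print("disposal due on 2009-03-01:", disposal_due(label, date(2009, 3, 1)))
```

The digest comparison proves only that the media is readable and complete against a manifest that was stored separately from it; it does not prove that a system rebuilt from the media works, which is what the "live run" testing in paragraph 81 exists to show.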

B.2.9 Testing of Plan

Principle: The BCP and DRP must be tested regularly to ensure the functionality and effectiveness of the recovery strategies and procedures, preparedness of staff and other recovery resources.

80. The institution should test the BCP and DRP for all critical business functions and application systems.

81. The BCP should be tested at least once a year for all critical business functions, while the DRP for all critical application systems should be tested at least twice a year, of which one of the tests should be a “live run”. Where necessary, the institution is also encouraged to conduct additional periodic BCP and DRP tests for the critical business functions.

82. For RENTAS system (where applicable), due to its criticality, the institution is required to conduct "live run" testing from the institution’s recovery site in accordance with prevailing guidelines on RENTAS.

83. The scope of testing should be sufficiently comprehensive to cover the major components of the BCP and DRP as well as coordination and interfaces among important parties.

84. The type of BCP and DRP testing should include both functional (e.g. simulated, “live”, full blown, etc) and non-functional testing (call tree and desktop exercises or walkthrough).

85. Large and complex institutions should at least conduct integrated testing on a reasonably wide scale for all the critical business functions, using backup IT systems to gauge and assess the application system linkages and network connectivity. The load/capacity requirements needed to support the minimum service level to be provided during a disaster should also be included in the testing. Where possible, the involvement of key service providers/vendors in BCP testing should be considered to evaluate the adequacy and availability of external services that might be required. However, the institution is reminded to exercise due care when undertaking the above testing in view of the risk involved and to ensure minimal inconvenience to the public.

86. Test plans with predetermined test goals and test criteria, using realistic simulations and activity volumes should be developed for the testing. Formal testing documentation (including test plan, objectives, scenarios, procedures and results) should be produced to ensure thoroughness and effectiveness of testing, and properly maintained for audit purposes.

87. Management should be involved in the annual testing process to demonstrate their commitment as well as to familiarize themselves with their recovery roles. In addition, Management should ensure that all relevant staff (i.e. recovery and alternate personnel) participate in the testing exercises.

88. Minimum BCP and DRP testing requirements include, but are not limited to:

(i) Verifying completeness of the plan and adequacy of recovery procedures;

(ii) Assessing familiarity of staff with their business continuity responsibilities and the institution’s evacuation procedures;

(iii) Evaluating connectivity, functionality, performance and load capacity of alternate and recovery sites;

(iv) Assessing adequacy of security implementation and staff awareness;

(v) Assessing effectiveness of the communication plan and coordination with relevant parties;

(vi) Evaluating response time; and

(vii) Recommending remedial actions for future tests.

89. The institution is expected to prepare a post-test analysis report, where evaluation of the testing performance against the testing goals is made. This is to ensure adequacy and integrity of testing, to identify problems and to develop the necessary corrective action plans. The analysis could also be used to eliminate redundancies and any waste of resources.

90. BCP and DRP test results for critical business functions and applications should be communicated to the Board in a timely manner.

91. The institution is required to submit to Pengarah, Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia the following documents:

(i) Annual BCP and DRP test matrix before 31 January of every calendar year (refer to Appendix 3); and

(ii) BCP and DRP post-test analysis report within two months after the date of testing (refer to Appendix 4)


B.2.10 Maintenance of Plan

Principle: The institution must carry out periodic review of the BCP and DRP. The plan must be updated to reflect changes in the operating environment and business activities.

92. The BCP and DRP should be reviewed and updated regularly. The plans, including the risk assessment and BIA, should be reviewed and updated on an ongoing basis (at least annually or when necessary) so that they are consistent with the institution’s current operations and business strategies. The institution is expected to employ a formal process for maintaining the plans, where regular reviews, validations and updates are conducted to ensure their continued relevance and effectiveness. This includes addressing gaps identified during BCP and DRP tests.

93. Ongoing review of the adequacy of backup systems, software, applications, and other resources should also be included in the BCP and DRP update cycle.

94. Management must review the final revised BCP and DRP and endorse the changes to the recovery strategies and procedures.

95. Management is responsible and accountable for ensuring that the BCP and DRP are up-to-date, effective and tested periodically. As such, periodic reporting on the progress and on strategic issues or concerns with regard to BCM should be communicated to the Board in a timely manner.

96. An updated copy of the BCP and DRP should be provided to the relevant parties and should be stored at an off-site premise or backup site that can be easily accessed during a disaster/prolonged disruption.

97. The institution is required to adopt version control to facilitate updating and maintenance of the plans.


C. COMMUNICATION

Principle: The BCP should incorporate strategy and approach for communication with relevant internal and external stakeholders. The institution must maintain an updated emergency contact list of key personnel and relevant parties.

98. Communication is of the utmost importance especially during a business disruption or a crisis. Clear and effective communication would help to alleviate anxiety or rumours and assist in promoting public confidence.

99. In this respect, the institution should include in the BCP, a communication plan for notifying all relevant internal and external stakeholders (e.g. home and host regulators, counterparties, key service providers, media and the public) following a major disruption to the operations of the institution.

100. The institution should consider preparing predetermined messages tailored to a number of plausible disruption scenarios to ensure consistent and effective messages are conveyed in a timely manner to the various stakeholders.

101. The institution must notify the Bank immediately, and in any case within two hours, after experiencing a major disruption (LoD 2 and above) that has the potential to materially impact customer service. Using the LoD matrix, the institution should report the severity of the disruption, the essential services to be provided, the actions being taken and the timeframe for returning to normal operations. The institution should also notify the Bank when normal operations have resumed. Refer to Appendix 5 for the list of Bank Negara Malaysia’s contact numbers.

102. The institution must maintain an emergency contact list of all relevant parties and key recovery personnel essential for the swift response and recovery of critical business functions. The contact list should be regularly updated.


D. INTERNAL AUDIT

Principle: The institution’s internal audit should conduct regular independent evaluation of the adequacy and relevance of BCM policy, strategies, procedures and testing of the BCP and DRP.

103. Internal auditors should periodically verify that sound and effective BCM practices are implemented in the institution, in line with the principles and requirements stipulated within the Guidelines and the institution’s BCM policies and procedures.

104. In line with BNM/GP10 – Guidelines on Minimum Audit Standards for Internal Auditors of Financial Institutions, internal auditors should participate as observers during the development of BCP and DRP. The internal auditors are to maintain objectivity and independence from any operational responsibility of BCM being developed.

105. Internal auditors should be involved in major functional BCP and DRP testing as observers to provide an independent evaluation of the testing preparation and exercise performance. A written assessment report should be prepared and submitted to the Audit Committee for review.

106. On an annual basis, internal auditors should review the level of commitment to BCM and overall preparedness against the institution’s BCM policies and regulatory requirements. For outsourced services, the auditors or other independent party should periodically review the BCP testing undertaken by the outsourcing vendor to ensure their business continuity preparedness. Gaps identified should be documented in the audit report together with action plans for further improvement by the respective business functions or outsourcing vendor. The audit report should be submitted to the Audit Committee.

107. An executive summary of the audit report, which includes comments from the Audit Committee, should be forwarded to Pengarah, Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia not exceeding two months after being presented to the Audit Committee.


E. OUTSOURCING

Principle: In the event that some parts of the business functions are outsourced, the institution should ensure that risk arising from outsourcing does not compromise its business continuity preparedness.

108. The institution is expected to address all issues relevant to managing the risks associated with each outsourcing arrangement to the extent reasonable given the unique circumstances and having regard to the interests of the institution.

109. The institution should ensure that the outsourcing vendor is subject to the BCM Guidelines, where appropriate.

110. The outsourcing contract should specify the requirements for ensuring the continuity of the outsourced business function in the event of a major disruption affecting the outsourcing vendor’s services. Recovery time objectives (RTO) should be built into the outsourcing contract, with provisions for legal liability should the RTO not be achieved.

111. The institution should ensure that the outsourcing vendor has in place fully documented and adequately resourced BCP and DRP. The institution should ensure that periodic testing is conducted by the outsourcing vendor on its BCP and DRP at least annually and twice a year, respectively. The vendor should notify the institution of the test results and action to be undertaken to address any gap. The institution may also require its outsourcing vendor to declare their state of business continuity readiness to the institution, annually.

112. The institution should include a clause in the outsourcing agreement, which allows the institution’s internal auditor or other independent party appointed to review the BCM of the outsourcing vendor.

113. The institution should be notified in the event that the outsourcing vendor makes significant changes to its BCP and DRP, or encounters other circumstances that might have a serious impact on its services.

114. The institution’s own BCP should address reasonably foreseeable situations where the outsourcing vendor fails to provide the required services, causing disruptions to the institution’s operations. In particular, the plan should ensure that the institution has in its possession, or can readily access, all records necessary for it to sustain business operations and meet obligations in the event the outsourcing vendor is unable to provide the contracted services.


F. SUBMISSION LIST

The institution is required to submit the following documents to Pengarah, Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia.

Frequency of Submission | Submission of | Date of Submission | Sign-Off By | Page | Format
Annually | LoD Matrix | Before 31 January of every calendar year | Chief Executive Officer | 12, item no. 64 | Refer to Appendix 1
Annually | BCP and DRP Test Matrix | Before 31 January of every calendar year | Chief Executive Officer | 17, item no. 91(i) | Refer to Appendix 3
Once available | BCP and DRP Post-Test Analysis Report | Within two months after the test has been conducted (for each BCP and DRP test conducted) | BCM Coordinator / DRP Coordinator | 17, item no. 91(ii) | Refer to Appendix 4
Once available | Executive Summary of BCP and DRP Audit Report | Within two months after being formally endorsed by the Audit Committee | Chief Internal Auditor | 20, item no. 107 | -


G. GLOSSARY

Alternate Site

An alternate site for business units to resume critical operations during a disaster: a site held in readiness for use during a business continuity event to maintain an institution’s business continuity. An organisation may have more than one alternate site. In some cases, an alternate site may involve facilities that are used for normal day-to-day operations but which are able to accommodate additional business functions when a primary location becomes inoperable.

Board

Refers to the institution’s Board of Directors.

Business Continuity

The ability of an institution to ensure continuity of service and support for its customers and to maintain its viability before, after and during an event.

Business Continuity Management (BCM)

A whole-of-business approach that includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimize the operational, financial, legal, reputational and other material consequences arising from a disruption. BCP and DRP are the key components of BCM.

Business Continuity Plan (BCP)

A comprehensive documented action plan that outlines the procedures, processes and systems necessary to resume or restore the business operation of an institution in the event of a disruption.


Business Impact Analysis (BIA)

A component of business continuity management. BIA is the process of measuring (quantitatively and qualitatively) the business impact or loss of business processes in the event of a disruption. It is used to identify recovery priorities, recovery resource requirements and essential staff, and to help shape a business continuity plan.

Call Tree

A document that graphically depicts the calling responsibilities and the calling order used to contact management, employees, customers, vendors and other key contacts in the event of an emergency, disaster or severe outage situation.

Card Services

Include credit card and bankcard services.

Critical Business Function (CBF)

A business function that is considered crucial for an institution based on the BIA and risk assessment performed. Classification of a CBF should be based on the following criteria:

a) Crucial and required to support customer services
b) Generates highly significant income
c) Required by related regulatory bodies
d) Might cause systemic impact
e) Disruption would result in substantial business losses in terms of revenue, customers and reputation

Critical Business Information Record

A record that is critical to the institution and must be preserved and available for retrieval if needed.

Desktop Exercise

One method of exercising teams in which participants review and discuss the actions they would take per their plans, but do not perform any of these actions. The exercise can be conducted with a single team, or multiple teams, typically under the guidance of exercise facilitators.


Disaster Recovery Plan (DRP)

A comprehensive written plan of action that sets out the procedures and establishes the processes for IT systems and requirements that are necessary to support and restore the business operation of an institution in the event of a disruption.

Essential Services

Vital services that need to be provided by an institution, either during a normal business day or during a disaster.

Full-Blown Testing

Involves large or wide scope/scale of testing of all IT systems, including network infrastructure and connectivity using production data and resources on IT recovery sites. Basically, the objective of the test is to gauge load handling and capacity of the recovery site. Where necessary, business operations are shifted to the recovery site in accordance with the disaster recovery plan. This test is clearly a very thorough test, but one which must be carefully planned and has the capacity to cause a major disruption to operations, if the test fails.

Integrated Testing

An exercise conducted on multiple interrelated components of a Business Continuity Plan, can be either under simulated or live operating environment. Examples of interrelated components may include interdependent departments or interfaced systems.

“Live” Run Testing

Involves the use of production data and resources for testing on IT recovery sites in a live environment. Where necessary, business operations are shifted to the recovery site in accordance with the disaster recovery plan. This test is clearly a very thorough test, but one which must be carefully planned and has the capacity to cause a major disruption of operations, if the test fails.

Management

Refers to the institution’s senior management, which also includes the Chief Executive Officer and President as well as their deputies, etc.


Maximum Tolerable Downtime (MTD)

This is the timeframe during which a recovery must become effective before an outage compromises the ability of an institution to achieve its business objectives and survival.

Recovery Site

Refers to the recovery (backup) site for IT systems, as an alternate to the primary data centre. Also known as a disaster recovery (DR) site. Examples of recovery site arrangements are:

a) Replacement - do nothing but replace the system after a disaster.
b) Cold site - a complete data centre infrastructure but without equipment.
c) Warm site - capable of providing backup operating support but would require (at a minimum) the restoration of current data.
d) Hot site - a fully equipped, operationally ready data centre.
e) Reciprocal arrangement - mutual backup between institutions.
f) Full redundancy - dual production systems configuration, where the production system is duplicated at the recovery site.
g) Commercial recovery facility - subscribe to a third-party service provider or relocate staff to the alternate processing site.

Recovery Time Objective (RTO)

The timeframe required for IT systems and applications to be recovered and operationally ready to support business functions after an outage. (See illustration below)

[Illustration: a timeline with the milestones Outage Occurs, Invoke DRP, System Recovered and Data Current; the intervals between them are labelled Escalation, Recovery and Clear Backlog; the Recovery Time Objective (RTO) and the Maximum Tolerable Downtime (MTD) are marked as spans along this timeline.]


Risk Assessment

The process of identifying the risks to an institution, assessing the critical functions necessary for the institution to continue its business operations, defining the controls in place to reduce the organisation’s exposure and evaluating the cost of such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Simulation Testing

Involves bringing the recovery site to a state of operational readiness, but maintaining operations at the primary site. Thus staff are relocated, backup tapes transferred, and operational readiness established in accordance with the disaster recovery plan while operations at the primary site continue normally.

Structured Walkthrough

An exercise in which team members physically implement the business continuity plans and verbally review each step to assess its effectiveness, identify enhancements, constraints and deficiencies.

Systemically Important Payment System

Defined as a payment and settlement system that plays a critical role in preserving the systemic stability of the financial system. It would present systemic risk and/or affect public or investor confidence should the system be unable to complete (recover) and resume critical functions and activities in a timely manner.

Systemic Risk

Includes the risk that the failure of one institution in the financial system to meet its required obligations will cause other institutions to be unable to meet their obligations when due, thereby potentially causing significant liquidity dislocations or credit problems and threatening the stability of the financial markets.


APPENDICES Appendix 1 – Level of Disruption (LoD) Matrix

Institution : XYZ Berhad

Critical Business Function : <Name of Critical Business Function>

Date : _______________

LoD | Minimum Essential Services Provided | Business Continuity Strategy | MTD (hour) | RTO (hour)
1 | | | |
2 | | | |
3 | | | |
4 | | | |
5 | | | |

Prepared by : < Name >

< Designation >

< Date >

Concurred by : < Name >

< Designation >

< Date >

* The MTD and RTO of the same essential service(s) at different LoD should be the same.


Appendix 2 – National Influenza Pandemic Preparedness Plan (NIPPP) WHO Alert Levels

Period | Phase | Transmission | Objectives
Inter-pandemic period (planning and preparedness) | Phase 1 | Influenza virus subtype in animals only (risk to humans low) | Strengthening pandemic preparedness at all levels
Inter-pandemic period (planning and preparedness) | Phase 2 | Influenza virus subtype in animals only (risk to humans substantial) | Minimize the risk of transmission to humans; detect and report rapidly, if it occurs
Inter-pandemic period (planning and preparedness) | - | Confirm pandemic outside Malaysia | Detect and report rapidly, if it occurs
Pandemic Alert (emergency and pre-emptive response) | Phase 3 | Human infection (transmission in close contacts only); confirm pandemic within Malaysia (3a: imported; 3b: within Malaysia) | Ensure rapid characterization of the new virus; detect, notify and respond to additional cases
Pandemic Alert (emergency and pre-emptive response) | Phase 4 | Limited human-to-human spread; small clusters (<25 cases lasting <2 weeks); second or other waves of pandemic (4a: outside Malaysia; 4b: inside Malaysia) | Contain the virus or delay its spread
Pandemic Alert (emergency and pre-emptive response) | Phase 5 | Localized human-to-human spread; larger clusters (25-50 cases over 2-4 weeks) | Maximum efforts to contain or delay the spread
Pandemic (minimizing impact) | Phase 6 | Widespread in general population | Minimize the impact of the pandemic


The following table provides a summary of the stages before and during a pandemic:

MOH Alert Level: Phase 1 and Phase 2
Definition: Pre-pandemic stages

1. Action to be taken during this stage includes planning, communication, personal protective equipment, screening tools, antiviral agents and vaccination recommendations.

2. An audit or self-evaluation may also be conducted to gauge preparedness.

MOH Alert Level: Phase 3 to Phase 6
Definition: Pandemic stage

1. This stage occurs when the Government of Malaysia declares a pandemic. Influenza symptoms need to be screened for during this stage, staff are to be informed of the next action plan, and medication processes are ongoing for those who have contracted the disease.

Notes: This level is additional to the levels provided in the Ministry of Health’s Guidelines. At this stage, morbidity rates are exceedingly high, economic activities are severely affected and emergency measures are needed to bring the situation under control.

Source: “Recommendations on Influenza Pandemic Preparedness For Industry in Malaysia”, Ministry of Health Malaysia and The Society of Occupational and Environmental Medicine (SOEM) of the Malaysian Medical Association (MMA), March 2006.


Appendix 3 – BCP and DRP Test Matrix

ADMINISTRATIVE INFORMATION

Name of Institution: ______________________   Contact Tel. No: ______________________
Name of Contact Person: ______________________   Fax No: ______________________
Designation: ______________________   Email Address: ______________________

[ ] BCP   [ ] DRP

BCP/DRP PRE-TEST PLAN INFORMATION

Name of Critical Business Function: ______________________

State the following:

Type of Testing | Objectives of Testing | Scope of Testing
Functional Testing (e.g. Integrated Test; Full Blown; Simulated) | |
Non-Functional (e.g. Call Tree; Walkthrough; Desk-top) | |

Expected Date of Testing: ______________________
MTD (Hours): ______________________
Expected RTO (Hours): ______________________
List of personnel involved (please indicate the department name and designation): ______________________
List of external dependencies involved, e.g. third-party service provider, Telco (please indicate the company’s name and service provided): ______________________

Sign Off By: ________________________ ________________________
             CEO/ MD/ President        BCM/DRP Coordinator


Appendix 4 – BCP and DRP Post Test Analysis Report

ADMINISTRATIVE INFORMATION

Name of Institution Contact Tel. No

Name of Contact Person Fax No

Designation Email Address

BUSINESS / DISASTER RECOVERY TEST GENERAL INFORMATION

Objectives of Test Test Scenario

Test 1

Test 2

Test 3

No of Staff Involved: IT ______ Non-IT ______ (Please list the details as per the attachment)

Please tick whichever applicable: BCP / DRP / Internal Audit / Other Parties (e.g. 3rd party service provider, Vendor, Telco)

Date(s) of Test: _______________


TYPE OF TESTING (You may tick more than one)

Functional Testing: Unit Test / Integrated Test / Full Blown / Simulated / Live Run

Non-functional Testing: Call Tree / Walk-Through / Desk-Top

CRITICAL BUSINESS FUNCTIONS (e.g. branch operations) and their MTD

No. of branches involved (if applicable) = ____________________________

Scope of Test : < Please describe here - refer to the Guidelines >


Test Location & Address

Columns to be completed for each application system: Application Systems; Systems Criticality; Expected RTO; Recovery Strategy; Type of Recovery Site (Primary Data Centre / Computer Recovery Site / Business Recovery Site)

Systems Criticality Classification

(a) Very critical
- Crucial and critically required to support customer services.
- Generates highly significant income.
- Required to comply with related regulatory requirements.
- Might cause systemic impact.
- Disruption will result in substantial business losses in terms of revenue, customers and reputation.

(b) Critical
- Required to support customer services.
- Generates significant income.
- Required to comply with related regulatory requirements.
- Disruption will result in business losses in terms of revenue, customers and reputation.

(c) Required
- Indirectly supports customer services.
- Complies with related regulatory requirements.
- Disruption to business functions could be tolerated using an alternate mode of processing.

(d) Non-Critical
- Does not affect customer services; compliance with regulatory requirements is not necessary.

System Recovery Time Objective (RTO) (hours/days)

The timeframe required for IT systems and applications to be recovered and operationally ready to support business functions after an outage

Maximum Tolerable Downtime (MTD)

The timeframe during which a recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives

Recovery Strategy

(There could be more than one strategy used for one application system)

(a) Backup and restore - using end-of-day backup stored offsite.
(b) Journaling / Forward recovery - journal log kept and taken offsite periodically during the day.
(c) Electronic Vaulting - routine backups transmitted via network to an offsite direct access storage device.
(d) Electronic Journaling - journal log transmitted periodically to the backup site via network.
(e) Data mirroring - data is transmitted in real time via a dedicated network to a disk array at the backup site.
(f) System Failover - the entire system component is duplicated at a hot site with real-time data replication; near-zero data loss, virtually instant recovery.


Type of Recovery Site

(a) Replacement - do nothing but replace after disaster.

(b) Cold site - completed data centre infrastructure but without equipment.

(c) Reciprocal arrangement - mutual backup between companies.

(d) Warm site - capable of providing backup operating support but would require (at a minimum) the restoration of current data.

(e) Hot site - fully equipped, operationally ready data centre.

(f) Full redundancy - dual production systems configuration, production system is duplicated at recovery site.

(g) Commercial recovery facility - subscribe to third party service provider or relocate staff to the alternate processing site


Application System: ______________________________

Columns to be completed for each activity: Date & Day; Start Time; End Time; Time Taken; Problem Encountered; Action Taken; Remarks

Activities:

Disaster Declaration

Movement to recovery site:

(a) People: IT Staff

Business Users

(b) Backup Tapes

System Preparation/Restoration

Data Preparation/Restoration

Connectivity

User logon

Transaction testing

Actual RTO

Overall Test Result


System Preparation / Restoration

Covers all activities required to bring up the DR system from the time relocation to the DR site has been completed, including preparation for network and branch connectivity, system preparation, system restoration (Operating System and Application System) and other necessary activities until the system is ready for normal transactions.

Data Preparation / Restoration

Covers all activities required for data preparation and database restoration.

Overall Test Result

(a) Successful, if
- all test objectives are fully met, and
- the expected RTO is met, and
- no problems were encountered, or only minor problems were encountered which could be rectified immediately or within a short period of time.

(b) Partially successful, if
- test objectives are partially met, and
- the problems encountered are more serious in nature and require more time and effort to rectify, need collaboration with a third party (for example Telekom), or require Senior Management’s involvement (for example, investment is needed to increase the capacity of the DR system).

(c) Fail, if
- test objectives are not met at all, or
- the test could not proceed and a re-test is required.

Note: For tests which have failed, please state the re-test date.
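As an added illustration that is not part of the guideline, the following Python script fills the Time Taken and Actual RTO columns from a constructed activity log laid out like the Appendix 4 table above, then applies the overall test result criteria (a) to (c). The activity names and timings are constructed sample data, and the "Undetermined" outcome for combinations the form does not define (for example, all objectives met but the expected RTO missed) is an assumption of this example.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample log for one application system (not from the guideline),
# in the order of the Appendix 4 activity table: (activity, start, end).
SAMPLE_LOG = [
    ("Disaster Declaration",           "2008-03-15 08:00", "2008-03-15 08:15"),
    ("Movement to recovery site",      "2008-03-15 08:15", "2008-03-15 09:30"),
    ("System Preparation/Restoration", "2008-03-15 09:30", "2008-03-15 11:00"),
    ("Data Preparation/Restoration",   "2008-03-15 11:00", "2008-03-15 12:20"),
    ("Connectivity",                   "2008-03-15 12:20", "2008-03-15 12:40"),
    ("User logon",                     "2008-03-15 12:40", "2008-03-15 12:50"),
    ("Transaction testing",            "2008-03-15 12:50", "2008-03-15 13:30"),
]

def _hours(start, end):
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 3600

def time_taken_hours(log):
    """'Time Taken' column: hours spent on each activity."""
    return {name: _hours(start, end) for name, start, end in log}

def actual_rto_hours(log):
    """Actual RTO: from disaster declaration to the end of transaction testing."""
    return _hours(log[0][1], log[-1][2])

def overall_test_result(objectives, rto_met, problems, test_completed=True):
    """Apply criteria (a)-(c). objectives: 'all' | 'partial' | 'none';
    problems: 'none' | 'minor' | 'serious'."""
    if not test_completed or objectives == "none":
        return "Fail"                     # (c): not met at all, or could not proceed
    if objectives == "all" and rto_met and problems in ("none", "minor"):
        return "Successful"               # (a)
    if objectives == "partial" and problems == "serious":
        return "Partially successful"     # (b)
    # Combinations the form does not define are left to the reviewer (assumption).
    return "Undetermined - refer to reviewer"

def assess(log, expected_rto_hours, objectives, problems, test_completed=True):
    """Return (actual RTO in hours, overall test result) for one application system."""
    rto = actual_rto_hours(log)
    return rto, overall_test_result(objectives, rto <= expected_rto_hours, problems, test_completed)

if __name__ == "__main__":
    rto, verdict = assess(SAMPLE_LOG, expected_rto_hours=6, objectives="all", problems="minor")
    print(f"Actual RTO {rto:.2f} h -> {verdict}")
```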

INTERNAL AUDIT ASSESSMENT

Prepared By:

………………………………….………………………

Name : ______________________________ Designation : ______________________________


Appendix 5 – List of Bank Negara Malaysia’s Contact Numbers

(a) During Office Hours

Financial Conglomerate Supervision Department – JP1
Director: 03 – 26988044 ext. 7315; 03 – 26989167 (DL)
Deputy Director – Division 1: 03 – 26988044 ext. 7359; 03 – 26913685 (DL)
Deputy Director – Division 2: 03 – 26988044 ext. 8047; 03 – 26910845 (DL)
Deputy Director – Division 3: 03 – 26988044 ext. 8382; 03 – 26982294 (DL)
Deputy Director – Division 4: 03 – 26988044 ext. 7588; 03 – 26982917 (DL)

Banking Supervision Department – JP2
Director: 03 – 26988044 ext. 7579; 03 – 26943926 (DL)
Deputy Director – Division 1: 03 – 26988044 ext. 7316
Deputy Director – Division 2: 03 – 26988044 ext. 7949; 03 – 26910720 (DL)
Deputy Director – Division 3: 03 – 26988044 ext. 7278; 03 – 26985745 (DL)

Insurance and Takaful Supervision Department – JP3
Director: 03 – 22635000 ext. 2703; 03 – 2031 1794 (DL)
Deputy Director – Division 1: 03 – 22635000 ext. 2138; 03 – 20313509 (DL)
Deputy Director – Division 2: 03 – 22635000 ext. 1841; 03 – 20313507 (DL)
Deputy Director – Division 3: 03 – 22635000 ext. 1321; 03 – 20311787 (DL)

IT and Development Financial Institution Supervision (DFI) Department – JP4
Director: 03 – 22635000 ext. 3333; 03 – 20312200 (DL)
Deputy Director – IT Risk: 03 – 22635000 ext. 3305; 03 – 20317788 (DL)
Deputy Director – DFI: 03 – 22635000 ext. 1010; 03 – 22746340 (DL)


Investment Operations and Financial Market Department – JOPPK
Dealing Room: 03 – 26922343; 03 – 26915695

Risk Management Unit
The Bank’s BCM Coordinator: 03 – 22635000 ext. 1388

(b) After Office Hours

Security Department
Operations Room of Security: 03 – 26988044 ext. 8999

Note: DL - Direct Line