Business Continuity Management – New Guidelines and Timelines

Tom: Good afternoon everyone, and welcome to this Waystone Compliance Solutions webinar, where we will discuss the monetary authority of Singapore’s recently published guidelines on business continuity management, how they apply to financial institutions, and how firms here in Singapore should approach their implementation. My name is Tom Fisher, and with me today are Khushboo Gulrajani and Barry Holmes. 

Waystone Compliance Solutions is a global organization. Our business is in ensuring our clients’ investment strategies and operational processes remain aligned with all relevant jurisdictions. Our team of over 100 professionals are based in Asia, Europe, Middle East, and North America, and provide clients with local, regional, and international services. Our diverse range of clients include financial advisors, hedge funds, private equity, venture capital firms, and banks. Whatever the discipline, as your architects in the world of asset management, we can provide the structures, technical expertise, and guidance you need to navigate the ever-changing regulatory landscape with confidence. Waystone Compliance Solutions in Singapore is a regulatory compliance consulting firm, assisting companies in their interactions with the monetary authority of Singapore. 

We specialize in providing objective insights, subject expertise, and ongoing support to all our clients’ licensing requirements, training, drafting of policies and procedures, and audit needs. Waystone Compliance Solutions is part of the Waystone Group, the global leader in the provision of risk, compliance, and governance solutions to the asset management industry. Globally, Waystone is in 16 locations, with more than 1,000 staff, covering North America, Europe, Middle East, and Asia. Khushboo and Barry will now take you through the new business continuity management guidelines, and offer solutions on how you can navigate them. Over to you, Khushboo. 

About Singapore’s Business Continuity Management Framework

Khushboo: Thanks, Tom, for the introduction, and a very warm welcome to everyone who’s listening to us today. So, business continuity management, as we call it, BCM, is not a very new concept to the financial institutions here in Singapore. So, the BCM framework was first introduced by the MAS or published by the MAS back in 2003, with a slight modification and revisions in 2006. With the recent change in threat landscape, these guidelines have been further revised now, very recently, in June, 2022. The latest changes are timely, as they reflect the key thinking of the industry, a move towards operational resilience, as well as the key improvements and the findings, learnings from the COVID-19. 

So, as mentioned, these guidelines are newly-implemented, and it is important for the financial institutions to ensure that they are meeting these guidelines by June 2023, which is less than two months from now onwards. So, today we will be covering some of these key areas that you need to keep in mind or need to adhere to when you are adopting a business continuity management framework. 

BCM revised guidelines recap

So, under the revised guidelines, the financial institutions are required to adopt a service-centric approach, through timely recovery of critical business services to their customers. They are required to identify end-to-end dependencies that support these critical business services, and also try to address any gaps that could hinder the effective recovery of such services. The companies are also required to enhance their threat monitoring and environmental scanning processes, try to conduct regular audits, tests, and industry exercises. So, before we go into the details about the key changes or the key revisions, let’s take a moment and step back to understand what constitutes business continuity management. 

What is Business Continuity Management?

Now, business continuity management includes various scenarios, potential threats to an organization, and the impact these threats could have on an organization if they materialize. It tries to answer certain questions such as, how would the business continue with service in case of a disruption? How long can the business continue to serve? What are the remedial actions that the companies can take to ensure that they are minimally impacted due to these disruptions? It is very increasingly important that the financial institutions take into their consideration unexpected disruptions. 

Now, these disruptions could be large-scale, such as pandemic COVID-19, or cyber attacks, or vulnerabilities due to the change in the technology adoptions, or these could be little smaller in scale, such as probably power outage or fire. Now, smaller or medium-size enterprises are more vulnerable to these disruptions, given they have very limited financial resources or human resources. It is therefore very important that they build resilience into their businesses, and ensure that they’re able to recover from the unexpected shocks. 

Overview of revised BCM guidelines

Now, this slide is trying to give a brief idea about what were the key areas that the MAS focused, and their previous guidelines, and what are these new revisions that the MAS has introduced. Now, the revised guidelines have included very sound BCM principles that the financial institutions are encouraged to adopt. They provide additional specific guidance on each key areas, to guide financial institutions towards implementation. These includes identification of critical business services, service recovery time objective, dependency mapping, and certain new things that needs to be implemented, such as audit on business continuity management. We will be covering each of these key aspects in next few slides in detail. 

Responsibility of the board and senior management

So, the first and foremost is the responsibility of the board and the senior management. The company, while including, like, or ensuring a business continuity management or framework is in proper place, it is important that the board and senior management has a proper control and oversee on these guidelines. MAS in their revised guidelines have made a very clear distinction between the roles and responsibilities of the board and the senior management. Now, for a board, it is important that they provide the proper comprehensive BCM frame…and ensure that the BCM framework is established, ensure that there is a sufficient authority given to the senior management, ensure that there are proper resources available in terms of budget, technology, and human resources to ensure that the company is able to implement an effective BCM. 

On a periodic basis, they’re also required to ensure that the company goes through independent audit to assess the effectiveness of the controls, risk management, and the governance framework. Whereas for the senior management, it’s more towards the implementations side. They’re required to ensure that the protocols in are place for an effective BCM, they are required to ensure that the critical business functions’ systems have been identified. And for each of these systems, there are recovery strategies in place, there are proper authorities given to the personnel to carry out their functions in case of a disruption, and on an annual basis, ensure that proper tests are being conducted wherein they are able to identify the gaps and weaknesses, and ensure that the remediation measures are being corrected. 

On an annual basis, the senior management is required to provide an annual attestation to the board, to ensure and give an overview of the BCP’s preparedness, as well as their adherence to the revised BCM guidelines. If requested by the MAS, this attestation report is also required to be submitted to the MAS.  

Critical business services and functions

Now, one of the very important key considerations is the critical business service and functions identification. Now, while supervising a financial institution, the MAS will, of course, assist the quality of the board and the senior management and the internal controls and frameworks. 

However, in the guidelines, they have specifically mentioned that the key importance will be given to understand how the companies have identified their business services and functions. Now, in case of a disruption, it is not possible for most of the business organizations to recover all of their business services and functions at the earliest opportunity. Therefore, it becomes critically important that they identify those business services and functions which are critical to them. And also, the ones that can have impact on their unavailability, on the safety and soundness of the company. For example, will it impact the financial soundness of the company? Will it impact the liquidity of the company? Will it impact the legal regulatory requirements. The impact these could have on the customers of the company, and the impacts that these could have on other financial institutions who are using the company’s business service. 

Now, there might also be certain functions that may not directly support a business service, but they might be very critical in supporting the financial institutions during a disruption. To give you an example, if you are an asset management firm, maybe your trade execution or a portfolio management is very important for the company, and may be identified as a critical business service. 

However, in case if there is a disruption, then to handle the [inaudible 00:09:20] or to handle the various stakeholders, third parties, it might be important that your IT function as well as your human resource function is also functioning properly. Now, for each of the critical business services and functions that you identify, it is important that you develop a recovery strategy for them. That is basically a backup plan, for example, ensuring that there’s an alternate site where the people can start working from, or maybe giving additional trainings to the manpower so that they can act as a backup. It is important that for each of these critical business service and function, a person has been appointed who can oversee the recovery and resumption in case a disruption happens within the company. 

Service Recovery Time Objective (STRO)

The next slide is linked to the previous one, which is establishing a service recovery time objective, now, as we call it as RTO. Now, RTO is the maximum acceptable time that a business function or a service can be down after an unexpected disaster or a failure. It is, as mentioned in the slide, it is a duration of time to restore a specific business service from the point of disruption to the point wherein actually it is sufficient to meet the business obligations of the company. 

It is a very time-based metrics, and it should take into considerations the obligations of the customers as well as the financial ecosystem at large. Now, going back to our example, for example, maybe for a trade execution or a portfolio management, the RTO has to be very less, maybe one or two hours. But maybe for a business development team or for a HR function, it could be three to four hours. Now, for each of these recovery time objectives that have been said, there has to be a recovery strategy in place to ensure that you are meeting such STROs. These could be, show we discussed previously, an activation of alternate site or expansion of the service capacity. 

Now, RTO basically defines a turning point after which time the consequences of interruption from a disaster or failure totally becomes unacceptable. Therefore, it is very important that you clearly define the criteria for the BCP activation, even when a critical business service encounters a partial disruption. 

Dependency mapping

The next key important area that we need to focus on is dependency mapping. Now, the companies now cannot take a silo approach when they are framing their business continuity management. The financial sector has become increasingly interconnected with the growing reliance on common IT systems, the third parties, processes, and people. As a first step to mitigate the risk arising from the interdependencies, the financial institutions should be able to identify and map their end-to-end dependencies on such people, processes, technology, and the third parties. For the third parties, it is increasingly important that you ensure that there is a service level agreement in place, ensure that the service provider or the third-party service provider has a proper business plan activation process in place, and that they have given you an assurity that in case of a disruption, they are able to provide support to you to ensure that you are able to cater to your customers’ needs. 

Incident and crisis management 

The next slide is on the incident and crisis management. Now, in case an incident happens, it is very important that the financial institution is able to resume its critical business services and functions within the stipulated RTOs that they have drawn up. It is important that while incident planning, you draw up a very clear, very defined template for each of these incident responses. It may not be very specific that it becomes too difficult for an organization to adapt it to a different situation. However, the plan should kind of provide more of a framework than a specific steps. These includes training for the requisite teams, continuously testing their processes and the plans that they have implemented, to ensure that in case of a disruption, the company is able to resume the business. 

This includes table-top discussions, in-depth operational exercise, so that everyone has a very general idea of how to respond in case of an incident. In case of a crisis, it is the responsibility of the senior management to ensure that they are able to steer the financial institutions out of a crisis. The crisis management structure should be properly well-defined. It should ensure that there are proper roles and responsibilities that has been given to the people. There should be predefined triggers and criteria for a timely activation of the crisis management and management structure. 

Proper communication should be done with the internal parties, the employees of the companies. They should be made aware of such crisis at a proper time so that they can provide assurity to the company, as well as ensure that they’re able to work properly. The communication too with the external stakeholders should also be very proactive, transparent, and factual. It is important that you reassure your stakeholders, and maintain customer confidence during a disruption or a crisis. It is also important that during a crisis, you notify the MAS as soon as possible, but not later than one hour upon the discovery of incidents where the business operations will be severely disrupted.  

The reporting has to be as per the reporting template that has been specified by the MAS, wherein it is important that you mention the impact these disruptions are having to the customers, as well as the steps that you have taken to remediate the actions. Now, the next few slides are concentrating on other key areas, such as concentration risk, the audit timelines, the testing requirements. This is something that will be taken up by my colleague, Barry. So, Barry, over to you. 

Concentration risk

Barry: Thank you very much, Khushboo. So, linking into what you’ve just covered, and the key area of dependency mapping and critical services and functions, concentration risk is now at the forefront of the new guidelines from MAS, and it’s really important for firms to understand, especially global firms that rely on global services, that relying on one party to do a service, and that could be internal or external, is a risk, and that needs to be considered. And the nature and the size and the complexity of the business needs to factor that in. 

So, for example, on screen at the moment, critical business function segregation, so, in same zone. So, country risk as well as same-location risk. So, some firms are departmentalizing areas, so even employees. Cross-training is a very important element. I, myself, working for smaller companies, wore many hats over the years. Compliance officer, anti-money-laundering officer, BCM manager, sanctions officer, whistleblowing officer. That’s all concentration risk. One individual having too many hats on. It’s not allowed to have too many hats and one party doing it, but the firm needs to understand what is their concentration risk. 

So, linking back to what Khushboo already covered, the dependency mapping is critical. So, doing a gap analysis of your business, and end-to-end, to understand what activities your firm does. Do you have an online portal? Who provides the service for that? Do you have one staff member doing many roles, like I already covered? So, it’s really important to understand your business. And what we’re recommending is you have a clearly-documented, evidential assessment of your business. We’ll be providing a checklist if anyone wants a reference point with the new guidelines, which we would recommend that as your starting point, to look at where you are now and where you need to move by the 6th of June 2023. If you move on to the next slide, Khushboo. 

Testing/continuous review

Testing continuous review. Now, this has always been a critical step in BCM. Business continuity management is only as good as the plan that’s put in place and the consideration for the business. You must be continuously reviewing and testing your business. Now, just to clarify, we would not recommend a full test every single time. I myself have been involved in full tests. And it is a risk to the business, especially if you do it on a Wednesday afternoon and you have to shut down some of your live activities. It’s not commercially sensible. The best thing to do is to start small. And I would always recommend, even though also, not always popular, at the weekend. 

Shut down one area at the weekend, and then try and recover it. And then if there is an issue, on Sunday, you can recover it. So, pick an item, pick an area that’s the most important to you. Going back to what Khushboo said about data mapping and dependency mapping, making sure you understand what your business does and what is the critical functions. And then you can look at what area to focus on. So, it could be simple. It could be your telephone system. How do you receive and make telephone calls? That could be one area. 

If you are heavily reliant on the telephone system, then that obviously is a critical function to your business. So, we would urge you to look at your business model and what is relevant and important to you, or look at common threats in the media at the moment, and ransomware. So, look at your data, and if someone put a ransomware on your system and that you couldn’t access data, one particular folder, how would you recover? Do you have live replication? Could you get the data back? Would you only lose an hour? Paying ransom is never a recommendation by governments and regulators, because you do not know who the bad actor or actress is, or where they are, and the likelihood of getting the money back… Getting the data back. 

So, it’s really important to understand your business. And testing is critical, from my point of view as well, from personally being responsible for the BCM. It’s making sure employers are aware of what the BCM, and what happens in the event of an incident. So, Khushboo’s already mentioned COVID. We’ve all been through a pandemic, and it wasn’t, obviously, a fun exercise. And it did test financial institutions, obviously, as governments, etc. as well. However, we’re now in a semi-normal environment. And as such, the BCM framework needs to be enhanced to cater the current threats in the market and around the world. 

So, what you need to do is look at your business, look at your model, document it, document it, document it. That’s the key.  

Stress test BCPs

And then, number four there, stress test. Look at your business model and look at plausible scenarios, and then test them. Just to clarify, the regulator is not expecting you to look at every single scenario or every single eventuality. They’re asking firms to look at their business model, look at their critical services, look at their critical functions, and look at service recovery, like Khushboo touched on earlier. What is a reasonable timescale? For example, payroll. Payroll, obviously, for employers is extremely critical, because that’s how we pay for our bills, etc., and have fun. 

So, payroll, even though it’s not that frequent, obviously, on a monthly, usually, basis, payroll’s still a critical service, and needs to be established. So, do you outsource your service of payroll? This is fundamental questions that your business needs to look at. Or is it in-house? If it’s in-house, you’ve obviously got more control. If it is external, we’re working with various clients in the moment, enhancing their business continuity framework. And payroll is one of the key areas where the solution could be as simple as we’ll send a check, or we’ll do a bank transfer. But, have you thought about the mechanisms for doing that? Can you do that? Does your bank allow it? These are all simple questions that need to be considered prior to an actual incident happening, because, in the time of crisis or an incident, time is of the essence. 

And as Khushboo already highlighted, you need to report this to the regulator if an incident happens within an hour. Think about that. Sixty minutes. That’s not that long. And I’ve been through hundreds of incidents over the last 20 years. And if you haven’t been through one, they’re not fun. But, a good, well-oiled plan, a good, updated plan, is critical. Back many years ago, I worked for a company [inaudible 00:21:39] a briefcase. And that briefcase had a mobile phone in it, had the BCM plan, had some money, and that was it. Unfortunately, nobody kept it updated. And also, the person that managed it left the company, and nobody knew the briefcase code. 

It’s a very simple and stupid failure of a BCP plan, because, also, the phone in it was so outdated, no one had a phone charger, and it was dead. And they had a prepaid card in there as well for cash, and it had expired as well. So, it’s a very simple and bad example of BCM, how it was… When it was first implemented, it was amazing. It was robust, etc. But single-party concentration risk. Once again, an employee left the company. That’s why succession planning is critical. And this links back to other areas that we’re not touching today, but your firm should be fully aware of. 

Importance of individual accountability

Individual accountability, like Khushboo already talked about. Someone needs to be responsible for those recovery. The senior management and the board need to have that oversight, and individual accountability, looking at the five outcomes. You need to be aware of who is responsible. And also, employer awareness. And this links also to cybersecurity, a very important area. I touched upon earlier, if you’ve got an online portal, this is critical. If you take payments online, and that element shuts down, can you still trade? Or, would you have to say, “Sorry, customers, we can’t take payments today.” Or could you do another mechanism? Bank transfer, check, etc.? Same with payroll. 

And also, you need to look at your entire business model. So, people normally focus on IT only, when it should be resources, i.e. people, and systems controls, and what activities your business are doing. So, really focus on your business model. And this is why that checklist that I mentioned earlier, that we can send to you if you want a copy of it, when you just go through your existing framework, the new guideline and say, “Ah, actually, we need to enhance this area.” We’re working with clients at the moment and their existing framework is sufficient for the existing weld of BCM. And it may be 5, 10 pages. We’re enhancing their policies and procedures, and some are going over 70, 90, 100 pages. 

Now, the number of pages is irrelevant. The content needs to be there, and it needs to be a living document. It needs to be a real-life document. That’s what the regulator has echoed. They’ve reinforced that, and that’s why testing is critical, and a continuous review. So, as Khushboo already touched on, the senior management should have triggers in place. So, do you have quarterly compliance meetings? In that meeting, you should be talking about any changes to the business model. Have you taken on new regulator activity? Straight away then, your BCM needs to be reassessed. Do you outsource your compliance services? If so, what would happen if they went out of business or they were temporary, had an incident themselves and had to activate their BCM?

Sanction screening 

Sanction screening. If you can’t comply with your legal compliance obligations, you cannot trade legally. So, for example, if you can’t do sanction screening, it’s a very simple exercise, screening at your database, your beneficial holders, of, against the sanction list. If you can’t perform that function, then you can’t trade. So, you need to look at all your activities and what you do. If you outsource 99% of your business activities to third parties, then obviously, you’re at higher risk. Not to say that you can’t outsource it, but remember, the responsibility is with the legal regulated entity. MAS will focus on the legal regulated entity, and benchmark them against the guidelines. 

Now, with everything to do with regulation, it’s comply or explain. You need to comply with the regulations to the letter or the spirit, or you need to explain and justify why not. Some examples that I can go through. Office access. How do you get access to your office? Think about it. It’s a very simple question. Do you have a key, a physical key, or do you have a key card, or is it a touchscreen? Or, at Waystone, in Singapore, we have face recognition. However, none of these systems and controls are perfect. 

So, for example, again, not a great example, but it happened to me last week. I had a coffee, I was very hot because I was rushing for a meeting. The facial recognition, because of the pandemic, also has a temperature gauge. It wouldn’t let me in for 10 minutes. Then I remembered, I’ve got a key card, just in case. So, that’s operational resilience. Obviously, if I would’ve waited another half an hour, somebody else would’ve come past and they would’ve let me in. But this is the sort of thing, you need to work out what you do, internally and externally as a business, and from start to finish. Now, opening the door to the office is a simple thing, but how do you get into the office? 

Water damage. A few years ago, I worked at a company, and above our office was a hotel, and they had a water leak on a Sunday. And on Monday, we got in the office and the water damage went on our server. Lucky enough, we had a business plan in place, and the IT team were brilliant. They started to rebuild the server, and it should have taken maybe four to five hours because they’d practiced. However, the plan hadn’t been updated for a few months. And the server change that was recently updated wasn’t built in. So, I’ll simplify it a little bit because it was a bit too technical, but they had steps one to six, but five was missing, for example. So, they could build partially the server, but they couldn’t build the rest of it. And that’s the sort of thing where we’re talking about continuous review. 

If something changes, the plan needs to be revisited, especially after a test. When you test your plan, if something comes out of it, you need to enhance your plan. Or, if the regulator does a communication about cyber awareness, and is there a new threat in the market? Mobile devices, there are more threats out there regarding hacking of mobile devices. Do you allow your staff to bring devices to work? Big question. We want to make sure staff are empowered and they can continue working, obviously taking personal considerations into consideration. But do they have their personal phones at work? Have they got encryption on their phones? Do they have multi-authenticity on their phones? So, a code that changes every 30 seconds to log in to work laptops. These are all elements that need to be considered. But hopefully, the example of opening the door to the office is a simple one, but it gets you to think about every step of the process. 

Audit plan suggestion

Next slide please. One of the new requirements, and this is a big one. This is a BCM-specific audit. So, just think about that. This is just on BCM, business continuity management. So, firms have internal audits on a regular basis. They have external audits. And Waystone does internal audits, and we cover BCM in that, as a, one of maybe 60, 70 different subjects. 

However, by the 6th of June this year, all firms must have a BCM plan. And that plan, we’ve got an example on the slide. It’s a very simple one. It doesn’t need to be complicated, by the way. It just needs to cater for what your firm will do by the 6th of June, 2024. So, what we recommend is your senior management, consider what the plan is. So, will you do it internally? Do you have the relevant skills and experience, and, the key word, “independent party,” internally that can do it? If not, then you need to outsource it. If you’re going to outsource it, that comes with same risks, obviously. 

You need to ensure that the person that’s doing it or the party that’s doing it has got the relevant skills, qualifications, and experience to do it. Now, we would recommend that you ensure they do a feasibility study, as a phase one. So, Waystone’s currently helping many, many customers through this exercise. And there are, obviously, many service providers out there. But make sure that you get clarification from the service provider, what they will do for you. Because at the end of the day, you’re the regulated entity, and in the event of something going wrong in the future, you need to be able to demonstrate that your senior management have taken the rules, the guidance, the principles, and the spirit of the rules and guidelines, and adopted them. 

So, make sure you get an output. So, what we would recommend is feasibility study. Basically, that is knowing your business. So, the service provider should ask you lots of questions, and get lots of documents. So, basically, look at your existing framework, analyze that existing framework, and it provides you a output. So, a phase one. And that should be an overview of your business, and making sure that they’ve understood your business. Once they’ve got that, then they can provide a recommendation how to enhance your framework. If you’ve got nil framework, i.e. you’ve got no plan in place, which some firms do have, even though, as Khushboo said, the guidelines are already there, some firms haven’t got anything in place. 

Now, this is a very good opportunity to, obviously, fix that. Some firms have something in place, and it’s robust in the current world, as I already alluded to earlier. However, they need to enhance it. So, with your service provider, you need to work with them, and it should be a collaboration. They need to make sure it covers the key areas.  

Management

So, on screen at the moment, management. They should be strengthening the management oversight, as Khushboo already spoke about earlier. Governments, context, leadership. Each recovery element should have an appointed individual to recover that. And they should have the relevant knowledge and experience and skills to do that as well. 

If they don’t, they need to obviously undertake training, and that’s where a service provider may be able to provide additional training as well.  

Business impact and risk assessment 

Business impact and risk assessment. Now, this links back to what I already talked about, individual accountability. Who is responsible for your BCM? That’s a simple first question. It could be the CEO, it could be the IT manager. Someone needs to be appointed.  

Contingency Arrangements

Contingency arrangements, controls, operations, like Khushboo already mentioned, about a different office. If something happened, could you relocate? COVID, again, we don’t like to keep referring to it, but it’s the most recent extended incident that we had. 

And we worked from home, many of us. I remembered opening an office in France, sitting at a ironing board on my laptop in my front room, for months and months, doing work on a laptop, on a ironing board. And it’s not good memories, but funny memories. But that can still be a recovery. MAS has already said about COVID, you can use that model, however, this is an important part, you can’t just do it as business normal. You still need to adapt and adopt to the new guidelines. If that resilience, operational resilience of the COVID pandemic, is the way forward for you, you need to forget about the COVID part, and build it into your existing model in your new BCM framework. 

Documented plans 

Documented plans, once again, policies and procedures. These can’t be, going back to my briefcase example, these can’t be on the shelf gathering dust. These need to be living documents. For example, when you’re doing a new project, you should be factoring that in. It should be similar to considering IT, or HR, or if you’re doing a new business line, you need to factor in business continuity. For example, are you building an online portal? That would be a new activity. You need to factor that in. Are you moving into a new territory? Once again, you need to build that into your consideration. 

Training and testing 

Training and testing. For me, training and testing is probably one of the most critical elements, because I’ve seen well-experienced senior management crumble during an incident. And that’s not their fault. They’ve just never been through a real-life incident. And I remember my first one, in my 20s. It wasn’t a fun exercise. However, testing, training, testing, training, preparedness, and employee awareness. This is a critical function. And Khushboo would probably agree. Getting employees active awareness. For example, the compliance manual. Do you get your staff to sign the compliance manual, or confirm on an annual basis they’re aware of it? And that’s important. 

Going back to individual accountability, making sure they know if they spot a fire in the office, first of all, human preservation, obviously, making sure that they look after human safety. Call the fire brigade immediately. Save the property, save the individuals, then activate the incident. It could be a trivial little fire, waste paper basket or something, and it could be contained. However, knowing how fires work, as a previous fire marshal, you still need to make sure that there’s no wider risk, embers somewhere else that haven’t been caught. So, it could be a short-term disruption, i.e. four hours, but that still needs consideration because the phones are still going to ring, emails are still going to come in, and MAS still may need to be notified, like Khushboo talked about. 

But this where the plan needs to factor in short-term disruption, as well as long-term disruption. And that goes for your own firm, but also your service providers.  

Review and update process

And, finally, review and update process, governance, improvement, evaluation. So, for example, we’ve seen some firms, and I’ve personally, as a previous compliance officer, approved by the UK regulator, the UAE regulator, and working in Europe as well, is ongoing review, putting triggers in place. So, I’ve seen firms put quarterly reviews in. Let’s look at the quarterly, the business continuity plan on a quarterly basis. Has anything changed? “John, Barry was on a holiday then. Barry, John, is there any updates?” “Oh, no. Nothing’s changed.” “Okay.” Making sure. 

And at the end of the day, that’s your evidence as well. And the regulator, it’s a common saying around the world, but if it’s not written down, it didn’t happen. And that’s where your documents are evidence. And this goes back to that checklist I mentioned at the beginning, and in the middle as well. Waystone can send you a copy. Basically, that’s your evidence of how you’ve gone through these guidelines and enhanced them. And it’s an overarching important note that your firm must ensure accountability and responsibility for the business continuity of its critical business services. 

So, echoing what Khushboo talked about at the beginning, this is fundamental. Some firms, and this is a hard thing to accept, sometimes, some firms don’t know their own business. They don’t know how the sanction screening is doing at the senior management level. It’s done by the compliance function. So, this is where senior management need to understand what is outsourced. And critical services, critical functions. And Khushboo may be able to add some more in, but outsourcing. Outsourcing is an existing requirement that you must have an outsourcing register, as prescribed by MAS, a template, and you must continuously be reviewing that, making sure that your outsource providers have got, as required, a BCM plan themselves, making sure that they’ve got resilience, making sure that the agreements are in place.  

Recovery. We’ve working with some clients that their service providers have got a recovery time of two hours. So, that helps their own recovery time by a knock-on effect. So, on screen at the moment, looking at the critical services, once every three years, an audit must be done. The first one needs to be done by 6th of June, 2024. The audit plan, as I’ve already highlighted, needs to be in place by the 6th of June this year. And, as Khushboo already highlighted, it’s not that far away. We’re on the 20th of April today. And just think about next week’s the end of April, and then we’re in May. And there’s bank holidays, etc. in Singapore. 

Appoint a qualified party. Now, this is important. There are qualifications out there for BCM. However, the MAS have not prescribed specific qualifications, unlike other industries and other roles. However, what you need to do is look at the service provider, if you’ve ruled out internal audit, and make sure the person’s qualified. For example, at Waystone, we’ve got various different people that are qualified. I’m a cyber security specialist. I’ve got 25 qualifications in various subjects, governance, etc. which, I’ve done many audits, BCM, etc. Khushboo as well has done many audits. 

So, it’s making sure that you get that skillset and you get that expertise. And, also, at the end of the day, you’re paying for a service, so you need to be…they need to be able to evidence that they can do it. And that’s why feasibility study, making sure that that’s part one. Part two is the documentation. And they can’t just give you an off-the-shelf template, because they don’t know your business 100%. It needs to be a collaboration and customization of your plan. 

And also, you need to have a walkthrough with that plan with your senior management. And some firms will have, obviously, committees set up, audit committees, etc., and those committees need to go through it as well, and have confidence. And that’s the key word. In the event of an incident, part one, would it work when you test it, etc.? Part two, if the regulator asks for a copy of it, would they be able to have confidence in that plan? And it needs to be sustainable. Because obviously, as I said earlier, some plans are 50, 60, 70 pages, 100 pages, and some have many appendixes and checklists and templates. But you need to be able to look at your testing and your output and make sure that it’s fit for purpose. I think that’s the most important thing. 

Also, when you have other audits, making sure that you’re factoring any remedial actions that are highlighted in those findings as well. So, today is the 24th of April. Next week is May. So, time is ticking on. The 6th of June 2023 is when you’re meant to have an audit plan in place. Now, that’s the most simplistic part today, the audit plan. It just needs to be a one-page document, just confirming that you’re going to have an appointed, either internal auditor, or external auditor, by Q4 2023. And the audit’s going to take place by Q1 2024, ensuring that it’s all done and dusted by the 6th of June, 2024. It’s really important that this is on your senior management agenda, or board agenda, and it’s a fixed item. 

I would highly recommend this, being part of many audits and board meetings and meeting agendas over the years, as a compliance officer, head of compliance. It’s really important to have a fixed agenda until it’s resolved. And also, it shows that corporate governance to the regulator, if ever asked. And make sure you go back to those qualifications and a qualified party. So, top tips, as we’ve already covered, start early. There is time. So, there’s no need to panic. If you’ve got an existing framework, you just need to do a gap analysis against the new requirements, or outsource it. There are many service providers out there. So, start early, engage them early, get a quote, get an engagement letter. Just get some feedback, how long they think it’s going to take on the size and complexity of your business. Make sure it’s on your board agenda. They’re fully aware. This goes back to corporate governance. 

We don’t know what MAS is going to do, or the regulator’s going to do. They could ask all firms, on the 30th of May, “Have you executed compliance with MAS guidelines regarding BCM guidelines?” Unlikely, but you never know. They could do it on the 7th of June. So, I’ve seen regulators do this, as a thematic review, or just to touch base with regulated firms. We’re outside of the pandemic now. However, the threat landscape, as Khushboo already highlighted, it’s still there. Cybersecurity is massive at the moment. Map out and plan, comply with the timeline. Consider who will be, who will do the audit, as I’ve already said, experience, skill, knowledge. And then to finish, Khushboo, proactive, proactive, proactive. That’s the key. And then after that, it’s documentation, documentation, documentation. 

Webinar recap

And then, just to recap, the timeline, 6th of June, 2022, the new guidelines came in, as Khushboo highlighted at the beginning. Sixth of June this year, 2023, all firms must meet the new guidelines, and establish a BCM audit plan. Now, that’s not to complete the plan, but it’s to have a BCM audit plan. Sixth of June next year, 2024, all firms must have conducted their first BCM audit. And then that’s business as usual. So, we would highly recommend that you treat this as an urgent activity project, gap analysis, whatever you want to call it, but it should be on the top of your senior management board agenda, and should be a priority for the next couple of months. Thank you very much.  

Tom: Thank you Khushboo and Barry for your thoughts on these Monetary Authority of Singapore guidelines and their implementation. I trust that you’ve all found this webinar informative, and it has given you a better idea of your business continuity management obligations. Here at Waystone Compliance Solutions, we can undertake a gap analysis on your current business continuity management plan, and make suggestions to bring it in line with the guidelines. We can also draft a business continuity management policy for you, as well as designing an audit plan in preparation for the required business continuity management audit by June, 2024. Please do reach out to us if you think that we can assist. We’ll be happy to provide guidance and advice. Thank you, and have a lovely afternoon.