MAS BCM Guidelines: Preparing for the 2026/2027 BCM Audit Cycle in Singapore
Under the MAS BCM Guidelines (June 2022), all financial institutions (“Fis”) were required to complete their first independent BCM audit by 6 June 2024. MAS requires that an independent audit be conducted at least once every three years thereafter. This means the next BCM audit cycle will be due by 6 June 2027 (or three years from the completion date of the latest BCM audit).
Regulated FIs should begin preparations for the next independent BCM Audit as required by the BCM Guidelines (June 2022) to ensure continued compliance with MAS operational resilience and BCM requirements. Early preparation will help institutions avoid last‑minute remediation, reduce audit findings, and demonstrate a mature operational resilience posture to MAS.
BCM Guidelines (June 2022)
The MAS Business Continuity Management Guidelines (June 2022) significantly strengthened operational resilience requirements for financial institutions operating in Singapore.
The Guidelines introduced a service-centric approach to operational resilience, requiring FIs to identify and prioritise critical business services and functions.
The key focus areas were as follows:
- Identification of Critical Business Services – Determining services that are critical to customers or financial system
- Establishment of Service Recovery Time Objectives (SRTOs) – Establishing clear recovery timelines for disruptive scenarios
- End-to-end Dependency Mapping – Mapping dependencies across people, processes, technology, facilities, and third parties
- Third-party and Concentration Risk Management – Identifying vulnerabilities arising from outsourcing or key service providers
- Crisis Management Frameworks – Establishing effective crisis escalation, governance, and communication procedures
- BCP Testing and Scenario Testing – Conducting periodic testing of the business continuity plans disruption scenarios
- Independent BCM Audit – Mandatory independent audit of the BCM framework at least once every three years.
These requirements form the foundation of MAS operational resilience expectations for financial institutions in Singapore. FIs that embed these principles into day‑to‑day operations will be better positioned for supervisory reviews and future audit cycles.
MAS Supervisory Focus on BCM and Operational Resilience
The Monetary Authority of Singapore continues to place strong supervisory focus on operational resilience, BCM frameworks, and third-party risk management.
MAS may conduct:
- Thematic reviews
- Targeted inspections
- Follow-up supervisory engagements.
These supervisory reviews may assess how financial institutions have remediated findings identified in 2024 BCM audit cycle, embedded BCM frameworks into day-to-day operational processes and strengthened operational resilience against technology disruptions, cyber incidents and outsourcing risks.
Supervisory reviews are expected to focus on the operational effectiveness of BCM frameworks including:
- Service Recovery Time Objectives (SRTO)
- Dependency Mapping
- Third-party risk management and outsourcing oversight
- Board and senior management oversight of BCM programmes.
Financial institutions should therefore prepare on the basis that MAS supervisory scrutiny will continue ahead of the 2026/2027 BCM audit deadline. Institutions that can demonstrate strong governance, robust testing, and clear SRTO alignment will be better positioned to meet MAS expectations.
Anticipated Areas of Audit Focus
Based on supervisory trends and industry experience, FIs should expect focus in the following areas:
- Identification and validation of critical business services
- Calibration of Service Recovery Time Objectives (SRTOs)
- Completeness of end-to-end dependency mapping (people, processes, technology, facilities, third parties)
- Alignment of recovery and continuity strategies with defined SRTOs
- Adequacy of third-party due diligence, contractual arrangements, and contingency arrangements
- Effective testing of BCP and remediation of weaknesses
- Audits of the BCM program and remediation of gaps.
FIs should expect auditors to request detailed evidence, challenge assumptions, and assess whether resilience measures are embedded rather than documented only at a policy level.
MAS BCM Audit and Compliance Support in Singapore
Preparing for an MAS BCM audit requires a detailed review of operational resilience frameworks, governance structures, and testing procedures.
Waystone provides BCM audit and MAS compliance support to financial institutions in Singapore.Our services include:
- MAS BCM Independent Audit – Comprehensive assessments of BCM frameworks to ensure compliance with MAS BCM Guidelines and operational resilience expectations
- Gap Analysis and Remediation Support – Identification of gaps against MAS regulatory requirements and provision of practical remediation plans
- Operational Resilience and Dependency Mapping Reviews – Assessment of SRTO calibration, dependency mapping, and third-party resilience
- BCM Testing and Scenario Review – Evaluation of business continuity testing programmes and crisis management frameworks
With deep experience supporting MAS‑regulated institutions across APAC, Waystone helps clients strengthen operational resilience, reduce regulatory risk, and prepare confidently for the 2026/2027 BCM audit cycle.
If your institution is preparing for the MAS BCM audit cycle or requires support with MAS compliance in Singapore, our APAC Compliance Solutions team would be happy to assist. Please reach out to your usual Waystone representative or contact us below.