MAS revised Business Continuity Management Guidelines

      On 6 June 2022, the Monetary Authority of Singapore (MAS) released the revised Business Continuity Management Guidelines (BCM Guidelines).

      What are the BCM Guidelines? 

      BCM Guidelines are applicable to all financial institutions (FIs) and emphasise the need for all FIs to maintain their business continuity and resilience against disruptive events such as cyber attacks and pandemic outbreaks. The extent and degree to which an FI implements the BCM Guidelines should be commensurate with the nature, size, risk profile and complexity of its business operations.

      Why are business continuity management procedures important? 

      Effective business continuity management procedures are essential for efficient and safe continuation of business in today’s world. MAS has indicated that, as part of its supervision, FIs will be assessed on how well they have adopted the BCM Guidelines within their organisation, and particular attention will be placed on business continuity management of an FI’s critical business services.

      How long do financial institutions have to comply with BCM guidelines? 

      FIs have 12 months from the date of issuance to comply with the BCM Guidelines. FIs are also required to establish their BCM audit plan within 12 months, with the first BCM audit to take place within 24 months from issuance of the BCM Guidelines, that is, by 6 June 2024.

      Summary of MAS BCM changes

      Identification of critical services and functions
      1. Analyse the impact of the unavailability of these critical services and functions on FI’s safety and soundness, FI’s customers and other FIs that depend on the business service
      2. Establish recovery strategies
      3. Assign clear accountability and responsibility for business continuity of critical services and functions
      4. Appoint personnel to oversee recovery and resumption in the event of disruption.
      Service Recovery Time Objective (SRTO)
      1. Establish SRTO for each critical business service
      2. Establish recovery strategies to meet SRTOs
      3. For critical business services supported by a number of business functions, ensure Recovery Time Objectives (RTOs) are adequate
      4. Ensure clearly defined criteria are set to trigger activation of BCP.
      Dependency mapping
      1. Map end-to-end dependencies on people, processes, technology and other resources
      2. Implement measures to enable third-party service providers to meet SRTOs of critical business services
      3. Manage concentration risks to single service providers.
      Continuous review and testing
      1. Monitor and identify external threats and developments potentially disrupting business and escalate to stakeholders and senior management
      2. Conduct gap analysis against BCP after operational disruption to identify areas of improvement
      3. Update BCP and test plans based on operational changes and threat landscape
      4. Review SRTOs, RTOs and dependencies annually or upon material changes.
      Audit
      1. Conduct an independent audit on FI’s BCM preparedness at least once every three years
      2. Escalate significant audit findings to Board and senior management
      3. Submit audit report to MAS upon request.
      Crisis management
      1. Implement processes to manage incidents to resume critical business services and functions
      2. Establish clear communication channels with staff and external stakeholders to provide updates
      3. Notify MAS via incident reporting template no later than one hour upon discovery of incidents where business operations will be severely disrupted or when BCP is going to be activated.
      Responsibilities of Board and Senior Management
      1. Board and senior management ultimately responsible for FI’s business continuity and provide strong governance over BCM
      2. Senior management to provide annual attestation to Board on FI’s BCM preparedness, alignment to BCM Guidelines and key issues
      3. Attestation report to be submitted to MAS upon request.

       

      Want more information on the MAS business continuity management guidelines? Contact our APAC compliance specialists today. 
