REMINDER: MAS Revised Guidelines on Business Continuity Management (BCM)
Although customers are the primary focus of protection, it should be noted that employees and the market itself are also protected.
The revised MAS Guidelines issued on 6 June 2022 replace all previous versions that were published by MAS (including “Further Guidance on BCM”).
FIs must meet the new Guidelines by June 2023 and establish a BCM audit plan, with the first BCM audit to take place by June 2024.
The key message for firms is that there are new principles and practices that must be implemented in order to strengthen their operational resilience.
Action to take now
The new guidelines require FIs to go further, much further than before, by adopting a service-centric approach. They demand that the customer be the focal point of all decisions in respect of potential risks and failings:
- FIs must take a step back and identify the critical business services unique to them. In addition to critical business functions, FIs must safeguard the delivery of services to customers on an ongoing basis, and customers must have confidence that, if an event occurs, the FI has resilience built into its plans.
- FIs must assess their critical business services: external-facing services which, if disrupted in the short or long term, are likely to have a significant impact on the FI's safety and soundness, on its customers, or on other FIs that depend on the service.
- FIs must undertake robust assessments of critical business functions: activities performed by individual organisational lines, such as a department or unit, which, if disrupted, are likely to have a significant impact on the FI, whether directly or indirectly, financially or non-financially.
- FIs must set target recovery times and establish service recovery time objectives, in order to provide clarity on the recovery expectations for each critical business service.
- FIs must identify and map end-to-end dependencies, covering the people, processes, technology and other resources (including those involving third parties) that support each critical business service.
- Significantly, FIs must conduct a BCM audit, to cover the FI’s overall BCM framework and the BCM of each of its critical business services, concentrating on the adequacy and effectiveness of its BCM framework, at least once every three years.
- FIs must continuously review and improve their BCM by proactively monitoring and scanning for relevant threats that could disrupt normal operations, and must continuously seek out areas to enhance so that their BCM remains relevant and forward-looking.
- The FI's Board and Senior Management are ultimately responsible for the FI's BCM. They must (a) have in place a crisis management structure, plans and procedures; (b) conduct regular and comprehensive testing; (c) validate the effectiveness of the FI's response and recovery arrangements; (d) remediate any gaps or weaknesses identified; and (e) mitigate concentration risk, by reducing exposure to risk arising from the concentration of people, technology or other required resources in the same zone, or from reliance on a single service provider.
What is the timeline?
As we start the new year FIs should consider the revised BCM requirements and actions required.
BCM covers the entire business, end-to-end, including business flows. FIs must produce detailed assessments and documentation, which means time must be invested in preparing early.
How can Waystone help?
Waystone’s team of experts can assist your firm at every stage, from drafting a new or enhanced BCM policy and audit framework to providing a mock regulatory audit. Please reach out to your usual Waystone representative or contact us below.