MAS issues revised Business Continuity Management Guidelines for FIs
On 6 June 2022, the Monetary Authority of Singapore (“MAS”) issued a revised version of the Business Continuity Management Guidelines (“Guidelines”) to help financial institutions (“FIs”) strengthen their resilience against service disruptions arising from IT outages, pandemic outbreaks, cyber-attacks and physical threats. To enable the continuous delivery of services to customers, FIs should adopt a service-centric approach through timely recovery of critical business services facing customers, identify end-to-end dependencies that support critical business services and address any gaps that could hinder recovery of such services, and enhance threat monitoring and environmental scanning, and conduct regular audits, tests, and industry exercises.
MAS expects FIs’ senior management and personnel who are responsible for implementing business continuity management (“BCM”) to familiarise themselves with the Guidelines and understand their intent and implications.
This article provides a brief overview of the revised Guidelines.
Effective date of the Guidelines
FIs are expected to meet the Guidelines within 12 months following their issuance. FIs should establish their BCM audit plan within 12 months, and the first BCM audit should be conducted within 24 months of the issuance of the Guidelines.
Background
The Guidelines take into account feedback received from two rounds of public consultation in March 2019 and October 2021. On 6 June 2022, MAS issued its response to feedback received on the second round of public consultation (“Response”).
For more information about the public consultations, please see our articles titled “MAS proposes revisions to Technology Risk Management Guidelines and Business Continuity Guidelines” and “MAS issues second consultation paper and response to feedback on proposed revisions to Guidelines on Business Continuity Management”.
Critical business services and functions
Critical business services and functions are those that, if unavailable, could pose a risk to the FI’s safety and soundness, or adversely impact its customers or other FIs. In the event of a disruption, an FI should prioritise the recovery of its business services and functions based on their criticality and determine the appropriate recovery strategies and resource allocation.
The FI should identify its critical business services and functions by considering the impact of their unavailability on:
- FI’s safety and soundness: Examples of adverse impact include damage to the FI’s financial and liquidity position, loss of assets and revenue, loss of business and investments, and inability to meet legal and regulatory obligations (including sanctions compliance).
- FI’s customers: Besides considering the number of customers that a business service supports, FIs should also consider the type of customers (e.g. retail, corporate or interbank customers.) impacted and how they may be affected when the business service is unavailable.
- Other FIs that depend on the business service: FIs should also consider the extent of systemic impact on the financial sector at large. As an example provided by MAS in its Response, an FI appointed as the sole agent to settle USD cheque clearing obligations across the financial sector could impact multiple FIs when its service is unavailable.
To assist FIs in determining their critical business services, MAS has provided examples of business services in the Appendix of the Guidelines.
FIs should review their critical business services and functions at least annually, or whenever there are material changes to the people, process, technology, or other resources that support the delivery of critical business services.
To minimise the degree of disruption, safeguard customer interests and maintain the safety and soundness of the FI, the FI establishing recovery strategies should adopt an end-to-end view of the critical business services’ dependencies, and not only consider the recovery of individual processes, but the complete set of processes supporting the delivery of the service.
For clear accountability and responsibility for the business continuity of critical business services, the FI should appoint personnel to oversee the recovery and resumption of each critical business service in the event of a disruption.
Service Recovery Time Objective (SRTO)
FIs should establish a Service Recovery Time Objective (“SRTO”) for each critical business service, and implement recovery strategies to meet the SRTOs.
SRTO refers to the target duration of time to restore a critical business function to a minimum service level that is sufficient to meet the FI’s business obligations. As a time-based metric, the SRTO will provide clarity within the FI on the expected recovery timelines for each business service. This will help to guide the prioritisation of resources during planning, and facilitate decision-making and monitoring of the recovery progress in a disruption.
In establishing SRTOs, the FI should consider its obligations to customers and other FIs that depend on the business services. MAS further expects FIs to put in place recovery strategies to achieve the established SRTOs and recover to the service levels required to meet their business obligations. For critical business services that are supported by a number of business functions, the FI must ensure that the Recovery Time Objectives (“RTOs”) of the underlying business functions and their dependencies will meet the SRTOs.
Clear and defined criteria should also be set out for activation of business continuity plans (“BCP”) in the event the performance of a critical business service is reduced or intermittent, before it is completely unavailable. These could include quantitative thresholds or factors such as nature of disruption, expected damages, impact on safety and well-being of employees. This will guide the FI in activating its BCP in a timely manner before the service degradation results in severe impact.
Dependency mapping
People, processes and technology
As the financial sector has become increasingly interconnected with the growing reliance on common IT systems and third parties, FIs should identify and map the end-to-end dependencies on people, processes, technology and other resources (such as data) and consider the implications of their unavailability, and address any gaps that could hinder the effectiveness and safe recovery of the critical business services. Information derived from the dependency map should be used to verify that the recovery of the business functions and their dependencies can meet the established SRTOs.
Third-party dependencies
Arrangements that FIs have with third parties engaged to support the delivery of their critical business services could increase operational risk arising from the failure, delay, or compromise of the third party in providing the service. Hence, an FI should put in place measures that enable third parties to meet the SRTOs of its critical business services. The Guidelines set out some measures for this purpose, e.g. establishing and regularly reviewing operational level or service level agreements with third parties that set out specific and measurable recovery expectations and support the FI’s BCM.
There should also be plans and procedures in place to address unforeseen disruptions, failure or termination of third-party arrangements, to minimise the impact of such adverse events. FIs should also have measures in place to address disruption of common utility services (e.g. telecommunications networks and power utilities), such as implementing redundancy or alternative contingency arrangements.
Concentration risks
While FIs may gain economic benefits through the centralisation of operations, concentration risk may arise from the concentration of people, technology or other required resources in the same zone. A zone refers to an area or region that shares a similar risk profile such that people, data, systems and other key resources located in the same zone would likely be affected by a disruption.
An FI may also be exposed to concentration risk when several of its critical business services and/or functions are outsourced to a single service provider.
The Guidelines set out several approaches to mitigate the risk of concentration, e.g. separating primary and secondary sites of critical business services and functions, or infrastructure (such as data centres) into different zones to mitigate wide-area disruption, and having cross-border support or alternative service providers as a contingency.
Following experience gained from pandemics, FIs should be cognisant of the resultant risks from the implementation of alternate work arrangements to mitigate the risk of disease transmission at workplaces. Such arrangements may entail changes to policies, operational processes, and use of equipment or IT systems that pose new operational risks and other challenges. The FI should put in place mitigating controls to address such new risks and challenges.
Continuous review and testing
As BCM is an ongoing effort to ensure that measures put in place are able to address operational risks posed by the latest threats as well as plausible threats in the future, an FI should embed BCM into its business-as-usual operations and establish BCPs that address a range of severe and plausible disruption scenarios, which may evolve over time. The FI should actively monitor and identify external threats and developments that could disrupt its normal operation, and have an escalation process to alert internal stakeholders and senior management in a timely manner. Following an operational disruption, the FI should perform a review to identify areas of improvement and address gaps in its BCM measures.
The FI should update its BCM policies, plans, and procedures, including relevant training programmes for staff and test plans, based on changes in its operational environment and the threat landscape. The FI should also review its critical business services and functions, their respective SRTOs/ RTOs and dependencies at least annually, or whenever there are material changes that affect them.
Regular and comprehensive testing should be conducted to validate an FI’s BCM preparedness. The tests must meaningfully test all aspects of the BCM and meet the test objectives listed in the Guidelines, e.g. to validate and measure the effectiveness of the BCPs using appropriate metrics, and remediate any gaps or weaknesses that are identified in the recovery process. Some examples of tests are provided in the Guidelines. FIs should select the type of tests that best meet their test objectives and determine the frequency and scope of these tests to be commensurate with the criticality of the business services.
Audit
An FI should ensure its audit programme adequately covers the assessment of BCM preparedness based on the level of operational risks that it is exposed to. This will provide the FI with independent assessment of the adequacy and effectiveness of its BCM framework.
The FI should audit its overall BCM framework and the BCM of each of its critical business services at least once every three years. The audits should be conducted by a qualified party with the requisite BCM knowledge and expertise to perform the audit, and is independent of the unit or function responsible for the BCM of the FI.
The FI should establish processes to track and monitor the implementation of remedial actions in response to the audit findings. Significant audit findings on lapses that may have severe impact on the FI’s BCM should be escalated to the Board and senior management. Upon request, the FI should submit the BCM audit reports to MAS.
Responsibilities of Board and senior management
The Guidelines set out the responsibilities of the Board and senior management. The Board and senior management are ultimately responsible for the FI’s business continuity and should provide the leadership and strategic direction to establish strong governance over the FI’s BCM.
The senior management should provide an annual attestation to the Board on the state of the FI’s BCM preparedness, the extent of its alignment with the Guidelines, and key issues requiring the Board‘s attention such as significant residual risk. The attestation should also be provided to MAS upon request.
Reference materials
The following materials are available on the MAS website www.mas.gov.sg via the relevant webpage:
