BIA Questionnaires
Part 3: Impact Over Time of Business Functions
Notes for BCM Institute's Course Participants: This is the template for completing the "Part 3: Impact Over Time of Business Functions."
CBF 5: Compliance, Governance & Reporting
In the realm of corporate governance and statutory compliance, time sensitivity plays a crucial role in sustaining the operational integrity and legal standing of an organisation.
For Bandtree, as a government-linked company (GLC) operating under Darussalam Assets, maintaining robust compliance and reporting functions is not only a regulatory necessity but also a pillar of public trust and organisational resilience.
Purpose of Chapter
This chapter presents a detailed assessment of how disruptions to the key sub-functions under CBF-5 (Compliance, Governance, and Reporting) impact the organisation over various time intervals.
The analysis is conducted using a structured Business Impact Analysis (BIA) approach, with impact levels scored on a scale from 1 (lowest) to 5 (highest).
The objective is to determine the criticality of each sub-process over specific periods of disruption, enabling the prioritisation of recovery actions and continuity planning.
Each sub-function—ranging from regulatory compliance to ESG reporting and business continuity governance—is evaluated against its time-sensitive dependencies, legal obligations, and stakeholder expectations.
The analysis considers the Recovery Time Objective (RTO), Maximum Tolerable Period of Disruption (MTPD), and periods of heightened vulnerability for each sub-process.
This structured approach enables Bandtree to prioritise response efforts, allocate resources effectively, and enhance overall resilience in the face of unexpected disruptions.
This table outlines CBF-5: Compliance, Governance & Reporting and its sub-processes (Sub-CBFs) for Bandtree, following the impact-over-time methodology from BCM Institute's Guidance Notes and using a 1–5 severity scale.
Table 3-1: [BIA] [P3] Impact Over Time of Business Functions (Sub-CBF) for CBF-5 Compliance, Governance & Reporting
| Sub-CBF | Sub-CBF Code | Highest-Impact Area | 8 Hour | 1 Day | 2 Day | 3 Day | 5 Day | 7 Day | 10 Day | 14 Day | 21 Day | 30 Day | 60 Day |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Regulatory & Legal Compliance | 5.1 | Legal & Regulatory | 4 | 4 | 5 | 5 | 5 | 5 | 5 | 5 | 4 | 4 | 3 |
| Internal Audit & Risk Oversight | 5.2 | Operational & Financial | 3 | 4 | 4 | 5 | 5 | 5 | 5 | 4 | 4 | 3 | 2 |
| Corporate Governance Monitoring | 5.3 | Reputational & Strategic | 2 | 3 | 4 | 4 | 4 | 4 | 3 | 3 | 3 | 2 | 2 |
| ESG Reporting | 5.4 | Reputational & Regulatory | 2 | 3 | 3 | 3 | 4 | 4 | 4 | 3 | 2 | 2 | 1 |
| Business Continuity Governance | 5.5 | Operational & Compliance | 3 | 4 | 4 | 5 | 5 | 5 | 4 | 3 | 3 | 3 | 2 |
| Strategic & Statutory Reporting | 5.6 | Regulatory & Strategic | 3 | 4 | 5 | 5 | 5 | 4 | 4 | 3 | 3 | 2 | 2 |
Table 3-2: [BIA] [P3] Impact Over Time of Business Functions (Sub-CBF) for CBF-5 Compliance, Governance & Reporting
| Sub-CBF | Sub-CBF Code | RTO | MTPD | Vulnerable Period |
|---|---|---|---|---|
| Regulatory & Legal Compliance | 5.1 | 1 Day | 14 Days | Pre-audit, legal filings |
| Internal Audit & Risk Oversight | 5.2 | 2 Days | 21 Days | Quarterly review cycle |
| Corporate Governance Monitoring | 5.3 | 3 Days | 30 Days | AGM preparation, board review |
| ESG Reporting | 5.4 | 5 Days | 30 Days | Sustainability disclosures |
| Business Continuity Governance | 5.5 | 2 Days | 21 Days | Crisis season, BCP review |
| Strategic & Statutory Reporting | 5.6 | 2 Days | 30 Days | Year-end audit cycles |
Legend – Impact Scores
- 1 = Negligible Impact (Very Low)
- 2 = Minor Impact (Low)
- 3 = Moderate Impact (Medium)
- 4 = Major Impact (High)
- 5 = Critical/Catastrophic Impact (Very High)
Key Notes
- RTO (Recovery Time Objective): Indicates the acceptable downtime before severe impact begins.
- MTPD (Maximum Tolerable Period of Disruption): Maximum allowable time the sub-function can be disrupted before irrecoverable consequences occur.
- Vulnerable Period: Timeframes in which disruption has amplified effects (e.g., audits, contract renewals, public reporting).
Summing Up... Part 3
The findings of this impact assessment underscore the high sensitivity and criticality of Bandtree's compliance, governance, and reporting functions across both short-term and extended disruption periods.
Sub-CBFs, such as Regulatory & Legal Compliance and Strategic & Statutory Reporting, exhibit elevated impact ratings within the first 24 to 48 hours of interruption, emphasising their time-critical nature during legal filing periods and reporting cycles.
By identifying the Recovery Time Objectives (RTOs) and the Maximum Tolerable Periods of Disruption (MTPDs) for each sub-CBF, the organisation is better equipped to allocate resources, implement risk mitigation strategies, and align recovery priorities with regulatory mandates and corporate governance standards.
This impact analysis not only reinforces the need for timely and uninterrupted execution of compliance functions but also contributes directly to the development of effective Business Continuity Plans (BCPs) and risk oversight frameworks.
Through this structured understanding, Bandtree strengthens its resilience, safeguards stakeholder confidence, and ensures uninterrupted compliance with Brunei’s legal and governance requirements.
BIA Questionnaires
Part 4: Supporting IT Systems and Applications
Notes for BCM Institute's Course Participants: This is the template for completing the "Part 4: Supporting IT Systems and Applications."
CBF 5: Compliance, Governance & Reporting
In today's data-driven and compliance-centric environment, the integrity and continuity of supporting IT systems play a pivotal role in sustaining the effectiveness of Bandtree Sdn Bhd’s compliance, governance, and reporting functions.
CBF-5 encompasses critical sub-processes, including Regulatory and Legal Compliance, Internal Audit, Corporate Governance Monitoring, ESG Reporting, Business Continuity Governance, and Strategic and Statutory Reporting.
Each of these areas relies on a suite of IT systems and applications to manage information flow, ensure regulatory alignment, generate reports, and support strategic decision-making.
Purpose of Chapter
This chapter identifies the key IT systems and applications supporting each sub-function under CBF-5. It outlines their associated Recovery Point Objectives (RPOs), Recovery Time Objectives (RTOs), and any special equipment or infrastructure dependencies.
The objective is to establish a comprehensive understanding of the technological backbone that enables continuity, accountability, and resilience in Bandtree’s governance and compliance ecosystem.
The following tables list the supporting IT systems and applications for CBF-5: Compliance, Governance & Reporting and its Sub-CBFs at Bandtree:
Table 4-1: [BIA] [P4] Supporting IT Systems and Applications for CBF-5 Compliance, Governance & Reporting
| Sub-Critical Business Function | Sub-CBF Code | IT Systems and Applications | RPO | System RTO |
|---|---|---|---|---|
| Regulatory & Legal Compliance | 5.1 | Document Management System (DMS), Email | 24 hrs | 8 hrs |
| Internal Audit & Risk Oversight | 5.2 | Audit Software, Risk Register Platform | 24 hrs | 12 hrs |
| Corporate Governance Monitoring | 5.3 | Governance Dashboard, MS SharePoint | 48 hrs | 12 hrs |
| ESG Reporting | 5.4 | ESG Reporting Software, Data Analytics Tool | 72 hrs | 24 hrs |
| Business Continuity Governance | 5.5 | BCP Management Platform, Email | 24 hrs | 8 hrs |
| Strategic & Statutory Reporting | 5.6 | Financial Reporting System, Excel | 24 hrs | 12 hrs |
Table 4-2: [BIA] [P4] Supporting IT Systems and Applications for CBF-5 Compliance, Governance & Reporting
| Sub-Critical Business Function | Sub-CBF Code | Supporting Special Equipment or Resources | Remarks |
|---|---|---|---|
| Regulatory & Legal Compliance | 5.1 | Legal reference databases, compliance registers | Essential for avoiding legal breaches |
| Internal Audit & Risk Oversight | 5.2 | Secure access to audit trails, risk reports | Supports internal controls and transparency |
| Corporate Governance Monitoring | 5.3 | Board reporting tools, governance checklists | Required for executive-level oversight |
| ESG Reporting | 5.4 | Access to ESG metrics sources, data templates | Supports stakeholder trust and sustainability |
| Business Continuity Governance | 5.5 | BIA & BCP documentation repository | Ensures BC planning and coordination |
| Strategic & Statutory Reporting | 5.6 | Regulatory filing templates, secure archives | For compliance with regulatory deadlines |
Summing Up... Part 4
The effectiveness of CBF-5 Compliance, Governance & Reporting is inextricably linked to the availability and resilience of its supporting IT systems.
As demonstrated, each sub-function depends on purpose-built applications, from audit software and compliance databases to governance dashboards and ESG analytics platforms.
Ensuring that these systems meet the defined RPOs and RTOs is not merely an operational requirement—it is essential for maintaining Bandtree Sdn Bhd’s regulatory standing, internal control framework, and stakeholder trust.
As we advance, the organisation must continuously assess, update, and test the performance and recovery capability of these systems to align with evolving regulatory requirements and business priorities.
This proactive approach reinforces Bandtree’s commitment to robust governance and operational continuity.