Business Continuity Management Guidelines by Bank Negara Malaysia
Part B Policy Requirements 9: BCM Framework and Methodology
9a: Risk Assessment, Business Impact Analysis, and Critical Business Functions
Introduction
Bank Negara Malaysia issued the Business Continuity Management (BCM) Policy on 19 Dec 2022, providing guidelines for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans. Specifically, it highlights the requirements for risk assessment, business impact analysis, and critical business functions.
Risk Assessment
Policy Requirement 9 emphasizes the importance of conducting a comprehensive risk assessment within the BCM framework. Banks must identify and assess potential threats, vulnerabilities, and risks that could disrupt their operations.
a. Risk Identification
Banks should identify a wide range of risks, including but not limited to external risks (e.g., natural disasters, cyber-attacks, regulatory changes) and internal risks (e.g., system failures, human errors, supply chain disruptions). It is crucial to have a systematic approach to identify and document these risks.
b. Risk Evaluation
Once risks are identified, banks should assess their potential impact and likelihood of occurrence. This evaluation helps prioritize risks based on severity and provides insights into the potential consequences and vulnerabilities.
c. Risk Mitigation
Based on the risk assessment, banks should develop strategies and implement measures to mitigate the identified risks. This may involve implementing controls, redundancy measures, and safeguards to reduce the likelihood and impact of disruptive events.
Business Impact Analysis (BIA)
Policy Requirement 9 emphasizes the need for banks to conduct a thorough business impact analysis (BIA) as part of their business continuity management. The BIA helps identify critical business functions and assess their dependencies, vulnerabilities, and recovery requirements.
a. Critical Business Functions
Banks should identify and prioritize the critical business functions needed to maintain operations and provide vital services.
The BIA helps determine which functions require immediate attention and allocation of resources during a disruptive event.
b. Dependencies and Interdependencies
The BIA should assess the dependencies and interdependencies between critical business functions, processes, systems, and external stakeholders.
This analysis helps identify potential bottlenecks, risks, and areas requiring additional attention for effective continuity planning.
c. Recovery Requirements
The BIA helps determine the recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions. These objectives define the acceptable timeframes for restoring operations and recovering data, ensuring the timely resumption of essential services.
Critical Business Functions (CBF)
Policy Requirement 9 emphasizes identifying and managing critical business functions within the BCM framework. Critical business functions are activities that are essential for the continued operation of the bank.
a. Definition and Prioritisation
Banks should clearly define their critical business functions and assign appropriate priority levels. This prioritization enables effective resource allocation and ensures that the most critical functions are given priority during a disruptive event.
b. Resource Allocation
The policy requires banks to allocate sufficient resources to support the continuity of critical business functions. This includes personnel, technology, infrastructure, and third-party support. Proper resource allocation helps ensure the uninterrupted provision of essential services.
c. Regular Review and Updating
Banks should regularly review and update their assessment of critical business functions to align with changing business priorities, emerging risks, and evolving regulatory requirements. This ensures that the continuity plans remain relevant and effective.
Conclusion
Policy Requirement 9 of Bank Negara Malaysia's Business Continuity Management Policy underscores the importance of risk assessment, business impact analysis, and critical business functions within the BCM framework.
By conducting a comprehensive risk assessment, banks can identify and prioritize potential risks and develop mitigation strategies. The business impact analysis helps determine critical functions, dependencies, and recovery requirements, while identifying and managing critical business functions helps ensure the continuity of essential services.