Bank Negara Malaysia issued the Business Continuity Management (BCM) Policy on 19 Dec 2022, providing guidelines for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans. Specifically, it highlights the requirements for Maximum Tolerable Downtime (MTD) and Recovery Time Objective (RTO).
Policy Requirement 9 emphasizes the need for banks to establish Maximum Tolerable Downtime (MTD) within the BCM framework. MTD refers to the maximum duration a critical business function can tolerate being unavailable before severe consequences occur.
Banks need to define MTD in quantifiable terms so that recovery strategies are designed to restore operations within acceptable timeframes.
Banks should clearly define MTD for each critical business function. It is important to establish measurable and quantifiable criteria to determine the allowable duration of downtime based on the impact on the organization, customers, and stakeholders.
MTD should be determined through a comprehensive risk assessment and business impact analysis (BIA). Banks can define realistic MTD thresholds by understanding the potential consequences of disruptions and their impact on critical functions.
MTD helps prioritize recovery during a disruptive event. It guides the allocation of resources and effort towards restoring critical functions within the acceptable timeframes defined by the MTD.
Policy Requirement 9 also emphasizes defining Recovery Time Objectives (RTO) within the BCM framework. RTO represents the target time within which a critical business function must be restored after a disruption.
By defining RTOs, banks can prioritize recovery efforts and allocate resources accordingly. RTOs should be aligned with the MTD and with the recovery strategies implemented.
Banks should clearly define the desired RTO for each critical business function. RTO is typically measured from the point of disruption to the point of full recovery, including the restoration of data, systems, and processes.
RTO should be determined based on the impact assessment and dependencies identified during the business impact analysis (BIA). It considers the recovery time requirements for related systems, processes, and external dependencies.
RTO guides the selection and implementation of appropriate recovery strategies. Banks should allocate resources, including personnel, technology, and infrastructure, to ensure the timely recovery of critical functions within the defined RTO.
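The requirement that RTO account for related systems and external dependencies is easy to state and easy to get wrong in a BIA spreadsheet: a function's own restore time can sit comfortably inside its MTD while the chain of systems it waits on pushes the real recovery time past it. The following is an added example, not text or tooling from the BNM policy: a small dependency-aware check over a constructed BIA register (function names, hours and dependencies are all hypothetical) that computes each function's effective RTO, assuming sequential recovery in which a dependency is restored before the dependent function's own restoration begins, and flags any function whose effective RTO exceeds its MTD.

```python
"""Dependency-aware RTO vs MTD check for a business impact analysis register.

Added example; the register below is constructed and the recovery model
(sequential: upstream first, then the function's own restore) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    mtd_hours: float            # Maximum Tolerable Downtime for this function
    rto_hours: float            # the function's own restoration time target
    depends_on: tuple = ()      # upstream functions that must be restored first


# Constructed sample BIA register (hypothetical functions and values).
REGISTER = {
    "core_banking": CriticalFunction("core_banking", mtd_hours=4, rto_hours=2),
    "identity": CriticalFunction("identity", mtd_hours=4, rto_hours=5),  # own RTO already exceeds MTD
    "payments": CriticalFunction("payments", mtd_hours=6, rto_hours=3,
                                 depends_on=("core_banking",)),
    "internet_banking": CriticalFunction("internet_banking", mtd_hours=6, rto_hours=2,
                                         depends_on=("core_banking", "identity")),
    "reporting": CriticalFunction("reporting", mtd_hours=24, rto_hours=4,
                                  depends_on=("payments",)),
}


def effective_rto(register, name, _path=()):
    """Earliest time (hours) at which `name` can be fully restored.

    Sequential model: the slowest dependency must be back before this
    function's own restoration starts, so effective RTO is
    max(effective RTO of dependencies) + own RTO. Cycles are rejected,
    since a circular dependency means neither side can ever be recovered first.
    """
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    fn = register[name]
    upstream = max(
        (effective_rto(register, dep, _path + (name,)) for dep in fn.depends_on),
        default=0.0,
    )
    return upstream + fn.rto_hours


def validate(register):
    """Map each function to (effective_rto, mtd, within_mtd)."""
    results = {}
    for name, fn in register.items():
        eff = effective_rto(register, name)
        results[name] = (eff, fn.mtd_hours, eff <= fn.mtd_hours)
    return results


def breaches(register):
    """Names of functions whose effective RTO exceeds their MTD, sorted."""
    return sorted(n for n, (_, _, ok) in validate(register).items() if not ok)


if __name__ == "__main__":
    for name, (eff, mtd, ok) in validate(REGISTER).items():
        status = "OK" if ok else "BREACH"
        print(f"{name:18s} effective RTO {eff:>4.1f}h  MTD {mtd:>4.1f}h  {status}")
```

In the constructed register, `internet_banking` has an own RTO of 2 hours against a 6-hour MTD, yet its effective RTO is 7 hours because it cannot come back before `identity`, which itself breaches. That is the kind of finding a BIA review should surface: either the dependency's RTO must shrink, or the dependent function's MTD and recovery strategy must be revisited.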
Policy Requirement 9 highlights the need for banks to review and update their MTD and RTO definitions regularly. This ensures that the defined thresholds remain relevant, considering changes in business priorities, emerging risks, and evolving regulatory requirements.
Banks should review their MTD and RTO as their business needs evolve. This includes considering changes in customer expectations, market conditions, and technology advancements that may impact the acceptable downtime and recovery objectives.
As new risks and threats emerge, banks should assess their potential impact on MTD and RTO. This proactive approach enables banks to adjust their recovery strategies and resource allocation to effectively address emerging risks.
Regular review of MTD and RTO ensures that banks remain compliant with regulatory requirements related to business continuity management.
Policy Requirement 9 of Bank Negara Malaysia's Business Continuity Management Policy emphasizes the importance of establishing Maximum Tolerable Downtime (MTD) and Recovery Time Objective (RTO) within the BCM framework.
By defining these thresholds, banks can prioritize recovery efforts, allocate resources effectively, and ensure the timely restoration of critical business functions during disruptive events.
Business Continuity Management Policy by Bank Negara Malaysia, Part B, Requirement 9