Business Continuity Management
Policy by Bank Negara Malaysia
Part B Policy Requirements 9: BCM Framework and Methodology
Recovery Strategy
Introduction
Bank Negara Malaysia issued the Business Continuity Management (BCM) Policy on 19 Dec 2022, providing guidelines for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans.
Specifically, it highlights the requirements related to the recovery strategy.
A recovery strategy outlines the steps and measures to restore critical business functions and operations after a disruptive event.
a. Impact Assessment
Before developing a recovery strategy, banks are required to conduct a comprehensive impact assessment. This involves assessing the potential consequences and impacts of disruptions on critical business functions, processes, systems, and stakeholders. The impact assessment helps banks prioritize recovery efforts and allocate resources effectively.
b. Recovery Objectives
Banks should define clear recovery objectives as part of their recovery strategy. These objectives include Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
RTO refers to the targeted duration for restoring critical business functions, while RPO refers to the maximum acceptable data loss during recovery. Clearly defined objectives help guide the recovery process and ensure timely restoration.
c. Recovery Approaches
The policy encourages banks to adopt a multi-faceted approach to recovery. This may involve a combination of strategies, such as:
Backup and Restore
Banks should establish appropriate backup mechanisms to ensure the availability of critical data, systems, and infrastructure. Regular backups, off-site storage, and periodic restoration tests help facilitate a smooth recovery process.
Alternate Processing Sites
Banks should identify and establish alternate processing sites to serve as backup locations during a disruption. These sites should have the necessary infrastructure, systems, and resources to support critical operations.
Redundancy and Failover
Banks should implement redundancy and failover mechanisms for critical systems and infrastructure. This includes redundant hardware, network connections, and failover processes to minimize downtime and ensure continuous operations.
d. Resource Allocation
Banks should allocate sufficient resources to support the implementation of the recovery strategy. This includes personnel, technology, infrastructure, and third-party support. Adequate resource allocation enables timely and effective execution of recovery activities and minimizes the impact of disruptions.
e. Testing and Validation
Policy Requirement 9 emphasizes the importance of testing and validating the recovery strategy. Banks should conduct regular tests, simulations, and exercises to verify the effectiveness of the recovery plans, identify gaps, and refine the strategies as needed.
Testing helps build confidence in the recovery capabilities and ensures readiness for actual disruptions.
f. Documentation and Review
The policy requires banks to document the recovery strategy and regularly review and update it. Documentation should include detailed recovery plans, procedures, and associated guidelines.
Regular reviews help ensure the recovery strategy is aligned with changing business needs, emerging risks, and evolving technologies.
Conclusion
Policy Requirement 9 of Bank Negara Malaysia's Business Continuity Management Policy emphasizes the development of a robust recovery strategy within the BCM framework.
By conducting a comprehensive impact assessment, defining recovery objectives, adopting multi-faceted recovery approaches, allocating resources effectively, and conducting regular testing, banks can enhance their ability to restore critical business functions and operations after a disruptive event.