Business Continuity Management Policy by Bank Negara Malaysia
Part B Policy Requirements 9: BCM Framework and Methodology
Crisis management (CM) plan, business continuity (BC) plan and disaster recovery (DR) plan
Introduction to Part B Policy Requirements 9
Bank Negara Malaysia issued the Business Continuity Management (BCM) Policy on 19 Dec 2022, providing guidelines for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans. Specifically, it highlights the requirements related to the crisis management plan (CMP), business continuity plan (BCP), and disaster recovery plan (DRP).
Crisis Management (CM) Plan
Policy Requirement 9 emphasizes the development of a comprehensive Crisis Management Plan (CMP) as a key component of the BCM framework.
Banks are expected to have a well-defined CMP that outlines the strategies and procedures to manage crises and emergencies effectively.
The CMP should include the following elements:
a. Crisis Response Structure
The plan should establish a clear organizational structure, roles, and responsibilities for managing crises. It should designate key individuals and teams responsible for crisis decision-making, communication, and coordination.
b. Communication and Stakeholder Management
The CMP should outline communication protocols to ensure timely and accurate dissemination of information to internal and external stakeholders, including employees, customers, regulators, and the media. It should also address stakeholder expectations and engagement during a crisis.
c. Incident Identification and Reporting
The CMP should define processes for identifying and reporting incidents promptly. It should establish mechanisms to assess the severity and impact of incidents and activate the appropriate response and escalation procedures.
d. Crisis Training and Exercises
The policy encourages banks to conduct regular training and exercises to test the effectiveness of the CMP. This includes simulated scenarios, tabletop exercises, and live drills to enhance crisis response capabilities and validate the readiness of the plan.
Business Continuity (BC) Plan
Policy Requirement 9 highlights the importance of developing a robust Business Continuity Plan (BCP) within the BCM framework. The BCP outlines the strategies and procedures to ensure the continuity of critical business functions during disruptions.
The BCP should include the following elements:
a. Business Impact Analysis (BIA)
Banks should conduct a comprehensive BIA to identify critical business functions, dependencies, and the potential impact of disruptions. The BIA helps prioritize resources, recovery strategies, and continuity measures.
b. Recovery Strategies and Alternatives
The BCP should define recovery strategies and alternate arrangements to minimize the impact of disruptions. This includes identifying backup systems, alternate processing sites, redundancy measures, and recovery time objectives (RTOs) to restore critical functions within acceptable timeframes.
c. Resource Allocation and Management
The BCP should address allocating and managing resources during a disruption. This includes identifying resource requirements, establishing resource recovery priorities, and ensuring the availability of necessary resources such as personnel, technology, infrastructure, and third-party services.
d. Testing and Maintenance
The policy emphasizes the need for banks to test and update their BCP regularly. Testing and maintenance activities should include exercises, drills, reviews, and updates to validate the plan's effectiveness, identify gaps, and incorporate lessons learned.
Disaster Recovery (DR) Plan
Policy Requirement 9 also underscores the need for banks to develop a Disaster Recovery Plan (DRP) as part of the BCM framework. The DRP focuses on recovering and restoring IT systems and infrastructure that support critical business functions.
The DRP should include the following elements:
a. Data Backup and Recovery
Banks should establish procedures for regular data backups and secure storage. The DRP should outline the data recovery and restoration processes to ensure the availability and integrity of critical information during and after a disruptive event.
b. IT System Recovery Strategies
The DRP should define recovery strategies for IT systems, networks, applications, and databases. This includes identifying backup systems, alternative infrastructure, and recovery time objectives (RTOs) to restore IT services within acceptable timeframes.
c. Testing and Validation
Banks are expected to conduct regular testing and validation of the DRP to ensure its effectiveness. This includes testing the recovery procedures, validating data restoration, and verifying the functionality of critical IT systems.
Conclusion
Policy Requirement 9 of Bank Negara Malaysia's Business Continuity Management Policy emphasizes the importance of a robust BCM framework and methodology for banks.
It highlights the need for banks to develop comprehensive Crisis Management Plans (CMPs), Business Continuity Plans (BCPs), and Disaster Recovery Plans (DRPs) to manage crises effectively, ensure the continuity of critical business functions, and restore IT systems.