Bank Negara Malaysia issued the Business Continuity Management (BCM) Policy on 19 Dec 2022, providing guidelines for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans. Specifically, it highlights the requirements related to the crisis management plan (CMP), business continuity plan (BCP), and disaster recovery plan (DRP).
Banks are expected to have a well-defined CMP that outlines the strategies and procedures to manage crises and emergencies effectively.
The CMP should include the following elements:
The plan should establish a clear organizational structure, roles, and responsibilities for managing crises. It should designate key individuals and teams responsible for crisis decision-making, communication, and coordination.
The CMP should outline communication protocols to ensure timely and accurate dissemination of information to internal and external stakeholders, including employees, customers, regulators, and the media. It should also address stakeholder expectations and engagement during a crisis.
The CMP should define processes for identifying and reporting incidents promptly. It should establish mechanisms to assess the severity and impact of incidents and activate the appropriate response and escalation procedures.
The policy encourages banks to conduct regular training and exercises to test the effectiveness of the CMP. This includes simulated scenarios, tabletop exercises, and live drills to enhance crisis response capabilities and validate the readiness of the plan.
Policy Requirement 9 highlights the importance of developing a robust Business Continuity Plan (BCP) within the BCM framework. The BCP outlines the strategies and procedures to ensure the continuity of critical business functions during disruptions.
The BCP should include the following elements:
The BCP should define recovery strategies and alternate arrangements to minimize the impact of disruptions. This includes identifying backup systems, alternate processing sites, redundancy measures, and recovery time objectives (RTOs) to restore critical functions within acceptable timeframes.
The BCP should address the allocation and management of resources during a disruption. This includes identifying resource requirements, establishing resource recovery priorities, and ensuring the availability of necessary resources such as personnel, technology, infrastructure, and third-party services.
Testing and Maintenance: The policy emphasizes the need for banks to test and update their BCP regularly. Testing and maintenance activities should include exercises, drills, reviews, and updates to validate the plan's effectiveness, identify gaps, and incorporate lessons learned.
Policy Requirement 9 also underscores the need for banks to develop a Disaster Recovery Plan (DRP) as part of the BCM framework. The DRP focuses on recovering and restoring IT systems and infrastructure that support critical business functions.
The DRP should include the following elements:
Banks should establish procedures for regular data backups and secure storage. The DRP should outline the data recovery and restoration processes to ensure the availability and integrity of critical information during and after a disruptive event.
The DRP should define recovery strategies for IT systems, networks, applications, and databases. This includes identifying backup systems, alternative infrastructure, and recovery time objectives (RTOs) to restore IT services within acceptable timeframes.
Banks are expected to conduct regular testing and validation of the DRP to ensure its effectiveness. This includes testing the recovery procedures, validating data restoration, and verifying the functionality of critical IT systems.
Policy Requirement 9 of Bank Negara Malaysia's Business Continuity Management Policy emphasizes the importance of a robust BCM framework and methodology for banks.
It highlights the need for banks to develop comprehensive Crisis Management Plans (CMPs), Business Continuity Plans (BCPs), and Disaster Recovery Plans (DRPs) to manage crises effectively, ensure the continuity of critical business functions, and restore IT systems.