Business Continuity Management Policy by Bank Negara Malaysia
Part B Policy Requirements 9: BCM Framework and Methodology
Alternate Site and Recovery Site
Introduction
The Business Continuity Management (BCM) Policy issued by Bank Negara Malaysia on 19th December 2022 aims to provide comprehensive guidelines for financial institutions operating in Malaysia to ensure the continuity of their critical business functions in the face of unforeseen disruptions.
Part B of this policy outlines the requirements related to the BCM Framework and Methodology, focusing on establishing and maintaining alternate and recovery sites.
Policy Requirement 9: BCM Framework and Methodology for Alternate Site and Recovery Site.
Alternate Site Identification
Financial institutions must identify alternate sites that can serve as backup locations in case of an incident affecting their primary business premises.
The alternate site should be strategically located to ensure minimal impact on business operations and have the necessary infrastructure to accommodate essential staff and technology systems.
Recovery Site Selection
The policy emphasizes the importance of selecting a suitable recovery site where critical business functions can be resumed after a disruption.
The recovery site should be geographically distant from the primary site to avoid being affected by the same incident. It must also be equipped with the required resources and technology infrastructure to facilitate a smooth transition of operations.
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)
Financial institutions are expected to define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical business function.
RTO indicates the maximum acceptable downtime for a function, while RPO represents the maximum amount of data loss that can be tolerated. These objectives help set priorities and plan for the recovery of various business processes.
Data Backup and Replication
To ensure data integrity and availability, banks are required to implement robust data backup and replication procedures.
Critical data should be regularly backed up and stored securely at the recovery site, allowing quick restoration during a disruption.
Alternate Site Activation and Testing
The policy emphasizes the importance of conducting regular tests and simulations to validate the effectiveness of the alternate site and recovery procedures. Institutions must ensure that personnel responsible for implementing the continuity plan are well-trained and familiar with their roles during emergencies.
Risk Assessment and Mitigation
Financial institutions must perform a comprehensive risk assessment to identify potential threats and vulnerabilities that could impact the alternate and recovery sites. Appropriate mitigation measures should be implemented to minimize these risks and enhance the overall resilience of the BCM framework.
Communication and Reporting
Effective communication protocols and reporting lines should be established to inform all relevant stakeholders during a crisis. This includes internal staff, external vendors, regulatory authorities, and customers.
Regulatory Compliance
Financial institutions must adhere to all regulations and guidelines related to business continuity and disaster recovery set forth by Bank Negara Malaysia. Compliance with industry standards and best practices is crucial in maintaining the financial system's resilience.
Conclusion
Part B of the Business Continuity Management Policy issued by Bank Negara Malaysia provides comprehensive guidance on the establishment and maintenance of alternate sites and recovery sites.
By adhering to these policy requirements, financial institutions can enhance their preparedness and resilience and keep critical business functions running during unforeseen disruptions. The policy's focus on risk assessment, testing, and compliance underscores the importance of a proactive approach to business continuity management in the banking sector.