Business Continuity Management Policy by Bank Negara Malaysia
Part B Policy Requirements 9: BCM Framework and Methodology
Testing and Exercises
Introduction
Bank Negara Malaysia issued the Business Continuity Management (BCM) Policy on 19 Dec 2022, providing guidelines for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans. Specifically, it highlights the requirements related to testing and exercises.
Policy Requirement 9 emphasizes the importance of testing and exercises within the BCM framework. These are vital in evaluating the effectiveness of business continuity plans, identifying gaps or weaknesses, and improving preparedness for disruptive events.
a. Types of Testing and Exercises
The policy encourages banks to conduct various types of testing and exercises, including:
i. Desktop Exercises
These exercises involve simulated scenarios and discussions to evaluate the effectiveness of the business continuity plans and procedures.
Desktop exercises help identify plan gaps, clarify roles and responsibilities, and enhance stakeholder coordination.
ii. Functional Testing
Functional testing focuses on validating specific components or functions of the business continuity plans. It includes testing the availability and functionality of backup systems, alternate processing sites, and critical infrastructure.
iii. Full-Scale Exercises
Full-scale exercises simulate real-life scenarios to assess the readiness and effectiveness of the overall business continuity plans.
These exercises involve multiple stakeholders and aim to evaluate the coordination, communication, and response capabilities during a disruptive event.
iv. Live Testing
Live testing involves conducting real-time tests of backup systems, recovery processes, and alternate facilities.
Live testing helps validate the performance and functionality of critical systems and infrastructure during a crisis.
b. Objectives of Testing and Exercises
The policy outlines several key objectives of testing and exercises, including:
i. Validation of Plans
Testing and exercises validate the effectiveness and adequacy of the business continuity plans, ensuring that they meet the requirements and expectations outlined in the policy.
ii. Identification of Gaps and Weaknesses
Testing and exercises help identify gaps, weaknesses, or areas for improvement in the business continuity plans. These findings enable banks to refine and enhance their plans, ensuring better preparedness.
iii. Training and Familiarization
Testing and exercises familiarise employees with their roles and responsibilities during a disruptive event. They help build employees' capacity to respond effectively and promote a culture of resilience within the organization.
iv. Stakeholder Coordination
Testing and exercises facilitate coordination and collaboration among internal and external stakeholders, including departments, business units, vendors, service providers, and regulatory authorities. These exercises help improve communication channels and strengthen relationships.
c. Documentation and Reporting
The policy emphasizes the need for banks to document and report the results of testing and exercises. Banks should maintain records of the exercises conducted, including observations, findings, and action plans for improvement.
These records serve as a basis for evaluating the effectiveness of business continuity plans and demonstrating compliance with the policy's requirements.
d. Regularity and Review
Banks are expected to conduct testing and exercises regularly as part of their business continuity management. The policy recommends establishing a schedule and ensuring that tests and exercises are performed at appropriate intervals.
Additionally, banks should review the results and findings of tests and exercises to update and enhance their business continuity plans accordingly.
Conclusion
Policy Requirement 9 of Bank Negara Malaysia's Business Continuity Management Policy highlights the significance of testing and exercising within the BCM framework.
By conducting various tests and exercises, banks can validate the effectiveness of their business continuity plans, identify areas for improvement, and enhance their readiness for disruptive events.
Testing and exercises serve several objectives, including plan validation, identification of gaps and weaknesses, training and familiarisation, and stakeholder coordination.
Documentation and reporting of testing and exercise results are essential for maintaining records, monitoring progress, and demonstrating compliance with the policy's requirements.
Regular testing and review of results enable banks to refine and enhance their business continuity plans, ensuring the continuous improvement of their preparedness and response capabilities. By adhering to these requirements, banks can strengthen their resilience and mitigate the impact of disruptions on their operations.