This article is provided for general informational and educational purposes only. It summarises publicly available regulatory guidance issued by Bank Negara Malaysia.
BCM Institute is not affiliated with, endorsed by, or acting on behalf of Bank Negara Malaysia. The name “Bank Negara Malaysia” is used strictly for descriptive and reference purposes.
The Business Continuity Management (BCM) Policy released on 19 December 2022 provides guidance for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans. Specifically, it highlights the requirements for risk assessment, business impact analysis, and critical business functions.
Banks should identify a wide range of risks, including but not limited to external risks (e.g., natural disasters, cyber-attacks, regulatory changes) and internal risks (e.g., system failures, human errors, supply chain disruptions). It is crucial to have a systematic approach to identify and document these risks.
Once risks are identified, banks should assess their potential impact and likelihood of occurrence. This evaluation helps prioritise risks by severity and provides insight into the potential consequences and vulnerabilities.
Based on the risk assessment, banks should develop strategies and implement measures to mitigate the identified risks. This may involve implementing controls, redundancy measures, and safeguards to reduce the likelihood and impact of disruptive events.
Banks should identify and prioritise the critical business functions needed to maintain operations and provide vital services.
The business impact analysis (BIA) helps determine which functions require immediate attention and allocation of resources during a disruptive event.
The BIA should assess the dependencies and interdependencies between critical business functions, processes, systems, and external stakeholders.
This analysis helps identify potential bottlenecks, risks, and areas requiring additional attention for effective continuity planning.
The BIA helps determine the recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical business functions. These objectives define the acceptable timeframes for restoring operations and recovering data, ensuring the timely resumption of essential services.
Policy Requirement 9 emphasises identifying and managing critical business functions within the BCM framework. Critical business functions are activities that are essential for the continued operation of the bank.
Banks should clearly define their critical business functions and assign appropriate priority levels. This prioritisation enables effective resource allocation and ensures that the most critical functions are given priority during a disruptive event.
The policy requires banks to allocate sufficient resources to support the continuity of critical business functions. This includes personnel, technology, infrastructure, and third-party support. Proper resource allocation helps ensure the uninterrupted provision of essential services.
Banks should regularly review and update their assessment of critical business functions to align with changing business priorities, emerging risks, and evolving regulatory requirements. This ensures that the continuity plans remain relevant and effective.
Policy Requirement 9 of the Business Continuity Management (BCM) Policy underscores the importance of risk assessment, business impact analysis, and critical business functions within the BCM framework.
By conducting a comprehensive risk assessment, banks can identify and prioritise potential risks and develop mitigation strategies. The business impact analysis helps determine critical functions, dependencies, and recovery requirements, while identifying and managing critical business functions ensures the continuity of essential services.