Disclaimer
This article is provided for general informational and educational purposes only. It summarises publicly available regulatory guidance issued by Bank Negara Malaysia.
BCM Institute is not affiliated with, endorsed by, or acting on behalf of Bank Negara Malaysia. The name “Bank Negara Malaysia” is used strictly for descriptive and reference purposes.
Explainer: R9d Business Continuity Management
Policy
Part B Policy Requirements 9: BCM Framework and Methodology
Recovery Strategy
Click the button to access the official BCM policy document (December 2022 release).
Introduction
The Business Continuity Management (BCM) Policy released on 19 December 2022 provides guidance for banks to establish effective business continuity practices.
This report focuses on Part B - Policy Requirement 9, which outlines the BCM framework and methodology banks should consider when developing their business continuity management plans.
Specifically, it highlights the requirements related to the recovery strategy.
A recovery strategy outlines the steps and measures to restore critical business functions and operations after a disruptive event.
a. Impact Assessment
Before developing a recovery strategy, banks are required to conduct a comprehensive impact assessment. This involves assessing disruptions' potential consequences and impacts on critical business functions, processes, systems, and stakeholders. The impact assessment helps banks prioritize recovery efforts and allocate resources effectively.
b. Recovery Objectives
Banks should define clear recovery objectives as part of their recovery strategy. These objectives include Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
RTO refers to the targeted duration for restoring critical business functions, while RPO refers to the acceptable maximum data loss during recovery. Clearly defined objectives help guide the recovery process and ensure timely restoration.
c. Recovery Approaches
The policy encourages banks to adopt a multi-faceted approach to recovery. This may involve a combination of strategies, such as:
Backup and Restore
Banks should establish appropriate backup mechanisms to ensure critical data, systems, and infrastructure availability. Regular backups, off-site storage, and periodic restoration tests help facilitate a smooth recovery process.
Alternate Processing Sites
Banks should identify and establish alternate processing sites to serve as backup locations in a disruption. These sites should have the necessary infrastructure, systems, and resources to support critical operations.
Redundancy and Failover
Banks should implement redundancy and failover mechanisms for critical systems and infrastructure. This includes redundant hardware, network connections, and failover processes to minimize downtime and ensure continuous operations.
d. Resource Allocation
Banks should allocate sufficient resources to support the implementation of the recovery strategy. This includes personnel, technology, infrastructure, and third-party support. Adequate resource allocation enables the timely and effective execution of recovery activities and minimizes the impact of disruptions.
e. Testing and Validation
Policy Requirement 9 emphasizes the importance of testing and validating the recovery strategy. Banks should conduct regular tests, simulations, and exercises to verify the effectiveness of the recovery plans, identify gaps, and refine the strategies as needed.
Testing helps build confidence in the recovery capabilities and ensures readiness for actual disruptions.
Documentation and Review
The policy requires banks to document the recovery strategy and regularly review and update it. Documentation should include detailed recovery plans, procedures, and associated guidelines.
Regular reviews help ensure the recovery strategy is aligned with changing business needs, emerging risks, and evolving technologies.
Conclusion
Policy Requirement 9 of the Business Continuity Management Policy emphasises the development of a robust recovery strategy within the BCM framework.
By conducting a comprehensive impact assessment, defining recovery objectives, adopting multi-faceted recovery approaches, allocating resources effectively, and conducting regular testing, banks can enhance their ability to restore critical business functions and operations after a disruptive event.
This article is an independent informational summary for educational purposes. It is not affiliated with, endorsed by, or officially representing any regulatory authority.
![Register [BL-B-3]*](https://no-cache.hubspot.com/cta/default/3893111/ac6cf073-4cdd-4541-91ed-889f731d5076.png)
![FAQ [BL-B-3]](https://no-cache.hubspot.com/cta/default/3893111/b3824ba1-7aa1-4eb6-bef8-94f57121c5ae.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
