BCM Audit Ebook Series

[Audit] eBook Chapter 10: [BNM] BCM Policy


Moh Heng Goh
Business Continuity Management Certified Planner-Specialist-Expert

Chapter 10: Industry-Specific Considerations for BCM Auditing based on Bank Negara Malaysia (BNM) BCM Policy

This chapter explores the specific considerations for auditing Business Continuity Management Systems (BCMS) within the Malaysian financial sector, aligned with Bank Negara Malaysia's (BNM) Business Continuity Management (BCM) Policy issued in December 2022 (https://www.bnm.gov.my/documents/20124/938039/PD-BCM.pdf).

Introduction

Financial institutions (FIs) in Malaysia are subject to BNM's BCM Policy, which emphasizes building operational resilience to maintain critical financial services during disruptions. Auditing BCMS within this context requires understanding the specific expectations outlined by BNM, which may differ from a purely ISO 22301-based approach.

Key Considerations for BNM-based BCM Audits

  • Alignment with BNM BCM Policy: The primary focus should be on ensuring the BCMS aligns with the latest BNM BCM Policy. This includes:

    • Policy Requirements: Evaluate whether the BCMS addresses all policy requirements outlined in Part A and Part B of the BNM BCM Policy. This includes establishing a BCM framework, conducting risk assessments, developing and maintaining BCPs, and implementing a comprehensive testing and exercising programme.
    • Crisis Management Plan (CMP), Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP): Assess the BCMS's framework for managing disruptions, ensuring a clear distinction between, and proper integration of, the CMP, BCP, and DRP according to BNM's policy requirements (refer to Part B, Policy Requirement 9).
  • Risk-Based Approach: Evaluate if the BCMS employs a comprehensive risk assessment that identifies threats and vulnerabilities specific to the Malaysian financial sector as highlighted by BNM. This may include:

    • Cyberattacks targeting financial institutions
    • Operational disruptions impacting core banking services
    • Systemic risks affecting the broader financial system
  • Supervisory Priorities: Analyze if the BCMS addresses BNM's current supervisory priorities outlined in their publications and guidelines. These may highlight areas of specific concern for FIs in Malaysia, such as:

    • Third-party vendor risk management
    • Cybersecurity preparedness
    • Operational resilience during technological disruptions
  • Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs): Evaluate whether the established RTOs and RPOs for critical business functions (CBFs) reflect BNM's expectations for timely resumption of operations within the Malaysian financial system. This may require shorter RTOs for functions that are crucial to maintaining financial stability.

  • Incident Response and Reporting: Analyze the BCMS's incident response procedures, ensuring they align with BNM's expectations for:

    • Prompt notification to BNM as mandated by relevant regulations.
    • Effective escalation protocols for internal response within the FI.
    • Clear communication strategies for stakeholders, including customers and regulators.

Additional Considerations

  • Third-Party Dependencies: The Malaysian financial sector relies heavily on third-party vendors. The audit should assess how the BCMS addresses potential disruptions impacting critical third-party relationships, considering BNM's emphasis on supply chain risk management.

    • Evaluate if the BCMS includes provisions for ensuring continuity of service through contracts with third-party vendors or alternative service providers.
  • Technology Dependence: Financial services in Malaysia are highly reliant on technology. The audit should evaluate the BCMS's plans for mitigating disruptions impacting critical technological infrastructure, aligned with BNM's focus on cyber resilience:

    • Data center outages and technological obsolescence
    • Cyberattacks targeting financial institutions' systems and data
  • Shariah-Compliance Considerations: For Islamic financial institutions, the audit should assess how the BCMS incorporates considerations for maintaining Shariah-compliant operations during disruptions.

    • Evaluate if the BCMS addresses potential disruptions impacting Shariah-compliant products and services.

Summing Up ...

By incorporating these BNM-specific considerations into the BCM audit process, auditors can ensure a more comprehensive evaluation of the BCMS's effectiveness in safeguarding the operational resilience of Malaysian FIs. This contributes to the overall stability of, and public confidence in, the Malaysian financial system.

More Information About Blended Learning Auditing BCMS Courses

BCM Institute offers two levels of BCM auditing courses: A-3 BCM-8030 ISO22301 BCMS Auditor [A-3] and the ISO22301 BCMS Lead Auditor [A-5].

Please feel free to send us a note if you have any questions.
