The bank’s ability to deliver uninterrupted critical banking services—despite disruptions arising from natural disasters, technology failures, cyber threats, or operational incidents—is fundamental to national resilience.
In accordance with ISO 22301:2019 – Security and Resilience – Business Continuity Management Systems (BCMS), Bank of Maldives must adopt a structured, risk-based, and lifecycle-driven Business Continuity Management (BCM) planning methodology.
This chapter presents a seven-phase BCM Planning Methodology, aligned with ISO 22301 clauses and tailored to the operational, regulatory, and environmental realities faced by the Bank of Maldives.
The objective of this chapter is to provide a clear, auditable, and practical BCM planning framework that ensures:
• Protection of critical banking services
• Compliance with ISO 22301 requirements
• Alignment with the Maldives Monetary Authority (MMA) regulatory expectations
• Operational resilience across the head office, branches, digital banking, and inter-island operations
A detailed explanation of each phase, as it relates to the Bank of Maldives, is given in the following chapters of eBook 2:
| Chapter | Phase | Description |
|---|---|---|
| 2 | Project Management (PM) | Establishes governance, scope, roles, and programme controls |
| 3 | Risk Analysis and Review (RAR) | Identifies and evaluates threats to service continuity |
| 4 | Business Impact Analysis (BIA) | Determines critical services, recovery priorities, and tolerances |
| 5 | Business Continuity Strategy (BCS) | Defines resilience and recovery strategies |
| 6 | Plan Development (PD) | Documents actionable continuity and recovery plans |
| 7 | Testing and Exercising (TE) | Validates plan effectiveness through exercises |
| 8 | Program Management (PgM) | Ensures ongoing maintenance, review, and improvement |
To establish a structured governance framework for the BCM programme, ensuring accountability, consistency, and alignment with organisational objectives.
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Bank of Maldives shall establish a BCMS Steering Committee, chaired by senior management, with representation from:
• Retail and Corporate Banking
• Digital Banking & IT
• Operations and Branch Network
• Risk Management & Compliance
• Human Resources
• Facilities and Security
The committee shall approve the BCM scope covering the head office, all domestic branches, digital banking platforms, data centres, and third-party service providers supporting inter-island operations.
To identify and evaluate internal and external risks that could disrupt BML’s ability to deliver critical services.
Clause 6.1: Actions to address risks and opportunities
The risk analysis shall explicitly assess Maldives-specific threat scenarios, including:
• Severe weather events (monsoons, flooding, storm surges)
• Inter-island transportation disruptions
• Power and telecommunications outages
• Cyber-attacks targeting digital and mobile banking platforms
• Concentration risk at centralised data centres
Risk assessments shall be reviewed at least annually or following major incidents.
To identify critical business services, assess disruption impacts, and define recovery priorities and tolerances.
BML shall identify Critical Business Services, including but not limited to:
For each critical service, BML shall define:
To define cost-effective strategies that enable the timely recovery of critical services within approved tolerances.
BML shall implement geographically resilient strategies suitable for an island nation, including:
Strategies shall be approved by senior management and aligned with BIA outputs.
To document actionable procedures that enable effective response, continuity, and recovery during disruptions.
BML shall develop and maintain:
Plans shall clearly define roles, escalation paths, decision authority, and inter-island coordination mechanisms.
To validate the effectiveness, readiness, and practicality of BCM strategies and plans.
BML shall conduct at least one BCM exercise annually, including:
Exercise outcomes shall be documented, with corrective actions tracked to closure.
To ensure BCM remains effective, current, and aligned with organisational and regulatory changes.
BML shall establish a BCMS review and improvement cycle, including:
Key BCM metrics shall be reported to senior management and the Board.
| Phase | Phase Name | Purpose | Key Activities | ISO 22301 Clause Alignment | Bank of Maldives–Specific Requirements |
|---|---|---|---|---|---|
| 1 | Project Management (PM) | Establish governance, scope, and structure for the BCMS | • Define BCMS scope and objectives • Establish BCM governance and roles • Allocate resources and budget • Develop BCM roadmap and milestones | Clause 5 (Leadership); Clause 6 (Planning); Clause 7 (Support) | Establish a BCMS Steering Committee with senior management oversight covering head office, all island branches, digital banking platforms, data centres, and critical third-party providers supporting inter-island operations |
| 2 | Risk Analysis and Review (RAR) | Identify and assess threats that may disrupt critical services | • Identify internal and external threats • Assess likelihood and impact • Review existing controls • Document and prioritise risks | Clause 6.1 (Actions to address risks and opportunities) | Include Maldives-specific risks such as severe weather, island accessibility disruptions, telecom outages, cyber threats, and centralised infrastructure concentration risks |
| 3 | Business Impact Analysis (BIA) | Determine critical business services and recovery priorities | • Identify critical business services • Assess financial, operational, regulatory, and reputational impacts • Define MTPD, RTO, and RPO • Identify dependencies and resources | Clause 8.2.2 (Business impact analysis) | Identify critical services, including payments, ATM and cash services, digital banking, inter-bank settlement, and liquidity operations, with recovery objectives reflecting national financial stability expectations |
| 4 | Business Continuity Strategy (BCS) | Define strategies to maintain and recover critical services | • Evaluate recovery options • Select cost-effective continuity strategies • Define minimum service levels • Obtain management approval | Clause 8.3 (Business continuity strategy) | Implement geographically resilient strategies such as alternate processing sites, redundant communications, secondary data centres or cloud recovery, and resource pre-positioning for island branches |
| 5 | Plan Development (PD) | Document actionable continuity and recovery procedures | • Develop enterprise BCM plans • Create crisis management and communication plans • Develop IT disaster recovery plans • Define roles and escalation paths | Clause 8.4 (Business continuity plans and procedures) | Maintain enterprise, branch-level, IT DR, and third-party continuity plans, with clear inter-island coordination and escalation mechanisms |
| 6 | Testing and Exercising (TE) | Validate the readiness and effectiveness of BCM arrangements | • Conduct tabletop exercises • Perform IT DR tests • Run scenario-based simulations • Document lessons learned | Clause 8.5 (Exercising and testing) | Conduct at least one annual BCM exercise simulating island-wide disruptions, cyber incidents, or data centre outages, involving senior management and key operational units |
| 7 | Program Management (PgM) | Ensure ongoing effectiveness and continuous improvement of BCMS | • Monitor BCM performance metrics • Conduct management reviews • Perform internal audits • Update BCMS based on change | Clause 9 (Performance evaluation); Clause 10 (Improvement) | Integrate BCMS with enterprise risk management, perform annual management reviews, and report BCM maturity and resilience posture to senior management and the Board |
The Business Continuity Management Planning Methodology outlined in this chapter provides Bank of Maldives with a structured, ISO 22301-compliant framework to safeguard critical banking services and maintain public confidence during disruptions.
By adopting a seven-phase lifecycle approach, BML can systematically identify risks, prioritise recovery, implement resilient strategies, and continuously improve its operational readiness.
Given the Maldives’ unique geographic, climatic, and infrastructural challenges, effective BCM is not merely a compliance requirement but a strategic imperative.
When fully embedded into governance, operations, and culture, this methodology enables Bank of Maldives to strengthen its resilience, meet regulatory expectations, and fulfil its national responsibility as the country’s leading financial institution.
Ensuring Service Continuity and Compliance: ISO 22301 BCMS at Bank of Maldives
eBook 2: Implementing Business Continuity Management for Bank of Maldives