Implementing Business Continuity and Compliance with Central Bank Policy
Synopsis of Presentation
- Addressing common challenges faced during implementing BCM policies and exploring solutions to overcome them.
- Identifying and prioritizing critical business functions that require safeguarding during disruptions.
- Establishing alternate site and recovery site strategies.
- Understanding and defining RTOs and RPOs for critical business functions to guide recovery efforts.
- Implementing robust data backup and replication procedures to safeguard critical data and information.
- Conducting regular testing and simulation exercises to validate the effectiveness of BC plans.
- Implementing strategies for training personnel and creating awareness about BC measures within the organisation.
- Establishing effective communication protocols with internal and external stakeholders during emergency scenarios.
The presentation provides valuable insights into implementing a business continuity management program.
It is not only about adhering to regulatory requirements such as Bank Negara Malaysia’s BCM policy; Siti will also share what is required to build a robust business continuity framework to safeguard your organisation from unforeseen disruptions.
This is a summary of the presentation by Siti Baizura Yunus, Head of Business Continuity Management, Bank Islam, at the Meet-the-Expert Webinar on 21 September 2023.
Meet-the-Expert Webinar 21 Sep 2023
The presentation's theme is "Implementing Business Continuity and Compliance with Central Bank Policy."
Navigating Bank Negara Malaysia's Business Continuity Management Policy: A Practical Overview
Bank Negara Malaysia, the central bank of Malaysia, issued a revised Business Continuity Management (BCM) policy in December 2022, aiming to shift focus from business continuity measurement to operational resilience.
The speaker highlighted that this policy aims to guide organisations in aligning their policies and guidelines with Bank Negara's standards and international benchmarks like ISO 22301.
Minor adjustments may suffice for those already aligned with earlier guidelines, but those starting from scratch may face initial implementation challenges.
Critical Content of BNM Policy
The policy emphasises two critical aspects. First, it outlines guidelines and strategies for moving from a business continuity management level to operational resilience. This entails strengthening capabilities and preparedness to respond to operational interruptions effectively.
Second, the policy promotes proactive testing and evaluation, encouraging organisations to think beyond established scenarios and plan for potential impacts with a forward-thinking approach.
Three Main Sections
The policy has three main sections: scope and applicability, roles and responsibilities, and the BCM framework and methodology.
It emphasises that adherence to the policy is essential for all financial institutions, ensuring they uphold the resilience of their operations. The precise definition of roles and responsibilities, particularly involving senior management and board directors, emphasises the collective responsibility of ensuring BCM effectiveness within organisations.
Financial institutions in Malaysia, including Maybank, CIMB, Public Bank, Hong Leong Bank, and others, must comply with this policy. The policy underscores the significance of aligning with BCM standards, ensuring operational resilience, and fostering a culture of preparedness and adaptability within the financial sector.
Navigating Compliance with BNM's Enhanced Business Continuity Management Policy
Bank Negara Malaysia has introduced a revamped Business Continuity Management (BCM) policy, impacting organisations under the Development Financial Institution Act and banking industry sectors.
Emphasis on Cybersecurity Incidents Reporting
The policy sets forth crucial mandates necessitating compliance. Notably, it emphasises the need for a comprehensive approach to handling cybersecurity incidents, specifying the Chief Information Security Officer's role in notifying BNM in case of an incident.
The policy also delves into revised recovery time objectives and strategies, providing much-needed clarity on these aspects, particularly vital for the banking sector.
Oversight with Risk Management Function
Furthermore, the policy mandates that effective oversight of business continuity management be integrated into risk management departments. This move towards consolidation aims to enhance the robustness of risk management practices, merging operational risk initiatives for a more comprehensive risk assessment.
Aligning strategies and plans with the bank's risk appetite statement becomes imperative, accentuating the need for a cohesive approach towards achieving organisational goals. Moreover, the policy now requires an annual review of the BCM policy, adding a layer of accountability and ensuring continuous alignment with evolving industry standards.
A critical aspect emphasised in the policy involves assessing the potential consequences of various operational risks co-occurring and their cascading effects on business operations. The policy recommends simulation exercises to gauge the impact of different scenarios, aligning with real-life incidents like the COVID-19 pandemic.
The policy focuses on a proactive and holistic approach to business continuity, fostering resilience amidst evolving operational landscapes and potential risks, propelling the financial sector towards enhanced preparedness and adaptability.
Navigating Common Challenges in Achieving Operational Resilience
Achieving operational resilience is a critical concern for organisations today, especially in the complex world of finance. Numerous challenges must be addressed in this endeavour.
Firstly, navigating a complex regulatory environment, like adhering to stringent standards such as the Bank Negara Business Continuity Plan (BCP) and risk management requirements, can be daunting. Striking the right balance between these regulations is essential for effective operational resilience.
Secondly, resource constraints pose a significant hurdle for smaller financial institutions. Budget limitations often result in lean teams responsible for business continuity management (BCM). Delegating responsibilities to department heads can help maximise limited resources. Some organisations appoint Business Continuity Coordinators to oversee BCM-related tasks for each department, enhancing efficiency.
Lastly, organisational culture plays a pivotal role. While regulated sectors like banking have a built-in incentive for BCM, other profit-focused organisations may not prioritise it until faced with a crisis.
Shifting the cultural mindset to emphasise the importance of resilience is vital. Organisations must address these challenges systematically, including regulatory compliance, resource limitations, and cultural shifts, to build operational resilience effectively and thrive in today's ever-changing business landscape.
BCP In Operational Resilience
The concept of operational resilience is essential in today's dynamic business environment. It involves an organisation's ability to withstand disruptions and continue operations effectively in adversity.
A robust Business Continuity (BC) Plan is crucial to achieving operational resilience, which has evolved from the traditional Recovery Time Objective (RTO) concept.
The BC Plan now encompasses three phases:
- the duration from the incident to BCP activation,
- the period from BCP activation to system recovery, and
- the time taken to return to normalcy after system recovery, including clearing the backlog.
This refined approach allows organisations to calculate RTO more accurately, considering all recovery activities.
Operational resilience begins with the board of directors and senior management. They play a pivotal role in understanding the organisation's risk appetite and approving the Business Continuity Framework (BCF). Transparent communication and alignment between the board and operational teams are essential to ensure everyone comprehends the methodology used in risk assessment and mitigation.
Critical components of operational resilience include conducting a comprehensive Business Impact Analysis (BIA), integrating BCM with Risk Management, prioritising risk identification, assessing suppliers' BCM capabilities, developing a versatile risk mitigation strategy, considering insurance coverage, creating emergency response plans, continuous monitoring, regulatory compliance, and regular review and audit.
In Conclusion ...
Operational resilience is achieved through a multifaceted approach that involves the entire organisation. As a good start, a well-structured BCP, aligned with risk management and supported by senior management, is the cornerstone of operational resilience.
By considering the Business Continuity Planning Methodology and addressing critical components, organisations can enhance their ability to withstand disruptions and maintain business continuity in an ever-changing world.
Dr Goh Moh Heng moderated and transcribed the session.