[MTE] [Feb 2025] [P1] Navigating the Challenges in Complying to BCM Regulatory Requirements [Part 1]

Part 1: Understanding BNM Policies: BCM, RMIT & Outsourcing

Bank Negara Malaysia (BNM) has introduced several key policies to enhance risk management and resilience within financial institutions.

The Business Continuity Management (BCM) Policy, Risk Management in Technology (RMiT) Policy, and Outsourcing Policy serve distinct but complementary purposes. Each policy addresses specific risk areas and requires unique management and compliance approaches.

This article summarises Ms Ruzita's presentation and introduces these three policies, highlighting their differences in focus, risk management frameworks, and key implementation elements.

Purpose of the Policies

• BCM Policy: Primarily concerned with ensuring organizations can maintain and restore operations during and after a disaster or significant disruption.
  
  
• RMiT Policy: Focuses on managing technology-related risks, including cybersecurity threats, system failures, and data security.
  
  
• Outsourcing Policy: Governs third-party relationships, ensuring financial institutions properly evaluate, manage, and monitor outsourced services.

Each policy has a distinct objective: to ensure financial institutions are prepared for operational disruptions, technology risks, and third-party dependencies.

Differences in Risk Management Approach

The risk management frameworks and approaches in these policies vary significantly:

• BCM Policy: Emphasises identifying potential disruptions, assessing their impact, and developing response strategies to ensure operational resilience. BCM requires organisations to determine Recovery Time Objectives (RTO), create response and recovery plans, test these plans, and conduct regular monitoring.
  
  
• RMiT Policy: This policy takes a more proactive approach by identifying, assessing, and mitigating technology-related risks before they escalate. It covers incident response to system failures, data security, and ongoing IT risk assessments.
  
  
• Outsourcing Policy: This policy continuously monitors third-party service providers to ensure compliance with contractual obligations and regulatory requirements. It includes risk evaluation of outsourcing partners, legal and contractual agreements, and exit strategies to minimize business disruptions.

Key Elements and Management Processes

Each policy mandates different management processes and control mechanisms:

BCM Policy

• Identifies critical functions within the organization.
• Determines Recovery Time Objectives (RTO) and resilience strategies.
• Develops and tests business continuity plans.
• Provides ongoing training and awareness.

RMiT Policy

• Conducts technology risk assessments to evaluate vulnerabilities.
• Implements incident response plans for cyber threats and IT failures.
• Focuses on data privacy, security controls, and regulatory compliance.
• Requires continuous monitoring and periodic IT system reviews.
  

  Outsourcing Policy

• Defines evaluation criteria for third-party service providers.
• Establishes contractual and legal agreements with vendors.
• Develops a structured exit strategy to manage vendor termination.
• Implements ongoing risk assessments and monitoring of outsourcing
  
  

Summing Up for Part 1 ...

While the BCM, RMiT, and Outsourcing Policies contribute to organizational resilience, they address different aspects of risk management.

BCM ensures business continuity during disruptions, RMiT strengthens cybersecurity and IT resilience, and Outsourcing establishes governance for third-party partnerships.

Understanding these distinctions helps financial institutions develop a comprehensive risk management strategy aligned with BNM’s regulatory framework.

Dr Goh Moh Heng, President of BCM Institute, summarises this webinar. If you have any questions, please speak to the author.

Part 2: Similarities Among BNM’s BCM, RMiT & Outsourcing Policies

Bank Negara Malaysia (BNM) has introduced three key policy documents to guide financial institutions in managing risks: the Business Continuity Management (BCM) Policy, the Risk Management in Technology (RMiT) Policy, and the Outsourcing Policy.

While these policies address different domains—business continuity, technology risk, and third-party management—they share several core principles.

This summary explores the commonalities among these three policies and their overarching objectives.

Emphasis on a Robust Risk Management Framework

The comprehensive risk management framework requirement is a fundamental similarity across all three policies. Each policy stresses the importance of identifying, assessing, mitigating, and monitoring risks within its domain.

A common question is how BNM’s policy documents differ from ISO standards. 

The answer lies in their structure. While ISO standards provide best practices internationally, BNM’s policies derive key principles from ISO standards but establish minimum regulatory requirements tailored for Malaysia’s financial sector.

Regulatory Compliance as a Minimum Standard

BNM’s policies are designed to establish a baseline standard for financial institutions. They set forth the minimum risk management practices required for compliance, but organizations are encouraged to go beyond these standards based on their size, complexity, and risk exposure.

Rather than treating these policies as mere checkboxes for regulatory approval, institutions should view them as foundational guidelines that can be expanded to strengthen their resilience.

Strengthening Operational Resilience

Although Malaysia has yet to introduce a dedicated policy on Operational Resilience, BNM consistently integrates the concept into its regulatory reviews and engagements. Each of the three policies contributes to strengthening operational resilience:

• BCM Policy ensures organisations can recover from disruptions and continue operations.
  
  
• RMiT Policy safeguards technology infrastructure and digital operations from failures and cyber threats.
  
  
• The Outsourcing Policy ensures third-party dependencies do not compromise business operations.

BNM’s regulatory approach subtly reinforces operational resilience, preparing institutions to withstand and adapt to various risks.

Governance and Accountability

All three policies emphasize strong governance structures and clear accountability. Financial institutions must define:

• Roles and responsibilities for risk management.
• Clear reporting lines within the organization.
• Accountability measures to ensure compliance.

BNM ensures that governance structures prevent ambiguity, ensuring that all stakeholders—from senior management to operational teams—understand their responsibilities in risk management.

Documentation and Record-Keeping

Another commonality among the three policies is the requirement for comprehensive documentation. Financial institutions must:

• Maintain risk assessments, plans, and policies.
• Establish clear audit trails to demonstrate compliance.
• Implement internal controls to ensure data integrity and security.

Good documentation supports regulatory compliance and enables institutions to review and improve their risk management processes over time.

Stakeholder Engagement and Industry Collaboration

BNM’s policies encourage financial institutions to engage with industry stakeholders to share insights, challenges, and best practices. Organizations can learn from others to enhance their internal controls and adopt more effective risk mitigation strategies.

Collaboration between institutions strengthens Malaysia’s overall financial stability, ensuring organizations can collectively manage emerging risks.

Continuous Monitoring, Improvement, and Integration

All three policies advocate for continuous monitoring, regular reviews, and improvements in risk management practices. This includes:

• Ongoing training and awareness for employees.
• Periodic assessments to refine risk management strategies.
• Integrating BCM, RMiT, and Outsourcing policies into the organization’s broader governance framework.

These policies do not operate in isolation—they must be embedded within the institution’s overall risk management strategy. For example, BCM is not a standalone function but should be linked to enterprise risk management, just as RMiT aligns with the broader IT governance framework.

Summing Up for Part 2 ...

While BNM’s BCM, RMiT, and Outsourcing policies serve different purposes, they share core principles reinforcing Malaysia’s financial sector resilience.

Their shared focus on risk management, compliance, operational resilience, governance, documentation, stakeholder collaboration, and continuous improvement ensures financial institutions operate with robust safeguards against disruptions, technology risks, and third-party vulnerabilities.

As BNM continues to refine its regulatory landscape, financial institutions must integrate these policies into a holistic risk management framework, strengthening their ability to navigate evolving challenges.

Dr Goh Moh Heng, President of BCM Institute, summarises this webinar. If you have any questions, please speak to the author.