BCM Institute | Meet-the-Experts

[MTE] [Feb 2025] [P2] Navigating the Challenges in Complying with BCM Regulatory Requirements [Part 2]

Written by Moh Heng Goh | Feb 20, 2025 10:38:25 AM

Part 2: Key Challenges in Observing Regulatory Requirements in BCM

Regulatory compliance in Business Continuity Management (BCM) presents several challenges for financial institutions, especially in a complex and evolving regulatory landscape.

Organisations must navigate overlapping policies, resource constraints, cultural resistance, ongoing regulatory changes, rigorous testing requirements, and interconnected risks.

Below are the key challenges observed in implementing BCM in compliance with regulatory requirements.

Complexity of Integration: Navigating Multiple and Overlapping Policies

One of the biggest challenges in implementing BCM is the interconnection between business functions and IT systems.

While conducting a Business Impact Analysis (BIA), organisations aim to identify critical business functions and determine their Recovery Time Objectives (RTOs).

However, this process often overlaps with IT risk management policies that require organizations to define and manage critical systems.

For example:
  • A BCM practitioner identifies a critical business function, but determining whether its supporting IT system is vital requires additional regulatory assessment.

  • IT departments often operate with high availability measures, leading to discrepancies between BCM-defined RTOs and IT system capabilities.

This overlap makes it challenging to align business continuity planning with IT resilience requirements, resulting in potential gaps in preparedness.

Resource Constraints: Skilled Personnel and Financial Limitations

Interpreting and implementing regulatory requirements demands specialized knowledge in BCM, risk management, IT security, and compliance. However:

  • Skilled BCM professionals are scarce and expensive. Small and mid-sized financial institutions struggle to recruit and retain talent.

  • Limited resources force employees to multitask. In smaller banks, a single risk management officer may be responsible for BCM, outsourcing, and IT risk, leading to inadequate oversight.

  • Implementation requires investment. Ensuring compliance with BCM, RMiT, and outsourcing policies involves budgeting for tools, training, and testing—expenses that organizations may find challenging to justify.

Without dedicated resources, financial institutions risk implementing incomplete or ineffective BCM programs.

Organisational Resistance to BCM Implementation

BCM is not a one-time exercise—it requires continuous collaboration across departments. However, organisational resistance can make execution difficult:

  • Employees often see BCM as a compliance burden rather than a strategic necessity.

  • Business units may prioritize daily operations over BCM exercises, treating continuity planning as a tick-box exercise.

  • Management buy-in is crucial, but BCM initiatives struggle to gain traction without clear leadership support.

Ensuring organisation-wide participation is a significant hurdle, requiring training, awareness, and cultural change.

Keeping Up with Regulatory Compliance and Monitoring

Regulatory requirements are constantly evolving, making compliance a moving target. For example:

  • BNM’s RMiT Policy has been revised multiple times, with a significant update in 2023 and a further exposure draft in 2024.

  • Organisations must continuously monitor regulatory changes, update policies, and ensure ongoing compliance.

  • Failure to comply can result in regulatory scrutiny, penalties, or reputational damage.

The challenge lies in maintaining continuous compliance without overburdening internal teams.

Testing and Maintenance of BCM Plans

A BCM plan is only effective if regularly tested. However, stringent testing requirements pose significant challenges:

  • Frequent testing mandates: In Malaysia, high-value payment systems require testing four times yearly, while other systems have different testing frequencies.

  • Live-run tests under operational conditions: Regulators now require live-run tests during peak periods, which must last at least three consecutive days.

  • Potential business disruptions: Testing often interrupts regular business operations, increasing the risk of system failures or service disruptions.

Balancing the need for rigorous testing with business continuity remains difficult for financial institutions.

Managing Interconnected Risks: Technology, Third-Party Dependencies, and Operations

BCM is no longer confined to internal processes—third-party and technology risks must also be managed:

  • Many organisations outsource critical systems to third-party providers, introducing dependencies on external vendors.

  • Ensuring data privacy, cybersecurity, and operational resilience across third-party services is complex.

  • Regulatory requirements mandate clear accountability for outsourced functions, making governance more challenging.

Financial institutions must take a holistic approach to risk management, ensuring that third-party disruptions do not compromise business continuity.

Summing Up for Part 3 ...

Observing regulatory requirements for BCM is a multifaceted challenge, requiring organisations to:

  • Integrate multiple regulatory policies effectively.
  • Overcome resource limitations and invest in skilled professionals.
  • Drive cultural change to ensure BCM is taken seriously.
  • Stay updated with evolving regulations and maintain continuous compliance.
  • Meet stringent testing requirements while minimizing business disruption.
  • Manage interconnected risks across technology, outsourcing, and operations.

Despite these challenges, a well-executed BCM strategy strengthens organizational resilience, ensuring financial institutions can withstand disruptions while maintaining regulatory compliance.

By adopting a proactive and integrated approach, businesses can turn regulatory compliance into a competitive advantage rather than a mere obligation.

Dr Goh Moh Heng, President of BCM Institute, summarises this webinar. If you have any questions, please speak to the author.


Part 4: Best Practices for Overcoming Challenges in BCM Compliance

Implementing a robust Business Continuity Management (BCM) program while ensuring compliance with regulatory requirements presents numerous challenges.

However, organizations can overcome these obstacles by adopting best practices that enhance leadership commitment, leverage technology, set clear performance metrics, foster collaboration, and engage with industry peers.

Below are the key best practices to strengthen BCM implementation and compliance efforts.

Securing Management Buy-In: Setting the Tone from the Top

Management support is a fundamental factor in the success of any BCM initiative. Without a strong tone from the top, business continuity efforts may lack prioritization and necessary resources. To secure buy-in:

  • Present a clear business case to senior leadership, emphasizing the importance of BCM in safeguarding business operations, regulatory compliance, and financial stability.

  • Engage management in BCM activities, such as awareness training sessions and simulation exercises, to help them understand the significance of their role in driving resilience.

  • Demonstrate the impact of BCM through data-driven insights, such as risk assessments and past incidents, to illustrate the potential consequences of insufficient preparedness.

When management actively participates in BCM initiatives, it fosters a culture of resilience, making it easier for practitioners to implement and sustain BCM programs effectively.

Investing in Technology: Automating BCM Processes

Technology is crucial in streamlining BCM activities, reducing administrative burdens, and enhancing risk management capabilities. Organisations should consider:

  • Automated risk assessment and reporting tools that simplify data collection, analysis, and reporting, making compliance more efficient.

  • Artificial intelligence (AI) and machine learning applications that enhance predictive analysis, scenario modelling, and real-time monitoring of potential disruptions.

  • Cloud-based BCM platforms that facilitate collaboration and provide a centralized repository for BCM documentation, ensuring accessibility and version control.

By leveraging technology, organizations can optimize their BCM functions, improve response times, and enhance overall resilience.

Setting Key Performance Indicators (KPIs) for BCM Effectiveness

To move away from a "tick-box" approach to BCM, organizations must establish measurable KPIs that ensure accountability and drive continuous improvement. Effective KPI implementation involves:

  • Defining clear BCM objectives that align with organizational goals and regulatory requirements.

  • Assigning KPIs to BCM representatives in each business unit, ensuring that performance is monitored and assessed regularly.

  • Evaluating KPIs based on accuracy, effectiveness, and adherence to BCM protocols.

  • Using KPI results to identify gaps, provide feedback, and enhance training and preparedness efforts.

Setting KPIs ensures that BCM is a dynamic and results-oriented function rather than a compliance-driven exercise.

Enhancing Cross-Departmental Collaboration

Effective BCM implementation requires input and cooperation from multiple departments, including IT, risk management, and third-party vendors. Organizations should:

  • Establish cross-functional teams that conduct regular BCM reviews and align continuity planning across business functions.

  • Engage IT teams in risk assessments and recovery planning to ensure alignment between business and technology resilience strategies.

  • Coordinate with third-party risk management teams to ensure that outsourcing arrangements and supply chain dependencies do not compromise business continuity.

  • Conduct regular pulse checks and review meetings to facilitate communication, identify challenges, and refine BCM strategies.

By fostering collaboration, organizations can ensure that BCM practices are effectively interpreted and executed across all functions.

Conducting Thematic Reviews and Internal Audits

Regulatory compliance in BCM requires ongoing assessment and refinement. To avoid non-compliance and strengthen governance frameworks, organizations should:

  • Leverage the second line of defence (risk and compliance teams) to conduct thematic reviews focusing on key BCM aspects such as outsourcing, IT resilience, and crisis management.

  • Engage internal and external auditors to assess the effectiveness of BCM policies, test recovery plans, and identify areas for improvement.

  • Ensure alignment with regulatory requirements by incorporating findings from audits and thematic reviews into the BCM program.

Regular assessments help organizations proactively address compliance gaps and enhance the resilience of their BCM framework.

Industry Collaboration and Knowledge Sharing

Given the evolving nature of regulatory requirements and business risks, learning from industry peers can provide valuable insights. Best practices for industry collaboration include:

  • Participating in BCM forums, industry associations, and regulatory roundtables to stay informed about emerging trends and regulatory changes.

  • Leveraging professional networks like LinkedIn to engage with BCM practitioners, share experiences, and exchange best practices.

  • Attending training programs and certifications from organisations like BCM Institute to enhance knowledge and skills in business continuity and resilience.

  • Engaging with regulators through direct communication, consultations, and discussions to clarify regulatory expectations and ensure compliance.

By staying connected with industry peers and experts, organisations can refine their BCM strategies effectively and adapt to changing regulatory landscapes.

Summing Up for Part 4 ...

Overcoming challenges in BCM compliance requires a strategic approach that integrates leadership commitment, technological innovation, performance measurement, cross-functional collaboration, rigorous audits, and industry engagement.

By adopting these best practices, organizations can build a resilient BCM framework that meets regulatory requirements and strengthens overall operational resilience.

A proactive, well-structured BCM program ultimately positions organizations to navigate disruptions effectively and sustain long-term business continuity.


Summing Up for Parts 1 & 2 & 3...


Additional questions were asked by the participants; as time ran short during the webinar, Dr. Goh provided the answers afterwards.

Parts 1, 2 and 3 of Ruzita Abd Rashid's presentation are covered separately.
