As businesses and financial institutions face increasingly complex regulatory landscapes, it's essential to understand how these regulations affect business continuity management (BCM), outsourcing practices, and third-party risk.
We gathered answers from industry professionals who recently took part in a Q&A session on regulatory compliance and BCM strategies.
Below, we highlight key points from this discussion that will help organizations align their operations with local and global standards.
MUFG Bank, a foreign bank incorporated in Malaysia, must comply with local requirements (set by Bank Negara Malaysia) and global standards from its headquarters in Japan.
The bank follows a framework that applies whichever requirement is stricter, so local regulations take precedence over global standards wherever the two conflict.
This dual approach strengthens the internal control system by ensuring compliance with local mandates while aligning with global headquarters’ directives.
Bank Negara Malaysia conducts thematic reviews on business continuity management (BCM).
Last year, it conducted a review of BCM across the banking sector, although the results have yet to be published. These reviews help ensure that financial institutions adhere to BCM standards.
No thematic review specific to outsourcing practices or third-party risk has been conducted yet, although supervisory reviews take place annually.
Managing third-party vendors effectively is crucial for any organisation, especially regarding BCM requirements.
Contracts should contain clear clauses that set out the vendor's BCM obligations and the remedies available if the vendor fails to meet them. Regular reviews and assessments are essential to identify any performance gaps.
Before contract renewals, these vendors should be informed of the discrepancies and be allowed to address them.
Organisations should make BCM compliance mandatory during vendor selection to avoid future challenges.
BCM regulations vary across regions, with different standards and maturity levels.
For instance, countries like India and Hong Kong are moving towards operational resilience, while Malaysia's regulatory framework has not yet fully embraced this shift.
These regional differences can create challenges in technical integration, documentation, and resource allocation, particularly when organizations operate across multiple jurisdictions.
Noncompliance with BCM regulations can have significant repercussions.
In Malaysia, Bank Negara has penalized banks for inaccurate regulatory reporting, and companies that fail to meet BCM standards face increased insurance premiums.
In addition to financial penalties, the inability to respond promptly to disruptions can jeopardize critical functions, leading to reputational damage, loss of stakeholder trust, and legal risks.
Financial institutions often face the challenge of navigating numerous regulatory requirements.
To stay compliant, it is vital to understand the regulations and operationalize them within the organization.
This involves collaborating with risk and compliance teams, setting up key risk indicators for high-risk areas, and conducting regular audits and thematic reviews to ensure regulatory compliance.
When working with major cloud service providers such as AWS or Microsoft, organizations must verify that the provider's controls satisfy the BCM regulations the organization itself is subject to.
Although these vendors provide audit assurances, organizations must rely on their own IT risk personnel to assess the quality and relevance of the audit reports rather than accept them at face value.
It's essential to perform detailed assessments to ensure that these providers meet the required BCM standards and mitigate concentration risks associated with relying heavily on a small group of large vendors.
Regulatory compliance and third-party risk management are complex, requiring organizations to build robust frameworks that align with local and global standards.
Organisations can mitigate risks and strengthen their resilience in disruptions by prioritizing stricter regulations, conducting regular reviews, and ensuring vendors meet BCM requirements.
Dr Goh Moh Heng, President of BCM Institute, summarises this webinar. If you have any questions, please speak to the author.
Additional questions asked by participants were answered by Dr. Goh, as time ran short during the session.
Parts 1, 2 and 3 of Ruzita Abd Rashid's presentation are available separately.
Navigating the Challenges in Complying with BCM Regulatory Requirements