The Monetary Authority of Singapore (MAS) has issued comprehensive guidelines on Business Continuity Management (BCM) to assist financial institutions (FIs) in Singapore in effectively managing potential disruptions and ensuring the continuity of critical business services.
The article is also part of the pre-reading for participants attending the operational resilience implementer or expert implementer course to understand the relationship between the MAS's Business Continuity Management guidelines and Operational Resilience guidelines issued by other regulatory jurisdictions.
The first section of the MAS Guidelines on BCM emphasises that the guidelines apply to all financial institutions MAS regulates in Singapore. This includes banks, insurers, and capital market intermediaries.
The guidelines ensure financial institutions have robust and effective BCM frameworks to identify potential risks, implement appropriate risk mitigation measures, and establish resilient business continuity plans.
Do note that there is a difference between CBS and CBF.
The guidelines provide a framework for identifying these critical services, assessing their impact on the institution and its customers, and establishing appropriate recovery strategies.
Financial institutions must maintain a comprehensive inventory of critical business services and functions and ensure recovery plans are in place to minimise disruption and ensure timely recovery.
The MAS Guidelines on BCM emphasise the importance of setting realistic and achievable recovery time objectives to minimise the impact of disruptions.
Financial institutions must define RTOs for their critical services and functions based on their business impact analysis.
The RTOs should be regularly reviewed and tested to ensure their effectiveness.
Notes on OR Vs BCM: These are similar terms used by regulators from other jurisdictions. It is also helpful to understand the difference between the SRTO issued by MAS and the actual RTO from BCM practices, and the Impact Tolerance spelt out by the other regulators. Below are some of the similar definitions.
Financial institutions must conduct dependency mapping exercises to identify critical dependencies, including technology systems, infrastructure, third-party service providers, and key personnel.
The guidelines emphasise the need for financial institutions to establish contingency plans to mitigate potential risks associated with these dependencies and ensure alternative arrangements are in place.
Concentration risk refers to the exposure an organisation faces due to a significant reliance on a single point of failure.
The MAS Guidelines on BCM stress the importance of identifying and mitigating concentration risk as a critical component of business continuity planning.
Financial institutions must thoroughly assess their operations, processes, systems, and third-party dependencies to identify risk concentrations.
By diversifying critical services and functions, financial institutions can reduce their vulnerability to disruptions caused by a single event or failure.
The guidelines recommend implementing appropriate risk mitigation strategies, such as redundancy, alternate sites, and contingency plans, to address concentration risk effectively.
The MAS Guidelines on BCM emphasise the need for financial institutions to adopt a proactive approach by continuously reviewing and improving their BCM frameworks.
BCM is not a one-time exercise but a dynamic process that should evolve alongside changes in the business environment and emerging risks.
Financial institutions are encouraged to establish robust governance mechanisms to monitor the effectiveness of their BCM frameworks and ensure regular updates.
The guidelines also highlight the importance of feedback loops, incident reporting, and lessons-learned exercises to identify areas for improvement and drive continuous enhancements in BCM capabilities.
Testing is a critical aspect of BCM and plays a vital role in validating the effectiveness of business continuity plans.
The MAS Guidelines on BCM emphasise the importance of regular testing to ensure that plans are practical, executable, and aligned with recovery time objectives.
Financial institutions must conduct comprehensive and realistic testing exercises, including tabletop exercises, simulation drills, and full-scale recovery tests.
Testing should encompass various scenarios, including different types of disruptions, to assess the resilience and responsiveness of critical business services and functions.
The guidelines also emphasise the involvement of key stakeholders, including internal teams, external vendors, and regulatory authorities, in testing exercises to ensure coordination and collaboration.
The MAS Guidelines on BCM emphasise the importance of conducting regular audits to assess the effectiveness and adequacy of a financial institution's BCM framework.
Audits play a crucial role in verifying the implementation of BCM measures, identifying gaps or weaknesses, and recommending improvements. Financial institutions should establish an independent internal audit function or engage external auditors to conduct comprehensive audits.
These audits should cover all aspects of the BCM framework, including risk assessments, business impact analysis, recovery strategies, and documentation of policies and procedures. Audit findings and recommendations should be reported to the appropriate levels of management and the board for prompt action.
Incident and crisis management is a critical component of BCM that involves effectively responding to and managing disruptions and crises when they occur.
Financial institutions should also establish incident identification, reporting, and resolution processes. Regular training and drills should be conducted to enhance the readiness and capability of staff to respond to incidents and crises promptly and effectively.
The MAS Guidelines on BCM highlight the crucial role of the board and senior management in ensuring the effectiveness of the BCM framework.
Financial institutions should establish a clear governance structure and assign accountability to the board and senior management for BCM.
The board and senior management are responsible for setting the strategic direction, providing oversight, and allocating adequate resources for BCM initiatives.
They should also ensure BCM policies and procedures align with the institution's risk appetite and regulatory requirements.
Regular reporting on BCM performance, including key metrics and progress against action plans, should be provided to the board and senior management.
Notes on OR Vs BCM: The challenge in implementing OR is that despite the COVID experiences, the board and most senior management are informed of the response after an event.
To achieve this requirement, the board of directors and senior management must actively oversee the organisation’s operational resilience framework concerning its strategy and risk appetite, which empowers them to make the correct investment and risk decisions.
The MAS Guidelines on Business Continuity Management provide a comprehensive framework for financial institutions in Singapore to establish effective BCM practices.
By adhering to these guidelines, financial institutions can enhance their resilience and ability to respond to disruptions, thereby ensuring the continuity of critical business services.