Operational Resilience Audit

Summary of the Guidelines on Business Continuity Management issued by the Monetary Authority of Singapore

Written by Moh Heng Goh | Jun 9, 2023 5:09:16 AM

Key Focus Areas for Guidelines on Business Continuity Management by the Monetary Authority of Singapore

The Monetary Authority of Singapore (MAS) has issued comprehensive guidelines on Business Continuity Management (BCM) to assist financial institutions (FIs) in Singapore in effectively managing potential disruptions and ensuring the continuity of critical business services. 

Objective

This blog aims to provide an overview of the key aspects of the MAS Guidelines on BCM, with a specific focus on the ten areas mentioned in the guidelines. The full guidelines are available on the MAS website.

The article is also part of the pre-reading for participants attending the operational resilience implementer or expert implementer course to understand the relationship between the MAS's Business Continuity Management guidelines and Operational Resilience guidelines issued by other regulatory jurisdictions.

Application of MAS Guidelines

The first section of the MAS Guidelines on BCM states that they apply to all financial institutions regulated by MAS in Singapore. This includes banks, insurers, and capital market intermediaries.

The guidelines ensure financial institutions have robust and effective BCM frameworks to identify potential risks, implement appropriate risk mitigation measures, and establish resilient business continuity plans.

Compliance with these guidelines is mandatory, and institutions are expected to maintain a state of readiness to respond to and recover from disruptions.

Notes on OR Vs BCM: Other central banks worldwide have issued related regulatory requirements or guidelines. These regulations will be under your purview if you have global or regional responsibilities.

Critical Business Services and Functions

Financial institutions must identify and prioritise their critical business services (CBS) and critical business functions (CBF) essential for maintaining financial stability and providing uninterrupted services to customers.

Do note that a critical business service (CBS) and a critical business function (CBF) are distinct concepts.

The guidelines provide a framework for identifying these critical services, assessing their impact on the institution and its customers, and establishing appropriate recovery strategies.

Financial institutions must maintain a comprehensive inventory of critical business services and functions and ensure recovery plans are in place to minimise disruption and ensure timely recovery.

Notes on OR Vs BCM: Regulators from other jurisdictions use similar terms. It is helpful to note that "Critical Business Services" is the term used by MAS, while "Critical Operations" is the term used by the US Federal Reserve and the Hong Kong Monetary Authority.

Service Recovery Time Objective (SRTO)

The Service Recovery Time Objective (SRTO) refers to the timeframe within which critical business services and functions should be recovered following a disruption.

The MAS Guidelines on BCM emphasise the importance of setting realistic and achievable recovery time objectives to minimise the impact of disruptions.

Financial institutions must define SRTOs for their critical services and functions based on their business impact analysis.

The SRTOs should be regularly reviewed and tested to ensure their effectiveness.

Notes on OR Vs BCM: Regulators from other jurisdictions use similar terms. It is also helpful to understand the difference between the SRTO issued by MAS, the actual RTO from BCM practice, and the Impact Tolerance spelt out by the other regulators.

Dependency Mapping

Dependency mapping is a crucial aspect of BCM that involves identifying and understanding the interdependencies between various systems, processes, and external parties.

Financial institutions must conduct dependency mapping exercises to identify critical dependencies, including technology systems, infrastructure, third-party service providers, and key personnel.

The guidelines emphasise the need for financial institutions to establish contingency plans to mitigate potential risks associated with these dependencies and ensure alternative arrangements are in place.

Concentration Risk

Concentration risk refers to the exposure an organisation faces due to a significant reliance on a single point of failure.

The MAS Guidelines on BCM stress the importance of identifying and mitigating concentration risk as a critical component of business continuity planning.

Financial institutions must thoroughly assess their operations, processes, systems, and third-party dependencies to identify risk concentrations.

By diversifying critical services and functions, financial institutions can reduce their vulnerability to disruptions caused by a single event or failure.

The guidelines recommend implementing appropriate risk mitigation strategies, such as redundancy, alternate sites, and contingency plans, to address concentration risk effectively.
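The SRTO, dependency mapping and concentration risk sections above describe three checks that are usually run together over the same inventory of critical business services. The following is an added illustration, not code from the MAS guidelines or from the original post, of how such an inventory can be analysed: the service names, dependency names, SRTO and recovery-time figures are constructed for the example, and the rule "a single point of failure shared by two or more critical services is a concentration" is an assumption chosen for illustration, not a figure from the guidelines.

```python
"""Dependency mapping, single-point-of-failure and SRTO checks over a
constructed inventory of critical business services (CBS).

Added example; every name and figure below is constructed and
hypothetical. Recovery times are in hours.
"""
from collections import defaultdict

# Constructed dependency catalogue: technology systems, third parties and
# key personnel, each with its own recovery time and whether an alternate
# arrangement exists (the "contingency plan" the guidelines ask for).
DEPENDENCIES = {
    "core_banking_db": {"type": "system", "rto_hours": 2, "has_alternate": True},
    "cloud_provider_a": {"type": "third_party", "rto_hours": 8, "has_alternate": False},
    "settlement_gateway": {"type": "third_party", "rto_hours": 12, "has_alternate": False},
    "identity_provider": {"type": "system", "rto_hours": 4, "has_alternate": True},
    "ops_team_sg": {"type": "personnel", "rto_hours": 1, "has_alternate": True},
}

# Constructed critical business services with their SRTO (hours) and the
# dependencies each needs in order to operate.
SERVICES = {
    "retail_payments": {"srto_hours": 4,
                        "depends_on": ["core_banking_db", "cloud_provider_a", "ops_team_sg"]},
    "trade_settlement": {"srto_hours": 24,
                         "depends_on": ["core_banking_db", "cloud_provider_a", "settlement_gateway"]},
    "customer_portal": {"srto_hours": 8,
                        "depends_on": ["cloud_provider_a", "identity_provider"]},
}


def dependency_map(services, dependencies=DEPENDENCIES):
    """Invert the service inventory: dependency name -> sorted services relying on it.

    Raises ValueError if a service references a dependency missing from the
    catalogue, since an unmapped dependency defeats the purpose of the exercise.
    """
    users = defaultdict(set)
    for service, spec in services.items():
        for dep in spec["depends_on"]:
            if dep not in dependencies:
                raise ValueError(f"{service} depends on unmapped dependency {dep!r}")
            users[dep].add(service)
    return {dep: sorted(svcs) for dep, svcs in users.items()}


def single_points_of_failure(services, dependencies=DEPENDENCIES):
    """Dependencies that some critical service needs and that have no alternate."""
    return sorted(dep for dep in dependency_map(services, dependencies)
                  if not dependencies[dep]["has_alternate"])


def concentration_risks(services, dependencies=DEPENDENCIES, threshold=2):
    """Single points of failure shared by `threshold` or more critical services.

    The threshold is an assumption for this example; a real assessment would
    set it from the institution's risk appetite.
    """
    dmap = dependency_map(services, dependencies)
    return {dep: dmap[dep]
            for dep in single_points_of_failure(services, dependencies)
            if len(dmap[dep]) >= threshold}


def srto_breaches(services, dependencies=DEPENDENCIES):
    """(service, dependency) pairs where the dependency's own recovery time
    exceeds the service's SRTO, so the SRTO cannot be met through that path."""
    breaches = []
    for service, spec in sorted(services.items()):
        for dep in spec["depends_on"]:
            if dependencies[dep]["rto_hours"] > spec["srto_hours"]:
                breaches.append((service, dep))
    return breaches


def build_report(services=SERVICES, dependencies=DEPENDENCIES):
    """Bundle the three checks into one structure for review or audit evidence."""
    return {
        "dependency_map": dependency_map(services, dependencies),
        "single_points_of_failure": single_points_of_failure(services, dependencies),
        "concentration_risks": concentration_risks(services, dependencies),
        "srto_breaches": srto_breaches(services, dependencies),
    }


if __name__ == "__main__":
    for section, finding in build_report().items():
        print(f"{section}: {finding}")
```

In the constructed data the one shared dependency without an alternate, cloud_provider_a, is flagged as a concentration because all three services rely on it, while settlement_gateway is a single point of failure for one service only. The SRTO check separately shows that retail_payments cannot meet a four-hour SRTO while its cloud provider needs eight hours to recover, which is the kind of finding that drives the alternate arrangements the guidelines call for.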

Continuous Review and Improvement

The MAS Guidelines on BCM emphasise the need for financial institutions to adopt a proactive approach by continuously reviewing and improving their BCM frameworks.

BCM is not a one-time exercise but a dynamic process that should evolve alongside changes in the business environment and emerging risks.

Financial institutions are encouraged to establish robust governance mechanisms to monitor the effectiveness of their BCM frameworks and ensure regular updates.

The guidelines also highlight the importance of feedback loops, incident reporting, and lessons-learned exercises to identify areas for improvement and drive continuous enhancements in BCM capabilities.

Notes on OR Vs BCM: The phrase "continuous improvement" appears as part of the standard in most published regulations. The key is to learn from past incidents and from deficiencies identified during testing and exercising.

Testing

Testing is a critical aspect of BCM and plays a vital role in validating the effectiveness of business continuity plans.

The MAS Guidelines on BCM emphasise the importance of regular testing to ensure that plans are practical, executable, and aligned with recovery time objectives.

Financial institutions must conduct comprehensive and realistic testing exercises, including tabletop exercises, simulation drills, and full-scale recovery tests.

Testing should encompass various scenarios, including different types of disruptions, to assess the resilience and responsiveness of critical business services and functions.

The guidelines also emphasise the involvement of key stakeholders, including internal teams, external vendors, and regulatory authorities, in testing exercises to ensure coordination and collaboration.

Notes on OR Vs BCM: End-to-end testing based on a scenario is called scenario testing. It is helpful to review the difference between operational resilience testing and BC testing.

Audit

The MAS Guidelines on BCM emphasise the importance of conducting regular audits to assess the effectiveness and adequacy of a financial institution's BCM framework.

Audits play a crucial role in verifying the implementation of BCM measures, identifying gaps or weaknesses, and recommending improvements. Financial institutions should establish an independent internal audit function or engage external auditors to conduct comprehensive audits.

These audits should cover all aspects of the BCM framework, including risk assessments, business impact analysis, recovery strategies, and documentation of policies and procedures. Audit findings and recommendations should be reported to the appropriate levels of management and the board for prompt action.

Incident and Crisis Management

Incident and crisis management is a critical component of BCM that involves effectively responding to and managing disruptions and crises when they occur.

The MAS Guidelines on BCM emphasise the need for financial institutions to establish robust incident and crisis management frameworks. This includes defining roles and responsibilities, establishing communication protocols, and implementing escalation procedures.

Financial institutions should also establish incident identification, reporting, and resolution processes. Regular training and drills should be conducted to enhance the readiness and capability of staff to respond to incidents and crises promptly and effectively.

Responsibilities of Board and Senior Management

The MAS Guidelines on BCM highlight the crucial role of the board and senior management in ensuring the effectiveness of the BCM framework.

Financial institutions should establish a clear governance structure and assign accountability to the board and senior management for BCM.

The board and senior management are responsible for setting the strategic direction, providing oversight, and allocating adequate resources for BCM initiatives.

They should also ensure BCM policies and procedures align with the institution's risk appetite and regulatory requirements.

Regular reporting on BCM performance, including key metrics and progress against action plans, should be provided to the board and senior management.

Notes on OR Vs BCM: The challenge in implementing OR is that, despite the COVID experiences, the board and most senior management are informed of the response only after an event.

To achieve this requirement, the board of directors and senior management must actively oversee the organisation’s operational resilience framework concerning its strategy and risk appetite, which empowers them to make the correct investment and risk decisions.

Conclusion

The MAS Guidelines on Business Continuity Management provide a comprehensive framework for financial institutions in Singapore to establish effective BCM practices.

By adhering to these guidelines, financial institutions can enhance their resilience and ability to respond to disruptions, thereby ensuring the continuity of critical business services. 
