Operational disruptions, if not recovered speedily, may compromise the ability of financial institutions (“FIs”) to meet their business obligations, resulting in financial and reputational damage, as well as inconvenience to customers.
MAS is concerned with both the soundness of individual FIs and the stability of the financial system. FIs are thus expected to have controls in place to minimise the occurrence of operational disruptions, including the identification of potential single points of failure early on and their elimination, where possible.
Application of Guideline
This set of MAS BCM (Business Continuity Management) Guidelines (hereafter referred to as “the Guidelines”) contains sound BCM principles that FIs are encouraged to adopt. FIs are ultimately responsible for their business continuity preparedness and recovery from operational disruptions. FIs should establish policies, plans and procedures to ensure that their critical business services and functions can be promptly resumed following a disruption.
The Guidelines are applicable to all FIs as defined in Section 27A(6) of the Monetary Authority of Singapore Act.
Critical Business Services and Functions
Functions underpin the provision of business services to an FI’s customers. When a business function is disrupted, all the business services that are dependent on it could be disrupted, and as a result, amplify the operational or business impact to the FI. There may also be some business functions that do not directly contribute to business services, but their disruption could impact an FI’s safety and soundness.
Service Recovery Time Objective
The FI should establish a Service Recovery Time Objective (SRTO) for each critical business service. The SRTO, being a time-based metric, provides clarity within the FI on the expected recovery timelines for each business service. This will help to guide the prioritisation of resources during the planning and facilitate decision-making and monitoring of the recovery progress in a disruption.
Dependency Mapping
The financial sector has become increasingly interconnected with the growing reliance on common IT systems and third parties. As a first step to mitigate the risks arising from these linkages, the FI should identify and map the end-to-end dependencies covering people, processes, technology and other resources (including those involving third parties) that support each critical business service.
Concentration Risk
While there are economic benefits to be gained through the centralisation of operations, concentration risk may arise when there is concentration of people, technology or other required resources in the same zone. FIs may also be exposed to concentration risk when several of their critical business services and/or functions are outsourced to a single service provider.
Continuous Review and Improvement
BCM is an ongoing effort to ensure that the measures put in place are able to address operational risks posed by the latest threats, as well as plausible threats in the future. The FI should adopt a proactive business continuity posture by embedding BCM into its business-as-usual operations and establish BCPs that address a range of severe and plausible disruption scenarios, which may evolve over time.
Testing
Testing is crucial in validating an FI’s BCM preparedness. The FI should conduct regular and comprehensive testing to gain assurance that its response and recovery arrangements are robust, and enable it to continue the delivery of critical business services and functions in a timely and reliable manner following a disruption.
Audit
BCM audit is an important means to provide the FI with an independent assessment on the adequacy and effectiveness of the implementation of its BCM framework. The FI should ensure that its audit programme adequately covers the assessment of BCM preparedness based on the level of operational risks that it is exposed to.
Incident and Crisis Management
The FI should have robust processes to manage incidents in order to resume critical business services and functions within the stipulated SRTOs/RTOs. Where the delivery of a business service depends on multiple business functions, an overall coordinator should be appointed to coordinate incident management and recovery across affected functions.
Responsibilities of Board and Senior Management
The Board and senior management are ultimately responsible for the FI’s business continuity. A prolonged disruption in the performance of the FI’s critical business services and functions could significantly impair its reputation, financial safety and soundness, or in some instances, the proper functioning of the financial ecosystem.
You can read the full report at the link below:
https://www.mas.gov.sg/regulation/guidelines/guidelines-on-business-continuity-management