Monetary Authority of Singapore – Business Continuity Management Guidelines: Overview and Summary of Requirements

  • By: Staff Editor
  • Date: March 28, 2013

The Monetary Authority of Singapore published its Business Continuity Management guidelines in 2003. These guidelines consist of sound BCM principles that businesses should adopt in order to ensure business recovery and preparedness in case of any disruption to their operations.

Business Continuity Management

According to the guidelines, Business Continuity Management or BCM is an overarching framework that aims to minimize the impact of operational disruptions on businesses. It not only addresses the restoration of IT infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfillment of business obligations. A BCM framework should include:

  • Policies
  • Standards
  • Procedures

These should ensure that an institution is able to carry on operations despite disruptions.

Business Continuity Management Principles

Principle 1: Board of Directors and Senior Management should be responsible for their institution’s business continuity management

  • Senior management is responsible for steering BCM with policies and strategies that are necessary for continuity of critical business functions
  • Senior management should be aware of the risks, mitigating measures and state of readiness. This in turn should be communicated as an attestation to the Board of Directors
  • The attestation, an internal document prepared by senior management and addressed to the Board, should state clearly:
    • Preparedness of the institution
    • Extent of alignment with guidelines, taking into consideration the institution’s nature, scale and complexity of operations
  • The attestation can be in any form that the senior management deems best in terms of level of comfort and need for further assurance
  • Residual risk should be disclosed in the attestation
  • The attestation should be updated at least once a year – if there’s material change in the institution, it must be updated more frequently
  • Institutions should decide on disclosing the attestation to customers and counterparties

Principle 2: Institutions should embed Business Continuity Management into their business-as-usual operations, incorporating sound practices

  • BCM practices adopted by an institution should include the following components:
    • A clear BCM policy as well as strategy and budget
    • Well-defined roles and responsibilities of those involved in the BCM program
    • A Business Continuity Plan or BCP that includes detailed tasks and activities
    • Succession plans for critical staff and senior management
    • Business impact analysis or a similar process
    • A BCP development, implementation and testing program
    • Training and awareness programs
    • Emergency responses
    • External communications program
    • Crisis management coordination program
    • Coordination with external parties such as authorities and independent parties
  • The BCP is an integral part of the BCM framework and the most tangible. It should:
    • Be practical to operate
    • Be regularly reviewed
    • Be updated as the business changes
    • Be tested in order to ensure it is relevant, effective and operationally viable

Principle 3: Institutions must test their Business Continuity Plan regularly, completely and meaningfully

  • Institutions must execute different tests, taking into consideration the criticality of business functions, complexities and resources required
  • Tests can be conducted in modules at different but regular intervals
  • Those taking part in the tests must be aware of their roles and responsibilities
  • Tests should be conducted on the connectivity, functionality and load capacity of infrastructure provided at the recovery sites
  • Tests should also be conducted at an institution’s offices, branches or service providers located outside Singapore in order to be considered complete
  • Institution-wide tests should also be carried out, besides modular tests. These may include exercises such as:
    • Desk-top walk-through exercise to full system test
    • Staff call-tree activation (with and without mobilization)
    • Back-up site to back-up site exercise (including with external service providers)
    • Alternative arrangement of shared services
    • Back-up tape restoration
    • Retrieval of vital records
  • Tests should be documented, and post-mortem reviews listing lessons learned should be carried out
  • Industry-wide tests should be properly coordinated and carried out between key financial utility providers and institutions

Principle 4: Institutions should develop recovery strategies and set recovery time objectives for critical business functions

  • As not all business functions can be recovered in times of crisis, institutions must identify the functions that are critical, such as support operations and related IT systems.
  • Institutions should also identify potential losses if these functions are disrupted
  • Critical business functions vary from institution to institution, but they may include:
    • completing payment instructions,
    • clearing and settling transactions,
    • fulfilling end-of-day funding and collateral obligations,
    • managing customers’ risk positions and
    • maintaining customer, investor or public confidence
  • Recovery time objectives must be made transparent and shared so as to improve service level expectation and increase understanding among institutions
  • Institutions are responsible for determining their critical business functions, recovery strategies and the corresponding recovery time objectives
  • There should be a continuum of recovery time objectives for different business functions that is proportionate with institutions’ obligations to the market, customers and industry.

Principle 5: Institutions should understand and appropriately mitigate interdependency risk of critical business functions

  • When planning for the business continuity of critical business functions, institutions should take into account the interdependencies of these functions, and the extent to which they depend on other parties. Examples of dependencies include:
    • Within the institution - Treasury, custody services and so on
    • Between institutions – for US Dollar clearing, etc
    • On financial utility providers – clearing and settlement providers etc
    • On vendors – IT or disaster recovery providers etc
    • On infrastructure providers – telecommunications etc
  • Institutions should mitigate the risk arising from these complex dependencies as far as practically possible
  • They should consider such dependencies in their recovery strategies and recovery time objectives
  • Institutions are responsible for ensuring their key service providers are capable of supporting their operations even in the case of disruptions
  • Before contracting with external service providers, institutions should satisfy themselves that the risk resulting from outsourcing remains within levels permitted by their operational risk management policies
  • They should ensure that their service providers have a BCP in place that is equal to, if not more robust than, their own.
  • This BCP should be regularly tested and institutions must seek proof/assurances that it is
  • The well-being and financial state of external service providers should be monitored in case of any sudden termination or liquidation of these key service providers

Principle 6: Institutions should plan for wide-area disruptions

  • Planning for wide-area disruptions should be included in the BCM.
  • Planning parameters to be considered include:
    • geographical concentration of institutions
    • transactional processing activities
    • dependencies on internal or external service providers
  • Risks relating to wide-spread disruption (telecommunications, transport) should be mitigated appropriately
  • Institutions are responsible for deciding on the need to cater for multiple-zone outage scenarios, taking into consideration their respective levels of critical business activities and prudent risk management policies
  • The BCM can be expanded in scope to include prolonged operational disruptions

Principle 7: Institutions should practice a separation policy to mitigate concentration risk of critical business functions

  • To mitigate concentration risk of critical business functions, institutions should consider:
    • Primary-secondary site separation: Separate the primary and secondary sites of critical business functions into different zones.
    • Critical business functions separation and intra-function separation: Separating critical business functions into different zones would mitigate the risk of losing multiple critical business functions from a single-zone disruption.
  • Institutions should design and determine the most appropriate approach or combination of approaches that best balances cost and risk exposure and provides an adequate level of comfort and assurance. The approach should be proportionate to the business’s scale and complexity.

Additional Resources

Read the full Singapore Business Continuity Management Guidelines here.
