Cambridge Advisers has a wealth of expertise and experience helping financial institutions to set up, stress-test and update their Business Continuity Management (BCM) framework and plan to remain compliant with MAS’s guidelines. Generally, clients approach us for the following:
Ensure that your business has in place proper policies and procedures, monitoring structures, and attestation reports.
Assist your business in performing and documenting the results of a gap analysis comparing your current BCM framework and policies with those recommended in the BCM Guidelines for 2022.
Prepare for the independent audit of your business continuity management (BCM) framework and practices (and introduce you to trusted partners who can deliver this).
Please email us at BCM@caglobe.com for a complimentary consultation clinic.
The following is a short article regarding the latest developments of BCM in Singapore and why you should be dedicating time and resources to ensure you can comply with the new regulatory requirements.
Financial institutions in Singapore have 12 months to comply with the Monetary Authority of Singapore (MAS) Business Continuity Management Guidelines (the “BCM Guidelines”), issued in June 2022. The MAS has emphasized that it does not anticipate a “one size fits all” strategy and that the Rules must be applied in a manner that is proportionate to size, nature, and complexity – this is a well-celebrated approach for smaller institutions, which often have resource constraints.
The revised set of BCM Guidelines came about upon conclusion of 2 consultation rounds with the industry in March 2019 and December 2021. In accordance with the new guidelines, Financial Institutions (FIs) will be required to devise an audit strategy within the next year and conduct their very first BCM audit within the next two years.
BCM is not a new topic for FIs in Singapore, of course. In June 2003, the MAS published its initial set of BCM Guidelines, followed by supplementary guidance in 2006. On June 6, 2022, the MAS released its updated Business Continuity Management Recommendations in response to the technological advancements that have happened in the industry over the past 2 decades and in light of the lessons learned from the COVID-19 pandemic. In keeping with what was stated in the two consultation papers, the MAS now expects FIs to evaluate BCM not based on systems but through the perspective of business services and functions.
Key Areas of the June 2022 BCM Guidelines
Building on the foundation of the 2003 BCM Guidelines, the 2022 BCM Guidelines place further emphasis on key areas to help FIs with implementation, broaden the scope of BCM, and include certain new subjects (such as the audit requirement). The following is a list of the important areas set out in the new BCM Guidelines:
Identify Critical Business Services and Functions
Establish Service Recovery Time Objective
Identify and Mitigate Concentration Risk
Continual Review and Enhancement
Testing of Business Continuity Plan
Establish Incident and Crisis Management
Set out the Responsibilities of Board and Senior Management
1. Critical Business Services, Critical Business Functions, and the Interdependencies
The concept of key business functions has been expanded in the 2022 BCM Guidelines, and a new idea known as critical business services has also been included in the revised Guidelines. This is designed to enable a more comprehensive evaluation of the interdependencies between functions and services.
Critical business service(s) is defined as a business service which, if disrupted, is likely to have a significant impact on the FI’s safety and soundness, its customers or other FIs that depend on the business service. Critical business service(s) is further defined to be external-facing services that are provided to the customers of an FI. FIs must determine which of their business services and operations are mission-critical by analyzing the impact of an outage on their clientele.
When assessing the safety and soundness of the FI, the relevant considerations are the extent of damage to the FI’s financial and liquidity position, any loss of assets and revenue, loss of business and investments, and any inability to meet legal obligations.
On the other hand, critical business functions do not interact directly with the outside world but, if they were interrupted, would still have a substantial effect on the FI, either financially or in some other way. While gathering feedback from stakeholders, the MAS presented an example of “Legal and Compliance.”
It is important to consider the interdependencies that exist between the various business functions that are used to support service delivery. When designing a Business Continuity Plan (BCP) for any service provided to a client, the MAS requires FIs to consider the whole process from beginning to completion. It is important to create a map that depicts the end-to-end interdependencies between the people, technology, and other resources necessary to support each critical business service.
2. Mitigating Concentration Risk
Concentration risk may arise when there is concentration of people, technology, or other required resources in the same zone. For instance, where several business functions are outsourced to a single service provider, FIs may be exposed to concentration risk.
MAS suggested a few approaches to mitigate concentration risk, thereby reducing the impact in the event of disruption:
Separate primary and secondary sites of operation
Separate critical business functions
Deploy split-team and back-up team arrangements
Develop cross-training programs
Activate cross-border support
Engage alternative service provider
3. Continuous Improvements and Ongoing Monitoring Capabilities
In the 2022 Guidelines, the MAS emphasizes improving and monitoring BCM more consistently. In keeping with the idea of interdependence, it is more crucial than ever to monitor the situation and plan for any problems that may arise. Companies must be provided with capabilities for continuous monitoring to discover issues with important business services at an early stage, respond in an appropriate manner, and maintain an escalation mechanism to notify senior management of pertinent concerns. The scope of such monitoring may encompass public warnings, cyber events, pandemic outbreaks, natural catastrophes, terrorist acts and outbreaks of epidemic diseases.
4. Testing and Audit
The testing of BCM plans is a crucial type of assurance that may determine whether the system is operating as expected. The revised Guidelines call for extra assurance from a third party not affiliated with the organization, which is intended to significantly raise the bar for quality.
At least once every three years, FIs will be subjected to an audit of their overall BCM framework and the BCPs for their critical business services. BCM audits shall be carried out by a competent independent third party (for example, the external or internal auditor or a sufficiently qualified and independent internal department).
5. Incident and Crisis Management
An overall coordinator must be appointed to coordinate incident management and recovery across affected functions, as the delivery of a business service often depends on multiple business functions. The roles and responsibilities, reporting lines and chain of command must be established in a crisis management structure. FIs should clearly define the triggers and criteria for timely activation of the crisis management structure.
In times of an incident or a crisis, FIs should ensure timely sharing of information with staff to ensure their safety and manage staff morale. FIs should also identify the designated spokesperson who will be responsible for addressing the media and the public in the event of a widespread disruption.
FIs must notify MAS no later than one hour upon discovery of an incident that will lead to severe disruption of business operations or activation of the BCP.
6. The Board and Executive Management’s Role
Successful BCM requires the involvement of the Board and upper management. The Senior Management team is tasked with reviewing BCM procedures at least once a year and providing an attestation as to their efficacy and alignment with the BCM Guidelines requirements to the Board. Such attestations must be supplied to the MAS upon request.
MAS expects compliance with the Guidelines within a year of the BCM Guidelines’ release in 2022. Within the first 12 months, FIs should develop an audit strategy, and within the first 24 months, the first BCM audit should be carried out. The following are important dates upon which to take action:
Compliance with 2022 BCM Guidelines – June 2023
Establish audit plan – June 2023
Complete first audit – June 2024