New Singapore BCM Guidelines look to a “commensurate” approach

The MAS has issued the long-awaited update to its Business Continuity Management Guidelines, giving financial institutions 12 months for implementation. Crucially for smaller institutions, the MAS has emphasised that it does not expect a “one size fits all” approach, and that the Guidelines should be applied in a way which is commensurate with size, nature and complexity.

The updated version of the Business Continuity Management (BCM) guidelines follows consultations on this topic in March 2019 and December 2021. As part of the new rules Financial Institutions (FIs) will need to have established an audit plan within a year and have carried out the first BCM audit within 2 years.

BCM of course is not a new concept in Singapore. The MAS first issued BCM guidelines in June 2003 supplemented by additional guidance on pandemic and physical security measures in 2006.  In response to technological changes in the industry in the past 20 years, and undoubtedly taking into consideration experiences from the COVID pandemic, the MAS issued its new Business Continuity Management Guidelines on 6 June 2022.  As promised in the two consultation papers, the MAS requires FIs to now consider BCM through the lens of business services and functions, rather than on a systems basis.  Naturally, business services and functions that are deemed critical will require the most detailed attention.

BCM Guidelines – June 2003

The BCM guidelines issued in June 2003 provided an overarching framework on effective business continuity management practices covering the following key areas:

  • Role of Board of Directors and Senior Management
  • Adoption of sound BCM practices
  • Testing of BCM plan
  • Recovery objectives
  • Mitigate interdependency risks
  • Planning for wide area disruptions
  • Mitigate concentration risks of critical business functions

BCM Guidelines – June 2022

The 2022 BCM Guidelines expands on the scope of BCM and introduce some new topics (such as the audit requirement) and provide additional specific guidance on each key area to guide FIs towards implementation. The key areas are as follows:

  • Critical business services and functions
  • Service recovery time objective
  • Dependency mapping
  • Concentration risk
  • Continuous review and improvement
  • Testing
  • Audit
  • Incident and crisis management
  • Responsibilities of Board and Senior Management

Critical business functions and mapping of interdependencies

The 2022 BCM Guidelines enhances the definition of critical business functions and introduces a new concept – critical business services. This is intended to enable a more holistic review of interdependencies between functions and services.

FIs should identify critical business services and functions by considering the impact of unavailability on customers. Critical business services are external facing services the disruption of which would have a significant impact on the FI’s safety and soundness, its customers, or other FIs that place reliance on the business service.  All FIs are expected to have at least one critical business service. For example, for FMCs this could be portfolio management and trading. On the other hand, critical business functions are not externally facing, but if disrupted would nonetheless have a significant impact on the FI, whether financially or otherwise.  An example provided by the MAS during the consultation process is Legal and Compliance.

Interdependencies of the complete set of processes supporting the delivery of services should be considered. The MAS expects FIs to take an end-to-end perspective when developing a Business Continuity Plan (BCP) for each service delivered to their customers. The interdependencies should be mapped covering people, technology and other resources which support each critical business service.

Monitoring capabilities

The MAS has placed enhanced emphasis on continuous improvement and monitoring of BCM in the 2022 Guidelines. In line with the concept of interdependencies, the ability to monitor and foresee potential issues is more important than ever. Firms should have ongoing monitoring capabilities for early detection of problems in the critical business services and respond appropriately and have an escalation process to alert senior management about relevant threats.

The scope of monitoring may include natural disasters, terrorism, pandemic outbreaks, cyber incidents and public advisories.

Responsibility of Board and Senior Management

The Board and Senior Management are responsible for the implementation of effective BCM. The Guidelines reemphasise the role of the leadership team and in particular highlight the need for the Senior Management team to review BCM processes at least annually and attest on the effectiveness of these. The attestation is required to be provided to the MAS upon request.

Testing and audit

Testing of BCM plans is an important form of assurance to determine if it is working as intended. To further raise standards, the new Guidelines introduce the need for additional assurance to be sought from an independent party.

To this end, FIs will be required to undergo an audit of their overall BCM framework and the BCP of critical business services at least once every 3 years.  The MAS has confirmed that the audit plan should be in place within a year of the issuance of the Guidelines, and that the first audit should have taken place by 12 months later.

Such audits are to be conducted by a qualified independent party (such as the external or internal auditor, or an appropriately expert internal department) and should achieve the following objectives:

  • Validate and measure the effectiveness of the BCPs using appropriate metrics
  • Remediate any gaps or weaknesses that are identified in the recovery process
  • Familiarity of senior management and crisis management personnel with the plan
  • Practise decision making under simulated conditions
  • Stress test BCPs by incorporating plausible scenarios
  • Verify that recovery time objectives can be met

Timeline for implementation

MAS expects firms to meet the requirements of the 2022 BCM Guidelines within 12 months following its issuance. An audit plan should be established by FIs within 12 months and the first BCM audit should be conducted within 24 months.

The following are key dates to action upon:

  • Compliance with 2022 BCM Guidelines – 5 June 2023
  • Establish audit plan – 5 June 2023
  • Complete first audit – 5 June 2024

How we can help

  • Assist you in performing a gap analysis of your existing BCM framework and policies against the 2022 BCM Guidelines, and documenting this gap analysis
  • Design an appropriate policy, procedure and oversight framework and attestation reports
  • Help you to get ready for the independent audit of your BCM framework and processes (and introduce you to trusted partners who can deliver this).