Business Continuity Management changes on the horizon

The proposed MAS changes to its guidelines on Business Continuity Management will impact all financial institutions in Singapore. The recently released second consultation addresses feedback from the first, incorporates learnings from the Covid-19 pandemic and outlines some specific changes that are likely to be on the horizon. MAS says a financial institution’s approach to BCM should be based on the nature, size and complexity of its business operations. A proportionate and practical approach is key.

The Guidelines on Business Continuity Management (BCM) were last updated in June 2003. In March 2019, the MAS released its original consultation paper proposing changes to these BCM guidelines, which it has now revisited. There are several notable proposals in this latest release. Once the guidelines are formalised, the MAS are likely to provide a transition period of around a year.

Revised taxonomy

MAS proposes that Financial Institutions (FIs) assess their BCM measures from a service delivery perspective. To broaden the scope of business continuity plans, the MAS has now included a new term, “business service”. This is consistent with the feedback received from the industry and seems a sensible suggestion. For instance, the investment cycle of a Fund Management Company would include the investment function and other back-office functions, for example, settlements or reconciliation, to complete the entire investment cycle.

Business Continuity Plan and mapping of interdependencies

This proposal is to better account for interdependencies across all business functions in BCPs. The MAS expects FIs to take an end-to-end perspective when developing BCPs for each service delivered to their customers.

FIs are now required to add a dependency map to existing BCPs. This should be useful for all FIs: for larger FIs, where a single business service may involve inputs from several internal business functions within the FI, and for smaller FIs that outsource most of their functions to third parties. The dependency map will help identify all parties involved in the final delivery of a business service. Hence the objective of the dependency map is to provide FIs with a clear “end-to-end” perspective on the parties responsible for processes. Doing so will allow FIs to design their BCPs better, identify alternatives and plan accordingly.

The MAS proposes that, when developing their dependency map, FIs should identify and map their dependencies on people, processes, and technology, including third parties, that support each critical business service. This will help FIs identify resources critical to the final delivery of business services and give them more information to establish more accurate SRTOs.

Formal training on business continuity planning should be conducted for all relevant staff of the company to ensure that staff can carry out their BCM roles and responsibilities effectively. This makes a lot of sense. It’s also worth considering running BCM training alongside testing so that employees can implement the plan. Separately, a grading system according to the FI’s Service Recovery Time Objective (SRTO) should be in place to measure the effectiveness of the BCP.

Testing and Audit

The MAS proposes that FIs conduct annual crisis management and communications exercises and test the BCP for each critical business function. After receiving feedback from the industry, the MAS has scrapped the annual requirement and will now allow FIs to set the types and frequency of tests to be commensurate with the criticality of the services and functions, instead of having such tests fixed annually. This makes sense – an annual review requirement may be slightly rigid considering the varying sizes and business models of FIs subject to these BCM guidelines. FIs should take a risk-based approach towards their audit policy, and the type and frequency of tests should remain fluid and change in line with the risks faced by the FI.

The MAS also proposes that FIs conduct BCM audits through a unit independent of the staff involved in the planning and execution of the BCM itself. For example, BCM audits can be done by the FI’s internal auditor. The MAS has clarified that FIs can leverage their internal audit plan, audit methodology and audit cycle to determine the scope and frequency of the BCM audit instead of having a BCM-specific audit. Nevertheless, any BCM audit should still be conducted by an independent party. This makes sense when it comes to cost efficiency, particularly for smaller FIs that outsource their audit function. Having a specific BCM audit may not be commercially viable.

The MAS proposes that FIs obtain independent assessments on the adequacy and effectiveness of implementing their BCM framework and ensure the scope of the audit programme adequately covers the assessment of BCM preparedness based on the level of operational risks exposed. This will be a relief for Fund Management Companies who have low portfolio turnover or for FIs who have little or no change to their business activities.

Prioritising critical business services and functions 

FIs may not recover all business services and functions simultaneously due to time and resource constraints in the event of a disruption. Therefore, FIs should prioritise the business services based on their criticality. The MAS sensibly proposes that FIs identify their critical business services and functions by considering the impact of their unavailability based on (1) the FI’s safety and soundness, (2) number and profile of customers affected and (3) the FI’s counterparties and other participants in the financial ecosystem.

To ensure clear accountability and responsibility for the overall business continuity of each critical business service, the MAS proposes that FIs identify an overall manager in charge of each business service to coordinate incident management across the affected functions and oversee the resumption of the business service in the event of a disruption. This is particularly important for large FIs, where parties from various business functions are involved in the final delivery of a business service. Having a common direction from a single continuity manager should prove beneficial for efficiency in the recovery process.

Service recovery time objective

The MAS proposes that FIs establish a Service Recovery Time Objective (SRTO) for each critical business service identified, and have a recovery strategy to achieve that SRTO at the service levels required to meet their business obligations.

The move is likely to prove useful to clarify decision-making and monitor recovery progress following a disruption. However, we would caution FIs developing their SRTOs to take their internal practical and resource considerations into account. This is particularly the case for small FIs where most of their functions are outsourced. Some service providers may be based overseas or be smaller in size and unable to fulfil their obligations. Separately, third-party vendors may not be agreeable to the SRTO set, or it may not be commercially viable for the FI to achieve the SRTO required.

Third-party dependency

The MAS proposes that FIs conduct due diligence to ensure that the third parties meet the SRTOs of the critical business service. This is an additional consideration when FIs conduct their outsourcing due diligence by widening the scope to include a business service level perspective. Practically, this may be difficult for small FIs where third party vendors may not be agreeable to specific terms, or it may not be commercially viable to achieve the SRTO required.

Timeline

MAS has revised the BCM Guidelines to take in feedback and is conducting a second consultation. When formalised, the MAS are likely to provide a 12-month transition period.

We can help

The papers might still be under consultation, but it’s now likely that the changes will be approved sooner rather than later. Now would be a good time to consider a gap analysis against the MAS proposals and your BCM risks. Our team of regulatory experts are here to help.

 
