MAS issues second consultation paper and response to feedback on proposed revisions to Guidelines on Business Continuity Management
21 October 2021
On 15 October 2021, the Monetary Authority of Singapore (“MAS”) issued a second consultation paper on proposed revisions to the Guidelines on Business Continuity Management (“Guidelines”).
This second consultation includes revisions to address feedback received from the first consultation published in 2019 and incorporates key learnings from the Covid-19 pandemic. Changes are proposed to further emphasise the need for financial institutions (“FIs”) to take an end-to-end view in ensuring the continuous delivery of critical business services, and introduce principles and practices that FIs can implement to strengthen operational resilience. The consultation closes on 15 November 2021.
FIs will be expected to adopt the revised Guidelines within a year following their publication. The revised Guidelines will supersede the Guidelines published in June 2003 and MAS Circular SRD BCM 01/2006 on Further Guidance on Business Continuity Management.
MAS also issued its Response to feedback from the first consultation on 15 October 2021. For more information about the first consultation, please see our article titled “MAS proposes revisions to Technology Risk Management Guidelines and Business Continuity Guidelines”.
The following are the key proposed changes to the Guidelines.
Critical business services and functions
MAS seeks comments on the proposed identification and prioritisation of critical business services in addition to critical business functions.
A business function could concurrently support a few different business services provided by the FI. An FI may also have business functions that do not directly contribute to a business service, such as IT support and human resources, but could impact the FI’s safety and soundness if disrupted. As a disruption to a business function may disrupt all the business services that are dependent on it, FIs should prioritise the recovery of their business services and functions based on their criticality to determine the appropriate recovery strategies and resource allocation. Critical business services and functions can be identified by considering the impact of their unavailability on (a) the FI’s safety and soundness, (b) the number and profile of customers affected, and (c) the FI’s counterparties and other participants in the financial ecosystem.
MAS expects FIs to have the necessary recovery strategies in place for these critical business functions to maintain public confidence in the FI, mitigate the impact of service disruption to its customers and prevent any contagion effects on the financial system.
To minimise the degree of disruption, safeguard customer interests, and maintain the safety and soundness of FIs, FIs establishing recovery strategies should adopt an end-to-end view of the critical business services’ dependencies, and consider not only the recovery of individual processes but also the complete set of processes supporting the delivery of the service. There should also be clear accountability and responsibility for the overall business continuity of each critical business service. Where the delivery of a business service depends on multiple business functions, the FI should appoint an overall manager to coordinate incident management across the affected functions, and oversee the resumption of the business service in the event of a disruption.
Service recovery time objective
MAS proposes the establishment of Service Recovery Time Objectives (“SRTO”) by FIs for each critical business service, and the implementation of recovery strategies to meet the SRTOs.
SRTO refers to the target time to recover a critical business service to a level sufficient to meet its business obligations, or the acceptable duration before the disruption of a critical business service would result in severe business impact and losses to the FI and any of its customers.
As a time-based metric, the SRTO will provide clarity between FIs and their third parties on the recovery expectation of the business service, thereby facilitating decision-making and monitoring of the progress of its recovery. In establishing SRTOs, FIs should consider their obligations to customers, the financial ecosystem, and its participants.
MAS further expects FIs to put in place recovery strategies to achieve the established SRTOs and recover to the service levels required to meet their business obligations. For critical business services that are supported by a number of business functions, FIs must ensure that the recovery time objectives of the underlying business functions and their dependencies will meet the SRTOs.
FIs should also set out clear and defined thresholds for activation of business continuity plans (“BCP”) in the event the performance of a critical business service is reduced or intermittent, but not to the extent that it is completely unavailable. This will guide the FI in activating its BCP in a timely manner, before the performance degradation becomes prolonged or results in severe impact.
Mapping of interdependencies
People, processes and technology
Observing that the financial sector has become increasingly interconnected with the growing reliance on IT systems and common third parties, MAS proposes that FIs should identify and map the end-to-end dependencies on people, processes, and technology, including those involving third parties that support each critical business service. In this way, FIs will be able to identify resources critical to the service delivery, consider the implications of their unavailability, and address any gaps that could hinder the effectiveness and safe recovery of the critical business services. FIs should use the information derived from the dependency mapping to verify that the recovery of the business functions and their dependencies will meet the established SRTOs.
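The dependency mapping described above can be checked mechanically once the map exists: each critical business service, the functions it relies on, and the technology, people and third parties beneath them are recorded with their individual recovery time objectives, and the longest recovery chain under each service is compared against that service's SRTO. The following is an added example written for this article, not code from MAS or the Guidelines; the node names, recovery times and SRTOs are constructed, and it assumes the conservative model that a node can only be restored after everything it depends on is back (so recovery times add up along a chain). Dependencies that are referenced but never mapped are reported as gaps rather than silently treated as recovered.

```python
"""Verify that mapped dependencies can meet each critical service's SRTO (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """One entry in the dependency map: a service, function, system, team or third party."""
    name: str
    kind: str                             # "service", "function", "technology", "people", "third_party"
    rto_minutes: int = 0                  # time to restore this node once its own dependencies are back
    depends_on: List[str] = field(default_factory=list)
    srto_minutes: Optional[int] = None    # only set for kind == "service"


@dataclass
class Finding:
    service: str
    srto_minutes: int
    effective_minutes: int                # longest recovery chain under the service
    gaps: List[str]                       # dependencies referenced but never mapped

    @property
    def met(self) -> bool:
        # A service with unmapped dependencies cannot be declared recoverable within its SRTO.
        return not self.gaps and self.effective_minutes <= self.srto_minutes


def effective_recovery(graph: Dict[str, Node], name: str, gaps: List[str],
                       memo: Dict[str, int], stack: Set[str]) -> int:
    """Critical-path recovery time of `name`: own RTO on top of its slowest dependency."""
    if name not in graph:
        gaps.append(name)                 # referenced in the map but never described: a gap to address
        return 0
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"circular dependency via {name}")
    stack.add(name)
    node = graph[name]
    slowest = max((effective_recovery(graph, d, gaps, memo, stack) for d in node.depends_on), default=0)
    stack.remove(name)
    memo[name] = slowest + node.rto_minutes
    return memo[name]


def check_srtos(nodes: List[Node]) -> List[Finding]:
    """One finding per critical business service in the map."""
    graph = {n.name: n for n in nodes}
    findings = []
    for node in nodes:
        if node.kind != "service":
            continue
        gaps: List[str] = []
        eff = effective_recovery(graph, node.name, gaps, {}, set())
        findings.append(Finding(node.name, node.srto_minutes, eff, sorted(set(gaps))))
    return findings


# Constructed sample dependency map (hypothetical FI, illustrative figures only).
SAMPLE_MAP = [
    Node("Retail payments", "service", srto_minutes=240,
         depends_on=["Payment processing", "Customer notifications"]),
    Node("Trade settlement", "service", srto_minutes=120, depends_on=["Settlement processing"]),
    Node("Client reporting", "service", srto_minutes=480, depends_on=["Report generation"]),
    Node("Payment processing", "function", 60, ["Core banking platform", "Payments ops team"]),
    Node("Customer notifications", "function", 30, ["SMS gateway vendor"]),
    Node("Settlement processing", "function", 45, ["Core banking platform"]),
    Node("Report generation", "function", 60, ["Report archive"]),   # "Report archive" is never mapped
    Node("Core banking platform", "technology", 120, ["Data centre power"]),
    Node("Payments ops team", "people", 30),
    Node("SMS gateway vendor", "third_party", 180),
    Node("Data centre power", "third_party", 60),
]


if __name__ == "__main__":
    for f in check_srtos(SAMPLE_MAP):
        status = "met" if f.met else "NOT met"
        extra = f" (unmapped: {', '.join(f.gaps)})" if f.gaps else ""
        print(f"{f.service}: SRTO {f.srto_minutes} min, chain {f.effective_minutes} min, {status}{extra}")
```

Running it shows "Retail payments" just meeting its 240-minute SRTO (core banking platform 120 min behind 60 min of data centre power, then 60 min for the payments function), "Trade settlement" missing its 120-minute SRTO because the same 180-minute platform chain sits underneath it, and "Client reporting" flagged as incomplete because its archive dependency was never mapped. Tightening a single shared dependency, such as the platform's own RTO, changes the result for every service above it, which is the point of taking the end-to-end view.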
Third party dependencies
Arrangements that FIs have with third parties engaged to support the delivery of their critical business services could increase operational risk arising from the failure, delay, or compromise of a third party in providing the service. Hence, FIs should perform due diligence to obtain assurance that the SRTOs of the critical business service can be met by these third parties. This assurance can be obtained through the following measures:
- Establish and regularly review operational level or service level agreements with third parties that set out specific and measurable recovery expectations;
- Request dedicated manpower from their third party service providers for specialist functions that cannot be performed in-house; or
- Conduct audits, regular tests, or joint tests with third parties to ensure the third parties have the ability to support FIs even if the third parties experience disruptions.
There should also be plans and procedures in place to manage and address any unforeseen disruption, failure or termination of third party arrangements, to minimise the impact of such adverse events. Some interdependency risks (e.g. unavailability of telecommunications networks, power utilities, etc.) may be beyond an FI’s direct control to mitigate completely. FIs should put in place risk mitigating measures, such as implementing redundancy or back-up arrangements, to address the interdependency risks posed by the disruption of these services.
Audit
An FI should ensure its audit programme adequately covers the assessment of business continuity management (“BCM”) preparedness based on the level of operational risks that it is exposed to. This will provide the FI with independent assessment of the adequacy and effectiveness of its BCM framework.
The scope and frequency of BCM audits should be commensurate with the criticality of the business services and functions and should be conducted by a qualified independent party (e.g. qualified internal or external auditor). Examples include institution-wide BCM audits, specific service or function-level audits covering BCM preparedness, or thematic audits. An FI can leverage its internal audit plan, audit methodology and audit cycle to determine the scope and frequency of BCM audit.
The FI should establish processes to track and monitor the implementation of remedial actions in response to the audit findings. Significant audit findings on lapses that may have severe impact on the FI’s BCM should be escalated to the Board and senior management. Upon request, the FI should submit the BCM audit reports to MAS.
MAS Response
In its Response to feedback from the first consultation paper, MAS provided, among other things, clarification regarding the responsibility of the Board and senior management:
- Oversight by the Board: The responsibility of the Board has been clarified in the revised Guidelines. The Board should provide oversight by ensuring that senior management has allocated adequate budget and resources to implement effective business continuity measures to achieve the desired state of preparedness, commensurate with its business needs and obligations. For FIs headquartered outside Singapore, the responsibility of the Board may be delegated to a management committee or body responsible for the supervision and oversight for the FI’s operations in Singapore. For smaller FIs, the responsibility of the Board can be assumed by local senior management provided the responsibilities of the Board can be effectively discharged.
- Responsibility of senior management: The Guidelines have been revised to focus on the responsibility of senior management on the FI’s BCM that includes putting in place a programme for the development, implementation and maintenance of BCPs, the assessment of the overall business continuity preparedness, and addressing gaps and weaknesses identified.
- Support from group or regional office: FIs may adopt and adapt the BCM frameworks, policies, and procedures that have been instituted at the Group or Regional level, as long as these arrangements would enable the FIs’ Singapore operations to comply with the Guidelines. Senior management, who are based overseas and are responsible for the implementation of BCM in the Singapore operations, can continue to be responsible for the BCM implementation of the FI in Singapore under a regional or global management arrangement.
Reference materials
The Second Consultation Paper and Response to Feedback Received on Proposed Revisions to Guidelines on Business Continuity Management is available on the MAS website www.mas.gov.sg.