On 6 June 2022, following two rounds of consultations, the Monetary Authority of Singapore (MAS) published revised Guidelines on Business Continuity Management (BCM), updating the existing patchwork of primary and subsidiary legislation. This iteration of the guidelines (2022 Guidelines) introduces a slew of changes which are expected to be adopted by 6 June 2023 and is the biggest update in nearly two decades – since the initial release in 2003.
Critical business services and functions
Under the 2022 Guidelines, Financial Institutions (FIs) should identify their critical business services because various constraints prevent FIs from resuming all business services and functions quickly when disruptions occur.
However, FIs can formulate recovery strategies that prioritise critical services. In formulating these strategies, FIs should adopt an end-to-end view of the critical business services’ dependencies, considering both the individual processes and the other processes supporting the delivery of the critical services.
FIs should consider:
- their safety and soundness;
- their customers, having regard to the number and profile of customers affected, as well as the manner in which they are impacted; and
- other FIs that depend on the business services.
With the onus on FIs to ensure clear accountability and responsibility for the business continuity of their critical business services, FIs should also ensure that there are personnel appointed to oversee the recovery and resumption of each critical business service in the event of a disruption.
Service recovery time objective (SRTO)
Once the critical business services have been identified, the FI should establish an SRTO for each of these services. In establishing the SRTOs, the FI should consider:
- its obligations to its customers;
- the other FIs that depend on the business services; and
- the feasibility of achieving the set SRTO, especially for critical business services that involve more dependencies.
Thus, the recovery strategies in place should enable FIs to achieve the established SRTOs and restore the disrupted services to the level required to meet their business obligations.
FIs should also be prepared for the possibility of partial disruptions (which would include intermittent or reduced performance that is not tantamount to a complete unavailability of service). When faced with such a prospect, FIs should have clear criteria to determine if their business continuity plans (BCPs) should be activated before the situation results in a severe impact.
Amid an increasingly interconnected financial ecosystem, the 2022 Guidelines highlight risks arising from the growing reliance on common IT systems and third parties. To mitigate these risks, FIs are recommended to identify and map the end-to-end dependencies covering people, processes, technology and other resources (including those involving third parties) that support each critical business service.
By doing so, FIs will be able to identify resources critical to service delivery and address any potential gaps that could hinder the effectiveness and safe recovery of the critical business services. This information can also assist in formulating the recovery strategies discussed above.
As for dependence on third parties, the 2022 Guidelines recognise the reality of ever-increasing interconnectivity within the financial system. However, FIs should still ensure that third parties are able to meet the SRTOs of their critical business services. This can be achieved by:
- reviewing the agreements with third parties to include specific and measurable recovery expectations that support the FI’s BCM;
- ensuring that the BCPs of third parties meet appropriate standards and are regularly tested;
- establishing arrangements with third parties to safeguard the availability of key resources;
- conducting audits on the third parties; or
- performing joint tests with third parties.
Risk of concentration
When several critical business services and/or functions are outsourced to a single service provider, there is an increased risk of concentration. Hence, the 2022 Guidelines recommend the following approaches to mitigate the risk of concentration and reduce the impact in the event of a disruption:
- have separate primary and secondary sites for critical business services and functions, or infrastructure (such as data centres) in different zones, to mitigate wide-area disruption;
- separate critical business functions into different zones to mitigate the risk of losing multiple critical business functions, and the critical business services that they support, following wide-area disruption;
- deploy critical personnel across different zones, or establish reserve team arrangements to eliminate dependency on a single labour pool;
- identify critical skills or roles, and develop cross-training programmes to build versatility for key personnel involved in these roles;
- activate cross-border support as a contingency during disruptions; or
- engage an alternative service provider to allow for redundancy, or so that they can be activated to provide immediate support when the primary service provider is unavailable.
Continuous review and improvement
While it is natural for FIs to continuously improve their business processes by incorporating new parties or technology, the reliance on technology and third parties is accompanied by greater risk exposure, which FIs should address proactively by:
- actively monitoring and identifying external threats and developments that could disrupt normal operations as well as any emerging threats that could pose a risk to business continuity;
- having in place a process to alert internal stakeholders and senior management to the existence of threats in a timely manner;
- regularly reviewing their BCM measures to identify areas of improvement and address any gaps. This should be done in particular following operational disruption, near misses, or incidents in other organisations, to enhance business continuity preparedness; and
- regularly assessing the need for additional tools and automation to enable them to manage incidents or disruption more effectively.
Generally, it is suggested that FIs review their critical business services and functions, and the respective SRTOs and recovery time objectives (RTOs) and their dependencies, at least annually or whenever there are material changes that affect them.
As part of its BCM preparedness, the FI should conduct regular and comprehensive testing. However, for the testing to be effective, the 2022 Guidelines recommend that the proposed test activities meet the following objectives:
- the tests should validate and measure the effectiveness of the BCPs using appropriate metrics, and remediate any gaps or weaknesses that are identified in the recovery process;
- personnel (including those of relevant third parties) who are involved in business continuity and crisis management should be familiar with their roles and responsibilities so as to improve coordination and ensure seamless execution of the various plans;
- to prepare senior management and staff involved in crisis management, the proposed test should not only inform them of potential areas of concern that could arise in a crisis, but also allow them to practise making decisions under simulated conditions, including scenarios that require prioritising the recovery of competing critical business services and functions;
- to ensure the relevance and effectiveness of the FI’s BCPs, the plans should be stress-tested under extreme, but plausible, scenarios so as to better mitigate the impact of severe disruptions; and
- the FI should verify that the established recovery strategies can achieve the SRTOs of its critical business services and RTOs of its critical business functions.
The FI should also properly document all its test records in detail, including the test objectives, scope, scenario design, participants involved, results and follow-ups for each test. Gaps and weaknesses identified from the FI’s business continuity testing should then be reported to senior management.
In response to these findings, remedial actions should be taken to improve the existing recovery processes. There should also be a formal process to follow up on the remedial actions, and the efficacy of the remediation measures undertaken should also be validated at subsequent tests.
The 2022 Guidelines also strongly urge FIs to participate in industry and cross-sector exercises to strengthen joint response and coordination, and improve the effectiveness of the financial sector’s overall business continuity capability.
Under the 2022 Guidelines, it is recommended that FIs audit their overall BCM framework and the BCM of each of their critical business services at least once every three years. The audit should be done by a qualified party that is independent and has the necessary BCM knowledge and expertise to perform the audit. While the audit should assess the adequacy and effectiveness of the FI’s BCM, particular attention should be given to higher risk areas identified from the FI’s risk assessment, previous audit findings, and relevant incidents.
Once the audit findings have been released, the FI should track and monitor the implementation of sustainable remedial actions. Any significant audit findings on lapses that may have a severe impact on the FI’s BCM should also be escalated to the board and senior management. Furthermore, the FI should submit the BCM audit reports to MAS upon request.
Incident and crisis management
To ensure that senior management is well placed to respond to a crisis, the 2022 Guidelines suggest that the FI should have in place:
- a crisis management structure with clearly defined roles and chain of command (including designating alternatives to primary representatives);
- a set of pre-defined triggers and criteria for timely activation of the crisis management structure;
- plans and procedures to guide the FI on the course of action and decisions to be made during a crisis;
- tools and processes to facilitate timely updating and assessment of the latest situation to support decision-making during a crisis;
- a list of all internal and external stakeholders that need to be informed when a critical business service is disrupted, as well as communication plans and requirements (drawer plans, notification criteria, notification timelines, update frequency, etc.) for each stakeholder;
- communication channels, including mainstream and social media, to effectively communicate with its stakeholders, including alternative channels that can be used when the primary communication channel is unavailable;
- a communication channel with staff to update them on developments during an incident; and
- an overall coordinator to coordinate incident management and recovery where the delivery of a business service depends on multiple business functions.
In addition, the FI should notify MAS as soon as possible, but not later than one hour, following the discovery of incidents where business operations have been severely disrupted, or when the BCP is going to be activated in response to an incident. When notifying MAS, the FI should provide information as per the MAS incident reporting template.
Responsibilities of board and senior management
In a departure from the previous guidelines, the 2022 Guidelines place a greater focus on the responsibilities of the board and senior management. The responsibilities of both organs, while related, are distinct.
The board, or the committee delegated by it, must ensure that:
- the established BCM framework is able to manage potential operational disruptions and to meet the FI’s business needs and obligations;
- a BCM function is established and sufficiently resourced to oversee the organisation-wide implementation of the BCM framework and achieve the desired state of business continuity preparedness;
- senior management, which is responsible for executing the FI’s BCM framework, has sufficient authority, competency, resources, and access to the board;
- the effectiveness of the BCM framework is regularly reviewed and evaluated against external events, changes in risk profiles and business priorities, or new processes, systems, or products or services; and
- an independent audit is performed to assess the effectiveness of controls, risk management and governance of the FI’s business continuity preparedness.
As for senior management, they have the responsibility to ensure:
- the BCM framework is established to support and manage the development, implementation, and maintenance of effective BCPs and measures, taking into consideration third parties’ recovery arrangements;
- sound and prudent policies, standards and procedures for managing operational disruptions are established and maintained, and standards and procedures are implemented effectively;
- roles and responsibilities for maintaining the FI’s business continuity preparedness are established and defined clearly;
- measurable goals and metrics are used to assess the FI’s overall business continuity preparedness;
- business services and functions that are critical to the FI are identified, and their SRTOs and RTOs are commensurate with its business needs and obligations;
- the BCPs and the crisis management and communications structure are tested on a regular basis to validate their effectiveness against extreme, but plausible, operational disruption scenarios and verify that the critical business services and functions are able to recover in line with their SRTOs and RTOs;
- gaps and weaknesses identified from the FI’s business continuity testing, post-mortems of incidents, audits, or other risk management programmes (e.g., risk and control self-assessments) are remediated in a timely manner; and
- a training programme is established and reviewed annually to ensure that all staff who have a role in the FI’s BCM are familiar with their roles and responsibilities.
Senior management should provide an annual attestation to the board as to the state of the FI’s BCM preparedness, the extent of its alignment with the 2022 Guidelines, and key issues requiring the board’s attention, such as significant residual risk. The attestation should also be provided to MAS upon request.
Our lawyers are experienced and highly familiar with the latest developments in the financial sector. If you wish to discuss any issues raised above, please reach out to our team below or to your usual Reed Smith contact.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, “Reed Smith”). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.