Introduction
The Monetary Authority of Singapore (MAS) published revised Business Continuity Management (BCM) guidelines on 6 June 2022 to enhance operational resilience for financial institutions. These guidelines emphasise the importance of taking an end-to-end view to ensure the continuous delivery of critical business services.
As part of the new guidelines, all financial institutions are required to meet the new requirements and establish a BCM audit plan within a year from issuance, as well as conduct an internal audit by June 2024. As such, it is vital for financial institutions to thoroughly understand the new guidelines, their requirements, and the internal auditing process. In this article, we answer some frequently asked questions about the new BCM guidelines and how they affect relevant companies.
1. What is considered a financial institution?
According to the guidelines, businesses providing the services listed here are recognised as financial institutions.
2. Why do financial institutions need to do auditing under the new guidelines?
Financial institutions have the responsibility of handling the assets of their clients and customers. Thus, they should adopt a service-centric approach in re-framing their BCM programmes and implementing recovery strategies around customers.
Internal auditing helps organisations achieve their objectives by evaluating and improving the effectiveness of risk management processes while providing objective feedback. Conducting the BCM audit will assure management, directors, and MAS that the BCM in place is appropriate and effective.
3. What are the key BCM requirements?
The new guidelines aim to promote operational resilience in the face of disruptions such as pandemic outbreaks, cyber-attacks, and physical threats to ensure financial institutions can recover quickly and maintain business continuity.
As such, the key requirements include Service Recovery Time Objective, clear accountability and responsibility, identification of critical business services, dependency mapping, and continuous review and improvement.
4. How does the new guideline differ from the ISO 22301:2019 standard?
Most BC practitioners will be familiar with using ISO 22301:2019 as the framework to implement or benchmark their BC programme; this can be supplemented with the Business Continuity Institute (BCI) Good Practice Guide (GPG) or the Disaster Recovery Institute (DRI) 10 Professional Practices.
The MAS guidelines place a different emphasis on resources: concentration risk identification should be directed at resources rather than at critical business functions (CBF) or priority activities (PA). Dependency mapping is likewise expected to focus on resources instead of departments or external operations.
Our conclusion is that the MAS guidelines' focus on resources is intended to ensure that the resources the BCP requires are resilient enough for the financial institution to recover its critical business functions or priority activities within the desired timeframe.
While the MAS guidelines do not explicitly mention the requirement for a Business Continuity Objective (BCO), Minimum Business Continuity Objective (MBCO), or Maximum Tolerable Period of Disruption (MTPD), they do explicitly state that Service Recovery Time Objectives are critical for all financial institution services.
5. Who will conduct the auditing?
The internal auditing process will be undertaken either by the internal audit department or by an independent auditor the organisation chooses to engage.
It is important that the auditor is familiar with BCM specifically and with the financial industry being evaluated. Auditors should also have extensive knowledge of business continuity, industry regulations, industry good practice and the respective company policies, so that they can identify potential instances of risk and non-compliance. On top of that, they need to operate independently from the organisation.
6. What should I expect during the auditing process?
Internal auditors will examine and analyse company records and relevant documents. They will identify issues such as compliance concerns, risks, fraud, and data inaccuracies. After reviewing all the records, they may investigate any problems they find in more depth.
7. What happens if my organisation doesn’t comply with the guidelines?
The BCM guidelines have been issued by the Monetary Authority of Singapore to give financial institutions a clear direction on how to prepare for any unforeseen disruptions. Non-compliance can lead to several consequences including regulatory scrutiny, quality assessment by MAS, operational risks, and possible notification to regulators.
8. How often do I need to conduct a review?
The BCM guidelines state that financial institutions must review their Risk Analysis and Business Impact Analysis annually. As for exercises and audits, the guidelines recommend that these be conducted regularly, which according to common industry practice means every two to three years.
Conclusion
With the deadline approaching for financial institutions to conduct the required BCM audit, organisations will need to begin engaging their own auditor to review their business continuity capability. We are open to discussing and assisting financial institutions in complying with the new BCM guidelines issued by the Monetary Authority of Singapore.