You are on page 1of 42

MANAGEMENT POWERTOOLS

BCM INSTITUTE

ON
BUSINESS CONTINUITY MANAGEMENT (BCM)

GUIDELINES ON BUSINESS
CONTINUITY MANAGEMENT (BCM)

BANK NEGARA MALAYSIA


CENTRAL BANK OF MALAYSIA

Downloaded from BCM Institute Forum:


bcmi.collectivex.com

ONLINE RESOURCES
 BCM Institute : www.bcm-institute.org
 Business Continuity & Disaster Recovery Forum: bcmi.collectivex.com
 BCMpedia: www.bcmpedia.org

BCM Institute Offices Worldwide:


Singapore | Australia | Africa | China | Thailand | Hong Kong | Pakistan | Middle East | Malaysia
A. OVERVIEW................................................................................................................. 1
A.1 Introduction…………………………………………………………………………...1
A.2 Objective of Guidelines ……………………………………………………………..1
A.3 Application and Effective Date of Guidelines ……………………………………..2
A.4 BCM Life Cycle ……………………………………………………………………..3
B. BCM PRINCIPLES AND REQUIREMENTS .............................................................. 4
B.1 BCM Framework……………………………………………………………………..4
B.1.1 Board and Management Oversight..................................................... 4
B.1.2 BCM Policy ......................................................................................... 5
B.1.3 Roles and Responsibilities.................................................................. 5
B.1.4 BCM Culture ....................................................................................... 7
B.2 BCM Methodology…………………………………………………………………...8
B.2.1 Risk Assessment and Business Impact Analysis ............................... 8
B.2.2 Critical Business Functions ................................................................ 9
B.2.3 Recovery Strategy ........................................................................... 10
B.2.4 Maximum Tolerable Downtime and Recovery Time Objectives ....... 11
B.2.5 Level of Disruption ........................................................................... 11
B.2.6 Formulation of Plan.......................................................................... 12
B.2.7 Alternate and Recovery Sites........................................................... 14
B.2.8 Critical Business Information Records ............................................. 15
B.2.9 Testing of Plan ................................................................................. 16
C. COMMUNICATION................................................................................................... 19
D. INTERNAL AUDIT .................................................................................................... 20
E. OUTSOURCING ....................................................................................................... 21
F. SUBMISSION LIST ................................................................................................... 22
G.GLOSSARY............................................................................................................... 23
H. APPENDICES........................................................................................................... 28
Appendix 1 – Level of Disruption (LoD) Matrix………………………………………...28
Appendix 2 – National Influenza Pandemic Preparedness Plan (NIPPP)……….…29
Appendix 3 – BCP and DRP Test Matrix………………………………..……………...31
Appendix 4 – BCP and DRP Post Test Analysis Report…………..………………….32
Appendix 5 – List of Bank Negara Malaysia’s Contact Numbers…..………………..38
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 1 / 39
Department Continuity Management

A. OVERVIEW

A.1 Introduction

1. Business continuity management (BCM) entails enterprise-wide planning and


arrangements of key resources and procedures that enable the institution to
respond and continue to operate critical business functions across a broad
spectrum of interruptions to the business, arising from internal or external events.
2. Continuous availability of critical and essential services is a necessity for the
institution to promote customer confidence, ensure regulatory compliance and
protect its reputation. It is therefore crucial for the institution to continuously
enhance its capabilities to respond swiftly and to ensure the continuity of critical
business processes in the event of a major disruption.
3. The Guidelines outline BCM principles and specific requirements with regard to
the formulation of business continuity plan (BCP) and disaster recovery plan
(DRP), implementation, testing and maintenance of the plans by the institution.
4. The Guidelines should be read in conjunction with other relevant guidelines or
circulars issued by Bank Negara Malaysia (the Bank) from time to time.
5. With the issuance of these Guidelines, Part VII on Business Resumption and
Contingency Plan in the “GPIS1 - Guidelines on Management of IT Environment”
issued in May 2004 is superseded.

A.2 Objective of Guidelines

6. The primary objective of the Guidelines is to outline and enforce minimum BCM
requirements on the institution so as to ensure the continuity of critical business
functions and essential services within a specified timeframe in the event of a
major disruption. Minimum disruption to essential business services would in turn
enhance public confidence in the institution and the financial system, and
mitigates reputational risk to the institution.
7. The Guidelines set out the Bank’s expectations for the institution to adopt sound
and effective BCM procedures and practices to improve its resilience and be
prepared for any eventualities. Broadly, the Guidelines aim to ensure that the
institution:-
(i) Has in place a comprehensive BCM framework which includes a business
continuity policy;
(ii) Establishes a comprehensive BCM programme to formulate, implement
and test the BCP;
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 2 / 39
Department Continuity Management

(iii) Reviews and updates the BCP and DRP continuously to reflect changes in
the operating environment; and
(iv) Provides sufficient information to the Board of Directors (Board) to enable
them to discharge their responsibilities under the Guidelines.

A.3 Application and Effective Date of Guidelines

8. The Guidelines are applicable to all institutions under the purview of the Bank,
with effect from 1 January 2008, which include:
(i) Institutions licensed under the Banking and Financial Institutions Act 1989
(BAFIA);
(ii) Islamic banks licensed under the Islamic Banking Act 1983 (IBA);
(iii) Institutions licensed under the Insurance Act 1996 (IA);
(iv) Entities regulated under the Takaful Act 1984 (TA); and
(v) Development financial institutions prescribed under the Development
Financial Institutions Act 2002 (DFIA).
9. The institution is required to comply with the Guidelines. Nevertheless, the
institution is encouraged to adopt more stringent measures in addition to the
requirements prescribed in the Guidelines.
10. Any non-observance of or deviation from the Guidelines should be based on
proper risk assessment and risk management process, taking into account the
nature, scale and complexity of the institution’s business operations as well as
risk tolerance. The Guidelines operate on the premise that the Board retains
ultimate accountability for the implementation and effectiveness of BCM.
11. Given that BCM also encompasses disaster recovery for IT systems, crisis
management and contingency planning, the institution should ensure that
internal linkages with crisis management and emergency response procedures
as well as external dependencies on key service providers/vendors are
adequately considered during business continuity planning. In addition,
safeguard measures should also be undertaken on human life and business
assets/premises.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 3 / 39
Department Continuity Management

A.4 BCM Life Cycle

12. The Guidelines are formulated based on the principles and best practices of
BCM life cycle, comprising:
(i) Analysing the institution’s business functions and their criticality through
risk assessment (RA) and business impact analysis (BIA);
(ii) Formulating appropriate and workable BCM recovery strategies based on
the risk assessment and business impact analysis;
(iii) Developing and implementing BCP and DRP;
(iv) Testing the plans;
(v) Reviewing and maintaining the plans;
(vi) Auditing the plans; and
(vii) Conducting ongoing awareness programmes and communication, training
and education on BCM.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 4 / 39
Department Continuity Management

B. BCM PRINCIPLES AND REQUIREMENTS

B.1 BCM Framework

B.1.1 Board and Management Oversight

Principle: The Board and Management are responsible for ensuring the
implementation of effective BCM framework within the institution.

13. The Board and Management are responsible to ensure enterprise-wide


implementation of sound BCM practices as part of good corporate governance
and prudent risk management.
14. The Board and Management should be aware of and assess the potential threats
and risks to the institution and the corresponding impact on critical business
functions as well as their responsibilities with regard to BCM. The Board should
provide leadership, direction and oversight in ensuring that effective BCM
practices, recovery and resumption procedures are in place for the continuation
of critical business functions should a major operational disruption occur.
15. The Board and Management should also be aware of potential impact on the
institution’s operations of any potential failure or disruption in services provided
by vendors and other third-party or intra-group service providers. They should
ensure that the expectations and obligations of each party are clearly defined,
understood and enforceable to ensure smooth implementation during a business
disruption.
16. The Board is expected to approve the overall BCM policy and strategies by
ensuring that the BCM policy is consistent with the institution’s risk tolerance
level as well as the nature, complexity and materiality of the institution’s business
operations, while Management is responsible to effectively implement the BCM
policy and strategies set out by the Board.
17. As part of its governance responsibility, the Board or a committee of the Board is
expected to ensure that the institution has a workable BCP in place for all critical
business functions and that the plan is consistent with the institution’s overall
business objectives.
18. The Board should ensure that the BCP is adequately tested and regularly
updated as per the requirements set forth in the Guidelines, to reflect changes in
the operational environment and business activities and the level of risk that the
institution represents to the operation of the financial system.
19. Management should periodically assess the institution’s readiness for effective
response to major disruption.
20. As executive level support and commitment is a critical aspect of BCM,
Management should articulate clear expectation for business continuity
preparedness throughout the institution to foster BCM effectiveness.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 5 / 39
Department Continuity Management

21. The Board and Management should provide sufficient annual budget allocation
and resources for effective implementation and maintenance of BCM. This may
vary according to the size and complexity of the institution’s BCM arrangement.
22. In the case where the institution’s BCP arrangement is outsourced to a third
party, the responsibilities of the Board and Management shall remain in ensuring
that sound and effective BCM practices are being adopted by the service
provider.

B.1.2 BCM Policy

Principle: The institution should have clearly defined policies for business
continuity management.

23. The institution should have in place a properly documented BCM policy, which is
essential to reinforce the importance of BCM and to commit the institution to a
structured and consistent approach in implementing effective BCM practices.
24. Management is responsible for developing the BCM policy for Board’s approval,
implementing the approved policy and associated processes, conducting
periodic review on the BCM’s effectiveness, and communicating BCM issues or
concerns to the Board in a timely manner.
25. At a minimum, the BCM policy should set out the objective, scope, strategies,
inter-linkages with other contingency and emergency response procedures as
well as delineate the lines of authority and responsibility for effective
implementation of BCM throughout the institution.
26. The BCM policy should be periodically reviewed and updated to ensure its
relevance and that it reflects the current risk tolerance of the Board and business
goals of the institution.
27. Management should ensure that the BCM policy is clearly communicated to staff
at all levels so that they are aware of their respective roles, responsibilities and
accountability with respect to BCM.

B.1.3 Roles and Responsibilities

Principle: The institution should clearly define the roles and reporting lines of
individuals and/or committee responsible for BCM.

28. The institution should establish a formal and permanent Business Continuity
Management (BCM) Committee, represented by senior management from
various business and technical departments, which is appropriate with the size
and complexity of the institution to effectively deal with a business disruption.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 6 / 39
Department Continuity Management

Where appropriate, the committee should report directly to a committee of the


Board in order to promote and maintain effective BCM practices.
29. The BCM Committee should have documented terms and reference.
30. To support and provide feedback to the high-level BCM Committee, the
institution may establish a working level committee. The committee should
comprise a BCM coordinator (who is assigned to monitor the business continuity
project) and representatives which include, but not limited to:
(i) Major business units;
(ii) IT;
(iii) Internal audit (on an advisory capacity only);
(iv) Quality assurance / compliance;
(v) Legal;
(vi) Human resource;
(vii) Security;
(viii) Property management and services; and
(ix) Corporate services/communication.
31. The institution should establish a dedicated BCM function for the effective
coordination and supervision of all BCM activities, which reports directly to the
BCM Committee.
32. Management should ensure that BCM activities are conducted by competent
staff with technical knowledge and experience consistent with the nature and
complexity of the institution’s business activities.
33. In ensuring that due attention is accorded to BCM, business continuity planning
should reside with the business units and involve those who carry out the critical
business functions. This approach places ownership and accountability for
business continuity preparedness on the heads of business units who are
expected to assess and declare their state of readiness to Management
periodically.
34. For smooth handling of a major disruption, the institution should consider
establishing a crisis management team to coordinate the recovery and
resumption of all critical business functions. Among others, the team should:
(i) Assume the central role in monitoring and assessing the impact of the
disruption;
(ii) Provide appropriate advice to Management on the need to invoke the
BCP;
(iii) Make operational decisions in response to the disruption; and
(iv) Communicate with internal and external stakeholders.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 7 / 39
Department Continuity Management

B.1.4 BCM Culture

Principle: BCM practices should be embedded into business operations and


corporate culture of the institution.

35. Management should progressively promote an organisational culture that places


high priority on enhancing business continuity capability and ensures BCM
becomes an integral part of strategic management process and routine business
operations.
36. Prior to undertaking new activities, procurement or strategies, Management
should ensure that business continuity requirements are given adequate
consideration at the planning and development stages.
37. The institution should ensure that staff are equipped with proper understanding
of their respective roles and trained to perform their responsibilities with respect
to prevention of crisis and recovery of business operations in times of disruptions.
All staff, including new recruits, should be briefed on the institution’s business
continuity arrangement to better prepare for all eventualities. Where possible,
specific training requirements should be included in the performance objectives
of staff involved in BCM activities.
38. Awareness and periodic briefings for the Board and Management are equally
important to ensure continuing commitment and support for the BCM.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 8 / 39
Department Continuity Management

B.2 BCM Methodology

B.2.1 Risk Assessment and Business Impact Analysis

Principle: The institution should identify and assess potential threats that could
severely interrupt operations and business activities. Institutions
should also evaluate the business impact of the threats on all business
functions and the financial system in general.

39. The institution should undertake a structured risk assessment (RA) process to
identify potential threats that could cause material business disruptions, resulting
in the inability to fulfill business obligations.
40. In undertaking the risk assessment, scenario analysis and planning should be
conducted based on the potential loss, inaccessibility or unavailability of the
following resources:
(i) Key personnel, including decision makers and recovery personnel;
(ii) Office premises (including branch, locally or abroad) and facilities within
the same or nearby geographical location or region;
(iii) Critical business information and records;
(iv) IT systems and infrastructure, including network devices and peripherals
as well as other support facilities; and
(v) Services of key suppliers, service providers or vendors, including
outsourcing vendors.
41. Risk assessment should be carried out at least annually or more frequently if
there are significant changes to the internal operating or external environments.
42. The institution should assess the likelihood of the identified threats occurring and
determine the impact on the institution. In this regard, the institution is expected
to carry out a business impact analysis (BIA), annually which forms the
foundation of developing the BCP and whenever there are material changes to
the institution’s business activities.
43. The BIA exercise should be conducted for all business functions in a structured
and systematic manner, so as to identify critical business functions, resources
and infrastructure of the institution.
44. The institution should determine the potential financial and non-financial impacts
(i.e. legal, operational and reputational) on the institution if the critical business
functions, resources and infrastructure are unavailable for a given period of time
during a major disruption.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 9 / 39
Department Continuity Management

45. The institution should also assess the impact of an outbreak of a pandemic or
infectious diseases on their critical business operations and ensure that
appropriate measures are in place to ensure continuity of critical business
functions and that such functions can be sustained over a prolonged period of
disruption due to high absenteeism and/or relatively large geographical areas are
under quarantine/isolation.
46. Management should ensure the adequate participation and involvement of all
business units in the BIA process. The heads of business units should be
responsible and accountable for the RA, BIA and BCP.

B.2.2 Critical Business Functions

Principle: The institution should identify the critical business functions essential
for the development of recovery strategy to ensure resumption of its
operations.

47. Given the impracticality and high cost involved in order to recover all business
functions during a crisis, the institution should define the critical business
functions that must continue in the event of a major disruption and establish the
priorities for recovery. With the recovery priorities in place, the institution would
then be able to determine the appropriate strategy and resource requirements
(people, technology, equipment, facilities, etc.) to enable a phased recovery of
the critical business functions within an acceptable timeframe.
48. In determining the criticality of business functions, focus should be accorded to
business functions, which may involve among others the following:
(i) Large-value and time-sensitive payment instructions;
(ii) Clearing and settlement of material transactions;
(iii) Fulfillment of material end-of-day funding and collateral obligations;
(iv) Management of customers’ risk positions;
(v) Provision of essential banking services and payments such as cash
withdrawals, deposits and remittances through various delivery channels
that are necessary to maintain public confidence;
(vi) Provision of essential insurance/takaful services;
(vii) Provision of other services that may have systemic impact to other market
participants or financial system; and
(viii) Communication with the regulator and stakeholders, including counter-
parties.
Apart from the above, the institution may include other services or activities that
are deemed critical to their business functions.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 10 / 39
Department Continuity Management

49. The institution should take into account the interdependencies of all critical
business functions, and the extent to which they depend upon internal and/or
external parties such as utilities and telecommunication service providers.

B.2.3 Recovery Strategy

Principle: The institution should develop recovery strategies and procedures for
all critical business functions derived from the BIA exercise.

50. The institution should formulate and document appropriate recovery strategies
for all critical business functions to ensure the continuity or recovery of essential
services within the acceptable timeframe.
51. The recovery strategies should, amongst others indicate the recovery timeframe,
delivery of the minimum level of essential services, functional relocation, the
alternate and recovery sites, mode of processing, key recovery personnel
including the decision makers, work area, data, facility and technology
requirements, where appropriate.
52. In developing recovery strategies, adequate consideration and succession
planning should be accorded to scenario where the workforce and productivity
may be substantially reduced as a consequence of a significant increase in
mortality and morbidity.
53. For technology requirements, the recovery strategy should clearly indicate the
type of recovery site to be adopted that commensurates with the nature, scale
and complexity of the institution’s business operations.
54. For human resource requirements, the institution should also include recovery
strategy pertaining to pandemic or infectious diseases threat. Where necessary,
the institution should refer to the National Health Council or Ministry of Health
Malaysia (MOH) and always be vigilant of any advisories or notification by these
or other authorities.
55. The recovery strategies should be regularly reviewed to ensure their continued
relevance as business activities and operating environment change.
56. The recovery strategies and resource requirements should be approved by
Management and the relevant committees to ensure alignment with corporate
goals and business objectives.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 11 / 39
Department Continuity Management

B.2.4 Maximum Tolerable Downtime and Recovery Time Objectives

Principle: The institution should determine maximum tolerable downtime (MTD)


and recovery time objectives (RTO) for all critical business functions.

57. Based on the BIA results, the institution should determine the MTD and RTO for
each critical business function. The goal is to develop a BCP that details the
procedures and the minimum level of resources required to recover the critical
business functions within the recovery timeframe and maintain services at an
acceptable level.
58. The institution should ascertain the targeted MTD and RTO for all critical
business functions in consultation with various affected parties, including the IT
Department, taking into consideration the nature, scale and complexity of
business functions and their dependencies and impact on other parties.
59. The MTD and RTO set should practically correspond with the importance and
criticality of the business functions. In particular, the institution should set shorter
MTD and RTO for business functions that have significant impact on customer
services and RTO should not exceed MTD. All MTDs and RTOs of critical
business functions should be validated and approved by Management or the
relevant committees and endorsed by the Board.
60. The institution is expected to recover important payment systems and critical
business functions that could pose systemic impact on other market participants
within the specified MTD and RTO.
61. The institution should consider incorporating specific RTO requirements in
contractual arrangements with key service providers, suppliers, counterparties,
etc.

B.2.5 Level of Disruption

Principle: The institution should identify the minimum services and the recovery
strategy for critical business functions that correspond to each level of
disruption.

62. In the event of a major disruption, it is important that the scale of the disruption
be assessed in terms of its severity. Correspondingly, this would facilitate the
appropriate remedial actions and the type of essential services to be rendered
under various scenarios.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 12 / 39
Department Continuity Management

63. For this purpose, the institution should identify the minimum essential services
and the recovery strategy for all the critical business functions, based on the
suggested level of disruption (LoD) given below. The institution is also required
to maintain a record depicting the LoD and the corresponding minimum essential
services and recovery strategy as outlined in the LoD Matrix (refer to Appendix
1).

LoD Description
Affect isolated areas of the business operations such as a branch,
1 department, and the situation is well contained within the area.
Probability of exceeding MTD/RTO is Low.
Affect a number of branches or departments.
2
Probability of exceeding MTD/RTO is Moderate.

Affect head office business premises or the production data centre


3 (single branch institution)
Probability of exceeding MTD/RTO is High.

Affect region or entire state where the institution operates. May


4 cause systemic impact.
Probability of exceeding MTD/RTO is High.

Affect nationwide or regional


5
Probability of exceeding MTD/RTO is High.

64. The institution is required to complete the LoD matrix and submit to Pengarah,
Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia before 31 January of
each year.

B.2.6 Formulation of Plan

Principle: A business continuity plan and disaster recovery plan should be


formulated and approved by Management. The institution should
ensure that the plan is effectively implemented and properly maintained
by all business units.

65. The institution should develop a workable business continuity plan (BCP) and
disaster recovery plan (DRP) for at least all critical business functions, including
domestic and overseas branches or subsidiaries operations.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 13 / 39
Department Continuity Management

66. Management should be involved in business continuity planning. In the case


where the BCP and DRP formulation is undertaken by a consultant, the
responsibility of Management does not diminish in ensuring that a well-designed
plan is developed.
67. The BCP and DRP should include, at least:
(i) Procedures to be followed in response to a major disruption to business
operations. The procedures should enable the institution to respond swiftly
to a crisis situation, recover and resume the critical business functions,
resources and infrastructure outlined in the BCP within the stipulated
timeframe.
(ii) Escalation, declaration and notification procedures. The institution should
maintain a call tree and contact list.
(iii) The conditions for BCP activation and the individual who has the authority
to declare a disaster and grant permission to execute the recovery
processes.
(iv) A list of all resources required to recover critical business functions in the
face of a major disruption. This would include, but not limited to, key
recovery personnel, computer hardware and software, office equipment
and relevant documentation.
(v) Relevant information about the alternate and recovery sites.
(vi) Procedures for restoring normal business operations. This should include
the orderly entry of all business transactions and records into the relevant
IT systems and the completion of all verification and reconciliation
procedures.
68. Given that the threat of a pandemic or infectious disease poses unique
challenges, the institution should also ensure that their BCPs have adequate
arrangements and resources to deal with a possible emergence of a pandemic
or infectious disease. In this regard, the institution is encouraged to align their
preparatory and response measures to the outbreak stages used by the Ministry
of Health Malaysia. The institution could refer to Appendix 2 on the measures to
be undertaken in the event of an outbreak of a pandemic or infectious disease.
69. The institution should ensure that recovery personnel’s responsibilities are
clearly documented in the BCP. During a major disruption, staff could be
unavailable for various reasons. As such, it is important that alternate recovery
personnel be identified for all critical business functions.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 14 / 39
Department Continuity Management

B.2.7 Alternate and Recovery Sites

Principle: The institution should make arrangements for alternate and recovery
sites should the business premise, infrastructure and systems
supporting critical business functions become unavailable in the event
of a major disruption.

70. The institution should make available a functional alternate and recovery site for
their business functions and technology in the event the business premises, key
infrastructure and systems supporting critical business functions become
unavailable.
71. The alternate and recovery sites could either be in-house arrangements, or
available through agreement with third-party recovery facility provider, or a
combination of both options.
72. The institution should assess the suitability and capacity of the alternate and/or
recovery site to ensure that the site is:
(i) Sufficiently distanced from the primary site to avoid being affected by the
same disaster or source of disruption;
(ii) Using a separate or alternative telecommunication network and power grid
from the primary site to avoid single point of failure; and
(iii) Readily accessible and available for occupancy, taking into consideration
the logistic requirements within the recovery timeframe stipulated in the
BCP and DRP.
73. For technology requirements, the institution should ensure that the IT systems at
the recovery sites are:
(i) Compatible with the institution’s primary systems (in terms of capacity and
capability) to adequately support the critical business functions; and
(ii) Continuously updated with current version of systems and application
softwares to reflect any changes to the institution’s system configurations
(e.g. hardware or software upgrades or modifications).
The institution should provide a recovery facility (hot-site, online mirroring, etc),
which commensurates with its established MTD/RTO and for critical business
functions that pose systemic risks.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 15 / 39
Department Continuity Management

74. For the use of a third-party alternate site or recovery facility, the institution
should :
(i) Establish a written contract to safeguard the institution’s interest;
(ii) Provide a service level agreement (SLA) between the institution and the
third party to ascertain the level and type of services to be provided to the
institution. The SLA should be properly documented and approved by the
Management;
(iii) Mitigate concentration risks, where the service provider renders the
recovery facilities to several customers or to customers within the same
locality or industry. In this regard, the agreement should specifically identify
the conditions under which the recovery facility may be used and specify
how customers would be accommodated if simultaneous disruptions affect
several customers of the recovery facility provider;
(iv) Assess the capacity and capability of the third party sites for use for a
reasonable prolonged period; and
(v) Ensure that adequate physical and logical access control is provided by
the service provider to safeguard the recovery facility.
The institution should ensure that a periodic and continuous review and
monitoring be undertaken on the service level provided by the third party and the
measures mentioned in items (iii), (iv) and (v) above.

B.2.8 Critical Business Information Records

Principle: Proper procedures should be put in place to ensure the availability of


systems and critical business information records for the recovery of
critical business functions in the event of a major disruption.

75. The institution should ensure that sufficient number of backup copies of critical
business information, software and related hardcopy documentation (for systems
and users) are available for the recovery of critical business functions. A copy of
the information, documentation and software should be made available at an off-
site premise or backup site, and any changes or updates should be done
periodically and reflected in all copies.
76. A full systems backup should be periodically conducted and should at least
consist of the updated version of the operating system software, production
programs, system utilities and all master and transaction files. The frequency of
backup would depend on its criticality and should be performed after critical
modification or updates.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 16 / 39
Department Continuity Management

77. All backup media should be properly labelled using standard naming conventions
that at least indicate usage, date and retention schedules. Backup media should
also be regularly tested, where practicable, to ensure that they can be restored
when necessary. All backup media should also be rotated in a systematic and
timely cycle.
78. Backup media should also be stored off-site in a secure and access-controlled
environment, which is of consistent standard to the main site and in accordance
with manufacturer’s recommendations. The backup site should also be located at
a distance that would protect it from damage resulting from any incident at the
primary site, but facilitates quick retrieval process.
79. Transportation to the backup site should be done in a controlled and secured
manner with proper authorisation and record. Procedures for disposal of backup
media should also be in place.

B.2.9 Testing of Plan

Principle: The BCP and DRP must be tested regularly to ensure the functionality
and effectiveness of the recovery strategies and procedures,
preparedness of staff and other recovery resources.

80. The institution should test the BCP and DRP for all critical business functions
and application systems.
81. BCP should be tested at least once a year for all critical business functions,
while the DRP for all critical application systems should be tested at least twice
a year, of which one of the tests should be a “live run”. Where necessary, the
institution is also encouraged to conduct periodic BCP and DRP testings for the
critical business functions.
82. For RENTAS system (where applicable), due to its criticality, the institution is
required to conduct "live run" testing from the institution’s recovery site in
accordance with prevailing guidelines on RENTAS.
83. The scope of testing should be sufficiently comprehensive to cover the major
components of the BCP and DRP as well as coordination and interfaces among
important parties.
84. The type of BCP and DRP testing should include both functional (e.g. simulated,
“live”, full blown, etc) and non-functional testing (call tree and desktop exercises
or walkthrough).
85. Large and complex institution should at least conduct an integrated testing on a
reasonable wide-scale for all the critical business functions, using back up IT
systems to gauge and assess the application system linkages and network
connectivity. Load/capacity requirements that are required to support minimum
services level to be provided during a disaster should also be included during
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 17 / 39
Department Continuity Management

testing. Where possible, the involvement of key service providers/vendors in


BCP testing should be considered to evaluate the adequacy and availability of
external services that might be required. However, the institution is reminded to
exercise due care when undertaking the above testing in view of the risk involved
and to ensure minimal inconvenience to the public.
86. Test plans with predetermined test goals and test criteria, using realistic
simulations and activity volumes should be developed for the testing. Formal
testing documentation (including test plan, objectives, scenarios, procedures and
results) should be produced to ensure thoroughness and effectiveness of testing,
and properly maintained for audit purposes.
87. Management should be involved in the annual testing process to demonstrate
their commitment as well as to familiarize themselves with their recovery roles.
In addition, Management should ensure that all relevant staff (i.e. recovery and
alternate personnel) participate in the testing exercises.
88. Minimum BCP and DRP testing requirements include, but not limited to:
(i) Verifying completeness of the plan and adequacy of recovery procedures;
(ii) Assessing familiarity of staff with their business continuity responsibilities
and the institution’s evacuation procedures;
(iii) Evaluating connectivity, functionality, performance and load capacity of
alternate and recovery sites;
(iv) Assessing adequacy of security implementation and staff awareness;
(v) Assessing effectiveness of communication plan and coordination with
relevant parties;
(vi) Evaluating response time; and
(vii) Recommending remedial actions for future tests.
89. The institution is expected to prepare a post-test analysis report, where
evaluation of the testing performance against the testing goals is made. This is to
ensure adequacy and integrity of testing, to identify problems and to develop the
necessary corrective action plans. The analysis could also be used to eliminate
redundancies and any waste of resources.
90. BCP and DRP test results for critical business function and application should be
timely communicated to the Board.
91. The institution is required to submit to Pengarah, Jabatan Penyeliaan IT dan
IKP, Bank Negara Malaysia the following documents:
(i) Annual BCP and DRP test matrix before 31 January of every calendar
year (refer to Appendix 3); and
(ii) BCP and DRP post-test analysis report within two months after the date
of testing (refer to Appendix 4)
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 18 / 39
Department Continuity Management

B.2.10 Maintenance of Plan

Principle: The institution must carry out periodic review of the BCP and DRP. The
plan must be updated to reflect changes in the operating environment
and business activities.

92. The BCP and DRP should be reviewed and updated regularly. The plans
including risk assessment and BIA should be reviewed and updated on an
ongoing basis (at least annually or when necessary) so that they are consistent
with the institution’s current operations and business strategies. The institution is
expected to employ a formal process for maintaining the plan where regular
reviews, validations and updates are conducted to ensure their continued
relevance and effectiveness. This includes addressing gap(s) identified during
BCP and DRP testings.
93. Ongoing review of the adequacy of backup systems, software, applications, and
other resources should also be included in the BCP and DRP update cycle.
94. Management must review the final revised BCP and DRP and endorse the
changes to the recovery strategies and procedures.
95. Management is responsible and accountable for ensuring that the BCP and DRP
are up-to-date, effective and tested periodically. As such, periodic reporting on
the progress and strategic issues or concerns with regard to BCM should be
communicated to the Board on a timely manner.
96. An updated copy of the BCP and DRP should be provided to the relevant parties
and should be stored at an off-site premise or backup site that can be easily
accessed during a disaster/prolonged disruption.
97. The institution is required to adopt version control to facilitate updating and
maintenance of the plans.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 19 / 39
Department Continuity Management

C. COMMUNICATION

Principle: The BCP should incorporate strategy and approach for communication
with relevant internal and external stakeholders. The institution must
maintain an updated emergency contact list of key personnel and
relevant parties.

98. Communication is of the utmost importance especially during a business


disruption or a crisis. Clear and effective communication would help to alleviate
anxiety or rumours and assist in promoting public confidence.
99. In this respect, the institution should include in the BCP, a communication plan
for notifying all relevant internal and external stakeholders (e.g. home and host
regulators, counterparties, key service providers, media and the public) following
a major disruption to the operations of the institution.
100. The institution should consider preparing predetermined messages tailored to a
number of plausible disruption scenarios to ensure consistent and effective
messages are conveyed in a timely manner to the various stakeholders.
101. The institution must notify the Bank immediately or not exceeding two hours
after experiencing a major disruption (LoD 2 and above) that has the potential to
materially impact customer service. Using the LoD matrix, the institution should
notify the severity of the disruption, essential services to be provided, the actions
being taken and the timeframe for returning to normal operations. The institution
should also notify the Bank when normal operations have resumed. Refer to
Appendix 5 for the list of Bank Negara Malaysia’s contact number.
102. The institution must maintain an emergency contact list of all relevant parties and
key recovery personnel essential for the swift response and recovery of critical
business functions. The contact list should be regularly updated.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 20 / 39
Department Continuity Management

D. INTERNAL AUDIT

Principle: The institution’s internal audit should conduct regular independent


evaluation of the adequacy and relevance of BCM policy, strategies,
procedures and testing of the BCP and DRP.

103. Internal auditors should periodically verify that sound and effective BCM
practices are implemented in the institution, in line with the principles and
requirements stipulated within the Guidelines and the institution’s BCM policies
and procedures.
104. In line with BNM/GP10 – Guidelines on Minimum Audit Standards for
Internal Auditors of Financial Institutions, internal auditors should participate
as observers during the development of BCP and DRP. The internal auditors
are to maintain objectivity and independence from any operational responsibility
of BCM being developed.
105. Internal auditors should be involved in major functional BCP and DRP testing as
observers to provide an independent evaluation of the testing preparation and
exercise performance. A written assessment report should be prepared and
submitted to the Audit Committee for review.
106. On an annual basis, internal auditors should review the level of commitment to
BCM and overall preparedness against the institution’s BCM policies and
regulatory requirements. For outsourced services, the auditors or other
independent party should periodically review the BCP testing undertaken by the
outsourcing vendor to ensure their business continuity preparedness. Gaps
identified should be documented in the audit report together with action plans for
further improvement by the respective business functions or outsourcing vendor.
The audit report should be submitted to the Audit Committee.
107. An executive summary of the audit report, which includes comments from the
Audit Committee, should be forwarded to Pengarah, Jabatan Penyeliaan IT
dan IKP, Bank Negara Malaysia not exceeding two months after being
presented to the Audit Committee.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 21 / 39
Department Continuity Management

E. OUTSOURCING

Principle: In the event that some parts of the business functions are outsourced,
the institution should ensure that risk arising from outsourcing does
not compromise its business continuity preparedness.

108. The institution is expected to address all issues relevant to managing the risks
associated with each outsourcing arrangement to the extent reasonable given
the unique circumstances and having regard to the interests of the institution.
109. The institution should ensure that the outsourcing vendor is subjected to the
BCM Guidelines, where appropriate.
110. The outsourcing contract should specify the requirements for ensuring the
continuity of the outsourced business function in the event of a major disruption
affecting the outsourcing vendor’s services. Recovery time objectives (RTO)
should be built into the outsourcing contract, with provisions for legal liability
should the RTO not be achieved.
111. The institution should ensure that the outsourcing vendor has in place fully
documented and adequately resourced BCP and DRP. The institution should
ensure that periodic testing is conducted by the outsourcing vendor on its BCP
and DRP at least annually and twice a year, respectively. The vendor should
notify the institution of the test results and action to be undertaken to address
any gap. The institution may also require its outsourcing vendor to declare their
state of business continuity readiness to the institution, annually.
112. The institution should include a clause in the outsourcing agreement, which
allows the institution’s internal auditor or other independent party appointed to
review the BCM of the outsourcing vendor.
113. The institution should be notified in the event that the outsourcing vendor makes
significant changes to its BCP and DRP, or encounters other circumstances that
might have a serious impact on its services.
114. The institution’s own BCP should address reasonably foreseeable situations
where the outsourcing vendor fails to provide the required services, causing
disruptions to the institution’s operations. In particular, the plan should ensure
that the institution has in its possession, or can readily access, all records
necessary for it to sustain business operations and meet obligations in the event
the outsourcing vendor is unable to provide the contracted services.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 22 / 39
Department Continuity Management

F. SUBMISSION LIST

The institution is required to submit the following documents to Pengarah,


Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia.

Frequency
Date of
of Submission of Sign-Off By Page Format
Submission
Submission

LoD Matrix Before 31 Chief 12, item Refer to


January of Executive no. 64 Appendix
every Officer 1
calendar
year
Annually
BCP and DRP Before 31 Chief 17, item Refer to
Test Matrix January of Executive no. 91(i) Appendix
every Officer 3
calendar
year

BCP and DRP Within two BCM 17, item Refer to


Post-Test months after Coordinator no. 91(ii) Appendix
Analysis Report the test has / DRP 4
been Coordinator
conducted -
for each
BCP and
Once DRP test
Available conducted

Executive Within two Chief 20, item -


Summary of months after Internal no. 107
BCP and DRP being Auditor
Audit Report formally
endorsed by
Audit
Committee
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 23 / 39
Department Continuity Management

G. GLOSSARY

Alternate Site
Refers to as an alternate site for business units to resume critical operation during
disaster.
A site held in readiness for use during a business continuity event to maintain an
institution’s business continuity. An organisation may have more than one alternate site.
In some cases, an alternate site may involve facilities that are used for normal day-to-
day operations but which are able to accommodate additional business functions when a
primary location becomes inoperable.

Board
Refers to the institution’s Board of Directors.

Business Continuity
The ability of an institution to ensure continuity of service and support for its customers
and to maintain its viability before, after and during an event.

Business Continuity Management (BCM)


A whole-of-business approach that includes policies, standards, and procedures for
ensuring that specified operations can be maintained or recovered in a timely fashion in
the event of a disruption. Its purpose is to minimize the operational, financial, legal,
reputational and other material consequences arising from a disruption. BCP and DRP
are the key components of BCM.

Business Continuity Plan (BCP)


A comprehensive documented action plan that outlines the procedures, processes and
systems necessary to resume or restore the business operation of an institution in the
event of a disruption.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 24 / 39
Department Continuity Management

Business Impact Analysis (BIA)


A component of business continuity management. BIA is the process of measuring
(quantitatively and qualitatively) the business impact or loss of business processes in the
event of a disruption. It is used to identify recovery priorities, recovery resource
requirements and essential staff and to help shape a business continuity plan
.

Call Tree
A document that graphically depicts the calling responsibilities and the calling order used
to contact management, employees, customers, vendors and other key contacts in the
event of an emergency, disaster or severe outage situation.

Card Services
Include credit card and bankcard services.

Critical Business Function (CBF)


Business function that is considered crucial for an institution based on the BIA and risk
assessment performed. Classification of CBF should be based on the following criteria:
a) Crucial and required to support customer services
b) Generate highly significant income
c) Required by related regulatory bodies
d) Might cause systemic impact
e) Disruption which will result in substantial business losses in terms of revenue,
customer and reputation

Critical Business Information Record


A record that is critical for the institutions that must be preserved and available for
retrieval if needed.

Desktop Exercise
One method of exercising teams in which participants review and discuss the actions
they would take per their plans, but do not perform any of these actions. The exercise
can be conducted with a single team, or multiple teams, typically under the guidance of
exercise facilitators.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 25 / 39
Department Continuity Management

Disaster Recovery Plan (DRP)


A comprehensive written plan of action that sets out the procedures and establishes the
processes for IT systems and requirements that are necessary to support and restore
the business operation of an institution in the event of a disruption.

Essential Services
Vital services that need to be provided by an institution either during normal business
day or during disaster.

Full-Blown Testing
Involves large or wide scope/scale of testing of all IT systems, including network
infrastructure and connectivity using production data and resources on IT recovery sites.
Basically, the objective of the test is to gauge load handling and capacity of the recovery
site. Where necessary, business operations are shifted to the recovery site in
accordance with the disaster recovery plan. This test is clearly a very thorough test, but
one which must be carefully planned and has the capacity to cause a major disruption to
operations, if the test fails.

Integrated Testing
An exercise conducted on multiple interrelated components of a Business Continuity
Plan, can be either under simulated or live operating environment. Examples of
interrelated components may include interdependent departments or interfaced systems.

“Live” Run Testing


Involves the use of production data and resources for testing on IT recovery sites in a
live environment. Where necessary, business operations are shifted to the recovery site
in accordance with the disaster recovery plan. This test is clearly a very thorough test,
but one which must be carefully planned and has the capacity to cause a major
disruption of operations, if the test fails.

Management
Refers to the institution’s senior management, which also include the Chief Executive
Officer and President as well as their deputies, etc.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 26 / 39
Department Continuity Management

Maximum Tolerable Downtime (MTD)


This is the timeframe during which a recovery must become effective before an outage
compromises the ability of an institution to achieve its business objectives and survival.

Recovery Site
Refers to recovery (backup) site for IT system as an alternate to primary data centre.
Also known as disaster recovery (DR) site. Examples of recovery site arrangement are:
a) Replacement - do nothing but replace the system after disaster.
b) Cold site - completed data centre infrastructure but without equipment.
c) Warm site - capable of providing backup operating support but would require (at a
minimum) the restoration of current data.
d) Hot site - fully equipped, operationally ready data centre.
e) Reciprocal arrangement - mutual backup between institutions.
f) Full redundancy - dual production systems configuration, where the production
system is duplicated at recovery site.
g) Commercial recovery facility - subscribe to third party service provider or relocate
staff to the alternate processing site

Recovery Time Objective (RTO)


The timeframe required for IT systems and applications to be recovered and
operationally ready to support business functions after an outage. (See illustration
below)

Recovery Time Objective (RTO)

ESCALATION RECOVERY CLEAR


BACKLOG
Outage Invoke System Data
Outage Invoke
DRP System Data
Occurs DRP Recovered Current

Maximum Tolerable Downtime (MTD)


IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 27 / 39
Department Continuity Management

Risk Assessment
Process of identifying the risks to an institution, assessing the critical functions
necessary for an institution to continue its business operations, defining the controls in
place to reduce organization exposure and evaluating the cost for such controls. Risk
analysis often involves an evaluation of the probabilities of a particular event.

Simulation Testing
Involves bringing the recovery site to a state of operational readiness, but maintaining
operations at the primary site. Thus staff are relocated, backup tapes transferred, and
operational readiness established in accordance with the disaster recovery plan while
operations at the primary site continue normally.

Structured Walkthrough
An exercise in which team members physically implement the business continuity plans
and verbally review each step to assess its effectiveness, identify enhancements,
constraints and deficiencies.

Systemically Important Payment System


Defined as the payment and settlement system that plays a critical role in preserving the
systemic stability of the financial system. It would present systemic risk and/or affect
public or investor confidence should the system is unable to complete (recover) and
resume critical functions and activities in a timely manner.

Systemic Risk
Includes the risk that the failure of one institution in the financial system to meet its
required obligations will cause other institutions to be unable to meet their obligations
when due, thereby potentially causing significant liquidity dislocations or credit problems
and threatening the stability of the financial markets.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 28 / 39
Department Continuity Management

APPENDICES

Appendix 1 – Level of Disruption (LoD) Matrix

Institution : XYZ Berhad


Critical Business Function : <Name of Critical Business Function>
Date : _______________

Minimum Essential MTD RTO


LoD Business Continuity Strategy
Services Provided (hour) (hour)

Prepared by : < Name >


< Designation >
< Date >

Concurred by : < Name >


< Designation >
< Date >

* The MTD and RTO of the same essential service(s) at different LoD should
be the same.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 29 / 39
Department Continuity Management

Appendix 2 – National Influenza Pandemic Preparedness Plan (NIPPP)

WHO Alert Phases Transmission Objectives


Levels
Inter-pandemic Phase 1 Influenza virus Strengthening pandemic
period (planning subtype in animals preparedness at all levels
and only (risk to humans
preparedness) low)

Phase 2 Influenza virus Minimize the risk of


subtype in animals transmission to humans;
only (risk to humans Detect and report rapidly,
substantial) if it occurs
Confirm pandemic Detect and report rapidly,
outside Malaysia if it occurs

Pandemic Alert Phase 3 Human infection Ensure rapid characterization


(emergency and (transmission in close of new virus
pre-emptive contacts only)
response) Confirm Pandemic Detect, notify and respond to
within Malaysia. additional cases
3a: imported
3b: within Malaysia

Phase 4 Limited human-to- Contain the virus or delay its


human spread; small spread
clusters <25 cases
lasting < 2 weeks

Second waves or
other waves of
pandemic.
4a: outside Malaysia
4b: inside Malaysia

Phase 5 Localized human to Maximum efforts to contain or


human spread; delay the spread
Larger clusters 25-50
cases over 2-4 weeks
Pandemic Phase 6 Widespread in Minimize the impact of the
(minimizing general population pandemic
impact)
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 30 / 39
Department Continuity Management

The following table provides a summary of the stages before and during a pandemic:

MOH Alert Level Definition


Phase 1 and Phase 2 { Pre-pandemic stages

1. Action to be taken during this stage includes


planning, communication, personal active
equipment, screening tools, antiviral agents and
vaccination recommendations.

2. Audit or self evaluation also may be conducted


to gauge the preparedness.

Phase 3 to Phase 6 { Pandemic stage

1. This stage occurs when the Government of


Malaysia declares a pandemic. Influenza
symptoms need to be screened during this
stage, communications to staff on the next
action plan, medication processes ongoing for
those contracted with the disease.

Notes:
This level is additional to the levels provided in the Ministry of Health’s
Guidelines. At this stage, morbidity rates are exceedingly high, economic
activities are severely affected and emergency measures are needed to bring
the situation under control.

Source: “Recommendations on Influenza Pandemic Preparedness For Industry in Malaysia”,


Ministry of Health Malaysia and The Society of Occupational and Environmental Medicine
(SOEM) of the Malaysian Medical Association (MMA), March 2006.
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 31 / 39
Department Continuity Management

Appendix 3 – BCP and DRP Test Matrix

ADMINISTRATIVE INFORMATION

Name of Institution Contact Tel. No

Name of Contact Person Fax No

Designation Email Address

BCP DRP

BCP/DRP PRE-TEST PLAN INFORMATION

Name of Critical Business Function:


State the following:

Objectives of testing Scope of Testing Type of Testing Expected MTD Expected


Date of (Hours) RTO
Functional Testing Non-Functional Testing (Hours)
(e.g. Integrated Test; Full (e.g. Call tree; Walkthrough;
Blown; Simulated) Desk-top)

List of personnel involved (please indicate the department name & designation)
List of external dependencies involved e.g. third party service provider, Telco (please indicate the company’s name and service provided)

Sign Off By: ________________________ ________________________


CEO/ MD/ President BCM/DRP Coordinator
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 32 / 39
Department Continuity Management

Appendix 4 – BCP and DRP Post Test Analysis Report

ADMINISTRATIVE INFORMATION

Name of Institution Contact Tel. No

Name of Contact Person Fax No

Designation Email Address

BUSINESS / DISASTER RECOVERY TEST GENERAL INFORMATION

Objectives of Test Test Scenario

Test 1

Test 2

Test 3

No of Staff Involved: Please tick 9 whichever applicable:

IT Non-IT (Please list the details as per the BRCP DRP Date(s) of Test:_______________
attachment)

Internal Audit

Other Parties e.g 3rd party service provider; Vendor, Telco


IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 33 / 39
Department Continuity Management

TYPE OF TESTING
(You may tick 9 more than one)
CRITICAL
BUSINESS MTD Functional Testing Non-functional Testing
FUNCTIONS Walk-
Integrated
Unit Test Full Blown Simulated Live Run Call Tree Through /
Test
Desk-Top
E.g. branch
operations

No. of branches involved (if applicable) = ____________________________

Scope of Test : < Please describe here - refer to the Guidelines >
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 34 / 39
Department Continuity Management

Test Location & Address


Application Systems Expected Type of
Recovery Strategy Primary Data Computer Business
Systems Criticality RTO Recovery Site
Centre Recovery Site Recovery Site

System Recovery Time Objective (RTO) (hours/days)


Systems Criticality Classification
The timeframe required for IT systems and applications to be recovered and
(a) Very critical operationally ready to support business functions after an outage
- Crucial and critically required to support customer services.
- Generate highly significant income. Maximum Tolerable Downtime (MTD)
- To comply with related regulatory requirements. The timeframe during which a recovery must become effective before an
- Might cause systemic impact. outage compromises the ability of an organization to achieve its business
- Disruption which will result in substantial business losses in terms of objectives
revenue, customer and reputation
Recovery Strategy
(b) Critical
- Required to support customer services. (There could be more than one strategy used for one application system)
- Generate significant income.
(a) Backup and restore - Using end of day backup and stored offsite.
- To comply with related regulatory requirements.
- Disruption will result in business losses in terms of revenue, (b) Journaling / Forward recovery - Journal log kept and taken offsite
customer and reputation. periodically in a day.
(c) Required (c) Electronic Vaulting - Routine backups transmitted via network to offsite
- Indirectly support customer services. direct access storage device.
- Comply with related regulatory requirements. (d) Electronic Journaling - Journal log transmitted periodically to backup site
- Disruption to business functions could be tolerated using other via network.
alternate mode of processing. (e) Data mirroring - Data is transmitted real time via dedicated network to a
(d) Non-Critical disk array at backup site.
- Not affecting customer services, compliant with regulatory (f) System Failover - Entire system component is duplicated at hot site, real-
requirements is not necessary time data replication. Near zero data loss, virtually instant recovery
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 35 / 39
Department Continuity Management

Type of Recovery Site


(a) Replacement - do nothing but replace after disaster.
(b) Cold site - completed data centre infrastructure but without equipment.
(c) Reciprocal arrangement - mutual backup between companies.
(d) Warm site - capable of providing backup operating support but would require (at a minimum) the restoration of current data.
(e) Hot site - fully equipped, operationally ready data centre.
(f) Full redundancy - dual production systems configuration, production system is duplicated at recovery site.
(g) Commercial recovery facility - subscribe to third party service provider or relocate staff to the alternate processing site
IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 36 / 39
Department Continuity Management

Application System: ______________________________

Date & Start End Time


Activities Problem Encountered Action Taken Remarks
Day Time Time Taken

Disaster Declaration

Movement to recovery site:

(a) People: IT Staff

Business Users

(b) Backup Tapes

System
Preparation/Restoration

Data Preparation/Restoration

Connectivity

User logon

Transaction testing

Actual RTO

Overall Test Result


IT and DFI Supervision Guidelines on Business
BNM/RH/GL/ 013-3 Page 37 / 39
Department Continuity Management

System Preparation / Restoration Data Preparation / Restoration


Covers all activities required to bring up the DR system from the Covers all activities required for data preparation and database restoration
time relocation to DR site has completed, including preparation for
network and branch connectivity, system preparation, system
restoration (Operating System and Application System) and other
necessary activities until the system is ready for normal transaction

Overall Test Result


(a) Successful, if (b) Partially successful, if
all test objectives are fully met, and test objectives are partially met, and
able to meet expected RTO, and problems encountered are more serious in nature which require more time
and effort to rectify, need collaboration with third party (example Telekom)
no problems encountered, or
or require Senior Management’s involvement (for example need investment
only minor problems encountered which could be rectified to increase capacity of the DR system).
immediately or within short period of time.
(c) Fail, if
test objectives are not met at all, or
unable to proceed with the test and requires a re-test.
Note: For tests which had failed, please state the re-test date.

INTERNAL AUDIT ASSESSMENT

Prepared By:
………………………………….………………………
Name : ______________________________ Designation : ______________________________
IT and DFI Supervision Guidelines for Business
BNM/RH/GL/ 013-3 Page 38 / 39
Department Continuity Management

Appendix 5 – List of Bank Negara Malaysia’s Contact Numbers

Department Contact Person Telephone Number


(a) During Office Hours
03 – 26988044 ext. 7315
Director
03 - 26989167 (DL)
03 – 26988044 ext. 7359
Deputy Director – Division 1
03 – 26913685 (DL)
Financial
Conglomerate 03 – 26988044 ext. 8047
Deputy Director – Division 2
Supervision 03 - 26910845 (DL)
Department – JP1
03 – 26988044 ext. 8382
Deputy Director – Division 3
03 - 26982294 (DL)
03 – 26988044 ext. 7588
Deputy Director – Division 4
03 – 26982917 (DL)
03 – 26988044 ext. 7579
Director
03 – 26943926 (DL)
Deputy Director – Division 1 03 – 26988044 ext. 7316
Banking Supervision
Department – JP2 03 – 26988044 ext. 7949
Deputy Director – Division 2
03 – 26910720 (DL)
03 – 26988044 ext. 7278
Deputy Director – Division 3
03 – 26985745 (DL)
03 – 22635000 ext. 2703
Director
03 – 2031 1794 (DL)
03 – 22635000 ext. 2138
Insurance and Deputy Director – Division 1
03 – 20313509 (DL)
Takaful Supervision
Department – JP3 03 – 22635000 ext. 1841
Deputy Director – Division 2
03 - 20313507 (DL)
03 – 22635000 ext. 1321
Deputy Director – Division 3
03 – 20311787 (DL)
03 – 22635000 ext. 3333
Director
03 - 20312200 (DL)
IT and Development
Financial Institution 03 – 22635000 ext. 3305
Deputy Director – IT Risk
Supervision (DFI) 03 - 20317788 (DL)
Department – JP4
03 – 22635000 ext. 1010
Deputy Director – DFI
03 - 22746340 (DL)
IT and DFI Supervision Guidelines for Business
BNM/RH/GL/ 013-3 Page 39 / 39
Department Continuity Management

Department Contact Person Telephone Number


Investment
Operations and 03 - 26922343
Financial Market Dealing Room
Department – 03 - 26915695
JOPPK
Risk Management
The Bank’s BCM Coordinator 03 - 22635000 ext. 1388
Unit
(b) After Office Hours

Security Department Operations Room of Security 03 - 26988044 ext. 8999

Note :

DL - Direct Line