The Presidents/Chief Executives
All Banks/DFIs
Dear Sirs/Madam,
Guidelines on Business Continuity Planning
In the present day world, ‘Business
Continuity Planning’ is becoming more and more important.
Today, we are faced with multiple internal as well as external
threats, some of which are man-made and others are natural,
e.g., earthquakes, fire, wars, terrorist attacks, etc.
In the fast changing, but highly vulnerable environment,
‘emergency preparedness’ deserves attention
while strategic planning for the business is underway.
2. Therefore, there is a need for making comprehensive arrangements
for Business Continuity Planning in the form of instituting
physical security measures so that operational sustainability
of individual institutions and that of the industry is ensured.
In terms of Para 5.10.1 of “Risk Management Guidelines”
issued vide BSD Circular No.07 dated August 15, 2003, it
has already been advised that banks should have in place
contingency and business continuity plans to ensure their
ability to operate as going concerns and minimize losses
in the event of severe business disruptions.
3. Business Continuity Planning (BCP) means the level of readiness
in the face of any actual or potential danger, damage, and
disaster. BCP, being a risk-based framework, is a proactive
process and deals with operational risk by developing policies,
strategies, and specific responsibilities for the recovery
of critical business functions. Most importantly, it should
be commensurate with the institutions’ nature, scale
and complexity of business activities.
4. The following recommendations/guidelines are put forth to facilitate
the banks/DFIs in building or improving upon their BCP:
a) Responsibility: The ultimate responsibility for business
continuity planning (preparedness and recovery) following
any operational disruptions rests with the institutions’
Board of Directors and the Senior Management. Therefore,
both groups should familiarize themselves with the objectives,
issues and techniques of BCP. Further, the Senior Management
will be the architect of the policies, procedures and documents,
and the Board of Directors will approve them and ensure
their regular updation and improvement.
b) Components of BCP: Depending on the size, scale and complexity
of the business, institutions may adopt BCP having the following
components: clear-cut policy and adequate budget; key persons’
detailed description of roles/responsibilities; emergency
plan for accessibility or movement of staff to primary/backup
sites; succession plans for critical staff and senior management;
business impact analysis; detailed program for the development,
implementation, and maintenance of BCP; program for training
and awareness of staff; and coordination with external parties
and maintenance contracts / service level agreements (including
authorities, interdependent parties, etc.).
In addition to the above, BCP organization & policy decision
making in emergencies include: identification of organization
which will handle the emergency at the main site and at
the back-up site; identification of critical (time sensitive)
functions; location & suitability of operations back-up
site and availability of necessary facilities for resuming
critical functions within 24 hours; identification of critical
documents / data which needs to be regularly backed up and
arrangement of storage of backups on offsite location or
disaster recovery site; emergency call tree; recovery time
objectives; evacuation plans; and updation & testing
of BCP.
c) Critical Business Line: On account of different business
focus, market niche and customers’ expectations, critical
business functions differ among institutions. It must be
clear that institutions themselves are responsible for determining
their critical business functions, e.g., completing payment
instructions, clearing and settling transactions, fulfilling
end-of-day funding and collateral obligations, managing
customers’ risk positions and investor or public confidence,
etc. In case of any emergency, banking institutions should
ensure that their critical and time sensitive business functions
resume at the earliest. With reference to technology-based
services/products, there should be arrangements for ensuring
their delivery manually when the technology is unavailable
or not working during the system downtime.
d) Geographic Concentration: The vulnerabilities are associated
with the current geographic concentration of market participants
and some of their backup facilities. The geographic diversity
for critical operations and backup facilities should be
a key consideration of BCP.
e) Centralization of Operations: Financial institutions tend
to get economic benefit of centralization of critical business
functions but it should be noted that in case of disruptions
it becomes more difficult to recover or replace critical
information and staff. In such an event, the likelihood
of quick recovery is low. It is, therefore, important to
find the right balance between mitigating concentration
risk and not losing the efficiencies gained from the centralization
of business processes and critical staff. Institutions are
encouraged to innovate and explore different possibilities
of mitigating concentration risk.
f) Recovery Time Targets: Institutions need to define their
targets for resumption of their core business operations
as well as full-fledged functioning of their business. In
practice, depending on the situation, expectations for
recovery time may differ. However, some critical functions
should continue with minimal, if any, disruption, even in
the event of a major challenge. Moreover, the plan should
have the capacity to deal with the possibility of longer-term
disruptions and to accommodate normal or increased volume
of transactions.
g) Testing: Regular, complete and meaningful testing/validation
of BCP should not be taken just as a compliance issue or
an item on the checklist, but as a critical part of business
operations. Institutions must ensure that at the time of
need, operations from their active and backup sites do not
face problems of connecting and communicating. The internal
auditor should verify that the drilling exercise has been
conducted as per the plan.
h) Updation & Improvement: All of us understand that changes
in technology, business processes and staff’s roles
and responsibilities can affect the appropriateness of the
BCP. Ultimately, all this may affect the institutions’
state of preparedness. It is, therefore, important to regularly
update and improve the functionality and effectiveness of
their BCP. This will not only ensure their relevance and
operational viability, but also familiarize the staff with
the location of the recovery site as well as the recovery
procedures.
i) Compliance: At this point in time it is beneficial for the
banks / DFIs to take appropriate measures for compliance
with these guidelines depending upon factors like the size
of the institution, complexity of activities the institutions
engage in, the different markets in which they conduct transactions,
etc. We encourage banks/DFIs to keep themselves abreast
of the best international practices and revise their BCP
as and when circumstances warrant.
5. It may be noted that the above guidelines are issued with
a view to help strengthen overall resilience of the financial
system. Development of robust and practical contingency
and security plans, involving participation from all concerned
areas of organization, will ensure that banks / DFIs have
the capacity to deal with an unexpected situation that might
flow from sudden, internal as well as external events. Some
institutions might have already planned and achieved much,
yet all of us must view the developments, both at home and
abroad, as a wake-up call and ensure that an optimal combination
of plans, tools, systems and people exists with the ability
to survive any tribulations.
6. Banks/DFIs are advised to incorporate BCP in their regular
business operations, within six months of the date of issue
of these guidelines. During the course of inspection of
banks / DFIs, our Banking Inspection Department will look
into the adequacy of the BCP and the arrangements thereof.