(Mr. Krirk Vanikkul) Assistant Governor, Financial Institutions Policy Group Governor For

Transcription

1 Unofficial Translation by the courtesy of The Foreign Banks' Association This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text for the official version BANK OF THAILAND To Managers All Commercial Banks 5 July 2006 No.: ThorPorTor. ForNorSor. (21) Wor. 896/2549 Re: Submission of the Draft of the Guideline on Business Continuity Management (BCM) and Preparation of Business Continuity Plan (BCP) of Financial Institutions At present, events and external factors, which may impact financial institutions operations, have become volatile; such [factors] are floods, hurricanes, fires, acts of terrorism, epidemics, etc. These disastrous events may render a financial institution incapable of providing continuing services to the customers, which in turn may affect the reputation of and confidence on such financial institution. It also may produce a knock-on effect on the entire financial institution system. As such, the Bank of Thailand (BOT) deems appropriate that financial institutions should prepare business continuity plans to enable their businesses to be continued during disastrous events and to restore normality to their operations within suitable time. The BOT hence issued this drafted guideline with the objective of making financial institutions aware of the importance of having sound BCM and BCP as well as to serve as guidance for the development of the management system and for preparing the BCM and BCP for those financial institutions currently in the preparation process or those that have not yet developed any BCM or BCP. This drafted guideline provides guidance and addresses crucial issues in preparing of the BCM and BCP of financial institutions; whereas each financial institution must determine how to adapt it, and specify details commensurate with the nature and sophistication of its businesses. The BOT hereby submits the drafted guideline for financial institutions to express their opinions on the said draft. Should a financial institution have any comment or suggestion, please submit them in writing to the Operational and Liquidity Risk Division, Risk Policy Department of the BOT, via fax, no or via addresses listed in the drafted guideline no later than 15 August The BOT will collect and use the comments and suggestions to improve the clarity and suitability of the drafted guideline. Financial institutions may further study the principle from the website of the Basel Committee on Banking Supervision at Risk Policy Department Tel.: and Note: Yours Sincerely, (Mr. Krirk Vanikkul) Assistant Governor, Financial Institutions Policy Group Governor For [ ] The BOT will arrange a clarification meeting on at. [X] No clarification meeting will be arranged BOT Notification No ( ).doc Page 1 of 1

2 Draft Guideline on Business Continuity Management (BCM) and Preparation of Business Continuity Plan (BCP) of Financial Institutions Prepared by Operational and Liquidity Risk Division Risk Policy Department Financial Institutions Policy Group The Bank of Thailand Tel: (02) , , Fax: (02) BOT Notification No ( ).doc Page 2 of 2

3 EXECUTIVE SUMMARY This guideline contains the guidance and key issues to the preparation of BCM and BCP of financial institutions. Each financial institution must determine how to adapt it and specify details appropriate to the nature and sophistication of its business. Important Codes to be Observed by Financial Institutions The board of directors and senior management are responsible for formulating strategies and policy of the business continuity management of the financial institution and consider the risk of managing and supervising such business continuity as a part of the overall risk management of the bank, which may be considered as a part of operational risk management. Moreover, adequate resources shall be allocated to support the management of the said risk. Financial institutions should identify the critical business functions and assess the risk and impact that may occurs from the disruption of these crucial business functions, as well as specify strategies to restore the systems to normality and set a recovery time suitable to each function. Financial institutions should have written business continuity plans. The plans must cover all critical business functions of the organization including subsidiaries or affiliated companies which provide specific services to the financial institution and other key the service providers related to the crucial functions, resources or utility systems. Financial institutions should conduct testing and reviewing on the business continuity plans on the functional level and organizational level at least once a year or upon changes of factors which materially affect the risk of disruption to the business operations. In the event of a disruption to the service of any critical business function, the financial institution should notify the Bank of Thailand at the first opportunity but not exceeding 24 hours. In addition, detailed report of the event, procedures and period expected to resolve the problems as well as when the operations may return to normal shall also be reported to the Bank of Thailand. Financial institutions should set policies for business continuity management and prepare the business continuity plans within 12 months. If any financial institution is unable to complete it within the specified deadline, it shall advise the reasons and make progress report to the Bank of Thailand. BOT Notification No ( ).doc Page 3 of 3

4 Table of Contents Subject Page Number 1. Rationale for the Guideline 1 2. Definitions 2 3. Details of Guideline 3 Board and Senior Management Responsibility 4 Analysis and Evaluation of the Impact of Major Operational Disruptions 4 Recovery Objectives 5 Business Continuity Planning 6 Communications and Trainings 7 Testing and Reviewing 7 Reporting to the Bank of Thailand 8 BOT Notification No ( ).doc Page 4 of 4

5 -Draft- Guideline on Business Continuity Management (BCM) and Preparation of Business Continuity Plan (BCP) of Financial Institutions 1. Rationale for the Guideline In present days, financial institutions in conducting their business must confront significant risks in several areas. Operational risk is considered one of the important risks for financial institutions. Although financial institutions may already have effective control systems but certain risks are unpreventable such as accidents, natural disasters, fires, hurricanes, acts of terrorism and epidemics, etc. A crucial measure to alleviate the degree of the impact from the occurrences of such events is business continuity management (BCM) and business continuity plan (BCP). Previously the Bank of Thailand (BOT) had issued a guideline on the preparation of contingency plan for information technology on 12 October 2005 and the financial institutions have already undertaken a certain level of preparation. Moreover, the Basel Committee on Banking Supervision (BCBS) recognizes the necessity and importance of business continuity management by issuing a consultative paper on High-Level Principles for Business Continuity in December The BOT hence prepared this guideline to serve as a guide for the boards of directors and senior managements of financial institutions in formulating business continuity management policies, which shall mean the guideline for setting policies, standards and operating procedures of the entire organization, to ensure that in the event of a disruption of the operations, critical business functions shall be continued or resumed in a timely fashion. A sound business continuity management will alleviate the financial, legal, reputational or other impacts that may occur to financial institutions. 2. Scope of Application It is applicable to all commercial banks under the law governing commercial banking. 3. Effective Date The guideline on business continuity management (BCM) and preparation of business continuity plan of financial institutions shall be effective from onward. BOT Notification No ( ).doc Page 5 of 5

6 4. Definitions Term Definition Particular Business Continuity Management (BCM) Business continuity management Guideline for setting policies, standards and procedures for the entire organization to ensure that upon a disruption the critical business functions will be able to be maintained or recovered in a timely fashion. Business Continuity Plan (BCP) Business continuity plan A written plan that sets out the procedures and processes to maintain or restore the systems to normality enabling business to be continued in the event of disruption. Critical Business Functions Critical business functions Functions which, upon a disruption, may have material impact on the operations, business, reputation, standings and performance of the financial institution. Business Impact Analysis (BIA) Business impact analysis A process of analyzing and measuring the business impact or loss, both quantitative and qualitative, incurred from the disruption. Recovery Objectives Recovery objectives A goal for recovering the system which consists of recovery strategy and recovery time objectives. Recovery Strategy Recovery strategy A guideline to respond to the disruption of critical operations. Recovery Time Objectives Minimum downtime A pre-specified duration which operations may be allowed to be interrupted. Alternative Sites Alternative operating center A site used to conduct substituting operations and continue business upon an event of disruption. BOT Notification No ( ).doc Page 6 of 6

7 Details of Guideline The business continuity management (BCM) consists of the following components. Business Continuity Management (BCM) Formulation of Policies on Business Continuity Managemen 1. Board and Senior Management Responsibility Identifying and Assessing Risks 2. Analysis and Evaluation of the Impact of Major Operational Disruptions - Identifying Critical Business Functions - Risk Assessment - Business Impact Analysis 3. Setting Recovery Objectives - Setting Recovery Strategy - Setting Recovery Time Objectives Preparation of the Plan 4. Business Continuity Planning 5. Communications and Trainings Monitoring and Evaluating Outcomes 6. Testing and Reviewing of the Business Continuity Plans BOT Notification No ( ).doc Page 7 of 7

8 Board and Senior Management Responsibility The board and senior management are responsible for formulating strategies and policies of business continuity management of the financial institution. The board may assign the task to a working committee or the senior management. However, the assignment must be in writing. The senior management must set a clear structure, duties and line of authority of relevant personnel based on the approved business continuity management policies. In addition, the board and senior management must consider the business continuity risks and controls as a part of the risk management. Large financial institutions with complex operations may establish specific units to oversee their business continuity management. 2. Analysis and Evaluation of the Impact of Major Operational Disruptions Analysis and assessment of the impact of major operational disruptions comprise of the following processes. 1. Identifying Critical Business Functions Financial institutions should identify critical business functions of which a disruption may have material impact on the operations, reputation and performance of the financial institutions. The financial institutions must specify clear criteria for determining priority of each of the critical functions. 2. Risk Assessment Financial institutions should conduct risk assessment from the disruption of critical business functions at least once a year or upon significant changes of internal or external factors which may affect these risks. They should identify possible irregular events that may impact them in short, medium and long runs as well as assess the probability of the occurrence of such events. Examples of possible critical disruptions are buildings and surrounding areas are damaged, buildings are inaccessible for a length of time, information technology systems are damaged, loss of crucial personnel either temporarily and permanently, etc. 3. Business Impact Analysis Financial institutions should analyze the impact from the possible events that may occur to the critical business functions. Such analyses should take into account the effects on depositors, financial and reputational impact, loss of income, degree of difficulty and recovery time or other alternatives, and impact on compliance with regulations of the authorities, etc. The business impact analyses should be conducted for all functions in the organization including subsidiaries or affiliated companies providing specific services for the financial institution and other main service providers related to the functions. These units should also take part in the business impact analyses. BOT Notification No ( ).doc Page 8 of 8

9 BOT Notification No ( ).doc Page 9 of 9-5- Financial institutions should conduct gap analyses between the business continuity plans currently being used and actions required for restoring the business to normality within the target time and meeting the stipulated goals. 3. Setting Recovery Objectives 1. Setting Recovery Strategy Financial institutions should take the outcomes derived from the business impact analyses into consideration in setting recovery strategies. The senior management must allocate adequate resources and budget for the relevant units to implement such strategies. Furthermore financial institutions may consider getting insurance to reduce loss from the irregular events that may occur. Nevertheless, insurance is not a replacement for the business continuity management because restoring business is not the main objective of insurance. 2. Setting Recovery Time Objectives Financial institutions should establish recovery time objectives for the critical business functions as well as prioritize the functions required to be restored to the normal situation and within relevant timeframe. The recovery time objectives must be approved by the board of directors and senior management of the financial institution. Additionally a comparison should be made between its recovery time objectives and those of other financial institutions. 4. Business Continuity Planning The business continuity plan (BCP) is a written plan that sets out the procedures and processes to maintain or recover systems enabling business to be continued in the event of a disruption. A business continuity plan includes repairing and rebuilding of damaged systems, premises or utility systems back to the normal operable condition. A financial institution should always possess a current business continuity plan that is already approved by its board of directors, authorized working committee or senior management. The business continuity plan should cover all critical functions in the organization including subsidiaries or affiliated companies providing specific services for the financial institution and other key service providers related to the crucial functions, resources or utility systems. A business continuity plan should at least consist of the following. 1. Detailed procedures for implementing the recovery in the event of a disruption to restore the operations within the specified time. 2. Necessary resources to the operations including personnel, various computer equipments, telephones, facsimile machines, office supplies, contract documents, insurance policies, etc. 3. A plan to notify and communicate with relevant parties internal and external to the financial institution. It should specify names and contact numbers of the employees, customers, counterparties, service providers, supervisory authority and various important media and should be updated on an ongoing basis. Additionally it should specify the decision-making authority in order to maintain communication.

10 A plan to establish alternate sites. An alternative site should be located at a certain distance from the main site, far enough to avoid being similarly affected as the main site and not serviced by the same utility sources in order to prevent widespread effects. Furthermore, each function must take part in the business continuity planning for its unit. One set of all business continuity plans should be kept with the authorized person and another set should be kept off-site. In the case of outsourcing, the financial institution should instruct the key service providers to prepare their own business continuity plans as well. 5. Communications and Trainings Financial institutions should set plans for communicating within their organizations and with relevant external parties. The communication plan should clearly specify authorized staff, scope of responsibilities related to communication, names and contact numbers of the staff and relevant external parties, which may be set up as a call tree, procedures and communication channels as well as types of information that may be disclosed. Financial institutions should take into consideration the possibility of impact on relevant parties across national borders in the event of a disruption. The communication plan should specify the communication procedures with relevant cross-border parties in the event that such disruption affects the international financial system. Financial institutions should publicize and conduct trainings on the business continuity procedures to relevant parties on a regular basis. The training plan should address training for the entire organization and training of each business function to ensure that all relevant parties understand and are aware of their roles upon disastrous events. 6. Testing and Reviewing of the Business Continuity Plans Financial institutions responsible senior management should conduct testing and reviewing of the business continuity plans at least once a year or more, upon changes to the factors that materially impact the risk of disruption to ensure that the business continuity plans are effective and operable. Financial institutions should conduct regular testing and reviewing of the business continuity plans on the organizational level as well as the functional level. The testing should be conducted in conjunction with relevant parties such as the communication and telecommunication companies, other service providers and important counterparties, etc. It is to ensure that all related parties are familiar with the plans and sites and are capable of implementing the plans as intended. It should include the developing of the business continuity plans to improve effectiveness, suitability with the changing technology, operating processes, structure of commands or key personnel. Financial institutions should use the standards of the financial system as a framework. issues. The testing and reviewing of business continuity plans should address the following 1. Procedures for staff evacuation 2. Notification and communication plan 3. Ability to activate alternative sites within a specified time 4. Data backup and recovery 5. Security of premises and computer systems 6. Recovery of critical business functions BOT Notification No ( ).doc Page 10 of 10

11 - 7- In case of outsourcing, financial institutions must instruct the key service providers to conduct testing and reviewing of their business continuity plans at least once a year and to allow the financial institutions to participate in the testing to observe or monitor the outcome of the testing and reviewing of the service providers business continuity plans on a regular basis. For the purpose of check and balance, financial institutions may arrange for external experts to periodically evaluate their business continuity plans. Reporting to the Bank of Thailand In the event of a disruption of the service of any critical business functions which materially affects the depositors or customers of a financial institution, the financial institution should notify the Bank of Thailand at the first opportunity but not exceeding 24 hours as well as providing detail of the event, implementing procedures and period expected to rectify the problem. The financial institution shall notify the central point of contact (CPC) responsible for the financial institution. Upon restoring such financial service back to normal, the financial institution shall duly notify the Bank of Thailand. Financial institutions should complete establishing the business continuity management policies and business continuity plans within 12 months. If it is unable to complete it within the deadline, the financial institution shall advise the reasons and make progress report to the Bank of Thailand. Furthermore, financial institutions should also study the guideline for IT contingency plan and principles related to business continuity management issued by other relevant parties such as the Basel Committee on Banking Supervision (BCBS), Federal Financial Institutions Examination Council (FFIEC) and the Business Continuity Institute (BCI), etc. BOT Notification No ( ).doc Page 11 of 11