July Introduction Sound Risk Management

Transcription

1 Risk Management Practices Business Continuity Management Guidelines Introduction Sound Risk Management...1 Management And Planning To provide financial institutions with the principles for establishing sound risk management practices, the Monetary Authority of Singapore on 30 June 2003 issued guidelines on inter alia, Management ( BCM Guidelines ), which is the focus of this Update. Comprising of seven key principles, the BCM Guidelines provide guidance to financial institutions on establishing a framework that would enable them to be prepared for operational disruptions as well as quickly recover and resume critical business functions following disruptions. Application Of BCM Guidelines Principle 1: Board And Senior Management Should Be Responsible For Their Institution s Management Principle 2: Institutions Should Embed Management Into Their Business- As-Usual Operations, Incorporating Sound Practices...3 Principle 3: Institutions Should Test Their BCP Regularly, Completely, And Meaningfully...3 Principle 4: Institutions Should Develop Recovery Strategies And Set Recovery Time Objectives For Principle 5: Institutions Should Understand And Appropriately Mitigate Interdependency Risk Of Principle 6: Institutions Should Plan For Wide-Area Disruptions Principle 7: Institutions Should Practise A Separation Policy To Mitigate Concentration Risk Of...5 Conclusion...5 Introduction Sound Risk Management The Monetary Authority of Singapore ( MAS ) on 30 June 2003, issued guidelines which set out the objectives for sound risk management practices ( Risk Management Guidelines ) which essentially involve the following: identifying various risks that financial institutions face and offering guidance on best practices to deal with them. Some of these risks and best practices are dealt with in two separate finalised guidelines which were also issued on 30 June The two guidelines, which are part of the Risk Management Guidelines framework, are as follows: guidelines on business continuity management ( BCM Guidelines ); and updated guidelines on internet banking technology risk management ( IBTRM Guidelines ). This Client Update will focus on the BCM Guidelines while a separate Update will deal at length with the IBTRM Guidelines. Keeping with MAS policy, all the guidelines issued do not prescribe in detail how financial institutions should ensure sound risk management. Instead, the Risk Management Guidelines emphasis the following four key pillars for effective risk management: adequate oversight by the board of directors ( Board ); senior management accountability; sound risk management policies and operating procedures; and strong risk measurement, monitoring and control capabilities commensurate with the risk taken. Recognising the diversity in the nature, size, and complexity of the operations of financial institutions, MAS has made it clear that the Risk Management Guidelines are not meant to be exhaustive nor are they meant to apply uniformly to all financial institutions. In fact, financial institutions are not expected to comply with every aspect of the Risk Management Guidelines. However, as they embody best practices, the Risk Management Guidelines will serve as benchmarks in any assessment of the quality of a financial institution s risk management framework. Page 1

2 Further, given the high degree of interdependence in the global marketplace today and the resultant integration of functions among institutions, the risk management issues facing institutions will be similar to a large extent. Hence the Risk Management Guidelines will have broad applicability. So what is expected of financial institutions? Basically, they should observe the principles set out in the Risk Management Guidelines and prepare Board-approved documents detailing the internal framework that incorporates these principles. These Board-approved documents will be used in conjunction with the Risk Management Guidelines in assessing the quality of the institution s risk management practices. Management And Planning BCM in essence is an over-arching framework that includes policies, standards, and procedures that aim to minimise the impact to businesses arising from operational disruptions. It not only addresses the restoration of information technology ( IT ) infrastructure, but also focuses on the quick recovery and resumption of critical business functions so that institutions can fulfill their business obligations. Business continuity planning ( BCP ) on the other hand, is a plan of action that sets out the procedures and establishes the processes and systems necessary to restore the orderly and expeditious operation of the financial institution in the event of disruptions to the operations of the institution. BCP is an important integral element of the BCM Guidelines. Having a BCP in place would be important evidence that the financial institution has embraced BCM. The BCP will in fact be reviewed by MAS in the course of its supervision of financial institutions. Such supervision will take into account, inter alia, the extent to which the institution observed the BCM Guidelines, and its risk profile. Application Of BCM Guidelines The financial institutions to which the BCM Guidelines apply include regulated financial institutions and financial utility providers (in this Update the term institutions would be used to refer to both). Financial utility providers are organisations that provide specialised financial services such as cheque clearing and settlement. The BCM Guidelines recognise that certain institutions can be expected to maintain a higher state of business continuity preparedness because of the extent to which other institutions depend on them to fulfill their obligations. Some of these institutions play such a critical role that their failure to recover from operational disruption may contribute towards the amplification of systemic risk. For the purpose of the BCM Guidelines, such institutions are collectively referred to as Significantly Important Institutions ( SII ). SII are expected to be better prepared and adhere more closely to the BCM Guidelines. MAS will, in due course, be in contact with those institutions considered by MAS to be SII, and discuss with them MAS expectations regarding adherence to the BCM Guidelines. In view of the best practices that they embody, which are encapsulated in seven principles, the BCM Guidelines are standards that institutions should, as far as possible, adopt. These principles are discussed in the paragraphs that follow. MAS will try to update the BCM Guidelines to take into account international developments. Principle 1: Board And Senior Management Should Be Responsible For Their Institution s Management The BCM Guidelines clearly place the ultimate responsibility for business continuity preparedness on the Board and senior management of the financial institution. To demonstrate that senior management are sufficiently aware of the risks, mitigating measures and state of readiness of the institution, they should provide the Board with an attestation that clearly states the: preparedness of the institution; and the extent to which the institution adheres to the BCM Guidelines, taking into account the institution s nature, scale and complexity of business activities. It would also be preferable if the attestation includes disclosure of residual risk, ie risk that remains after mitigating measures have been applied. The attestation is an internal document, and it is for senior management to determine the form which best suits them. It should be updated at least once a year or more frequently if there is material change within the institution. The BCM Guidelines do not make it mandatory for institutions to disclose the attestation to customers and counterparties. It is thus for the institutions to decide whether to do so. Page 2

3 Soon Choo Hock Direct: (65) Facsimile: (65) Rajesh Sreenivasan Direct: (65) Facsimile: (65) Lionel Tan I Kwok Direct: (65) Facsimile: (65) lionel.tan@rajahtann.com Principle 2: Institutions Should Embed Management Into Their Business-As-Usual Operations, Incorporating Sound Practices BCM is meant to be a proactive process. To be truly effective, it should be part of the business-as - usual operations and day-to-day risk management of the institution. Sound BCM practices that an institution could adopt include the following components: clear BCM policy, strategy and budget; well-defined roles and responsibilities for the BCM programme; BCP comprising of detailed tasks and activities; succession plans for critical staff and senior management; business impact analysis or similar process; programme for the development, implementation, testing and maintenance of BCP; programmes for training and awareness; emergency responses; external communications and crisis management coordination programmes; and coordination with external parties (including authorities, interdependent parties, etc). As the BCP is a key aspect of BCM, and in order to ensure its relevancy and effectiveness, the BCP should be practical in operation, reviewed and updated regularly, and meaningfully tested. Principle 3: Institutions Should Test Their BCP Regularly, Completely, And Meaningfully Principle 3 further elaborates on the need to meaningfully and regularly test the BCP. Such testing will firstly, help ensure that the plan is up-to-date with changes in technology, business processes and staffs roles and responsibilities, all of which can affect the appropriateness of the BCP. Secondly, it will familiarise staff with the location of the recovery site, as well as the recovery procedures. The testing or exercise should be conducted in modules and at different but regular intervals with participation by senior management and staff. In order for the testing to be complete and meaningful, all components of a business process should be meaningfully tested (eg from front-line through to supporting and processing components, etc). The testing should encompass the connectivity, functionality and load capacity of the infrastructure provided at the recovery site(s). Other matters that should be tested include the awareness and preparedness of staff and how they coordinate with external parties such as the institution s offices, branches or service providers based outside Singapore. The BCM Guidelines also encourage institution-wide tests as they provide a different perspective from that of modular tests. Exercises may include: desk-top walk-through exercise to full system test; staff call-tree activation (with and without mobilisation); back-up site to back-up site exercise (including with external service providers); Page 3

4 alternative arrangements of shared services; back-up tape restoration; and retrieval of vital records. In view of the inter-dependency of institutions, exercises should also be conducted on an industry-wide scale. At the minimum, the key financial utility providers and the institutions they service should participate in such exercises which will help to increase the confidence in the financial service sector. The tests or ex ercises should be subject to post mortem reviews that deal with the lessons learnt and highlight any new risk mitigating measures that should be prepared. The review should be set out in a formal document which senior management should sign-off on, and concur with the proposed new mitigating measures. Principle 4: Institutions Should Develop Recovery Strategies And Set Recovery Time Objectives For Critical Business Functions Institutions should set clear markers in terms of recovery strategies and recovery time objectives. The latter essentially refers to the target duration of time to recover a specific business function. It is the acceptable duration of time that can elapse before the non-continuation of the specific business function would result in severe business impact and losses to the institution. Having the above markers will help ensure that scarce resources are not inappropriately diverted to less important activities. Institutions have to identify business functions that are critical (including support operations and related IT systems) and the potential losses (in monetary and non-monetary terms) they would incur should their operations be disrupted. Some of the more common critical business functions would include the following; completing payment instructions; clearing and settling transactions; fulfilling end-of-day funding and collateral obligations; managing customers risk positions; and maintaining customer, investor or public confidence. Recovery Time Objectives With respect to recovery time objectives, this may range from hours to minutes, or even longer depending on the sectors and function. However, it is important for SII to recover and resume their critical business functions faster than the institutions or the industry that depend on them. Institutions should set their own critical recovery strategies and recovery time objectives corresponding to the nature, scale and complexity of their business functions and business obligations. Principle 5: Institutions Should Understand And Appropriately Mitigate Interdependency Risk Of Critical Business Functions In planning for the business continuity of critical business functions, institutions should take into account the interdependencies of these business functions, and the extent to which they depend on other parties. Such dependencies include the following: within an institution - eg Treasury, custody services, etc; between institutions - eg for US Dollar clearing, etc; on financial utility providers - eg clearing and settlement providers; on vendors - eg IT or disaster recovery service providers; and on infrastructure providers - eg telecommunication. Institutions should also take reasonable steps to ensure that their key service providers are capable of supporting their businesses, even in disruptions. Institutions should also proactively seek assurances from their key service providers that: they have a BCP in place that is equal to, if not more robust than, their own; and their service providers BCPs are regularly tested. As to the form of assurance that best provides an adequate level of comfort, this is a matter that institutions have to decide for themselves when engaging a particular service provider. This is because no one method can satisfactorily apply across all institutions and circumstances. In addition, institutions should also provide for the risk of unexpected termination or liquidation of key service providers that their critical business functions depend on. To this end, institutions should take reasonable steps to retain some level of control, and reserve the right to intervene with appropriate measures to continue their critical business operations. Principle 6: Institutions Should Plan For Wide- Area Disruptions Disruptions, if they do occur, may affect a wide-area ( zone ) as was Page 4

5 dramatically demonstrated by the events of September 11. Hence, institutions will have to demonstrate to MAS that they have planned and catered for a wide-area disruption in their BCM. Some planning parameters that institutions can consider include the following: the geographical concentration of institutions; transactional processing activities; and dependencies on internal or external service providers. In addition, institutions, when drafting their BCM policies and procedures, should also provide for the contingency of prolonged operational disruptions. Principle 7: Institutions Should Practise A Separation Policy To Mitigate Concentration Risk Of Critical Business Functions The commentary to this principle acknowledges the economic benefits of centralisation of critical business and support functions such as treasury, front and backoffice as well as IT data centre. However, critical staff and information are important assets that are difficult to replace quickly and institutions cannot assume that the same pool of staff will be available to recover their critical business functions at the recovery sites since disruptions may result in such staff being unavailable. Thus concentrating critical business functions together carries risk, and institutions must consider how best to reduce that risk, without affecting the efficiency that results from centralising such functions. Some of the approaches that they can adopt include the following: Primary-secondary site separation - separating the primary and secondary sites of critical business functions into different zones. This would mitigate the risk of losing both sites in a wide-area disruption. Critical business functions separation and intra-function separation - separating critical business functions into different zones would reduce the risk of losing multiple critical business functions from a single-zone disruption. Similarly, having another pool of people in a different zone able to take over critical business functions during disruptions, would remove the dependency on a single labour pool. All this would only be possible if critical business functions (eg backoffice settlement operations and critical IT support) are diversified. Different approaches have different cost implications and it is for the institutions to be innovative and explore different avenues for mitigating concentration risk. Conclusion With the global financial system comprising of a set of interlinked networks of markets, systems, and participants, institutions recognise the need to strengthen their resilience against disruptions and recover business functions quickly after a disruption. This would be crucial in maintaining confidence in the institution. While it is easy enough to see the need for an effective BCM framework, a key challenge for institutions is to establish and maintain a comprehensive BCM which is also cost-effective. Rajah & Tann is one of the largest law firms in Singapore. It is a full service firm and given its alliances, including US premier firm Weil, Gotshal & Manges, is able to tap into resources in a number of countries. Rajah & Tann is firmly committed to the provision of high quality legal services. It places strong emphasis on promptness, accessibility and reliability in dealings with clients. At the same time, the firm strives towards a practical yet creative approach in dealing with business and commercial problems. The information contained in this Update is correct to the best of our knowledge and belief at the time of writing. The contents of the above are intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice for any particular course of action as the information above may not necessarily suit your specific business and operational requirements. It is to your advantage to seek legal advice for your specific situation. In this regard, you may call the lawyer you normally deal with in Rajah & Tann or the Knowledge & Risk Management Group at eoasis@rajahtann.com. Page 5