Critical business services and functions
Under the 2022 Guidelines, Financial Institutions (FIs) should identify their critical business services because various constraints prevent FIs from resuming all business services and functions quickly when disruptions occur.
However, FIs can formulate recovery strategies that prioritise critical services. In formulating these strategies, FIs should adopt an end-to-end view of the critical business services’ dependencies, considering both the individual processes and the other processes supporting the delivery of the critical services.
FIs should consider:
- their safety and soundness;
- their customers, having regard to the number and profile of customers affected, as well as the manner in which they are impacted; and
- other FIs that depend on the business services.
As the onus is on FIs to ensure clear accountability and responsibility for the business continuity of their critical business services, they should also appoint personnel to oversee the recovery and resumption of each critical business service in the event of a disruption.
Service recovery time objective (SRTO)
Once the critical business services have been identified, the FI should establish an SRTO for each of these services. In establishing the SRTOs, the FI should consider:
- its obligations to its customers;
- the other FIs that depend on the business services; and
- the feasibility of achieving the set SRTO, especially for critical business services that involve more dependencies.
Thus, the recovery strategies in place should enable FIs to achieve the established SRTOs and restore the disrupted services to the level required to meet their business obligations.
FIs should also be prepared for the possibility of partial disruptions (which would include intermittent or reduced performance that is not tantamount to a complete unavailability of service). When faced with such a prospect, FIs should have clear criteria to determine if their business continuity plans (BCPs) should be activated before the situation results in a severe impact.
Amid an increasingly interconnected financial ecosystem, the 2022 Guidelines highlight risks arising from the growing reliance on common IT systems and third parties. To mitigate these risks, FIs are recommended to identify and map the end-to-end dependencies covering people, processes, technology and other resources (including those involving third parties) that support each critical business service.
By doing so, FIs will be able to identify resources critical to service delivery and address any potential gaps that could hinder the effectiveness and safe recovery of the critical business services. This information can also assist in formulating the recovery strategies discussed above.
As for dependence on third parties, the 2022 Guidelines recognise the reality of ever-increasing interconnectivity within the financial system. However, FIs should still ensure that third parties are able to meet the SRTOs of their critical business services. This can be achieved by:
- reviewing the agreements with third parties to include specific and measurable recovery expectations that support the FI’s BCM;
- ensuring that the BCPs of third parties meet appropriate standards and are regularly tested;
- establishing arrangements with third parties to safeguard the availability of key resources;
- conducting audits on the third parties; or
- performing joint tests with third parties.
Risk of concentration
When several critical business services and/or functions are outsourced to a single service provider, there is an increased risk of concentration. Hence, the 2022 Guidelines recommend the following approaches to mitigate the risk of concentration and reduce the impact in the event of a disruption:
- have separate primary and secondary sites for critical business services and functions, or infrastructure (such as data centres) in different zones, to mitigate wide-area disruption;
- separate critical business functions into different zones to mitigate the risk of losing multiple critical business functions, and the critical business services that they support, following wide-area disruption;
- deploy critical personnel across different zones, or establish reserve team arrangements to eliminate dependency on a single labour pool;
- identify critical skills or roles, and develop cross-training programmes to build versatility for key personnel involved in these roles;
- activate cross-border support as a contingency during disruptions; or
- engage an alternative service provider to allow for redundancy, or one that can be activated to provide immediate support when the primary service provider is unavailable.
Continuous review and improvement
While it is natural for FIs to continuously improve their business processes by incorporating new parties or technology, the reliance on technology and third parties is accompanied by greater risk exposure, which FIs should address proactively by:
- actively monitoring and identifying external threats and developments that could disrupt normal operations as well as any emerging threats that could pose a risk to business continuity;
- having in place a process to alert internal stakeholders and senior management to the existence of threats in a timely manner;
- regularly reviewing their BCM measures to identify areas of improvement and address any gaps. This should be done in particular following operational disruption, near misses, or incidents in other organisations, to enhance business continuity preparedness; and
- regularly assessing the need for additional tools and automation to enable them to manage incidents or disruption more effectively.
Generally, it is suggested that FIs review their critical business services and functions, and the respective SRTOs and recovery time objectives (RTOs) and their dependencies, at least annually or whenever there are material changes that affect them.