Bank Negara Malaysia BCM Guidelines 2008

November 13, 2017 | Author: achile_007 | Category: Business Continuity, Internal Audit, Strategic Management, Audit, Risk


GUIDELINES ON BUSINESS CONTINUITY MANAGEMENT (BCM) BANK NEGARA MALAYSIA CENTRAL BANK OF MALAYSIA

Downloaded from BCM Institute Forum: bcmi.collectivex.com


A. OVERVIEW ........................................................... 1
   A.1 Introduction ................................................... 1
   A.2 Objective of Guidelines ........................................ 1
   A.3 Application and Effective Date of Guidelines ................... 2
   A.4 BCM Life Cycle ................................................. 3
B. BCM PRINCIPLES AND REQUIREMENTS .................................... 4
   B.1 BCM Framework .................................................. 4
       B.1.1 Board and Management Oversight ........................... 4
       B.1.2 BCM Policy ............................................... 5
       B.1.3 Roles and Responsibilities ............................... 5
       B.1.4 BCM Culture .............................................. 7
   B.2 BCM Methodology ................................................ 8
       B.2.1 Risk Assessment and Business Impact Analysis ............. 8
       B.2.2 Critical Business Functions .............................. 9
       B.2.3 Recovery Strategy ....................................... 10
       B.2.4 Maximum Tolerable Downtime and Recovery Time Objectives . 11
       B.2.5 Level of Disruption ..................................... 11
       B.2.6 Formulation of Plan ..................................... 12
       B.2.7 Alternate and Recovery Sites ............................ 14
       B.2.8 Critical Business Information Records ................... 15
       B.2.9 Testing of Plan ......................................... 16
C. COMMUNICATION ..................................................... 19
D. INTERNAL AUDIT .................................................... 20
E. OUTSOURCING ....................................................... 21
F. SUBMISSION LIST ................................................... 22
G. GLOSSARY .......................................................... 23
H. APPENDICES ........................................................ 28
   Appendix 1 – Level of Disruption (LoD) Matrix ..................... 28
   Appendix 2 – National Influenza Pandemic Preparedness Plan (NIPPP)  29
   Appendix 3 – BCP and DRP Test Matrix .............................. 31
   Appendix 4 – BCP and DRP Post Test Analysis Report ................ 32
   Appendix 5 – List of Bank Negara Malaysia’s Contact Numbers ....... 38

BNM/RH/GL/ 013-3

IT and DFI Supervision Department

Guidelines on Business Continuity Management

Page 1 / 39

A. OVERVIEW

A.1 Introduction

1. Business continuity management (BCM) entails enterprise-wide planning and arrangements of key resources and procedures that enable the institution to respond to, and continue to operate critical business functions across, a broad spectrum of interruptions to the business arising from internal or external events.

2. Continuous availability of critical and essential services is a necessity for the institution to promote customer confidence, ensure regulatory compliance and protect its reputation. It is therefore crucial for the institution to continuously enhance its capabilities to respond swiftly and to ensure the continuity of critical business processes in the event of a major disruption.

3. The Guidelines outline BCM principles and specific requirements with regard to the formulation of the business continuity plan (BCP) and disaster recovery plan (DRP), and the implementation, testing and maintenance of the plans by the institution.

4. The Guidelines should be read in conjunction with other relevant guidelines or circulars issued by Bank Negara Malaysia (the Bank) from time to time.

5. With the issuance of these Guidelines, Part VII on Business Resumption and Contingency Plan in the “GPIS1 - Guidelines on Management of IT Environment” issued in May 2004 is superseded.

A.2 Objective of Guidelines

6. The primary objective of the Guidelines is to outline and enforce minimum BCM requirements on the institution so as to ensure the continuity of critical business functions and essential services within a specified timeframe in the event of a major disruption. Minimum disruption to essential business services would in turn enhance public confidence in the institution and the financial system, and mitigate reputational risk to the institution.

7. The Guidelines set out the Bank’s expectations for the institution to adopt sound and effective BCM procedures and practices to improve its resilience and be prepared for any eventualities. Broadly, the Guidelines aim to ensure that the institution:
(i) Has in place a comprehensive BCM framework which includes a business continuity policy;
(ii) Establishes a comprehensive BCM programme to formulate, implement and test the BCP;
(iii) Reviews and updates the BCP and DRP continuously to reflect changes in the operating environment; and
(iv) Provides sufficient information to the Board of Directors (Board) to enable them to discharge their responsibilities under the Guidelines.

A.3 Application and Effective Date of Guidelines

8. The Guidelines are applicable to all institutions under the purview of the Bank, with effect from 1 January 2008, which include:
(i) Institutions licensed under the Banking and Financial Institutions Act 1989 (BAFIA);
(ii) Islamic banks licensed under the Islamic Banking Act 1983 (IBA);
(iii) Institutions licensed under the Insurance Act 1996 (IA);
(iv) Entities regulated under the Takaful Act 1984 (TA); and
(v) Development financial institutions prescribed under the Development Financial Institutions Act 2002 (DFIA).

9. The institution is required to comply with the Guidelines. Nevertheless, the institution is encouraged to adopt more stringent measures in addition to the requirements prescribed in the Guidelines.

10. Any non-observance of or deviation from the Guidelines should be based on a proper risk assessment and risk management process, taking into account the nature, scale and complexity of the institution’s business operations as well as its risk tolerance. The Guidelines operate on the premise that the Board retains ultimate accountability for the implementation and effectiveness of BCM.

11. Given that BCM also encompasses disaster recovery for IT systems, crisis management and contingency planning, the institution should ensure that internal linkages with crisis management and emergency response procedures, as well as external dependencies on key service providers/vendors, are adequately considered during business continuity planning. In addition, safeguard measures should also be undertaken for human life and business assets/premises.

A.4 BCM Life Cycle

12. The Guidelines are formulated based on the principles and best practices of the BCM life cycle, comprising:
(i) Analysing the institution’s business functions and their criticality through risk assessment (RA) and business impact analysis (BIA);
(ii) Formulating appropriate and workable BCM recovery strategies based on the risk assessment and business impact analysis;
(iii) Developing and implementing the BCP and DRP;
(iv) Testing the plans;
(v) Reviewing and maintaining the plans;
(vi) Auditing the plans; and
(vii) Conducting ongoing awareness programmes and communication, training and education on BCM.

B. BCM PRINCIPLES AND REQUIREMENTS

B.1 BCM Framework

B.1.1 Board and Management Oversight

Principle: The Board and Management are responsible for ensuring the implementation of an effective BCM framework within the institution.

13. The Board and Management are responsible for ensuring enterprise-wide implementation of sound BCM practices as part of good corporate governance and prudent risk management.

14. The Board and Management should be aware of and assess the potential threats and risks to the institution and the corresponding impact on critical business functions, as well as their responsibilities with regard to BCM. The Board should provide leadership, direction and oversight in ensuring that effective BCM practices, recovery and resumption procedures are in place for the continuation of critical business functions should a major operational disruption occur.

15. The Board and Management should also be aware of the potential impact on the institution’s operations of any failure or disruption in services provided by vendors and other third-party or intra-group service providers. They should ensure that the expectations and obligations of each party are clearly defined, understood and enforceable to ensure smooth implementation during a business disruption.

16. The Board is expected to approve the overall BCM policy and strategies, ensuring that the BCM policy is consistent with the institution’s risk tolerance level as well as the nature, complexity and materiality of the institution’s business operations, while Management is responsible for effectively implementing the BCM policy and strategies set out by the Board.

17. As part of its governance responsibility, the Board or a committee of the Board is expected to ensure that the institution has a workable BCP in place for all critical business functions and that the plan is consistent with the institution’s overall business objectives.

18. The Board should ensure that the BCP is adequately tested and regularly updated as per the requirements set forth in the Guidelines, to reflect changes in the operational environment and business activities and the level of risk that the institution represents to the operation of the financial system.

19. Management should periodically assess the institution’s readiness for an effective response to a major disruption.

20. As executive-level support and commitment is a critical aspect of BCM, Management should articulate clear expectations for business continuity preparedness throughout the institution to foster BCM effectiveness.

21. The Board and Management should provide sufficient annual budget allocation and resources for the effective implementation and maintenance of BCM. This may vary according to the size and complexity of the institution’s BCM arrangement.

22. In the case where the institution’s BCP arrangement is outsourced to a third party, the responsibilities of the Board and Management shall remain in ensuring that sound and effective BCM practices are being adopted by the service provider.

B.1.2 BCM Policy

Principle: The institution should have clearly defined policies for business continuity management.

23. The institution should have in place a properly documented BCM policy, which is essential to reinforce the importance of BCM and to commit the institution to a structured and consistent approach in implementing effective BCM practices.

24. Management is responsible for developing the BCM policy for the Board’s approval, implementing the approved policy and associated processes, conducting periodic reviews of the BCM’s effectiveness, and communicating BCM issues or concerns to the Board in a timely manner.

25. At a minimum, the BCM policy should set out the objective, scope, strategies and inter-linkages with other contingency and emergency response procedures, as well as delineate the lines of authority and responsibility for effective implementation of BCM throughout the institution.

26. The BCM policy should be periodically reviewed and updated to ensure its relevance and that it reflects the current risk tolerance of the Board and the business goals of the institution.

27. Management should ensure that the BCM policy is clearly communicated to staff at all levels so that they are aware of their respective roles, responsibilities and accountability with respect to BCM.

B.1.3 Roles and Responsibilities

Principle: The institution should clearly define the roles and reporting lines of individuals and/or committees responsible for BCM.

28. The institution should establish a formal and permanent Business Continuity Management (BCM) Committee, represented by senior management from various business and technical departments and appropriate to the size and complexity of the institution, to deal effectively with a business disruption. Where appropriate, the committee should report directly to a committee of the Board in order to promote and maintain effective BCM practices.

29. The BCM Committee should have documented terms of reference.

30. To support and provide feedback to the high-level BCM Committee, the institution may establish a working-level committee. The committee should comprise a BCM coordinator (who is assigned to monitor the business continuity project) and representatives which include, but are not limited to:
(i) Major business units;
(ii) IT;
(iii) Internal audit (in an advisory capacity only);
(iv) Quality assurance / compliance;
(v) Legal;
(vi) Human resource;
(vii) Security;
(viii) Property management and services; and
(ix) Corporate services/communication.

31. The institution should establish a dedicated BCM function for the effective coordination and supervision of all BCM activities, which reports directly to the BCM Committee.

32. Management should ensure that BCM activities are conducted by competent staff with technical knowledge and experience consistent with the nature and complexity of the institution’s business activities.

33. In ensuring that due attention is accorded to BCM, business continuity planning should reside with the business units and involve those who carry out the critical business functions. This approach places ownership and accountability for business continuity preparedness on the heads of business units, who are expected to assess and declare their state of readiness to Management periodically.

34. For smooth handling of a major disruption, the institution should consider establishing a crisis management team to coordinate the recovery and resumption of all critical business functions. Among others, the team should:
(i) Assume the central role in monitoring and assessing the impact of the disruption;
(ii) Provide appropriate advice to Management on the need to invoke the BCP;
(iii) Make operational decisions in response to the disruption; and
(iv) Communicate with internal and external stakeholders.

B.1.4 BCM Culture

Principle: BCM practices should be embedded into the business operations and corporate culture of the institution.

35. Management should progressively promote an organisational culture that places high priority on enhancing business continuity capability and ensures that BCM becomes an integral part of the strategic management process and routine business operations.

36. Prior to undertaking new activities, procurement or strategies, Management should ensure that business continuity requirements are given adequate consideration at the planning and development stages.

37. The institution should ensure that staff are equipped with a proper understanding of their respective roles and trained to perform their responsibilities with respect to the prevention of crises and the recovery of business operations in times of disruption. All staff, including new recruits, should be briefed on the institution’s business continuity arrangement to better prepare for all eventualities. Where possible, specific training requirements should be included in the performance objectives of staff involved in BCM activities.

38. Awareness and periodic briefings for the Board and Management are equally important to ensure continuing commitment and support for BCM.

B.2 BCM Methodology

B.2.1 Risk Assessment and Business Impact Analysis

Principle: The institution should identify and assess potential threats that could severely interrupt operations and business activities. Institutions should also evaluate the business impact of the threats on all business functions and the financial system in general.

39. The institution should undertake a structured risk assessment (RA) process to identify potential threats that could cause material business disruptions, resulting in the inability to fulfill business obligations.

40. In undertaking the risk assessment, scenario analysis and planning should be conducted based on the potential loss, inaccessibility or unavailability of the following resources:
(i) Key personnel, including decision makers and recovery personnel;
(ii) Office premises (including branches, locally or abroad) and facilities within the same or nearby geographical location or region;
(iii) Critical business information and records;
(iv) IT systems and infrastructure, including network devices and peripherals as well as other support facilities; and
(v) Services of key suppliers, service providers or vendors, including outsourcing vendors.

41. Risk assessment should be carried out at least annually, or more frequently if there are significant changes to the internal operating or external environments.

42. The institution should assess the likelihood of the identified threats occurring and determine the impact on the institution. In this regard, the institution is expected to carry out a business impact analysis (BIA), which forms the foundation for developing the BCP, annually and whenever there are material changes to the institution’s business activities.

43. The BIA exercise should be conducted for all business functions in a structured and systematic manner, so as to identify the critical business functions, resources and infrastructure of the institution.

44. The institution should determine the potential financial and non-financial impacts (i.e. legal, operational and reputational) on the institution if the critical business functions, resources and infrastructure are unavailable for a given period of time during a major disruption.

45. The institution should also assess the impact of an outbreak of a pandemic or infectious disease on its critical business operations, and ensure that appropriate measures are in place so that critical business functions continue and can be sustained over a prolonged period of disruption caused by high absenteeism and/or relatively large geographical areas being under quarantine/isolation.

46. Management should ensure the adequate participation and involvement of all business units in the BIA process. The heads of business units should be responsible and accountable for the RA, BIA and BCP.

B.2.2 Critical Business Functions

Principle: The institution should identify the critical business functions essential for the development of a recovery strategy to ensure resumption of its operations.

47. Given the impracticality and high cost involved in recovering all business functions during a crisis, the institution should define the critical business functions that must continue in the event of a major disruption and establish the priorities for recovery. With the recovery priorities in place, the institution would then be able to determine the appropriate strategy and resource requirements (people, technology, equipment, facilities, etc.) to enable a phased recovery of the critical business functions within an acceptable timeframe.

48. In determining the criticality of business functions, focus should be accorded to business functions which may involve, among others, the following:
(i) Large-value and time-sensitive payment instructions;
(ii) Clearing and settlement of material transactions;
(iii) Fulfillment of material end-of-day funding and collateral obligations;
(iv) Management of customers’ risk positions;
(v) Provision of essential banking services and payments such as cash withdrawals, deposits and remittances through various delivery channels that are necessary to maintain public confidence;
(vi) Provision of essential insurance/takaful services;
(vii) Provision of other services that may have systemic impact on other market participants or the financial system; and
(viii) Communication with the regulator and stakeholders, including counterparties.
Apart from the above, the institution may include other services or activities that are deemed critical to its business functions.

49. The institution should take into account the interdependencies of all critical business functions, and the extent to which they depend upon internal and/or external parties such as utilities and telecommunication service providers.

B.2.3 Recovery Strategy

Principle: The institution should develop recovery strategies and procedures for all critical business functions derived from the BIA exercise.

50. The institution should formulate and document appropriate recovery strategies for all critical business functions to ensure the continuity or recovery of essential services within the acceptable timeframe.

51. The recovery strategies should, amongst others, indicate the recovery timeframe, delivery of the minimum level of essential services, functional relocation, the alternate and recovery sites, mode of processing, key recovery personnel including the decision makers, and work area, data, facility and technology requirements, where appropriate.

52. In developing recovery strategies, adequate consideration and succession planning should be accorded to scenarios where the workforce and productivity may be substantially reduced as a consequence of a significant increase in mortality and morbidity.

53. For technology requirements, the recovery strategy should clearly indicate the type of recovery site to be adopted, commensurate with the nature, scale and complexity of the institution’s business operations.

54. For human resource requirements, the institution should also include a recovery strategy pertaining to the threat of pandemic or infectious diseases. Where necessary, the institution should refer to the National Health Council or Ministry of Health Malaysia (MOH) and always be vigilant of any advisories or notifications by these or other authorities.

55. The recovery strategies should be regularly reviewed to ensure their continued relevance as business activities and the operating environment change.

56. The recovery strategies and resource requirements should be approved by Management and the relevant committees to ensure alignment with corporate goals and business objectives.

B.2.4 Maximum Tolerable Downtime and Recovery Time Objectives

Principle: The institution should determine the maximum tolerable downtime (MTD) and recovery time objective (RTO) for all critical business functions.

57. Based on the BIA results, the institution should determine the MTD and RTO for each critical business function. The goal is to develop a BCP that details the procedures and the minimum level of resources required to recover the critical business functions within the recovery timeframe and maintain services at an acceptable level.

58. The institution should ascertain the targeted MTD and RTO for all critical business functions in consultation with the various affected parties, including the IT Department, taking into consideration the nature, scale and complexity of the business functions and their dependencies and impact on other parties.

59. The MTD and RTO set should correspond in practice with the importance and criticality of the business functions. In particular, the institution should set shorter MTD and RTO for business functions that have a significant impact on customer services, and the RTO should not exceed the MTD. All MTDs and RTOs of critical business functions should be validated and approved by Management or the relevant committees and endorsed by the Board.

60. The institution is expected to recover important payment systems and critical business functions that could pose systemic impact on other market participants within the specified MTD and RTO.

61. The institution should consider incorporating specific RTO requirements in contractual arrangements with key service providers, suppliers, counterparties, etc.

B.2.5 Level of Disruption

Principle: The institution should identify the minimum services and the recovery strategy for critical business functions that correspond to each level of disruption.

62. In the event of a major disruption, it is important that the scale of the disruption be assessed in terms of its severity. Correspondingly, this would facilitate the appropriate remedial actions and the type of essential services to be rendered under the various scenarios.

63. For this purpose, the institution should identify the minimum essential services and the recovery strategy for all the critical business functions, based on the suggested levels of disruption (LoD) given below. The institution is also required to maintain a record depicting the LoD and the corresponding minimum essential services and recovery strategy as outlined in the LoD Matrix (refer to Appendix 1).

LoD 1: Affects isolated areas of the business operations, such as a branch or department, and the situation is well contained within the area. Probability of exceeding MTD/RTO is Low.

LoD 2: Affects a number of branches or departments. Probability of exceeding MTD/RTO is Moderate.

LoD 3: Affects head office business premises or the production data centre (single-branch institution). Probability of exceeding MTD/RTO is High.

LoD 4: Affects a region or the entire state where the institution operates. May cause systemic impact. Probability of exceeding MTD/RTO is High.

LoD 5: Affects nationwide or regional operations. Probability of exceeding MTD/RTO is High.

64. The institution is required to complete the LoD matrix and submit it to Pengarah, Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia before 31 January of each year.
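As an added illustration of paragraphs 57 to 64 (not code from the Guidelines or from Bank Negara Malaysia), the following Python models the MTD/RTO rules and the LoD table as checks a BCM function could run over its BIA register. The record schema, the ordering rule in check_register, the vendor-RTO dependency check and all sample values are assumptions made for this example.

```python
"""Checks on BIA records against the MTD/RTO rules (paras 57-61) and the LoD table
(paras 63-64). Added example; field names and sample values are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Scope(IntEnum):
    """Spread of a disruption, numbered to match the LoD levels in paragraph 63."""
    ISOLATED_AREA = 1      # a branch or department; situation well contained
    SEVERAL_BRANCHES = 2   # a number of branches or departments
    HEAD_OFFICE_OR_DC = 3  # head office premises or production data centre
    REGION_OR_STATE = 4    # a region or entire state; may cause systemic impact
    NATIONWIDE = 5         # nationwide or regional


# Probability of exceeding MTD/RTO for each LoD, as tabulated in paragraph 63.
LOD_PROBABILITY: Dict[int, str] = {1: "Low", 2: "Moderate", 3: "High", 4: "High", 5: "High"}


@dataclass(frozen=True)
class BiaRecord:
    """One critical business function from the BIA (constructed schema, not prescribed)."""
    function: str
    mtd_hours: float
    rto_hours: float
    customer_impact: bool = False             # significant impact on customer services (para 59)
    vendor_rto_hours: Optional[float] = None  # contractual RTO of a key service provider (para 61)


def check_record(rec: BiaRecord) -> List[str]:
    """Per-function checks. Returns findings; an empty list means none were raised."""
    findings = []
    if rec.mtd_hours <= 0 or rec.rto_hours <= 0:
        findings.append(f"{rec.function}: MTD and RTO must be positive durations")
    if rec.rto_hours > rec.mtd_hours:
        findings.append(f"{rec.function}: RTO {rec.rto_hours}h exceeds MTD {rec.mtd_hours}h (para 59)")
    # A function cannot be recovered faster than a provider it depends on (paras 49 and 61);
    # treating that as a finding is this example's assumption.
    if rec.vendor_rto_hours is not None and rec.vendor_rto_hours > rec.rto_hours:
        findings.append(f"{rec.function}: vendor RTO {rec.vendor_rto_hours}h exceeds "
                        f"function RTO {rec.rto_hours}h (para 61)")
    return findings


def check_register(records: List[BiaRecord]) -> List[str]:
    """Whole-register check. Paragraph 59 asks for shorter MTD/RTO where customer impact
    is significant; the ordering rule below is this example's interpretation (an
    assumption): no customer-impacting function may carry a longer RTO than any
    function without such impact."""
    findings = []
    for rec in records:
        findings.extend(check_record(rec))
    with_impact = [r.rto_hours for r in records if r.customer_impact]
    without = [r.rto_hours for r in records if not r.customer_impact]
    if with_impact and without and max(with_impact) > min(without):
        findings.append("customer-impacting functions should have shorter RTOs than others (para 59)")
    return findings


def classify_lod(scope: Scope) -> Tuple[int, str]:
    """Map the observed spread of a disruption to (LoD, probability of exceeding MTD/RTO)."""
    lod = int(scope)
    return lod, LOD_PROBABILITY[lod]


def lod_matrix_rows(rec: BiaRecord, plan: Dict[int, Tuple[str, str]]) -> List[dict]:
    """Build the Appendix 1 style record for one function. `plan` maps each LoD to the
    (minimum essential service, recovery strategy) the institution has decided on; the
    matrix must be complete before submission (para 64), so a missing level is an error."""
    missing = sorted(set(LOD_PROBABILITY) - set(plan))
    if missing:
        raise ValueError(f"{rec.function}: LoD matrix incomplete, missing levels {missing}")
    return [{"function": rec.function, "lod": lod,
             "probability_exceed_mtd_rto": LOD_PROBABILITY[lod],
             "minimum_essential_service": plan[lod][0],
             "recovery_strategy": plan[lod][1]} for lod in sorted(plan)]


if __name__ == "__main__":
    # Constructed sample register for demonstration only.
    register = [
        BiaRecord("Large-value payments", mtd_hours=4, rto_hours=2, customer_impact=True, vendor_rto_hours=1),
        BiaRecord("Remittances", mtd_hours=8, rto_hours=12, customer_impact=True),  # RTO exceeds MTD
        BiaRecord("Internal MIS reporting", mtd_hours=72, rto_hours=48),
    ]
    for finding in check_register(register):
        print("FINDING:", finding)
    print("Production data centre outage ->", classify_lod(Scope.HEAD_OFFICE_OR_DC))
```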

B.2.6 Formulation of Plan

Principle: A business continuity plan and disaster recovery plan should be formulated and approved by Management. The institution should ensure that the plan is effectively implemented and properly maintained by all business units.

65. The institution should develop a workable business continuity plan (BCP) and disaster recovery plan (DRP) for at least all critical business functions, including the operations of domestic and overseas branches or subsidiaries.

66. Management should be involved in business continuity planning. In the case where the BCP and DRP formulation is undertaken by a consultant, the responsibility of Management for ensuring that a well-designed plan is developed does not diminish.

67. The BCP and DRP should include, at least:
(i) Procedures to be followed in response to a major disruption to business operations. The procedures should enable the institution to respond swiftly to a crisis situation, and to recover and resume the critical business functions, resources and infrastructure outlined in the BCP within the stipulated timeframe.
(ii) Escalation, declaration and notification procedures. The institution should maintain a call tree and contact list.
(iii) The conditions for BCP activation and the individual who has the authority to declare a disaster and grant permission to execute the recovery processes.
(iv) A list of all resources required to recover critical business functions in the face of a major disruption. This would include, but is not limited to, key recovery personnel, computer hardware and software, office equipment and relevant documentation.
(v) Relevant information about the alternate and recovery sites.
(vi) Procedures for restoring normal business operations. This should include the orderly entry of all business transactions and records into the relevant IT systems and the completion of all verification and reconciliation procedures.

68. Given that the threat of a pandemic or infectious disease poses unique challenges, the institution should also ensure that its BCP has adequate arrangements and resources to deal with the possible emergence of a pandemic or infectious disease. In this regard, the institution is encouraged to align its preparatory and response measures with the outbreak stages used by the Ministry of Health Malaysia. The institution could refer to Appendix 2 on the measures to be undertaken in the event of an outbreak of a pandemic or infectious disease.

69. The institution should ensure that recovery personnel’s responsibilities are clearly documented in the BCP. During a major disruption, staff could be unavailable for various reasons. As such, it is important that alternate recovery personnel be identified for all critical business functions.

BNM/RH/GL/ 013-3

B.2.7

IT and DFI Supervision Department

Guidelines on Business Continuity Management

Page 14 / 39

Alternate and Recovery Sites

Principle: The institution should make arrangements for alternate and recovery sites should the business premise, infrastructure and systems supporting critical business functions become unavailable in the event of a major disruption. 70.

The institution should make available a functional alternate and recovery site for their business functions and technology in the event the business premises, key infrastructure and systems supporting critical business functions become unavailable.

71.

The alternate and recovery sites could either be in-house arrangements, or available through agreement with third-party recovery facility provider, or a combination of both options.

72.

The institution should assess the suitability and capacity of the alternate and/or recovery site to ensure that the site is:
(i) Sufficiently distanced from the primary site to avoid being affected by the same disaster or source of disruption;
(ii) Using a separate or alternative telecommunication network and power grid from the primary site to avoid a single point of failure; and
(iii) Readily accessible and available for occupancy, taking into consideration the logistic requirements within the recovery timeframe stipulated in the BCP and DRP.

73.

For technology requirements, the institution should ensure that the IT systems at the recovery sites are:
(i) Compatible with the institution’s primary systems (in terms of capacity and capability) to adequately support the critical business functions; and
(ii) Continuously updated with the current version of system and application software to reflect any changes to the institution’s system configurations (e.g. hardware or software upgrades or modifications).

The institution should provide a recovery facility (hot-site, online mirroring, etc.) which is commensurate with its established MTD/RTO, for critical business functions that pose systemic risks.

74.

For the use of a third-party alternate site or recovery facility, the institution should:
(i) Establish a written contract to safeguard the institution’s interest;
(ii) Provide a service level agreement (SLA) between the institution and the third party to ascertain the level and type of services to be provided to the institution. The SLA should be properly documented and approved by the Management;
(iii) Mitigate concentration risks, where the service provider renders the recovery facilities to several customers or to customers within the same locality or industry. In this regard, the agreement should specifically identify the conditions under which the recovery facility may be used and specify how customers would be accommodated if simultaneous disruptions affect several customers of the recovery facility provider;
(iv) Assess the capacity and capability of the third-party sites for use over a reasonably prolonged period; and
(v) Ensure that adequate physical and logical access control is provided by the service provider to safeguard the recovery facility.

The institution should ensure that periodic and continuous review and monitoring are undertaken of the service level provided by the third party and of the measures mentioned in items (iii), (iv) and (v) above.

B.2.8 Critical Business Information Records

Principle: Proper procedures should be put in place to ensure the availability of systems and critical business information records for the recovery of critical business functions in the event of a major disruption.

75.

The institution should ensure that a sufficient number of backup copies of critical business information, software and related hardcopy documentation (for systems and users) are available for the recovery of critical business functions. A copy of the information, documentation and software should be made available at an offsite premise or backup site, and any changes or updates should be applied periodically and reflected in all copies.

76.

A full systems backup should be conducted periodically and should at least consist of the current version of the operating system software, production programs, system utilities and all master and transaction files. The frequency of backups depends on the criticality of the system, and a backup should also be performed after any critical modification or update.


77.

All backup media should be properly labelled using standard naming conventions that at least indicate usage, date and retention schedules. Backup media should also be regularly tested, where practicable, to ensure that they can be restored when necessary. All backup media should also be rotated in a systematic and timely cycle.

78.

Backup media should also be stored off-site in a secure and access-controlled environment, of a standard consistent with the main site and in accordance with the manufacturer’s recommendations. The backup site should also be located at a distance that would protect it from damage resulting from any incident at the primary site, while still allowing a quick retrieval process.

79.

Transportation to the backup site should be done in a controlled and secure manner, with proper authorisation and records. Procedures for the disposal of backup media should also be in place.
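As an added example (not part of the guideline and not any institution's own tooling), the Python script below reviews a constructed backup media register against items 75 to 79: whether each label carries usage, date and retention schedule, whether the medium is stored off-site, whether a restore test is current, whether its transport was authorised and recorded, and which media have reached the end of their retention and so fall under the rotation or disposal procedure. The label convention `USAGE-YYYYMMDD-Rdays`, the `Medium` fields, the 180-day restore-test interval and the register entries are all assumptions made for this example.

```python
"""Backup media register review for the controls in B.2.8 (items 75 to 79).

Added example; not part of the BNM guideline or any institution's tooling.
The label convention, field names, thresholds and sample register are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed label convention satisfying item 77 (usage, date and retention on the label):
#   <usage>-<YYYYMMDD>-R<retention days>, e.g. FULL-20080601-R90
LABEL_RE = re.compile(r"^(?P<usage>FULL|INCR|LOG)-(?P<date>\d{8})-R(?P<days>\d+)$")


@dataclass(frozen=True)
class Medium:
    label: str
    location: str                   # "offsite" or "onsite" (item 78: store off-site)
    last_restore_test: date | None  # date of the last successful restore test (item 77)
    transport_recorded: bool        # transfer to the backup site authorised and logged (item 79)


def parse_label(label: str) -> tuple[str, date, int] | None:
    """Return (usage, date written, retention days), or None if the label is non-conforming."""
    m = LABEL_RE.match(label)
    if m is None:
        return None
    raw = m.group("date")
    try:
        written = date(int(raw[:4]), int(raw[4:6]), int(raw[6:]))
    except ValueError:  # e.g. 20080230: eight digits, but not a real date
        return None
    return m.group("usage"), written, int(m.group("days"))


def review_media(media: list[Medium], today: date,
                 restore_test_interval_days: int = 180) -> dict[str, list[str]]:
    """Map each label to the control gaps found for that medium (an empty list means clean)."""
    findings: dict[str, list[str]] = {}
    for med in media:
        parsed = parse_label(med.label)
        if parsed is None:
            findings[med.label] = ["label does not follow the naming convention"]
            continue
        _usage, written, retention_days = parsed
        issues: list[str] = []
        if written + timedelta(days=retention_days) <= today:
            issues.append("retention expired: rotate or dispose under the disposal procedure")
        if med.location != "offsite":
            issues.append("not stored off-site")
        if med.last_restore_test is None or (today - med.last_restore_test).days > restore_test_interval_days:
            issues.append("restore test overdue")
        if not med.transport_recorded:
            issues.append("transport to backup site not authorised/recorded")
        findings[med.label] = issues
    return findings


def latest_full_backup_age_days(media: list[Medium], today: date) -> int | None:
    """Age in days of the newest FULL backup (item 76), or None if the register has none."""
    full_dates = []
    for med in media:
        parsed = parse_label(med.label)
        if parsed is not None and parsed[0] == "FULL":
            full_dates.append(parsed[1])
    return (today - max(full_dates)).days if full_dates else None


# Constructed sample register; labels and dates are illustrative only.
TODAY = date(2008, 6, 30)
SAMPLE_REGISTER = [
    Medium("FULL-20080601-R90", "offsite", date(2008, 6, 10), True),   # conforming
    Medium("FULL-20080301-R90", "offsite", date(2008, 3, 5), True),    # past its 90-day retention
    Medium("INCR-20080625-R30", "onsite", None, False),                # three gaps
    Medium("TAPE-07-OLD", "offsite", None, True),                      # non-conforming label
]

if __name__ == "__main__":
    for label, issues in review_media(SAMPLE_REGISTER, TODAY).items():
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
    print("newest full backup age (days):", latest_full_backup_age_days(SAMPLE_REGISTER, TODAY))
```

A real register would be fed from the media management system or tape library inventory; the value of the check is that each finding maps back to one item of B.2.8, so the output can be kept with the evidence reviewed in the plan maintenance cycle under B.2.10.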

B.2.9 Testing of Plan

Principle: The BCP and DRP must be tested regularly to ensure the functionality and effectiveness of the recovery strategies and procedures, and the preparedness of staff and other recovery resources.

80.

The institution should test the BCP and DRP for all critical business functions and application systems.

81.

The BCP should be tested at least once a year for all critical business functions, while the DRP for all critical application systems should be tested at least twice a year, one of which should be a “live run”. Where necessary, the institution is also encouraged to conduct periodic BCP and DRP testing for the critical business functions.

82.

For the RENTAS system (where applicable), due to its criticality, the institution is required to conduct "live run" testing from the institution’s recovery site in accordance with the prevailing guidelines on RENTAS.

83.

The scope of testing should be sufficiently comprehensive to cover the major components of the BCP and DRP as well as coordination and interfaces among important parties.

84.

The types of BCP and DRP testing should include both functional testing (e.g. simulated, “live”, full-blown, etc.) and non-functional testing (call tree and desktop exercises or walkthroughs).

85.

Large and complex institutions should at least conduct integrated testing on a reasonably wide scale for all the critical business functions, using backup IT systems to gauge and assess the application system linkages and network connectivity. Load/capacity requirements needed to support the minimum service level to be provided during a disaster should also be included in the testing. Where possible, the involvement of key service providers/vendors in BCP testing should be considered to evaluate the adequacy and availability of external services that might be required. However, the institution is reminded to exercise due care when undertaking the above testing in view of the risk involved and to ensure minimal inconvenience to the public.

86.

Test plans with predetermined test goals and test criteria, using realistic simulations and activity volumes, should be developed for the testing. Formal testing documentation (including test plan, objectives, scenarios, procedures and results) should be produced to ensure the thoroughness and effectiveness of testing, and properly maintained for audit purposes.

87.

Management should be involved in the annual testing process to demonstrate their commitment as well as to familiarize themselves with their recovery roles. In addition, Management should ensure that all relevant staff (i.e. recovery and alternate personnel) participate in the testing exercises.

88.

Minimum BCP and DRP testing requirements include, but are not limited to:
(i) Verifying the completeness of the plan and the adequacy of recovery procedures;
(ii) Assessing the familiarity of staff with their business continuity responsibilities and the institution’s evacuation procedures;
(iii) Evaluating connectivity, functionality, performance and load capacity of alternate and recovery sites;
(iv) Assessing the adequacy of security implementation and staff awareness;
(v) Assessing the effectiveness of the communication plan and coordination with relevant parties;
(vi) Evaluating response time; and
(vii) Recommending remedial actions for future tests.

89.

The institution is expected to prepare a post-test analysis report, in which the testing performance is evaluated against the testing goals. This is to ensure the adequacy and integrity of testing, to identify problems and to develop the necessary corrective action plans. The analysis could also be used to eliminate redundancies and any waste of resources.

90.

BCP and DRP test results for critical business functions and applications should be communicated to the Board in a timely manner.

91.

The institution is required to submit the following documents to Pengarah, Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia:
(i) Annual BCP and DRP test matrix before 31 January of every calendar year (refer to Appendix 3); and
(ii) BCP and DRP post-test analysis report within two months after the date of testing (refer to Appendix 4).

B.2.10 Maintenance of Plan

Principle: The institution must carry out periodic review of the BCP and DRP. The plans must be updated to reflect changes in the operating environment and business activities.

92.

The BCP and DRP should be reviewed and updated regularly. The plans, including the risk assessment and BIA, should be reviewed and updated on an ongoing basis (at least annually or when necessary) so that they are consistent with the institution’s current operations and business strategies. The institution is expected to employ a formal process for maintaining the plans, in which regular reviews, validations and updates are conducted to ensure their continued relevance and effectiveness. This includes addressing any gaps identified during BCP and DRP testing.

93.

Ongoing review of the adequacy of backup systems, software, applications, and other resources should also be included in the BCP and DRP update cycle.

94.

Management must review the final revised BCP and DRP and endorse the changes to the recovery strategies and procedures.

95.

Management is responsible and accountable for ensuring that the BCP and DRP are up-to-date, effective and tested periodically. As such, periodic reporting on the progress and on strategic issues or concerns with regard to BCM should be communicated to the Board in a timely manner.

96.

An updated copy of the BCP and DRP should be provided to the relevant parties and should be stored at an off-site premise or backup site that can be easily accessed during a disaster/prolonged disruption.

97.

The institution is required to adopt version control to facilitate updating and maintenance of the plans.

C. COMMUNICATION

Principle: The BCP should incorporate a strategy and approach for communication with relevant internal and external stakeholders. The institution must maintain an updated emergency contact list of key personnel and relevant parties.

98.

Communication is of the utmost importance especially during a business disruption or a crisis. Clear and effective communication would help to alleviate anxiety or rumours and assist in promoting public confidence.

99.

In this respect, the institution should include in the BCP a communication plan for notifying all relevant internal and external stakeholders (e.g. home and host regulators, counterparties, key service providers, media and the public) following a major disruption to the operations of the institution.

100.

The institution should consider preparing predetermined messages tailored to a number of plausible disruption scenarios to ensure consistent and effective messages are conveyed in a timely manner to the various stakeholders.

101.

The institution must notify the Bank immediately, and not later than two hours after experiencing a major disruption (LoD 2 and above) that has the potential to materially impact customer service. Using the LoD matrix, the institution should notify the Bank of the severity of the disruption, the essential services to be provided, the actions being taken and the timeframe for returning to normal operations. The institution should also notify the Bank when normal operations have resumed. Refer to Appendix 5 for the list of Bank Negara Malaysia’s contact numbers.

102.

The institution must maintain an emergency contact list of all relevant parties and key recovery personnel essential for the swift response and recovery of critical business functions. The contact list should be regularly updated.

D. INTERNAL AUDIT

Principle: The institution’s internal audit should conduct regular independent evaluation of the adequacy and relevance of the BCM policy, strategies, procedures and testing of the BCP and DRP.

103.

Internal auditors should periodically verify that sound and effective BCM practices are implemented in the institution, in line with the principles and requirements stipulated within the Guidelines and the institution’s BCM policies and procedures.

104.

In line with BNM/GP10 – Guidelines on Minimum Audit Standards for Internal Auditors of Financial Institutions, internal auditors should participate as observers during the development of BCP and DRP. The internal auditors are to maintain objectivity and independence from any operational responsibility of BCM being developed.

105.

Internal auditors should be involved in major functional BCP and DRP testing as observers to provide an independent evaluation of the testing preparation and exercise performance. A written assessment report should be prepared and submitted to the Audit Committee for review.

106.

On an annual basis, internal auditors should review the level of commitment to BCM and overall preparedness against the institution’s BCM policies and regulatory requirements. For outsourced services, the auditors or other independent party should periodically review the BCP testing undertaken by the outsourcing vendor to ensure their business continuity preparedness. Gaps identified should be documented in the audit report together with action plans for further improvement by the respective business functions or outsourcing vendor. The audit report should be submitted to the Audit Committee.

107.

An executive summary of the audit report, which includes comments from the Audit Committee, should be forwarded to Pengarah, Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia not exceeding two months after being presented to the Audit Committee.

E. OUTSOURCING

Principle: In the event that some parts of the business functions are outsourced, the institution should ensure that risk arising from outsourcing does not compromise its business continuity preparedness.

108.

The institution is expected to address all issues relevant to managing the risks associated with each outsourcing arrangement to the extent reasonable given the unique circumstances and having regard to the interests of the institution.

109.

The institution should ensure that the outsourcing vendor is subject to the BCM Guidelines, where appropriate.

110.

The outsourcing contract should specify the requirements for ensuring the continuity of the outsourced business function in the event of a major disruption affecting the outsourcing vendor’s services. Recovery time objectives (RTO) should be built into the outsourcing contract, with provisions for legal liability should the RTO not be achieved.

111.

The institution should ensure that the outsourcing vendor has in place a fully documented and adequately resourced BCP and DRP. The institution should ensure that periodic testing of the BCP and DRP is conducted by the outsourcing vendor at least annually and twice a year, respectively. The vendor should notify the institution of the test results and the actions to be undertaken to address any gaps. The institution may also require its outsourcing vendor to declare its state of business continuity readiness to the institution annually.

112.

The institution should include a clause in the outsourcing agreement which allows the institution’s internal auditor, or another independent party appointed by the institution, to review the BCM of the outsourcing vendor.

113.

The institution should be notified in the event that the outsourcing vendor makes significant changes to its BCP and DRP, or encounters other circumstances that might have a serious impact on its services.

114.

The institution’s own BCP should address reasonably foreseeable situations where the outsourcing vendor fails to provide the required services, causing disruptions to the institution’s operations. In particular, the plan should ensure that the institution has in its possession, or can readily access, all records necessary for it to sustain business operations and meet obligations in the event the outsourcing vendor is unable to provide the contracted services.

F. SUBMISSION LIST

The institution is required to submit the following documents to Pengarah, Jabatan Penyeliaan IT dan IKP, Bank Negara Malaysia.

Frequency of Submission | Submission of | Date of Submission | Sign-Off By | Page | Format
Annually | LoD Matrix | Before 31 January of every calendar year | Chief Executive Officer | 12, item no. 64 | Refer to Appendix 1
Annually | BCP and DRP Test Matrix | Before 31 January of every calendar year | Chief Executive Officer | 17, item no. 91(i) | Refer to Appendix 3
Once Available | BCP and DRP Post-Test Analysis Report | Within two months after the test has been conducted, for each BCP and DRP test conducted | BCM Coordinator / DRP Coordinator | 17, item no. 91(ii) | Refer to Appendix 4
Once Available | Executive Summary of BCP and DRP Audit Report | Within two months after being formally endorsed by the Audit Committee | Chief Internal Auditor | 20, item no. 107 | -

G. GLOSSARY

Alternate Site Refers to an alternate site for business units to resume critical operations during a disaster. A site held in readiness for use during a business continuity event to maintain an institution’s business continuity. An organisation may have more than one alternate site. In some cases, an alternate site may involve facilities that are used for normal day-to-day operations but which are able to accommodate additional business functions when a primary location becomes inoperable.

Board Refers to the institution’s Board of Directors.

Business Continuity The ability of an institution to ensure continuity of service and support for its customers and to maintain its viability before, after and during an event.

Business Continuity Management (BCM) A whole-of-business approach that includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimize the operational, financial, legal, reputational and other material consequences arising from a disruption. BCP and DRP are the key components of BCM.

Business Continuity Plan (BCP) A comprehensive documented action plan that outlines the procedures, processes and systems necessary to resume or restore the business operation of an institution in the event of a disruption.

Business Impact Analysis (BIA) A component of business continuity management. BIA is the process of measuring (quantitatively and qualitatively) the business impact or loss of business processes in the event of a disruption. It is used to identify recovery priorities, recovery resource requirements and essential staff, and to help shape a business continuity plan.

Call Tree A document that graphically depicts the calling responsibilities and the calling order used to contact management, employees, customers, vendors and other key contacts in the event of an emergency, disaster or severe outage situation.

Card Services Include credit card and bankcard services.

Critical Business Function (CBF) A business function that is considered crucial for an institution based on the BIA and risk assessment performed. Classification of a CBF should be based on the following criteria:
a) Crucial and required to support customer services
b) Generates highly significant income
c) Required by related regulatory bodies
d) Might cause systemic impact
e) Disruption would result in substantial business losses in terms of revenue, customers and reputation

Critical Business Information Record A record that is critical to the institution and must be preserved and available for retrieval when needed.

Desktop Exercise One method of exercising teams in which participants review and discuss the actions they would take per their plans, but do not perform any of these actions. The exercise can be conducted with a single team, or multiple teams, typically under the guidance of exercise facilitators.

Disaster Recovery Plan (DRP) A comprehensive written plan of action that sets out the procedures and establishes the processes for the IT systems and requirements necessary to support and restore the business operations of an institution in the event of a disruption.

Essential Services Vital services that need to be provided by an institution either during a normal business day or during a disaster.

Full-Blown Testing Involves large or wide scope/scale of testing of all IT systems, including network infrastructure and connectivity using production data and resources on IT recovery sites. Basically, the objective of the test is to gauge load handling and capacity of the recovery site. Where necessary, business operations are shifted to the recovery site in accordance with the disaster recovery plan. This test is clearly a very thorough test, but one which must be carefully planned and has the capacity to cause a major disruption to operations, if the test fails.

Integrated Testing An exercise conducted on multiple interrelated components of a Business Continuity Plan, in either a simulated or a live operating environment. Examples of interrelated components may include interdependent departments or interfaced systems.

“Live” Run Testing Involves the use of production data and resources for testing on IT recovery sites in a live environment. Where necessary, business operations are shifted to the recovery site in accordance with the disaster recovery plan. This test is clearly a very thorough test, but one which must be carefully planned and has the capacity to cause a major disruption of operations, if the test fails.

Management Refers to the institution’s senior management, which also includes the Chief Executive Officer and President as well as their deputies, etc.


Maximum Tolerable Downtime (MTD) This is the timeframe during which a recovery must become effective before an outage compromises the ability of an institution to achieve its business objectives and survival.

Recovery Site Refers to the recovery (backup) site for IT systems as an alternate to the primary data centre. Also known as the disaster recovery (DR) site. Examples of recovery site arrangements are:
a) Replacement - do nothing but replace the system after disaster.
b) Cold site - completed data centre infrastructure but without equipment.
c) Warm site - capable of providing backup operating support but would require (at a minimum) the restoration of current data.
d) Hot site - fully equipped, operationally ready data centre.
e) Reciprocal arrangement - mutual backup between institutions.
f) Full redundancy - dual production systems configuration, where the production system is duplicated at the recovery site.
g) Commercial recovery facility - subscribe to a third-party service provider or relocate staff to the alternate processing site.

Recovery Time Objective (RTO) The timeframe required for IT systems and applications to be recovered and operationally ready to support business functions after an outage. (See illustration below)

[Illustration: an outage timeline running through Outage Occurs, Escalation (Invoke DRP), Recovery (System Recovered) and Clear Backlog (Data Current), with the Recovery Time Objective (RTO) and the Maximum Tolerable Downtime (MTD) marked against it.]


Risk Assessment The process of identifying the risks to an institution, assessing the critical functions necessary for the institution to continue its business operations, defining the controls in place to reduce the organisation’s exposure and evaluating the cost of such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Simulation Testing Involves bringing the recovery site to a state of operational readiness, but maintaining operations at the primary site. Thus staff are relocated, backup tapes transferred, and operational readiness established in accordance with the disaster recovery plan while operations at the primary site continue normally.

Structured Walkthrough An exercise in which team members physically implement the business continuity plans and verbally review each step to assess its effectiveness, identify enhancements, constraints and deficiencies.

Systemically Important Payment System Defined as a payment and settlement system that plays a critical role in preserving the systemic stability of the financial system. It would present systemic risk and/or affect public or investor confidence should the system be unable to complete (recover) and resume critical functions and activities in a timely manner.

Systemic Risk Includes the risk that the failure of one institution in the financial system to meet its required obligations will cause other institutions to be unable to meet their obligations when due, thereby potentially causing significant liquidity dislocations or credit problems and threatening the stability of the financial markets.


APPENDICES

Appendix 1 – Level of Disruption (LoD) Matrix

Institution : XYZ Berhad
Critical Business Function :
Date : _______________

LoD | Minimum Essential Services Provided | Business Continuity Strategy | MTD (hour) | RTO (hour)
1 | | | |
2 | | | |
3 | | | |
4 | | | |
5 | | | |

Prepared by : < Name > < Designation > < Date >
Concurred by : < Name > < Designation > < Date >

* The MTD and RTO of the same essential service(s) at different LoD should be the same.
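The footnote to Appendix 1 and item 101 each state a rule that can be checked mechanically. The Python below is an added example (not the guideline's own material and not any institution's code) that validates a constructed LoD matrix: every LoD from 1 to 5 is present, each row states a strategy, no RTO exceeds its MTD, and an essential service listed at several LoDs carries the same MTD and RTO throughout; it also computes the two-hour notification deadline from item 101. The `LodRow` fields, the RTO-within-MTD rule and the sample rows are assumptions.

```python
"""Consistency checks for a Level of Disruption (LoD) matrix (Appendix 1) and the
notification rule in item 101.

Added example; not part of the BNM guideline or any institution's tooling.
The row structure, the RTO <= MTD rule and the sample matrix are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LodRow:
    lod: int                              # 1 to 5
    essential_services: tuple[str, ...]   # minimum essential services provided at this LoD
    strategy: str                         # business continuity strategy for this LoD
    mtd_hours: float
    rto_hours: float


def validate_lod_matrix(rows: list[LodRow]) -> list[str]:
    """Return a list of findings; an empty list means the matrix passed every check."""
    findings: list[str] = []
    lods = [r.lod for r in rows]
    for expected in range(1, 6):
        if expected not in lods:
            findings.append(f"LoD {expected} is missing from the matrix")
    if len(set(lods)) != len(lods):
        findings.append("duplicate LoD rows")
    # The Appendix 1 footnote requires the same essential service to carry the same
    # MTD and RTO at every LoD, so remember the values first stated for each service.
    first_seen: dict[str, tuple[float, float, int]] = {}
    for r in sorted(rows, key=lambda row: row.lod):
        if r.rto_hours > r.mtd_hours:
            # Assumed rule: a recovery that completes after the tolerable downtime
            # is not a usable strategy, so the RTO must sit inside the MTD.
            findings.append(f"LoD {r.lod}: RTO {r.rto_hours}h exceeds MTD {r.mtd_hours}h")
        if not r.strategy.strip():
            findings.append(f"LoD {r.lod}: no business continuity strategy stated")
        for svc in r.essential_services:
            if svc in first_seen:
                mtd, rto, lod = first_seen[svc]
                if (mtd, rto) != (r.mtd_hours, r.rto_hours):
                    findings.append(f"'{svc}': MTD/RTO differ between LoD {lod} and LoD {r.lod}")
            else:
                first_seen[svc] = (r.mtd_hours, r.rto_hours, r.lod)
    return findings


def bank_notification_deadline(lod: int, disruption_start: datetime) -> datetime | None:
    """Item 101: a disruption at LoD 2 or above must be notified to the Bank within two hours."""
    if lod >= 2:
        return disruption_start + timedelta(hours=2)
    return None


# Constructed sample matrix for a fictitious institution; values are illustrative only.
SAMPLE_MATRIX = [
    LodRow(1, ("ATM withdrawals", "branch counter services"), "Manual workaround at primary site", 24, 4),
    LodRow(2, ("ATM withdrawals",), "Relocate affected unit to alternate site", 24, 4),
    LodRow(3, ("ATM withdrawals",), "Invoke DRP at recovery site", 24, 8),   # RTO differs from LoD 1 and 2
    LodRow(4, ("interbank payments",), "Invoke DRP at recovery site", 4, 6),  # RTO exceeds MTD
    # LoD 5 deliberately omitted
]
SAMPLE_DISRUPTION_START = datetime(2008, 7, 1, 9, 0)   # constructed

if __name__ == "__main__":
    for finding in validate_lod_matrix(SAMPLE_MATRIX):
        print("finding:", finding)
    print("notify the Bank by:", bank_notification_deadline(2, SAMPLE_DISRUPTION_START))
```

Running the checks before the matrix is signed off by the Chief Executive Officer (see the submission list in section F) catches the inconsistencies that otherwise surface only when the matrix is used during a real disruption.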


Appendix 2 – National Influenza Pandemic Preparedness Plan (NIPPP) WHO Alert Levels

Phases | Transmission | Objectives
Inter-pandemic period (planning and preparedness) | |
Phase 1 | Influenza virus subtype in animals only (risk to humans low) | Strengthening pandemic preparedness at all levels
Phase 2 | Influenza virus subtype in animals only (risk to humans substantial); confirm pandemic outside Malaysia | Minimize the risk of transmission to humans; detect and report rapidly, if it occurs
Phase 3 | Human infection (transmission in close contacts only); limited human-to-human spread; small clusters; confirm pandemic within Malaysia (3a: imported, 3b: within Malaysia) | Ensure rapid characterization of the new virus

[Pages 30 to 33 of the original, covering the remainder of Appendix 2 and the start of Appendix 3, are not included here.]

Appendix 3 – BCP and DRP Test Matrix (column headings and legend)

Columns: Application Systems | Systems Criticality | Expected RTO | Recovery Strategy | Type of Recovery Site (Primary Data Centre / Computer Recovery Site / Business Recovery Site) | Test Location & Address | Functional Testing (Simulated / Live Run) | Non-functional Testing (Call Tree / Walk-Through / Desk-Top)

Systems Criticality Classification
(a) Very critical
- Crucial and critically required to support customer services.
- Generate highly significant income.
- To comply with related regulatory requirements.
- Might cause systemic impact.
- Disruption which will result in substantial business losses in terms of revenue, customers and reputation.
(b) Critical
- Required to support customer services.
- Generate significant income.
- To comply with related regulatory requirements.
- Disruption will result in business losses in terms of revenue, customers and reputation.
(c) Required
- Indirectly support customer services.
- Comply with related regulatory requirements.
- Disruption to business functions could be tolerated using other alternate modes of processing.
(d) Non-Critical
- Not affecting customer services; compliance with regulatory requirements is not necessary.

System Recovery Time Objective (RTO) (hours/days)
The timeframe required for IT systems and applications to be recovered and operationally ready to support business functions after an outage.

Maximum Tolerable Downtime (MTD)
The timeframe during which a recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives.

Recovery Strategy (there could be more than one strategy used for one application system)
(a) Backup and restore - Using end-of-day backup stored offsite.
(b) Journaling / Forward recovery - Journal log kept and taken offsite periodically during the day.
(c) Electronic Vaulting - Routine backups transmitted via network to an offsite direct access storage device.
(d) Electronic Journaling - Journal log transmitted periodically to the backup site via network.
(e) Data mirroring - Data is transmitted in real time via a dedicated network to a disk array at the backup site.
(f) System Failover - Entire system component is duplicated at the hot site, with real-time data replication. Near zero data loss, virtually instant recovery.

Type of Recovery Site
(a) Replacement - do nothing but replace after disaster.
(b) Cold site - completed data centre infrastructure but without equipment.
(c) Reciprocal arrangement - mutual backup between companies.
(d) Warm site - capable of providing backup operating support but would require (at a minimum) the restoration of current data.
(e) Hot site - fully equipped, operationally ready data centre.
(f) Full redundancy - dual production systems configuration, where the production system is duplicated at the recovery site.
(g) Commercial recovery facility - subscribe to a third-party service provider or relocate staff to the alternate processing site.

Appendix 4 – BCP and DRP Post-Test Analysis Report

Application System: ______________________________

Columns: Activities | Date & Day | Start Time | End Time | Time Taken | Problem Encountered | Action Taken | Remarks

Activities:
- Disaster Declaration
- Movement to recovery site:
  (a) People: IT Staff; Business Users
  (b) Backup Tapes
- System Preparation/Restoration
- Data Preparation/Restoration
- Connectivity
- User logon
- Transaction testing
- Actual RTO
- Overall Test Result

System Preparation / Restoration
Covers all activities required to bring up the DR system from the time relocation to the DR site has completed, including preparation for network and branch connectivity, system preparation, system restoration (Operating System and Application System) and other necessary activities until the system is ready for normal transactions.

Data Preparation / Restoration
Covers all activities required for data preparation and database restoration.

Overall Test Result
(a) Successful, if all test objectives are fully met, and able to meet the expected RTO, and no problems encountered, or only minor problems encountered which could be rectified immediately or within a short period of time.
(b) Partially successful, if test objectives are partially met, and problems encountered are more serious in nature which require more time and effort to rectify, need collaboration with a third party (for example Telekom) or require Senior Management’s involvement (for example, need investment to increase the capacity of the DR system).
(c) Fail, if test objectives are not met at all, or unable to proceed with the test and a re-test is required.
Note: For tests which have failed, please state the re-test date.
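As an added example (not part of the guideline or any institution's tooling), the Python below fills in the "Time Taken", "Actual RTO" and "Overall Test Result" entries of the Appendix 4 form from a constructed set of timed activities, applying the result criteria (a) to (c) above. The activity names follow the form; the timings, the category labels passed to `overall_result`, and the treatment of a test that met all its objectives but overran the expected RTO (classified here as partially successful, since criterion (a) requires the RTO to be met) are assumptions.

```python
"""Post-test analysis helpers for the Appendix 4 report: time taken per activity,
actual RTO, and the overall test result criteria (a) to (c).

Added example; not part of the BNM guideline or any institution's tooling.
Activity names follow the Appendix 4 form; the timings, the category labels and
the handling of an "objectives met but RTO missed" test are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Activity:
    name: str
    start: datetime
    end: datetime


def time_taken_minutes(activities: list[Activity]) -> dict[str, int]:
    """The 'Time Taken' column: whole minutes per activity."""
    return {a.name: int((a.end - a.start).total_seconds() // 60) for a in activities}


def actual_rto_hours(activities: list[Activity]) -> float:
    """Actual RTO: from the earliest activity start (disaster declaration) to the
    latest activity end (transaction testing complete)."""
    declared = min(a.start for a in activities)
    ready = max(a.end for a in activities)
    return (ready - declared).total_seconds() / 3600


def longest_activity(activities: list[Activity]) -> str:
    """The activity that consumed the most time: the first place to look for remedial action."""
    taken = time_taken_minutes(activities)
    return max(taken, key=taken.__getitem__)


OBJECTIVES = ("all", "partial", "none")      # how far the test objectives were met
PROBLEMS = ("none", "minor", "serious")      # severity of problems encountered


def overall_result(objectives: str, problems: str, actual_rto: float,
                   expected_rto: float, test_completed: bool = True) -> str:
    """Apply the Appendix 4 'Overall Test Result' criteria (a) to (c)."""
    if objectives not in OBJECTIVES or problems not in PROBLEMS:
        raise ValueError("objectives must be all/partial/none and problems none/minor/serious")
    # (c) Fail: objectives not met at all, or the test could not proceed.
    if not test_completed or objectives == "none":
        return "Fail"
    # (a) Successful: all objectives met, expected RTO met, no or only minor problems.
    if objectives == "all" and actual_rto <= expected_rto and problems != "serious":
        return "Successful"
    # (b) Partially successful: everything else, including (assumption) a test that
    # met all objectives but overran its expected RTO.
    return "Partially successful"


def post_test_report(activities: list[Activity], expected_rto_hours: float,
                     objectives: str, problems: str, test_completed: bool = True) -> dict:
    """Assemble the figures the post-test analysis report has to state."""
    actual = actual_rto_hours(activities)
    result = overall_result(objectives, problems, actual, expected_rto_hours, test_completed)
    return {
        "time_taken_minutes": time_taken_minutes(activities),
        "actual_rto_hours": actual,
        "expected_rto_hours": expected_rto_hours,
        "rto_met": actual <= expected_rto_hours,
        "longest_activity": longest_activity(activities),
        "result": result,
        "retest_date_required": result == "Fail",   # note under criterion (c)
    }


def _t(hour: int, minute: int) -> datetime:
    return datetime(2008, 3, 15, hour, minute)   # constructed test date


# Constructed timings for one DRP live run; illustrative only.
SAMPLE_ACTIVITIES = [
    Activity("Disaster Declaration", _t(8, 0), _t(8, 15)),
    Activity("Movement to recovery site: People", _t(8, 15), _t(9, 30)),
    Activity("Movement to recovery site: Backup Tapes", _t(8, 15), _t(9, 45)),
    Activity("System Preparation/Restoration", _t(9, 45), _t(11, 15)),
    Activity("Data Preparation/Restoration", _t(11, 15), _t(13, 0)),
    Activity("Connectivity", _t(13, 0), _t(13, 20)),
    Activity("User logon", _t(13, 20), _t(13, 30)),
    Activity("Transaction testing", _t(13, 30), _t(14, 0)),
]

if __name__ == "__main__":
    report = post_test_report(SAMPLE_ACTIVITIES, expected_rto_hours=6, objectives="all", problems="minor")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The longest activity is reported alongside the result because item 89 asks for corrective action plans, and the activity that dominated the recovery time is usually where they start.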

INTERNAL AUDIT ASSESSMENT

Prepared By:
  Name: ______________________________
  Designation: ______________________________


Appendix 5 – List of Bank Negara Malaysia’s Contact Numbers

Department / Contact Person / Telephone Number

(a) During Office Hours

Financial Conglomerate Supervision Department – JP1
  Director: 03 – 26988044 ext. 7315; 03 – 26989167 (DL)
  Deputy Director – Division 1: 03 – 26988044 ext. 7359; 03 – 26913685 (DL)
  Deputy Director – Division 2: 03 – 26988044 ext. 8047; 03 – 26910845 (DL)
  Deputy Director – Division 3: 03 – 26988044 ext. 8382; 03 – 26982294 (DL)
  Deputy Director – Division 4: 03 – 26988044 ext. 7588; 03 – 26982917 (DL)

Banking Supervision Department – JP2
  Director: 03 – 26988044 ext. 7579; 03 – 26943926 (DL)
  Deputy Director – Division 1: 03 – 26988044 ext. 7316
  Deputy Director – Division 2: 03 – 26988044 ext. 7949; 03 – 26910720 (DL)
  Deputy Director – Division 3: 03 – 26988044 ext. 7278; 03 – 26985745 (DL)

Insurance and Takaful Supervision Department – JP3
  Director: 03 – 22635000 ext. 2703; 03 – 20311794 (DL)
  Deputy Director – Division 1: 03 – 22635000 ext. 2138; 03 – 20313509 (DL)
  Deputy Director – Division 2: 03 – 22635000 ext. 1841; 03 – 20313507 (DL)
  Deputy Director – Division 3: 03 – 22635000 ext. 1321; 03 – 20311787 (DL)

IT and Development Financial Institution Supervision (DFI) Department – JP4
  Director: 03 – 22635000 ext. 3333; 03 – 20312200 (DL)
  Deputy Director – IT Risk: 03 – 22635000 ext. 3305; 03 – 20317788 (DL)
  Deputy Director – DFI: 03 – 22635000 ext. 1010; 03 – 22746340 (DL)


Investment Operations and Financial Market Department – JOPPK
  Dealing Room: 03 – 26922343; 03 – 26915695

Risk Management Unit
  The Bank's BCM Coordinator: 03 – 22635000 ext. 1388

(b) After Office Hours

Security Department
  Operations Room of Security: 03 – 26988044 ext. 8999

Note: DL - Direct Line
