New Developments in Business Continuity Management: New Prescriptive BCM Regulations within Asia-Pacific Countries Will Have Significant Implications for Many Financial Institutions That Are Outsourcing Large Parts of Their Operations within the Region
Marrison, Richard, Journal of Banking and Financial Services
Business Continuity Management (BCM) is the process of minimising the interruption of business operations and services in the event of a major incident.
Whereas previously BCM planning had been a relatively straightforward matter, in recent years, financial services organisations and regulators globally have been forced to re-address these issues in the wake of September 11, utilities failures, electronic attacks and SARS. Operators in the Asia-Pacific region are also facing new BCM compliance requirements and there is no room for complacency on this.
Financial services have a relatively high level of BCM capability
A recent KPMG Asia-Pacific BCM Benchmarking survey of 249 organisations from all of the major industries in the region found that the financial services sector has a mature approach to BCM compared with other sectors (see Figure 1).
The survey indicated that 51 per cent of financial services participants had corporate-wide business continuity plans in effect, compared with only 33 per cent of the total survey population.
Regulators are raising the bar, however, and expect increasing and ongoing attention to be given to BCM. In the past three to four years there has been a significant change in the attitude to BCM within business and, as a result of recent world events, regulators are introducing 'black letter' law for BCM, requiring that it be approached in a very defined way.
Increased awareness of business continuity practices occurred within many organisations in the lead-up to the year 2000 as part of the planning for the necessary electronic changes required by the new millennium. Y2K preparations, for example, provided a significant boost for information technology disaster recovery planning. The events of September 11 were a further catalyst for businesses to change their priorities around continuity and business disruption planning.
Now, the major challenge faced by many organisations going forward is applying an end-to-end approach to BCM. This means going beyond traditional IT recovery plans or short-term alternate site plans for business resumption.
New prescriptive BCM regulations in the Asia-Pacific region
A number of financial regulators in the Asia-Pacific region have released guidance notes and regulations specifically on business continuity. The prescriptive nature of these regulations signals the significance regulators are placing on BCM and underscores a number of areas requiring further attention for financial services organisations.
The Monetary Authority of Singapore, for example, suggests that BCM 'not only addresses the restoration of information technology infrastructure, but also focuses on the rapid recovery and resumption of critical business functions for the fulfilment of business obligations'. The Hong Kong Monetary Authority (HKMA) is looking at developing BCM further, stating that 'the traditional scope of business continuity planning for inaccessibility of a single building for a short period is not adequate'.
In Australia, the Australian Prudential Regulation Authority is seeking a 'whole-of-business approach to BCM', with the aim of ensuring BCM practices are adopted as part of business-as-usual procedures.
Global BCM themes
Corporate governance is at the top of the list of priorities for regulators. Regulators are assigning ultimate responsibility for BCM to the board of directors of individual organisations, and require annual attestations by the board about their BCM practices.
In its most basic form, BCM has three key components:
* Prevention--developing robust systems to minimise the risk of catastrophe impacting on a business;
* Recovery--how business operations are resumed effectively following a major incident; and
* Communications strategy--to convince regulators and customers that the organisation is in control of the crisis. …