Skip to main content
Entire section Custom print Text Only Rich Text Print

Article 7: Disaster Recovery and Business Continuity Management

C 163/2019 STA
  1. 1.Disaster recovery and business continuity planning must consider the whole of the Bank or Group, if applicable, to identify, assess and mitigate potential business continuity risks and ensure that the Bank is able to meet its financial and service obligations in the event of business disruptions.
  2. 2.A Bank’s business continuity management (BCM) policy must be documented, set out its objectives and approach to BCM and be up-to-date. The BCM policy must clearly state the roles, responsibilities and authorities to act in relation to the BCM policy.
  3. 3.A Bank must conduct business impact analysis (BIA) and risk assessment on an ongoing basis. A BIA involves identifying all critical business functions and assessing the impact of a disruption on these.
  4. 4.Critical business functions are the business operations, resources and infrastructure that may, if disrupted, have a material impact on the Bank’s business functions, reputation, profitability or customers.
  5. 5.When conducting the BIA, a Bank must consider at a minimum:
    1. a.Disruption scenarios over varying periods of time;
    2. b.The period of time for which the Bank could not operate without each of its critical business operations;
    3. c.The extent to which a disruption to the critical business operations might have a material impact on customers of the Bank; and
    4. d.The financial, legal, regulatory and reputational impact of a disruption to a Bank’s critical business operations over varying periods.
  6. 6.A Bank must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA, taking into account the risk profile, nature, size and complexity of the Bank's business and structure. Recovery objectives are pre-defined goals for restoring critical business operations to a specified level of service (recovery level) within a defined period (recovery time) following a disruption.
  7. 7.A Bank must maintain at all times a documented business continuity plan (BCP) that meets the objectives of the BCM policy. The BCP must reflect the specific requirements of the Bank and must identify:
    1. a.Critical business operations;
    2. b.Recovery levels and time targets for each critical business operation;
    3. c.Recovery strategies for each critical business operation;
    4. d.Infrastructure and resources required to implement the BCP;
    5. e.Roles, responsibilities and authorities to act in relation to the BCP; and
    6. f.Communication plans with staff and external stakeholders.
  8. 8.A Bank must review and test its BCP at least annually or more frequently if there are material changes to business operations, to ensure that staff can effectively execute contingency plans and that recovery and resumption objectives and timeframes can be met. The results of the testing must be reported formally to the Board or to designated Senior Management in line with the BCM policy. The BCP must be updated if shortcomings are identified as a result of the review and testing.