Talk about getting my comeuppance.
This week, I received new "Guidelines on Business Continuity Management for Banking Institutions" issued by Bank Negara Malaysia (BNM), the country's central bank and regulator, and they require precisely that. The document stated: "The primary objective of the Guidelines is to enforce minimum BCM requirements on BI' (banking institutions)."
It also stated that a bank's Board of Directors must attest that the bank's BCP is adequate--every year.
Now, that's serious.
The guidelines are being circulated as a "consultative paper" (I believe the Bahasa word is "terhad") for comment. I wasn't able to find the guidelines on BNM's Web site. They may not be publicly available yet. This is the link to Bank Negara's Contact Us page if you'd like to request a copy.
The high-level highlights:
• the guidelines are not about IT disaster recovery, but business continuity planning;
• all BI's--Islamic and non-Islamic--are required to comply;
• a bank's directors are on the hook: "the Board retains ultimate accountability for the effectiveness of BCM";
• BI's have six months to comply, and to submit reports of their progress;
• and those reports must be signed by the Chairman of the Board.
The guidelines prescribe in detail the international-standard BCM methodology: risk assessment, impact assessment, strategies, implementation, testing, maintenance. I thought these points noteworthy:
• These are the only national guidelines for banks that I've ever read that mention death and illness (Section 2.3.3): disaster scenarios considered should include "a significant increase in mortality and morbidity." BI's should have continuity strategies for a disease pandemic, and there's a 4-page appendix of recommended actions from Malaysia's Ministry of Health.
Side note: here are the Malaysia Medical Association's Society of Occupational and Environmental Medicine influenza guidelines for companies in Malaysia.
• BNM acknowledges (Section 2.6.2) that BI's can outsource planning to BCP consultants, but notes that doing so doesn't reduce a Board's accountability. I have a maxim for this (I am a BCP consultant): '"you can outsource the work, but not the responsibility."
• Section 2.4 introduces the term "Maximum Tolerable Downtime" (MTD), and says that MTD's and Recovery Time Objectives (RTO's) must be "validated and approved by Management...and endorsed by the Board." Gotcha! The RTO for payment systems and "critical business functions" is "expected" to be 4 hours.
• The guidelines also introduce five "Levels of Disruption" (LoD), from a department outage to a "nationwide" disaster, and require BI's to make plans to respond to all of them (Section 2.5).
• A BI's recovery site should be "sufficiently distanced" from its production site to avoid both being affected by the same disaster (Section 2.7.3), but that will be very challenging in a nationwide disaster. Perhaps recovery sites will spring up in eastern Malaysia's Sabah state...
Side note: Take a look at this map, for example, of the Hurricane Katrina impact area laid over lower peninsular Malaysia.
• Section 2.7.3 encourages use of an alternative electric power grid, but there is none in Malaysia. The national electricity company, Tenaga Nasional Berhad, "holds a monopoly on electricity generation, transmission and distribution in Peninsular Malaysia."
• Section 2.7.5 warns of concentration risk at commercial recovery facilities (too many banks using the same recovery facility). I know of only three commercial recovery sites in Kuala Lumpur, and only two of those meets standards expected by multinational banks.
• There are detailed requirements for vital records storage and transportation (Section 2.8), including use of an "environmentally secure" back up site. I know of only one records management vendor in Malaysia; are there others?
• BCP testing is required once a year, and IT disaster recovery testing twice a year. The DR test must include a "live run" at least once a year, and I assume that means running the business from the backup systems. Every bank must submit its test plan for the year to BNM in January each year, and submit a report of the testing within one month after the testing. There are templates for both submissions in the guidelines.
A wave of good governance, risk management and corporate accountability is definitely appearing on the horizon in Asia.
I say: "Malaysia boleh!"
Footnote: Click for information about Malaysia. A country of 20 million people where Malays in baju kebaya and Arab women in full bourka sit next to Westerners in t-shirts and shorts in restaurants, each happy for the chance to mix with the others in peace. A beacon of Islam hadhari (moderate Islam).