business continuity plan mas

This site has not been designed for your version of Internet Explorer. To get the best experience we recommend you upgrade to the latest version of Internet Explorer , Firefox or Chrome ..

• Skip to navigation
• Skip to main content (accesskey s)
• Skip to footer (accesskey x)

MAS issues revised Business Continuity Management Guidelines for FIs

22 June 2022

On 6 June 2022, the Monetary Authority of Singapore (“ MAS ”) issued a revised version of the Business Continuity Management Guidelines (“ Guidelines ”) to help financial institutions (“ FIs ”) strengthen their resilience against service disruptions arising from IT outages, pandemic outbreaks, cyber-attacks and physical threats. To enable the continuous delivery of services to customers, FIs should adopt a service-centric approach through timely recovery of critical business services facing customers, identify end-to-end dependencies that support critical business services and address any gaps that could hinder recovery of such services, and enhance threat monitoring and environmental scanning, and conduct regular audits, tests, and industry exercises.

MAS expects FIs’ senior management and personnel who are responsible for implementing business continuity management (“ BCM ”) to familiarise themselves with the Guidelines and understand their intent and implications.

This article provides a brief overview of the revised Guidelines.

Effective date of the Guidelines

FIs are expected to meet the Guidelines within 12 months following their issuance. FIs should establish their BCM audit plan within 12 months, and the first BCM audit should be conducted within 24 months of the issuance of the Guidelines.

The Guidelines take into account feedback received from two rounds of public consultation in March 2019 and October 2021. On 6 June 2022, MAS issued its response to feedback received on the second round of public consultation (“ Response ”).

For more information about the public consultations, please see our articles titled “ MAS proposes revisions to Technology Risk Management Guidelines and Business Continuity Guidelines ” and “ MAS issues second consultation paper and response to feedback on proposed revisions to Guidelines on Business Continuity Management ”.

Critical business services and functions

Critical business services and functions are those that, if unavailable, could pose a risk to the FI’s safety and soundness, or adversely impact its customers or other FIs. In the event of a disruption, an FI should prioritise the recovery of its business services and functions based on their criticality and determine the appropriate recovery strategies and resource allocation.  

The FI should identify its critical business services and functions by considering the impact of their unavailability on:

• FI’s safety and soundness: Examples of adverse impact include damage to the FI’s financial and liquidity position, loss of assets and revenue, loss of business and investments, and inability to meet legal and regulatory obligations (including sanctions compliance).
• FI’s customers: Besides considering the number of customers that a business service supports, FIs should also consider the type of customers (e.g. retail, corporate or interbank customers.) impacted and how they may be affected when the business service is unavailable.
• Other FIs that depend on the business service: FIs should also consider the extent of systemic impact on the financial sector at large. As an example provided by MAS in its Response, an FI appointed as the sole agent to settle USD cheque clearing obligations across the financial sector could impact multiple FIs when its service is unavailable.

To assist FIs in determining their critical business services, MAS has provided examples of business services in the Appendix of the Guidelines.

FIs should review their critical business services and functions at least annually, or whenever there are material changes to the people, process, technology, or other resources that support the delivery of critical business services.

To minimise the degree of disruption, safeguard customer interests and maintain the safety and soundness of the FI, the FI establishing recovery strategies should adopt an end-to-end view of the critical business services’ dependencies, and not only consider the recovery of individual processes, but the complete set of processes supporting the delivery of the service.

For clear accountability and responsibility for the business continuity of critical business services, the FI should appoint personnel to oversee the recovery and resumption of each critical business service in the event of a disruption.

Service Recovery Time Objective (SRTO)

FIs should establish a Service Recovery Time Objective (“ SRTO ”) for each critical business service, and implement recovery strategies to meet the SRTOs.

SRTO refers to the target duration of time to restore a critical business function to a minimum service level that is sufficient to meet the FI’s business obligations. As a time-based metric, the SRTO will provide clarity within the FI on the expected recovery timelines for each business service. This will help to guide the prioritisation of resources during planning, and facilitate decision-making and monitoring of the recovery progress in a disruption.

In establishing SRTOs, the FI should consider its obligations to customers and other FIs that depend on the business services. MAS further expects FIs to put in place recovery strategies to achieve the established SRTOs and recover to the service levels required to meet their business obligations. For critical business services that are supported by a number of business functions, the FI must ensure that the Recovery Time Objectives (“ RTOs ”) of the underlying business functions and their dependencies will meet the SRTOs.

Clear and defined criteria should also be set out for activation of business continuity plans (“ BCP ”) in the event the performance of a critical business service is reduced or intermittent, before it is completely unavailable. These could include quantitative thresholds or factors such as nature of disruption, expected damages, impact on safety and well-being of employees. This will guide the FI in activating its BCP in a timely manner before the service degradation results in severe impact.

Dependency mapping  

People, processes and technology

As the financial sector has become increasingly interconnected with the growing reliance on common IT systems and third parties, FIs should identify and map the end-to-end dependencies on people, processes, technology and other resources (such as data) and consider the implications of their unavailability, and address any gaps that could hinder the effectiveness and safe recovery of the critical business services. Information derived from the dependency map should be used to verify that the recovery of the business functions and their dependencies can meet the established SRTOs.

Third-party dependencies

Arrangements that FIs have with third parties engaged to support the delivery of their critical business services could increase operational risk arising from the failure, delay, or compromise of the third party in providing the service. Hence, an FI should put in place measures that enable third parties to meet the SRTOs of its critical business services. The Guidelines set out some measures for this purpose, e.g. establishing and regularly reviewing operational level or service level agreements with third parties that set out specific and measurable recovery expectations and support the FI’s BCM.

There should also be plans and procedures in place to address unforeseen disruptions, failure or termination of third-party arrangements, to minimise the impact of such adverse events. FIs should also have measures in place to address disruption of common utility services (e.g. telecommunications networks and power utilities), such as implementing redundancy or alternative contingency arrangements.

Concentration risks

While FIs may gain economic benefits through the centralisation of operations, concentration risk may arise from the concentration of people, technology or other required resources in the same zone. A zone refers to an area or region that shares a similar risk profile such that people, data, systems and other key resources located in the same zone would likely be affected by a disruption.

An FI may also be exposed to concentration risk when several of its critical business services and/or functions are outsourced to a single service provider.

The Guidelines set out several approaches to mitigate the risk of concentration, e.g. separating primary and secondary sites of critical business services and functions, or infrastructure (such as data centres) into different zones to mitigate wide-area disruption, and having cross-border support or alternative service providers as a contingency.

Following experience gained from pandemics, FIs should be cognisant of the resultant risks from the implementation of alternate work arrangements to mitigate the risk of disease transmission at workplaces. Such arrangements may entail changes to policies, operational processes, and use of equipment or IT systems that pose new operational risks and other challenges. The FI should put in place mitigating controls to address such new risks and challenges.

Continuous review and testing

As BCM is an ongoing effort to ensure that measures put in place are able to address operational risks posed by the latest threats as well as plausible threats in the future, an FI should embed BCM into its business-as-usual operations and establish BCPs that address a range of severe and plausible disruption scenarios, which may evolve over time. The FI should actively monitor and identify external threats and developments that could disrupt its normal operation, and have an escalation process to alert internal stakeholders and senior management in a timely manner. Following an operational disruption, the FI should perform a review to identify areas of improvement and address gaps in its BCM measures.

The FI should update its BCM policies, plans, and procedures, including relevant training programmes for staff and test plans, based on changes in its operational environment and the threat landscape. The FI should also review its critical business services and functions, their respective SRTOs/ RTOs and dependencies at least annually, or whenever there are material changes that affect them.

Regular and comprehensive testing should be conducted to validate an FI’s BCM preparedness. The tests must meaningfully test all aspects of the BCM and meet the test objectives listed in the Guidelines, e.g. to validate and measure the effectiveness of the BCPs using appropriate metrics, and remediate any gaps or weaknesses that are identified in the recovery process. Some examples of tests are provided in the Guidelines. FIs should select the type of tests that best meet their test objectives and determine the frequency and scope of these tests to be commensurate with the criticality of the business services.

An FI should ensure its audit programme adequately covers the assessment of BCM preparedness based on the level of operational risks that it is exposed to. This will provide the FI with independent assessment of the adequacy and effectiveness of its BCM framework.

The FI should audit its overall BCM framework and the BCM of each of its critical business services at least once every three years. The audits should be conducted by a qualified party with the requisite BCM knowledge and expertise to perform the audit, and is independent of the unit or function responsible for the BCM of the FI.

The FI should establish processes to track and monitor the implementation of remedial actions in response to the audit findings. Significant audit findings on lapses that may have severe impact on the FI’s BCM should be escalated to the Board and senior management. Upon request, the FI should submit the BCM audit reports to MAS.

Responsibilities of Board and senior management

The Guidelines set out the responsibilities of the Board and senior management. The Board and senior management are ultimately responsible for the FI’s business continuity and should provide the leadership and strategic direction to establish strong governance over the FI’s BCM.

The senior management should provide an annual attestation to the Board on the state of the FI’s BCM preparedness, the extent of its alignment with the Guidelines, and key issues requiring the Board‘s attention such as significant residual risk. The attestation should also be provided to MAS upon request.

Reference materials

The following materials are available on the MAS website www.mas.gov.sg via the relevant webpage :

• Press release
• Guidelines on Business Continuity Management
• Response to feedback received on Second Consultation Paper on Business Continuity Management
• Instructions on Incident Notification and Reporting to MAS

This site uses cookies and by using the site you are consenting to this. Find out why we use cookies and how to manage your settings. More about cookies

• ISO22301 BCMS Audit
• Business Continuity Management
• Crisis Management
• Crisis Communication
• IT Disaster Recovery
• Operational Resilience
• Operational Resilience Audit

Operational Resilience Audit Series

Summary of Guidelines on Business Continuity Management Guidelines issued by the Monetary Authority of Singapore

The Monetary Authority of Singapore (MAS) has issued comprehensive guidelines on Business Continuity Management (BCM) to assist financial institutions (FIs) in Singapore in effectively managing potential disruptions and ensuring the continuity of critical business services. 

This blog will discuss how management can perform these activities and provide the steps to comply with the MAS BCM guidelines.  

It also provides a simplified comparison of related regulations issued as "Operational Resilience."

The content is developed to provide participants attending the Operational Resilience Implementer and Expert Implementer course with global or regional responsibilities to understand how the management of FIs in Singapore can perform these activities and provide the steps to comply with the MAS BCM guidelines. It also allows practitioners to understand better and compare with guidelines issued by other central banks from other regional justifications.

Operational Resilience Audit-Specialist-Expert

Key focus areas for guidelines on business continuity management by the monetary authority of singapore.

The article is also part of the pre-reading for participants attending the operational resilience implementer or expert implementer course to understand the relationship between the MAS's Business Continuity Management guidelines and Operational Resilience guidelines issued by other regulatory jurisdictions.

Application of MAS Guidelines

The first section of the MAS Guidelines on BCM emphasised the application to all financial institutions MAS regulates in Singapore. This includes banks, insurers, and capital market intermediaries.

The guidelines ensure financial institutions have robust and effective BCM frameworks to identify potential risks, implement appropriate risk mitigation measures, and establish resilient business continuity plans.

Critical Business Services and Functions

Do note that there is a difference between CBS and CBF.  Click the button below to find out more.

The guidelines provide a framework for identifying these critical services, assessing their impact on the institution and its customers, and establishing appropriate recovery strategies.

Financial institutions must maintain a comprehensive inventory of critical business services and functions and ensure recovery plans are in place to minimise disruption and ensure timely recovery.

Service Recovery Time Objective (SRTO)

The MAS Guidelines on BCM emphasise the importance of setting realistic and achievable recovery time objectives to minimise the impact of disruptions.

Financial institutions must define RTOs for their critical services and functions based on their business impact analysis.

The RTOs should be regularly reviewed and tested to ensure their effectiveness.

Dependency Mapping

Financial institutions must conduct dependency mapping exercises to identify critical dependencies, including technology systems, infrastructure, third-party service providers, and key personnel.

The guidelines emphasise the need for financial institutions to establish contingency plans to mitigate potential risks associated with these dependencies and ensure alternative arrangements are in place.

Concentration Risk

Concentration risk refers to the exposure an organisation faces due to a significant reliance on a single point of failure.

The MAS Guidelines on BCM stress the importance of identifying and mitigating concentration risk as a critical component of business continuity planning.

Financial institutions must thoroughly assess their operations, processes, systems, and third-party dependencies to identify risk concentrations.

By diversifying critical services and functions, financial institutions can reduce their vulnerability to disruptions caused by a single event or failure.

The guidelines recommend implementing appropriate risk mitigation strategies, such as redundancy, alternate sites, and contingency plans, to address concentration risk effectively.

Continuous Review and Improvement

The MAS Guidelines on BCM emphasise the need for financial institutions to adopt a proactive approach by continuously reviewing and improving their BCM frameworks.

BCM is not a one-time exercise but a dynamic process that should evolve alongside changes in the business environment and emerging risks.

Financial institutions are encouraged to establish robust governance mechanisms to monitor the effectiveness of their BCM frameworks and ensure regular updates.

The guidelines also highlight the importance of feedback loops, incident reporting, and lessons-learned exercises to identify areas for improvement and drive continuous enhancements in BCM capabilities.

Testing is a critical aspect of BCM and plays a vital role in validating the effectiveness of business continuity plans.

The MAS Guidelines on BCM emphasise the importance of regular testing to ensure that plans are practical, executable, and aligned with recovery time objectives.

Financial institutions must conduct comprehensive and realistic testing exercises, including tabletop exercises, simulation drills, and full-scale recovery tests.

Testing should encompass various scenarios, including different types of disruptions, to assess the resilience and responsiveness of critical business services and functions.

The guidelines also emphasise the involvement of key stakeholders, including internal teams, external vendors, and regulatory authorities, in testing exercises to ensure coordination and collaboration.

The MAS Guidelines on BCM emphasise the importance of conducting regular audits to assess the effectiveness and adequacy of a financial institution's BCM framework.

Audits play a crucial role in verifying the implementation of BCM measures, identifying gaps or weaknesses, and recommending improvements. Financial institutions should establish an independent internal audit function or engage external auditors to conduct comprehensive audits.

These audits should cover all aspects of the BCM framework, including risk assessments, business impact analysis, recovery strategies, and documentation of policies and procedures. Audit findings and recommendations should be reported to the appropriate levels of management and the board for prompt action.

Incident and Crisis Management

Incident and crisis management is a critical component of BCM that involves effectively responding to and managing disruptions and crises when they occur.

Financial institutions should also establish incident identification, reporting, and resolution processes. Regular training and drills should be conducted to enhance the readiness and capability of staff to respond to incidents and crises promptly and effectively.

Responsibilities of Board and Senior Management

The MAS Guidelines on BCM highlight the crucial role of the board and senior management in ensuring the effectiveness of the BCM framework.

Financial institutions should establish a clear governance structure and assign accountability to the board and senior management for BCM.

The board and senior management are responsible for setting the strategic direction, providing oversight, and allocating adequate resources for BCM initiatives.

They should also ensure BCM policies and procedures align with the institution's risk appetite and regulatory requirements.

Regular reporting on BCM performance, including key metrics and progress against action plans, should be provided to the board and senior management.

Notes on OR Vs BCM : The challenge in implementing OR is that despite the COVID experiences, the board and most senior management are informed of the response after an event.

To achieve this requirement, the board of directors and senior management must actively oversee the organisation’s operational resilience framework concerning its strategy and risk appetite, which empowers them to make the correct investment and risk decisions.

The MAS Guidelines on Business Continuity Management provide a comprehensive framework for financial institutions in Singapore to establish effective BCM practices.

By adhering to these guidelines, financial institutions can enhance their resilience and ability to respond to disruptions, thereby ensuring the continuity of critical business services. 

Learn more about Blended Learning OR-300 [BL-OR-3] and OR-5000 [BL-OR-5 ]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

• Skip to primary navigation
• Skip to main content
• Skip to primary sidebar
• Skip to footer

Conventus Law

More results...

Business Continuity Planning Requirements in Singapore.

May 19, 2023 by Rohin Pujari

Business Continuity Planning (BCP) requirements by Monetary Authority of Singapore (MAS) in Singapore have been operational since 2003.  However, in June 2022, the requirements were revised and updated to take into account the deluge of changes in the last two decades.  The thrust of the new framework is the requirement to consider an end-to-end service-centric view on operational risks in order to ensure continuous delivery of critical business services to customers.

Action required:  The new Guideline will be effective on 6 June 2023 where an audit plan must also be ready.  The audit must be conducted by 6 June 2024.

As the Compliance Officer, what does this mean for you?

Ten months have already passed since the final requirements were published.  Will you be ready if not now, with the next month or two to comply with the new requirements of the  Business Continuity Management Guidelines  (“BCMG”) ?

Have you scheduled training not just for those involved in BCP, but also for your Board and senior management so they all understand the intent and implications of the BCMG as it applies to your firm?

Have you clearly articulated how the BCMG applies to your firm, and put in place records of all Suspicious Transactions Reporting Office (STRO) and strategies, taken into account all dependences and reliances on third parties?

Most importantly, is the audit plan formulated as this must be ready by 6 of June 2023? 

How Reglex can help

In partnership with  Leaman Crellin , we have designed a Business Continuity Management Template (“BCM Template”) that is Singapore-centric to help guide you to navigate the BCMG, and serves as a master document from which you will be able to use as  a definitive source of record of compliance.

Used correctly, it is dynamic and will serve as your most current and definitive source for BCP Management thus enabling it to be used unquestionably during a crisis or sent promptly to MAS upon request without having to carry out major updating. 

The BCMG’s are not just a requirement to draw up policy and procedures for BCP.  It is about how you have put together an end-to-end holistic plan which will kick into action when a disruption occurs.  It is about getting all critical services and functions which you have pre-identified as critical business services recovered within a pre-set time period (aka STRO).  Our BCM Template includes:

• Business Continuity Management Framework  (Framework)– an overarching base template policy that can serve as the backbone of your BCP.  
• Business Continuity Management Schedules  (Schedules) – a set of 15 schedules including templates for reporting purposes to support your framework.  Our selection of templates will help you decide what records you need.
• A complimentary ‘Tip Sheet’ with comments and guidance on not only how to use the Framework and Schedules, but insight and market considerations from our in-house experts as this can be a complicated and tricky exercise.

Do use the internal experts you have to make this BCM Template work for you.  This way, you will hit the Goldilocks ratio.  

We will also provide you with updates and changes free of charge.

Your next steps

• Purchase the  Framework  and  Schedules
• Tailor the Framework
• Populate the Schedules

Ongoing tips

• Work with your internal teams, such as your heads of business lines for impact analysis on their business and customers during a disruption. Check in with your IT and Operations teams for risk assessments, and with relevant heads of functions and business for crisis management planning.
• Secure the engagement of your senior management and Board of Directors, and make sure you communicate the BCM policy and provide training so that everyone knows their role.
• Work with your auditor to see areas need to be fleshed out by June 2024, which is when you will need to complete your first audit.
• You may wish to approach an independent expert to review your BCM policy, to help you identify any gaps in the requirements and decide on clear actions to put in place. If you do not have an independent internal auditor or reviewer, you may need to seek outside experts such as a compliance consultancy firm.

“Find out how we are democratizing compliance, visit  www.reglex.io “

For further information, please contact:

Kate Wombell – Chief Compliance Advocate, [email protected]

Kate has a long background in regulatory compliance starting with work at the AFBD(Association of Futures Brokers and Dealers predecessor to the FCA in the UK)and then with several major Global Investment Banks in UK, Hong Kong and Singapore.  

As a regulator, she was instrumental in drafting and implementing reporting for the sector’s first set of financial resources and client money rules. She then turned from game keeper to poacher by joining various global banks and had first hand experience of significant market events, not least the Lehman collapse in 2008 where she enabled incoming ex-Lehman teams to be quickly on-boarded (licencing and undergoing necessary training on their new employers’ policies and controls).

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

India – SEBI’s ESG Disclosure Mandates: Unveiling The Value Chain.

India – Ayurvedic Medicine In Contemporary Times: Part 1 – Understanding Clinical Evaluation And Drug Development.

Why Performing Competitor Analysis Is Essential For Law Firms’ Marketing Strategies.

CONVENTUS LAW

CONVENTUS DOCS CONVENTUS PEOPLE

3/f, Chinachem Tower 34-37 Connaught Road Central, Central, Hong Kong

[email protected]

ComplianceTransparency

MAS Business Continuity Management Guidelines (June 2022)

The Monetary Authority of Singapore (MAS) issued the revised Business Continuity Management Guidelines (Guidelines) on 6 June 2022 and will take effect on 6 June 2023. The overarching requirements include:

• Adopt a service-centric approach through timely recovery of critical business services facing customers
• Identify end-to-end dependencies that support critical business services, and address any gaps that could hinder the effective recovery of such services
• Enhance threat monitoring and environmental scanning, and conduct regular audits, tests, and industry exercises

Some of the key takeaways include:

• Identify critical business services and set Service Recovery Time Objectives (SRTO)
• Map out “end-to-end dependencies” covering the people, processes, technology, and other resources that support each critical service
• For partial disruptions to critical business services, set out the criteria for activation
• Identify third party providers and ensure SRTO can be met
• Mitigate the risk of concentration and reduce the impact in the event of a disruption
• Monitor and identify external threats and developments, and conduct environmental scanning
• Review critical business services and functions and dependencies at least annually, or whenever there are material changes that affect them
• Conduct testing periodically that commensurate with the criticality of the business services and functions
• Establish a crisis management structure with clearly defined roles
• Audits on business continuity plans at least once every three years, with the first audit due in June 2024
• Provide an annual attestation to the Board

The extent and degree to which a financial institution implements the Guidelines should be commensurate with the nature, size, risk profile and complexity of its business operations.

For details, please refer to https://www.mas.gov.sg/regulation/guidelines/guidelines-on-business-continuity-management

Disclaimer: The information, views or opinions expressed are provided for general information and should not be relied upon as legal or professional advice.

Share this:

Leave a reply cancel reply, discover more from compliancetransparency.

Subscribe now to keep reading and get access to the full archive.

Type your email…

Continue reading

REMINDER: MAS Revised Guidelines on Business Continuity Management (BCM)

Although customers are the primary objective to be protected, it should be noted that employees and the market itself are also protected.

MAS Deadlines

The revised MAS Guidelines issued on 6 June 2022 replace all previous versions that were published by MAS (including “Further Guidance on BCM”).

FIs must meet the new Guidelines by June 2023 and establish a BCM audit plan, with the first BCM audit to take place by June 2024.

The key message for firms is that there are new principles and practices that must be implemented in order to strengthen their operational resilience.

Revised BCM requirements for Financial Institutions

The new guidelines require FIs to go further, much further than before, to adopt a service centric approach. The new guidelines demand that the customer is the focal point of all decisions in respect of potentials risks and failings:

• FIs must take a step back, identify those critical business services, unique to the FIs, but in addition to critical business functions, the FIs must safeguard the delivery of services to customers, on an ongoing basis and customers must have confidence that if an event occurs, the FIs have resilience built into their plans.
• FIs must assess the critical Business Services, external facing service, which, if disrupted on short term or long term, is likely to have a significant impact on the FI’s safety and soundness, its customers or other FIs that depend on the business service.
• FIs must undertake robust assessments of critical business functions, which is activity performed by individual organisational lines, such as department or unit, which, if disrupted, is likely to have a significant impact on the FI, whether directly or indirectly, financially, or non-financially.
• FIs must set target recovery times and establish service recovery times, with the objectives to provide clarity on the recovery expectations for critical business services.
• FIs must identify and map end-to-end dependencies, and through this it should cover people, processes, technology and other resources (including those involving third parties) that support each critical business service.
• Significantly, FIs must conduct a BCM audit, to cover the FI’s overall BCM framework and the BCM of each of its critical business services, concentrating on the adequacy and effectiveness of its BCM framework, at least once every three years.
• FIs must continuously review and improve throughproactively monitoring and scanning for relevant threats that could disrupt its normal operations andthey mustcontinuously seek out areas to enhance and ensure that their BCM remains relevant and forward looking.
• FI’s Board and Senior Management have full responsibility and the Board and Senior Management are ultimately responsible for the FI’s BCM, they MUST (a) have in place crisis management structure, plans and procedures. (b) conduct regular and comprehensive testing (d) validate the effectiveness of the FI’s response and recovery arrangements (d) remediate any gaps or weaknesses identified (e) mitigate concentration risk, by reducing exposure to risk arising from the concentration of people, technology, or other required resources in the same zone, or reliance on a single service provider.

What is the timeline?

As we start the new year FIs should consider the revised BCM requirements and actions required.

How can Waystone Compliance Solutions help?

Our APAC Compliance Solutions team of experts can assist your firm at every stage, by assisting with a new or enhanced robust BCM policy, audit framework and providing a mock regulatory audit. Please reach out to your usual Waystone Compliance Solutions representative or contact us.

More like this

Regulatory outlook and trends for 2023, regulatory compliance updates january 2023 – apac region, compliance obligation reminders for licensed venture capital fund managers (vcfms), the personal data protection act (pdpa) singapore – what are the requirements, regulatory compliance updates december 2022 – apac region, mas guidelines on environmental risk management for asset managers, quick navigation link.

US Solutions UK / EU Solutions Cyber & Data Protection Middle East Solutions APAC Solutions

Not sure what you are looking for?

Presenting Waystone Compliance Solutions More about Waystone Our global clients Subscribe to the latest Waystone updates

Business Continuity Management changes on the horizon

13 December 2021 | Asia | Articles

The proposed MAS changes to its guidelines on Business Continuity Management will impact all financial institutions in Singapore. The recently released second consultation addresses feedback from the first, incorporates learnings from the Covid 19 pandemic and outlines some specific changes that are likely to be on the horizon. MAS says a financial institution’s approach to BCM should be based on the nature, size and complexity of its business operations. A proportionate and practical approach is key.

The Guidelines on Business Continuity Management (BCM) were last updated in June 2003. In March 2019, the MAS released its original consultation paper proposing changes to these BCM guidelines which it has now revisited. There are several notable proposals in this latest release . Once the guidelines are formalised, the MAS are likely to provide transition period of around a year.

Revised taxonomy

MAS proposes that Financial Institutions (FIs) assess their BCM measures from a service delivery perspective. To broaden the scope of business continuity plans, the MAS has now included a new term, “business service”. This is consistent with the feedback received from the industry and seems a sensible suggestion. For instance, the investment cycle of a Fund Management Company would include the investment function and other back-office functions, for example, settlements or reconciliation, to complete the entire investment cycle.

Business Continuity Plan and mapping of interdependencies

This proposal is to better account for interdependencies across all business functions in BCPs. The MAS expects FIs to take an end-to-end perspective when developing BCPs for each service delivered to their customers.

FIs are now required to add a dependency map to existing BCPs. This should be useful for all FIs; for larger FIs, a single business service may involve inputs from several internal business functions within the FI and for smaller FIs who outsource most of their functions to third parties. The dependency map will help identify all parties involved in the final delivery of business service. Hence the objective of the dependency map is to provide FIs with a clear “end-to-end” perspective on parties responsible for processes. Doing so will allow FIs to design their BCPs better to identify alternatives and plan accordingly.

The MAS proposes that in its dependency map, FIs should identify and map its dependencies on people, processes, and technology, including third parties, that support each critical business service when developing its dependency map. This will help FIs identify resources critical to the final delivery of business services and, indeed, more information to establish more accurate SRTOs objectives.

Formal training on business continuity planning should be conducted for all relevant staff of the company to ensure that staff can carry out their BCM roles and responsibilities effectively. This makes a lot of sense. It’s also worth considering running BCM training alongside testing so that employees can implement the plan. Separately, a grading system according to the FIs Service Recovery Time Objective (SRTO) should be in place to measure the effectiveness of the BCP.

Testing and Audit

The MAS proposes that FIs conduct annual crisis management and communications exercises and test the BCP for each critical business function. After receiving feedback from the industry, the MAS has scrapped the annual requirement and will now allow FIs to conduct the various types and frequency of tests to be commensurate with the criticality of the services and functions instead of having such tests fixed annually. This makes sense – an annual review requirement may be slightly rigid considering the varying sizes and business models of FIs subject to these BCM guidelines. FIs should take a risk-based approach towards their audit policy, and the type and frequency tests should remain fluid and change accordingly with the risk faced by the FIs.

The MAS also proposes that FIs conduct BCM audits through a unit independent of the staff involved in the planning and execution of the BCM itself. For example, BCM audits can be done by the FIs internal auditor. The MAS has clarified that FIs can leverage their internal audit plan, audit methodology and audit cycle to determine the scope and frequency of BCM audit instead of having a BCM specific audit. Nevertheless, any BCM audit should still be conducted by an independent party. This makes sense when it comes to cost efficiency, particularly for smaller FIs that outsource their audit function. Having a specific BCM audit may not be commercially viable.

The MAS proposes that FIs obtain independent assessments on the adequacy and effectiveness of implementing their BCM framework and ensure the scope of the audit programme adequately covers the assessment of BCM preparedness based on the level of operational risks exposed. This will be a relief for Fund Management Companies who have low portfolio turnover or for FIs who have little or no change to their business activities.

Prioritising critical business services and functions 

FIs may not recover all business services and functions simultaneously due to time and resource constraints in the event of a disruption. Therefore, FIs should prioritise the business services based on their criticality. The MAS sensibly proposes that FIs identify their critical business services and functions by considering the impact of their unavailability based on (1) the FI’s safety and soundness, (2) number and profile of customers affected and (3) the FI’s counterparties and other participants in the financial ecosystem.

To ensure clear accountability and responsibility for the overall business continuity of each critical business service, the MAS proposes that FIs identify an overall manager in charge of each business service to coordinate incident management across the affected functions and oversee the resumption of the business service in the event of a disruption. This is particularly important for large FIs with various parties from various business functions involved in the final delivery of business service. Having a common direction from a single continuity manager should prove beneficial for efficiency in the recovery process.

Service recovery time objective

The MAS proposes for each critical business service identified to establish a Service Recovery Time Objective (SRTO) and have a recovery strategy to achieve their SRTO to the service levels required to meet their business obligations.

The move is likely to prove useful to clarify decision-making and monitor recovery progress following a disruption. However, we would caution FIs when developing their SRTO to consider its internal practical and resource considerations. This is particularly the case for small FIs where most of their functions are outsourced. Some services providers may be based overseas or smaller in size and unable to fulfil their obligations. Separately, third party vendors may not be agreeable to the SRTO set, or it may not be commercially viable for the FI to achieve the SRTO required.

Third-party dependency

The MAS proposes that FIs conduct due diligence to ensure that the third parties meet the SRTOs of the critical business service. This is an additional consideration when FIs conduct their outsourcing due diligence by widening the scope to include a business service level perspective. Practically, this may be difficult for small FIs where third party vendors may not be agreeable to specific terms, or it may not be commercially viable to achieve the SRTO required.

MAS has revised the BCM Guidelines to take in feedback and is conducting a second consultation. When formalised, the MAS are likely to provide a 12-month transition period.

We can help

The papers might still be under consultation, but it’s now likely that the changes will be approved sooner rather than later. Now would be a good time to consider a gap analysis against the MAS proposals and your BCM risks. Our team of regulatory experts are here to help.

Get in touch

Billie-Jo Dixon

Practice lead, singapore, send a message:, want more insights like this, our insights.

3 May 2024 | Asia

Asia Newsletter | April 2024

NEWSLETTER: I was delighted to spend some quality time with clients, colleagues and partners acro...

17 April 2024 | Asia

MAS finalises crypto segregation and custody regulations

With its response to the July 2023 consultation paper, the MAS has now finalised the key segregat...

8 April 2024 | Asia

MAS to repeal RFMC regime

The MAS has issued its response to the Consultation Paper on Repeal of Regulatory Regime for Regi...

• Bovill UK & Europe
• Bovill Asia
• Bovill Americas

Javascript is required to enable full functionality of this website.

You are using an outdated browser. If things don't look quite right that's probably why. Please upgrade your browser to improve your experience.

• Make a Claim
• General Insurance
• Motor Vehicle Insurance
• House Insurance
• Contents Insurance
• Boat Insurance
• Life & Income
• Life Insurance
• Income Security Insurance
• Recovery Insurance
• Total & Permanent Disablement Insurance
• Business Insurance
• Business Advisory Services
• HealthyPractice
• Our Business Team
• Investments
• Retirement Savings Scheme
• Investment Funds
• Manage my investments
• Responsible Investing
• Our Investment Approach
• Fund Finder
• MAS Foundation
• Careers at MAS
• Member Benefits
• MAS for Students
• Financial Strength Ratings and Solvency
• Claims Information
• Insurance Resources
• Documents & Forms
• Publications
• Medical Protection Society (MPS)
• General Enquiries
• Claims Enquiries
• Investment Enquiries
• Office Locations
• Make a Complaint

How to create a business continuity plan

• Get a Motor Vehicle Insurance Quote
• Make a Change to a Motor Vehicle Policy
• Motor Vehicle Insurance Policy Details
• Vehicle Quick Estimate
• House Insurance Policy Details
• Residential Rental Insurance
• Lifestyle Property Insurance
• Contract Works Insurance
• Get a House Insurance Quote
• Get a Goods in Transit/Storage Quote
• Get a Contract Works Insurance Quote
• Make a Change to a House Policy
• Contents Insurance Policy Details
• Get a Contents Insurance Quote
• Make a Change to a Contents Policy
• Make a Change to a Boat Policy
• Medical Conditions Covered
• Get a Business Insurance Quote
• Make a Change to a Business Risk Policy
• MAS KiwiSaver Scheme Funds
• Fees and Charges
• Buying your first home with KiwiSaver
• Making contributions
• Government Contributions
• Transferring your superannuation from Australia
• KiwiSaver for Te Whatu Ora - Health New Zealand Employees
• Employer Chosen KiwiSaver Scheme
• KiwiSaver Calculator
• About the Calculator
• UK Pension Transfers
• Retirement Savings Scheme Funds
• Investment Funds & Performance
• Fees and charges
• Making investments
• How your investment is taxed
• Make a difference
• Influence positive change
• Investment market update for the month ended 30 April 2024
• MAS brings the fun and financial know-how to O-Week
• Life & Income Policy Changes
• Changes to your Income Security premiums
• Historical Life & Income Policy Changes
• Join us for an in-person Member Connect function in May
• Investment market commentary for the month ended 31 March 2024
• Suzanne Wolton appointed new MAS Chief Executive Officer
• MAS launches MAS Investment Funds offering easier and more flexible investing
• Report on funds performance for the quarter ended 31 December 2023
• Introducing the new MAS Investor Portal
• Pioneering programme supports dentists towards better wellbeing
• Tackling antibiotic resistance with the winner of MAS Best Presentation Award
• Government’s new land categorisation for regions impacted by recent severe weather events
• MAS measures its carbon footprint with Toitū Envirocare
• We’ve lowered our fees for the MAS KiwiSaver Scheme and MAS Retirement Savings Scheme
• Report on funds performance for the quarter ended 30 September 2023
• Income Security Insurance product enhancements
• MAS Wins Gold at the 2023 Brandon Hall Group HCM Excellence Awards
• The NZDA Employment Fair: Smiles meet opportunities in record numbers
• Building a better world: Top engineer recognised at industry awards
• Report on the MAS Annual General Meeting 2023
• MAS Annual General Meeting 2023
• Annual Reports 2023 – the MAS KiwiSaver Scheme and the MAS Retirement Savings Scheme
• STONZ and MAS working together to support RMOs
• Report on funds performance for the quarter ended 30 June 2023
• MAS helping you address climate change with $650 million investment
• MAS a finalist for Best Ethical KiwiSaver provider in Aotearoa
• Talent galore at the annual Doctors Concert and Art Exhibition
• MAS’s response on FMA proceedings
• Unclaimed monies register
• Call for Nominations 2023
• Sustainable Business Awards entries open
• Investment performance commentary for the year ended 31 March 2023
• Annual statement and tax certificates for the year ended 31 March 2023
• Report on Funds Performance for the Quarter Ended 31 March 2023
• MAS receives Consumer NZ People’s Choice Award seventh year in a row
• HR excellence honoured at annual NZ HR Awards
• Watch our latest webinar, Navigating Volatility: Investment Strategies for Turbulent Times
• Navigating Volatility - Investment Strategies for Turbulent Times
• MAS supporting and trialling new sustainability resource
• Going the extra mile: MAS helps hundreds join the fun run
• New Life and Income Security Policies to support Sustainability
• Flood and weather damage: important information
• Funds performance for the quarter ended 31 December 2022
• Life and Income Insurance Policy Changes
• Karma Drinks celebrated at Sustainable Business Awards
• MAS New In-House Lawyer of the Year Award
• MAS supports iconic fun run for third year
• MAS commitment to Members recognised at 2022 Plain Language Awards
• MAS Presents: Nicola Turner and Celebrating Sustainability
• Graduate dentists matched with roles at employment fair
• New MAS Head of Investments and Business Development
• Why rising interest rates reduce your fixed interest returns
• Funds performance for the quarter ended 30 September 2022
• Appointment of new Chief Executive Officer for MAS
• What’s happening in investment markets?
• MAS and SBN celebrate organisations making social impact
• Privacy Statement Changes 16 September 2022
• EQC cap and levy rate changes
• Report on MAS Annual General Meeting 2022
• MAS Annual General Meeting 2022
• Annual Reports 2022 – MAS KiwiSaver Scheme and the MAS Retirement Savings Scheme
• Medical students pull off pandemic-era conference
• MAS supports leading Pacific researcher at NZ Women in Medicine conference
• Top ethical investors recognised at MAS-supported Mindful Money Awards
• Funds performance for the quarter ended 30 June 2022
• ILANZ and MAS partner to support in-house lawyers
• Investment market update - June 2022
• NZ HR Award winner "chuffed" with recognition
• Call for Nominations 2022
• MAS Investor News - Market Update May 2022
• MAS Life & Disability Insurance – Inflation adjustments
• Wellington tamariki off to a running start despite Omicron
• Surging inflation is driving interest rates higher
• Your money is now mindful
• Funds performance for the quarter ended 31 March 2022
• MAS Presents: Jehan Casinader and The Power of Stories
• Iconic Wellington event moves to digital model during outbreak
• MAS is supporting Dave Letele's BBM Foodshare Programme
• Is your KiwiSaver scheme funding the war in Ukraine?
• MAS Investor News update - market correction
• MAS receives Consumer NZ People’s Choice Award for sixth consecutive year
• MAS Talks postponed to spring 2022
• Funds performance for the quarter ended 31 December 2021
• Run and Become helps Wellington tamariki get active
• Gap Filler celebrated at Sustainable Business Awards
• Life & Disability Claims related FAQs
• MAS supports musical medical students
• MAS proud to support Brendan Foot Supersite Round the Bays for second year
• Entries open for New Zealand Primary Healthcare Awards
• Entries for NZ HR Awards closing soon
• Funds performance for the quarter ended 30 September 2021
• MAS invests in Sustainable Business Network
• Top young engineer recognised
• MAS Talks postponed till new year
• Changes to your Life Insurance premiums
• Report on the MAS Annual General Meeting 2021
• MAS Annual General Meeting 2021
• Funds performance for the quarter ended 30 June 2021
• New natural disaster claims process launched
• We’ve made some changes to the MAS KiwiSaver Scheme and Retirement Savings Scheme
• Privacy Statement Changes
• Connecting with rural healthcare
• MAS Supports 9th Annual Teddy Bear Hospital
• Meet this year’s top in-house lawyers
• Call for Nominations 2021
• Policy Changes
• Report on fund investment performance for the year ended 31 March 2021
• Annual Statements 2021
• 100 years young and heading for the future
• Report on fund investment performance for the quarter ended 31 March 2021
• MAS leads the car insurance pack
• MAS Foundation tackles implicit bias in the health sector
• We're phasing out cheques
• MAS staff and Members turn out in force for the Brendan Foot Supersite Round the Bays 2021
• New Year Honours for MAS Members
• Report on fund investment performance for the quarter ended 31 December 2020
• MAS receives Consumer NZ People’s Choice Award for fifth consecutive year
• We've updated our privacy policy
• Winners announced for the Sustainable Business Awards
• Tell us your stories
• MAS Members discount for Brendon Foot Supersite Round the Bays 2021
• Changes coming for how we deal with natural disaster claims
• Report on investment performance for the quarter ended 30 September 2020
• MAS proud to sponsor classic Wellington summer event - Round the Bays 2021
• Information for Members about incorrect car parts
• MAS celebrates Kiwi organisations making a social impact
• Changes to your life insurance premiums
• Report on the MAS Annual General Meeting 2020
• MAS passing back motor vehicle savings to Members
• MAS Annual General Meeting 2020
• Report on investment performance for the quarter ended 30 June 2020
• Automated income assessments and PIR updates
• MAS Members receive Queen's Birthday Honours
• MAS Foundation supports research to find safe ways to disinfect PPE for potential reuse
• Call for Nominations 2020
• Annual Statements 2020
• Get your MAS policy documents by email
• MAS proud to sponsor the 36th World Veterinary Association Congress
• More financial support for our Members
• Annual Statements and Tax Certificates for the year ended 31 March 2020
• Report on investment performance for the quarter ended 31 March 2020
• COVID-19: Updates from MAS
• MAS is monitoring the reaction of financial markets to coronavirus
• MAS changes pricing to more fairly allocate costs for house insurance
• Changes to KiwiSaver withdrawal rules
• New Year's financial resolutions
• Report on investment performance for the quarter ended 31 December 2019
• New Year's Honours for MAS Members
• People's Choice Award for MAS. Yet again.
• Trustees appointed to the MAS Foundation
• Report on investment performance for the quarter ended 30 September 2019
• Cyber Smart Week, 14-18 October 2019
• Networking event: Developing resilient marketers in the age of disruption
• Income Security Premiums
• We're making some changes to your policies
• Update from the 2019 AGM
• MAS Annual General Meeting 2019
• Report on investment performance for the quarter ended 30 June 2019
• Changes to the EQC Act
• Marketing Association and MAS announce new partnership
• Call for Nominations 2019
• Changes to KiwiSaver - What you need to know
• Buying your first home? We can help!
• Funds under management exceed $1.5bn for the first time
• Report on Investment Performance: from Easy Chair to Electric Chair
• Investment Returns – Good news for shares
• Investor News - July 2018
• Brexit - What does it mean to my investment?
• Consumer NZ People's Choice 2016, 2017 & 2018
• MAS welcomes life insurance industry report.
• Kaikoura Earthquake
• Student Membership
• Student Insurance Package
• MAS Here for Good Scholarship
• Celebrating Grads
• MAS Student Advisers
• Claims Photo Guide
• Kaikoura 2016 Resources and Assistance
• MAS Claims Process for Income Security Claims
• Claims Guide
• Fair Insurance Code
• House Insurance Application Guide
• FAQs: EQC Act Changes 2019
• General Insurance Forms
• KiwiSaver Documents & Forms
• Retirement Savings Scheme Documents & Forms
• Direct Debit Authority
• Investment Funds Documents & Forms
• Financial Advice Disclosure
• Anti Money Laundering
• Āki Wellbeing Hub registration T&Cs
• Motor Vehicle Quote Outside of Hours T&Cs
• Terms of Business
• Summary of key matters about the Fair Conduct Programme
• Make a change to your insurance policy
• Need an insurance quote?
• Report suspected insurance fraud
• Christchurch
• Hawke's Bay
• Manawatū-Wanganui

#businessriskinsurance

By HealthyPractice | 14 September 2023

Make sure you can keep your business running during unexpected events.

It’s in every business owner’s best interest to understand the risks or threats that could disrupt your most important business activities. And if a disaster does strike, you need to have a plan in place to enable your business to get back on its feet as quick and easy as possible.  

This is where a business continuity plan (BCP) comes into action. Use this step-by-step guide to get your plan sorted. It’s vital to your business’s survival.

What is a BCP ?

A BCP is a comprehensive strategy to help make sure that in the event of a major disruption, an organisation can continue to function and run its main day-to-day operations . It’s an essential part of running a business to mitigate and lessen risk, and it is applicable to all organisations, whether a private-sector company, public sector organisation , or a practice. 

Why do you need a BCP ?

If a major disruption happens, such as a natural disaster or cyber attack , having a b usiness c ontinuity p lan will increase the likelihood of being able to continue running your business . It can save a business significant time and money and may help a business to recover faster after a disruption .

What are the types of threats to business continuity? 

There are 4 key threats to business continuity: 

• IT security 
• Adverse weather events 
• Seismic activity 

Other risks include: 

• Supply chain disruption 
• Loss of a key staff member 
• Loss of a key customer 
• Supplier outages 

What should a BCP include?

MAS’s Business Advisory Service says that it’s a good idea for New Zealand businesses to proactively develop a business continuity plan before they need to use it. A plan will need to identify the most important things you’ll need to continue running your business. For example, communication, facilities and access to them, resources (equipment and documentation), and technology. You also need to factor in who you have a responsibility to, which may include customers, staff, contractual partners, and the wider community. 

Who and how will you communicate with those you have a responsibility towards, such as staff?  

As part of your plan, you need to decide on the best avenues and tools to communicate with your staff, for example, MS Teams, a social media app. It’s important as part of these communications to have staff emergency contact details readily available, such as home and cell phone numbers and personal email addresses. If your organisation has a website and/or social media platform, you’ll also want to have a plan to keep your staff and customers updated through these communication avenues.     In addition to staff and customers, you will also need to keep details you can access for a range of other contacts such as your insurer, maintenance contractors, utility providers etc. and ensure you can access these off-site.  

How will your business operate if you cannot use your business space and facilities?  

Is it possible to develop an agreement with a business close by so that you could work from their premises? Are there other locations in the community to work from such as local community halls? Here is a list of some of what to add to your business continuity plan. 

• Resources – This will cover a wide range of areas, from IT to stock. 
• IT  – Backing up data is one of the simplest ways to ensure business continuity. Is your network cloud based? Have you tested to see if your backup would restore your data and whether you have a backup off site? Or do you have an off-site back up arrangement? Do you have a list of software installed in each workstation? 
• Fixed Asset register – This is to identify all fixed assets of a business. 
• Equipment – Do you have a list of all necessary equipment for each area of the business, so that if you need to replace any equipment you know what was there? 
• Stock – Do you know how much stock you have on hand and its value? 
• Your suppliers – Develop a list of your most used contact details and customer numbers. What are their business continuity plans? 

How long should a BCP be? 

There’s no set size as it will depend on the nature of your business, but it’s important to keep your plan short and usable. You don’t need to create a hefty 20-page document if it’s not needed. 

Your plan needs to be easily accessible by all staff. A good BCP needs to be short enough to convert to a PDF that all staff members can easily store and access on their mobile phone. It could even be a short as a double-sided A4 or A3 document.

Test your BCP before it’s needed 

Like your other emergency preparedness plans, it’s a good idea to put your BCP into practice to make sure everything is covered. It’s recommended that you have your BCP tried and tested with relevant staff at least once a year.  

Instead of focussing on the cause of the disruption, such as a power outage or natural disaster, ask your staff to run through how they’d manage the consequences of the disruption. For example: 

• What will they do if the power is out for multiple days preventing the use of important machinery?  
• What are the options if the premises are closed for a week or longer? 

Your plan will likely change as your business evolves, so make sure you debrief after each test and update the plan if necessary. 

The role of business insurance in business continuity

Business Insurance is designed to protect your business – such as building and contents – against unexpected events. Replacing these items can add up in cost, not to mention the time needed to replace them. Business insurance provides peace of mind. The type of cover and the amount needed will depend on your business. Find out more about business insurance offered by MAS .  

There is the option to take out Natural Disaster cover to protect against loss or damage caused by earthquakes and other natural disasters, depending on where your business is located. And for a full comprehensive protection plan, Business Interruption (BI) is designed to cover your lost income if you need to temporarily close your doors due to an event covered under your policy.    Some questions to consider in relation to business insurance include:  

• Do you have business interruption cover?  
• Do you know what business insurance covers?   
• Does it include loss of earnings, and does it cover staff wages? 

Some key resources for business continuity 

The Resilient Business website offers resources to help you create a resilience strategy and the Wellington Region Emergency Management Office website has downloadable business continuity plans for you to customise for the needs of your business. 

Finally, remember that once you’ve developed your plan, it needs to be a living document and regularly reviewed.  

If you have any questions regarding your business continuity plan you can contact our MAS HealthyPractice team at [email protected] , and if you need to review your MAS business insurance covers you can email [email protected] . 

MAS staff are happy to answer any questions you have on practice issues or dilemmas. Email your questions to [email protected] .

This article is of a general nature and is not a substitute for professional and individually tailored business or legal advice. © Medical Assurance Society New Zealand Limited 2023.  

You might also like

5 fundamentals to create a positive workplace culture

21 August 2023

Creating a positive workplace culture is crucial for fostering happiness, satisfaction, and productivity among employees. This blog explores five fundamentals that can help you create a positive workplace.

Protecting health and wellbeing

19 February 2020

Occupational and environmental physician Dr Alexandra Muthu believes more needs to be done to protect the physical, mental and emotional health and wellbeing of New Zealand workers.

Ten ways to protect your business from cybercrime

19 October 2020

Cybercrime continues to increase and Kiwi businesses need to protect themselves and their businesses' data. MAS Senior System Support Administrator Sydney Kanda says there are ten things business owners can do to make their networks harder to attack.

Strengthen your business with MAS insurance.

• Search Search Please fill out this field.
• Business Continuity Plan Basics
• Understanding BCPs
• Benefits of BCPs
• How to Create a BCP
• BCP & Impact Analysis
• BCP vs. Disaster Recovery Plan

Frequently Asked Questions

• Business Continuity Plan FAQs

The Bottom Line

What is a business continuity plan (bcp), and how does it work.

Investopedia / Ryan Oakley

What Is a Business Continuity Plan (BCP)? 

A business continuity plan (BCP) is a system of prevention and recovery from potential threats to a company. The plan ensures that personnel and assets are protected and are able to function quickly in the event of a disaster.

Key Takeaways

• Business continuity plans (BCPs) are prevention and recovery systems for potential threats, such as natural disasters or cyber-attacks.
• BCP is designed to protect personnel and assets and make sure they can function quickly when disaster strikes.
• BCPs should be tested to ensure there are no weaknesses, which can be identified and corrected.

Understanding Business Continuity Plans (BCPs)

BCP involves defining any and all risks that can affect the company's operations, making it an important part of the organization's risk management strategy. Risks may include natural disasters—fire, flood, or weather-related events—and cyber-attacks . Once the risks are identified, the plan should also include:

• Determining how those risks will affect operations
• Implementing safeguards and procedures to mitigate the risks
• Testing procedures to ensure they work
• Reviewing the process to make sure that it is up to date

BCPs are an important part of any business. Threats and disruptions mean a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition. It is generally conceived in advance and involves input from key stakeholders and personnel.

Business impact analysis, recovery, organization, and training are all steps corporations need to follow when creating a Business Continuity Plan.

Benefits of a Business Continuity Plan

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic. Business continuity planning is typically meant to help a company continue operating in the event of major disasters such as fires. BCPs are different from a disaster recovery plan, which focuses on the recovery of a company's information technology system after a crisis.

Consider a finance company based in a major city. It may put a BCP in place by taking steps including backing up its computer and client files offsite. If something were to happen to the company's corporate office, its satellite offices would still have access to important information.

An important point to note is that BCP may not be as effective if a large portion of the population is affected, as in the case of a disease outbreak. Nonetheless, BCPs can improve risk management—preventing disruptions from spreading. They can also help mitigate downtime of networks or technology, saving the company money.

How To Create a Business Continuity Plan

There are several steps many companies must follow to develop a solid BCP. They include:

• Business Impact Analysis : Here, the business will identify functions and related resources that are time-sensitive. (More on this below.)
• Recovery : In this portion, the business must identify and implement steps to recover critical business functions.
• Organization : A continuity team must be created. This team will devise a plan to manage the disruption.
• Training : The continuity team must be trained and tested. Members of the team should also complete exercises that go over the plan and strategies.

Companies may also find it useful to come up with a checklist that includes key details such as emergency contact information, a list of resources the continuity team may need, where backup data and other required information are housed or stored, and other important personnel.

Along with testing the continuity team, the company should also test the BCP itself. It should be tested several times to ensure it can be applied to many different risk scenarios . This will help identify any weaknesses in the plan which can then be corrected.

In order for a business continuity plan to be successful, all employees—even those who aren't on the continuity team—must be aware of the plan.

Business Continuity Impact Analysis

An important part of developing a BCP is a business continuity impact analysis. It identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis. The worksheet should be completed by business function and process managers who are well acquainted with the business. These worksheets will summarize the following:

• The impacts—both financial and operational—that stem from the loss of individual business functions and process
• Identifying when the loss of a function or process would result in the identified business impacts

Completing the analysis can help companies identify and prioritize the processes that have the most impact on the business's financial and operational functions. The point at which they must be recovered is generally known as the “recovery time objective.”

Business Continuity Plan vs. Disaster Recovery Plan

BCPs and disaster recovery plans are similar in nature, the latter focuses on technology and information technology (IT) infrastructure. BCPs are more encompassing—focusing on the entire organization, such as customer service and supply chain. 

BCPs focus on reducing overall costs or losses, while disaster recovery plans look only at technology downtimes and related costs. Disaster recovery plans tend to involve only IT personnel—which create and manage the policy. However, BCPs tend to have more personnel trained on the potential processes. 

Why Is Business Continuity Plan (BCP) Important?

Businesses are prone to a host of disasters that vary in degree from minor to catastrophic and business continuity plans (BCPs) are an important part of any business. BCP is typically meant to help a company continue operating in the event of threats and disruptions. This could result in a loss of revenue and higher costs, which leads to a drop in profitability. And businesses can't rely on insurance alone because it doesn't cover all the costs and the customers who move to the competition.

What Should a Business Continuity Plan (BCP) Include?

Business continuity plans involve identifying any and all risks that can affect the company's operations. The plan should also determine how those risks will affect operations and implement safeguards and procedures to mitigate the risks. There should also be testing procedures to ensure these safeguards and procedures work. Finally, there should be a review process to make sure that the plan is up to date.

What Is Business Continuity Impact Analysis?

An important part of developing a BCP is a business continuity impact analysis which identifies the effects of disruption of business functions and processes. It also uses the information to make decisions about recovery priorities and strategies.

FEMA provides an operational and financial impact worksheet to help run a business continuity analysis.

These worksheets summarize the impacts—both financial and operational—that stem from the loss of individual business functions and processes. They also identify when the loss of a function or process would result in the identified business impacts.

Business continuity plans (BCPs) are created to help speed up the recovery of an organization filling a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.  

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15 - 17.

Ready. “ IT Disaster Recovery Plan .”

Federal Emergency Management Agency. " Business Process Analysis and Business Impact Analysis User Guide ." Pages 15-17.

• Terms of Service
• Editorial Policy
• Privacy Policy
• Your Privacy Choices

What Is A Business Continuity Plan? [+ Template & Examples]

Published: December 30, 2022

When a business crisis occurs, the last thing you want to do is panic.

The second-to-last thing you want to do is be unprepared. Crises typically arise without warning. While you shouldn't start every day expecting the worst, you should be relatively prepared for anything to happen.

A business crisis can cost your company a lot of money and ruin your reputation if you don't have a business continuity plan in place. Customers aren't very forgiving, especially when a crisis is influenced by accidents within the company or other preventable mistakes. If you want your company to be able to maintain its business continuity in the face of a crisis, then you'll need to come up with this type of plan to uphold its essential functions.

In this post, we'll explain what a business continuity plan is, give examples of scenarios that would require a business continuity plan, and provide a template that you can use to create a well-rounded program for your business.

Table of Contents:

What is a business continuity plan?

• Business Continuity Types
• Business Continuity vs Disaster Recovery

Business Continuity Plan Template

How to write a business continuity plan.

• Business Continuity Examples

A business continuity plan outlines directions and procedures that your company will follow when faced with a crisis. These plans include business procedures, names of assets and partners, human resource functions, and other helpful information that can help maintain your brand's relationships with relevant stakeholders. The goal of a business continuity plan is to handle anything from minor disruptions to full-blown threats.

For example, one crisis that your business may have to respond to is a severe snowstorm. Your team may be wondering, "If a snowstorm disrupted our supply chain, how would we resume business?" Planning contingencies ahead of time for situations like these can help your business stay afloat when you're faced with an unavoidable crisis.

When you think about business continuity in terms of the essential functions your business requires to operate, you can begin to mitigate and plan for specific risks within those functions.

Crisis Communication and Management Kit

Manage, plan for, and communicate during your corporate crises with these crisis management plan templates.

• Free Crisis Management Plan Template
• 12 Crisis Communication Templates
• Post-Crisis Performance Grading Template
• Additional Crisis Best Management Practices

You're all set!

Click this link to access this resource at any time.

Business Continuity Planning

Business continuity planning is the process of creating a plan to address a crisis. When writing out a business continuity plan, it's important to consider the variety of crises that could potentially affect the company and prepare a resolution for each.

Don't forget to share this post!

Related articles.

How to Navigate Customer Service During a Business Closure

10 Crisis Communication Plan Examples (and How to Write Your Own)

I Tried 7 Crisis Management Software to See if They’re Worth It (Results & Recommendations)

20 Crisis Management Quotes Every PR Team Should Live By

Social Media Crisis Management: Your Complete Guide [Free Template]

De-Escalation Techniques: 19 Best Ways to De-Escalate [Top Tips + Data]

Situational Crisis Communication Theory and How It Helps a Business

What Southwest’s Travel Disruption Taught Us About Customer Service

Showcasing Your Crisis Management Skills on Your Resume

What Is Contingency Planning? [+ Examples]

Manage, plan for, and communicate during a corporate crisis.

Service Hub provides everything you need to delight and retain customers while supporting the success of your whole front office

An official website of the United States government

Here’s how you know

Official websites use .gov A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS A lock ( Lock A locked padlock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Business Continuity Planning

Organize a business continuity team and compile a  business continuity plan  to manage a business disruption. Learn more about how to put together and test a business continuity plan with the videos below.

Business Continuity Plan Supporting Resources

• Business Continuity Plan Situation Manual
• Business Continuity Plan Test Exercise Planner Instructions
• Business Continuity Plan Test Facilitator and Evaluator Handbook

Business Continuity Training Videos

The Business Continuity Planning Suite is no longer supported or available for download.

Business Continuity Training Introduction

An overview of the concepts detailed within this training. Also, included is a humorous, short video that introduces viewers to the concept of business continuity planning and highlights the benefits of having a plan. Two men in an elevator experience a spectrum of disasters from a loss of power, to rain, fire, and a human threat. One man is prepared for each disaster and the other is not.

View on YouTube

Business Continuity Training Part 1: What is Business Continuity Planning?

An explanation of what business continuity planning means and what it entails to create a business continuity plan. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about what business continuity planning means to them.

Business Continuity Training Part 2: Why is Business Continuity Planning Important?

An examination of the value a business continuity plan can bring to an organization. This segment also incorporates an interview with a company that has successfully implemented a business continuity plan and includes a discussion about how business continuity planning has been valuable to them.

Business Continuity Training Part 3: What's the Business Continuity Planning Process?

An overview of the business continuity planning process. This segment also incorporates an interview with a company about its process of successfully implementing a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 1

The first of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “prepare” to create a business continuity plan.

Business Continuity Training Part 3: Planning Process Step 2

The second of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “define” their business continuity plan objectives.

Business Continuity Training Part 3: Planning Process Step 3

The third of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “identify” and prioritize potential risks and impacts.

Business Continuity Training Part 3: Planning Process Step 4

The fourth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “develop” business continuity strategies.

Business Continuity Training Part 3: Planning Process Step 5

The fifth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should define their “teams” and tasks.

Business Continuity Training Part 3: Planning Process Step 6

The sixth of six steps addressed in this Business Continuity Training, which detail the process of building a business continuity plan. This step addresses how organizations should “test” their business continuity plans. View on YouTube

Last Updated: 12/21/2023

Return to top

Business Continuity Plan Disclosure

Madison Avenue Securities, LLC (Madison), otherwise referred to as “MAS”, has developed a Business Continuity Plan (“BCP”) as a contingency to mitigate any impact of possible future business interruptions. In our BCP, we outline how we continue to conduct business in the event of a Significant Business Disruption (“SBD”). MAS plans to quickly recover and resume business operations should there be an SBD and respond by safeguarding employees’ lives and firm property, making a financial and operational assessment, protecting the firm’s books and records, and allowing our clients to transact business.

Contacting Us

Our Headquarters is located at: Madison Avenue Securities, LLC, 13500 Evening Creek Drive N, Suite 555, San Diego, CA 92128. Our main number is 888-627-7323. If after a significant business disruption you cannot contact us as you usually do, you should contact your personal investment professional directly, or may go to our website at www.mas-bd.com to obtain alternative contact information if available.

Business Continuity Plan

Our Business Continuity Plan addresses data backup and recovery, all mission critical systems, financial and operational assessments; alternative communication with our clients, employees, regulators; alternative physical locations of employees, critical suppliers, contractors, banks and counterparty impact; regulatory reporting and assuring clients of prompt access to their funds and securities if we are unable to continue business due to an SBD. Our clearing firm, Pershing, LLC backs up its important records in a geographically separate area.

Our firm’s BCP is designed to meet our existing obligations to clients in the event of an emergency or significant business disruption; however, it is not infallible. The unpredictable nature of some events may make it impossible to anticipate every scenario that could cause a business disruption. Although we are confident in our own preparedness, MAS has no control over the third party entities that we must rely upon in the event of an emergency. We test our Business Continuity Plan from time to time to ensure our readiness; yet these tests may not replicate conditions we would experience in a real emergency. Our BCP is subject to change without notice. This is provided to you for informational purposes only.

Oliverwood Finance

Quos mollis incididunt culpa officia dignissimos necessitatib.