Getting your BCM audit on track

With the 6 June audit deadline behind us, firms should have conducted their first Business Continuity Management audit to ensure they comply with the regulatory guidelines, and that the plan they put in place is adequate and effective.

Am I ready for the BCM audit?

Since late last year, we have conducted many Business Continuity Management (BCM) audits for various financial institutions. The objective of an audit is to establish whether a financial institution's BCM framework, in relation to its critical business services, is adequate and effective. While regulated firms regularly undergo audits of their business operations and financials, the BCM audit is a new regulatory expectation imposed by the MAS.

What should the BCM audit fulfil?

BCM audits may vary in terms of scope and procedures. Nevertheless, the design of the audit program should fulfil the following aspects:

  • Provide an independent assessment of the adequacy and effectiveness of your BCM framework across each critical business service.
  • Examine risks highlighted from risk assessments, previous audit findings and relevant incidents.
  • Assess the operational preparedness of BCM processes and procedures.

What are the key learnings from a BCM audit?

Below are some of the key observations from the BCM audits we conducted:

Key areas and observations:

  • Framework and plan design: There was no "one size fits all" approach to the framework and documentation, as these depend on a firm's size, investment strategies and operational complexity.
  • Threat assessment and business impact analysis: The level of detail in the assessment and impact analysis varies in proportion to the business nature, complexity and size of the financial institution. Most have a good understanding of their business and operational risks and can adopt appropriate methodologies to identify and evaluate the relevant business disruption threats, as well as their critical business services and functions.
  • Training: General BCM awareness training should be provided to all staff. Some firms also provide further training for their key BCM stakeholders (e.g. BCP coordinators and the crisis management team).
  • Recovery time objective (RTO): The RTO should be realistic and achievable in light of operational constraints. Some financial institutions misunderstood the concept of the recovery time objective and set the actual recovery time achieved in practice as the RTO.

How can Bovill Newgate help your BCM plan meet regulatory expectations?

Since the BCM guidelines were updated in June 2022, we have been actively supporting clients to:

  • perform gap analysis and enhance their existing BCM framework and business continuity plans
  • conduct business impact, threat and risk assessments and help them in putting in place appropriate crisis management and continuity plans
  • plan and conduct BCM audits.

You can find out more about our support here or get in touch below.