• CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON


  •   
  • FileName: Business_Continuity_Management.pdf [read-online]
    • Abstract: CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ONBUSINESS CONTINUITY MANAGEMENT (BCM) FORINSTITUTIONS LICENSED UNDER THE BANKING ACTJANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14PART I Preliminary

Download the ebook

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON
BUSINESS CONTINUITY MANAGEMENT (BCM) FOR
INSTITUTIONS LICENSED UNDER THE BANKING ACT
JANUARY 2008
GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14
PART I Preliminary
1.1 Title
1.2 Authorization
1.3 Application
1.4 Definitions
PART II Statement of Policy
2.1 Purpose
2.2 Scope
2.3 Responsibility
PART III Specific Requirements
3.1 Boards and Senior Management
3.2 Business Continuity Management Team
PART IV Remedial Measures
4.1 Remedial Measures
PART V Effective Date
5.1 Effective Date
2
PART I : PRELIMINARY
1.1 Title – Guideline on Business Continuity Management (BCM).
1.2 Authorisation – This Guideline is issued under Section 33(4) of the Banking
Act, which empowers the Central Bank of Kenya to issue guidelines to be
adhered to by institutions in order to maintain a stable and efficient
banking system.
1.3 Application – This Guideline applies to all institutions licensed under the
Banking Act (Cap. 488).
1.4 Definitions – The terms used in this Guideline shall be taken to have the
meaning as assigned to them in the glossary.
PART II: STATEMENT OF POLICY
2.1 Purpose
This Guideline outlines the minimum requirements that financial institutions
shall implement to ensure that business operations are not adversely
affected in the event of a disruption. It is envisaged that by implementing
this Guideline, supervised financial institutions will both reduce the likelihood
and impact of operational disruption and ensure business continuity in order
to maintain public trust and confidence in the financial system.
2.2 Scope
This Guideline sets the minimum requirements for establishing sound and
effective business continuity management practices in financial institutions
in Kenya.
3
2.3 Responsibility
The responsibility for business continuity management ultimately rests with
the board of directors and the senior management of an institution who are
expected to formulate business continuity policy, procedures, guidelines
and set minimum standards for an institution. All of these must be
documented and available for review by an external auditor and the
Central Bank of Kenya.
PART III SPECIFIC REQUIREMENTS
3.1 Board of Directors and Senior Management
3.1.1 Major duties and responsibilities
A financial institution’s board and senior management are responsible for
the development, implementation and maintenance of policies that ensure
the resilience and continuity of an institution, in the event of major
operational disruptions . The board fulfils its business continuity planning
responsibilities by setting policy ,prioritizing critical business functions,
allocating sufficient resources and personnel, providing oversight
,approving the Busines s Continuity Plan(BCP), reviewing test results and
ensuring maintenance of the current plan. These responsibilities include but
are not limited to the following: -
3.1.1.1 Ensure that business continuity planning forms an integral part of the overall
risk management of an institution and that business continuity processes are
documented and embedded in an organisation’s operations.
In connection to this the board of directors and senior management are
required to:
a) Ensure a documented Policy on BCM is put in place.
4
b) Define the roles, responsibilities and authority to act in the event of a
major disruption, namely:
i. At the organizational level, overall management of the business
continuity function on a day-to day basis should be assigned to a
Business Continuity Management Team. The selection of the team
should be contingent upon the nature of business activities, size,
complexity, and geographical location of an institution.
The basic composition of the Business Continuity Management Team
should at a minimum constitute the following;
1. Co-ordinator (drawn from the senior management).
2. Functional Department Heads.
3. Line Managers.
4. Risk Management Officer.
ii. Establish a Crisis Management Team, consisting of key executives
and functional heads of critical operational areas who will be
responsible for dealing with crisis management and business
continuity during a crisis. This will require the institution to re-prioritise
and re-allocate resources in order to expedite recovery. The roles
and responsibilities o each individual member / team should be
f
clearly defined.
iii. In the event that a financial institution opts to outsource the business
continuity function, it should ensure that accountability for business
continuity management ultimately rests with the board of directors
and senior management.
iv. in cases where institutions share a disaster recovery site, there must be
service level agreements in place that clearly outline the terms that
govern these arrangements between the parties .
5
v. In cases where recovery sites are outsourced to a vendor or
supplier, a signed contract must exist with service level
agreements that support such an arrangement.
vi. In outsourced solutions that are syndicated, care must be taken
not to syndicate services between banks where they have
normal business functions close or adjacent to each other i.e. a
bank back office operation in Nairobi which is next to or a few
blocks away from another bank and uses the same vendor
should not have syndicated solutions utilising the same
syndicated infrastructure. For the above, dedicated options
should be taken to ensure recovery in the event of a city wide
incident.
vii. Office, data centre or server room recovery must not be in the
same building or close to the normal business operation.
viii. Distance from the normal business and recovery facility will
depend on individual needs but it is proposed that if a bank has
its head office or back office function within the city limits, they
should have their recovery facilities outside of the city centre.
Care should be taken to look at other factors such as a second
power grid and telecommunications infrastructure i.e. a power
outage of the normal business functions should not be able to
affect the recovery facility.
ix. Recovery facilities must include all the necessary backup power
generation and supply (Generator, UPS and adequate fuel
supply).
x. Utilisation of alternate sites for recovery within the same
organisation must be at an adequate distance from the
operation based on above criteria. If the alternate site is utilised
for normal and recovery operations a documented and tested
plan must be in place to support such an arrangement.
xi. Recovery solutions must be based on Business Impact Assessment
(BIA) information.
6
xii. Documented pr e and post test reports are to be completed for
all recovery testing.
c) Ensure that employees are trained and made aware of their roles in the
implementation of the Business Continuity Plan.
d) Ensure that sufficient human and financial resources are made available
to provide support for Business Continuity Management.
e) Ensure that the business continuity plans not only consider the business
process and technical aspects, but also recognise and addresses the
human element. The overriding consideration in formulating an
institution’s business continuity plan should be for the preservation of
human life.
3.1.1.2 Establish a framework for review and monitoring by the Board of Directors
and Senior Management
a) Business Continuity Plans should be reviewed and approved by the
Board of Directors on an annual basis. Some information such as
contact details should be reviewed on a monthly or quarterly basis.
However, certain events may trigger the need for an immediate review
of the BCP. These include significant changes in the following ;
• Business strategy and risk appetite of an institution.
• Restructuring of an institution, either through expansion or through a
merger or acquisition.
• Key technology and telecommunications.
• Service providers.
• Regulatory and legislative requirements.
• Composition and size of staff.
b) An institution’s business continuity plan should be subject to an
independent review on an annual basis and the findings reported to the
board of directors on a timely basis. This is through assurance and
7
business continuity management audits conducted at a predetermined
frequency.
3.1.1.3 Ensure compliance with all Prudential Guidelines and all other regulatory
and legal requirements related to Business Continuity Management.
A financial institution should comply with the Banking Act, Prudential
Guidelines and all other applicable laws and regulations which fall under
jurisdiction of other regulatory authorities.
3.2 Business Continuity Management Team
The major roles and responsibilities of the Business Continuity Management
Team should be as follows;
3.2.1 To develop and approve a business continuity management process and
plan.
An institution’s business continuity plan should be developed along the
following five levels which reflect the business continuity management life
cycle;
i. Strategic level; Examine the organisational framework taking note of
the key business stakeholder s , legislative and regulatory requirements in
relation to business continuity.
ii. Process level; - Develop resumption strategies for business processes
and activities.
iii. Resource Recovery; Ensure the deployment of appropriate resources
to ensure appropriate continuity across all business processes and
activities.
iv. Awareness and Education; Develop a business continuity culture
8
through assessment of business continuity awareness campaigns. Ensure
that the BCM Management Team are trained and that appropriate skills
are in place.
v. Testing, Maintenance, Measurement and Audit; Ensure reliability of the
business continuity plan of an organisation through independent review
and testing.
3.2.2 Ensure that the Business Continuity Plan (BCP) is updated to reflect the
changes in a financial institution’s risk profile.
The Business Continuity Management Team should ensure that the (BCP)
business continuity plan is reviewed annually, though the frequency may be
modified to take into account changes in the business strategy, business
processes, personnel, location or technology and changes in the external
business environment.
3.2.3 Ensure the implementation of the business continuity plan by periodically
conducting a business impact analysis, (at least once a year) an enterprise
– wide risk assessment, risk management and risk monitoring to identify the
mission critical activities and potential for major disruptions. Business Impact
Analysis(BIA’s) must be signed off by department or functional heads
through a formal functional process stipulating that they understand,
accept and verify BIA’s are correct.
3.2.3.1 Business Impact Analysis(BIA)
Major operational disruptions pose a substantial risk to the continued
operation of a financial institution. The extent to which a financial institution
incorporates the risk of a major operational disruption in its business
continuity plan is dependent upon its risk profile.
9
Business impact analysis forms the foundation upon which the business
continuity plan is developed. It identifies critical business functions and
operations that need to be recovered on a priority basis and establishes
appropriate recovery objectives for those operations. It should be
completed in advance of a risk assessment in order to identify the urgent
functions upon which a risk assessment should be focused. At a minimum a
business impact analysis is expected to;
i. Provide an understanding of an institution’s most critical objectives,
the priority, and the timeframes for resumption of each (recovery
objective and recovery time)
ii. Provide information about resource requirements over time to enable
each business function within the organisation achieve continuity or
resumption of activity within the established timeframes. It should at a
minimum identify;
§ Staff numbers and key skills.
§ Data applications and systems.
§ Facilities including alternative location needs, backup strategy
policy and schedule.
§ Vendors/suppliers of various services.
§ Constraints.
§ Mission Critical Activities (MCA’s) or tasks that need to be recorded
to ensure continuity of the process and business.
§ Dependencies on people, systems, processes, internal and external
parties.
§ Recovery Time Objective (RTO) and Recovery Point Objective
(RPO) for every MCA or business.
§ Systems impact assessment highlighting:
• Location.
• Department unit owners, system information, commissioning
dates.
10
• Technical person responsible.
• RTO, RPO and dependences.
iii. Provide a list of recovery options for each business process.
Methods and techniques
A combination of the following tools and techniques may used to carry
out Business Impact Analysis;
(i) Questionnaires.
(ii) I nterviews.
(iii) Workshops.
Generally a combination of all the above methods should provide an
adequate source of information from which to base the Business Continuity
Plan. All relevant information should be stored for reference for at least one
year or until the next BIA.
3.2.3.2 Risk Assessment
A risk assessment examines the most urgent business functions identified
during business impact analysis. It looks at the probability and impact of a
variety of specific threats that could cause a business disruption. A risk
assessment is at a minimum expected to achieve the f ollowing;
i. Identify unacceptable concentrations of risk and what are known as
‘single points of failure’.
ii. Identify internal and external threats that could cause a disruption and
assess their probability and impact.
iii. Prioritise threats according to the institution.
iv. Provide information for a risk control management strategy and an
11
action plan for risks to be addressed.
v. Mitigation of risks through a documented remediation plan.
Methods and Techniques
The methods and techniques to be used to provide a risk assessment
include;
• Insurance statistics.
• Published disaster frequency statistics.
• Scoring systems for impact and probability.
• Gap analysis.
• Stress testing.
3.2.3.3 Recovery objective s
Financial institutions should develop recovery objectives that reflect the risk
they represent to the operation of the financial system. Institutions should
factor in interdependency risks when developing their recovery objectives.
Consequently, supervised financial institution’s business continuity
management team should:
a) Make an assessment of the risks they pose to the financial sector based
on critical services they provide and their significance to the financial
system.
b) Identify those business functions and operations to be recovered on a
priority basis and establish recovery objectives.
c) Establish recovery objectives proportional to the risk they pose to the
financial system.
12
When evaluating whether an institution’s business continuity plan can
accommodate major operational disruptions an institution should review
the adequacy of recovery arrangements in areas such as;
i. The alternate site should be sufficiently remote from the main branch of
a financial institution.
ii. The alternate site should be sufficiently equipped with the necessary
equipment, data and to maintain critical operations and services for a
sufficient time period. An inventory of assets (backup tapes,
communication links, operating systems, hardware) needed for offsite
recovery should be generated.
iii. The business continuity plan should address staff requirements and
reallocation to the alternate site in the event of a major disruption. A
detailed list of tasks for offsite recovery should be made available to all
concerned staff.
3.2.4 Report on the status of business continuity management to the board
and senior management on a regular basis, highlighting where there are
identified gaps. This is through implementation status reports, incident
reports, testing results and related plans for strengthening the business
continuity plan. Institutions should also report activation/invocation of
their BCP’s to the Central Bank of Kenya within 24 hours of the
activation/invocation.
3.2.5 Facilitate testing of plans to ensure that crisis and recovery teams are
aware of their roles and responsibilities in the event of a disruption
Testing the ability of an institution to recover critical operations is an
essential component of effective business continuity management.
Though emphasis is made on testing technical recovery, the key
13
element to be examined is human resource, ensuring that skills,
knowledge, management and decision making ability is assessed. An
institution should ensure that;
a) Testing of the overall business continuity management of an
institution should at a minimum be conducted at least once a year.
The frequency of testing should be dependent upon the nature, size,
risks and complexity of the financial institution. The amount of tests
should depend on the criticality of the business process.
b) The frequency of testing for key functional areas is determined by
how critical they are to an institution and any material changes to an
institution’s internal and external environment.
c) There are measures for the quality of planning, competency of staff
and effectiveness of the business continuity plan.
d) There is organisational awareness of emergency procedures and
team members and staff are familiar with their roles, accountability,
responsibilities and authority in response to an incident.
e) All technological, logistical and administration aspects of the
business continuity plan have been tested.
f) The recovery of infrastructure including command centres and off
site work area is assured.
g) The opportunity to identify shortcomings and improvements to the
organisation’s business continuity readiness is a continuous process.
h) The availability and relocation of staff is assessed.
14
i) Documentation of testing results for the board of directors, senior
management, auditors and regulators.
Methods and technique s
Management should develop a test plan for each BCP testing method
used. An institution is expected to employ various methods of exercising
including but not limited to the following;
• Technical tests.
• Desktop /Orientation/walkthroughs.
• Live runs.
• Simulations.
• Integrated tests for departments that are dependent on each other
and also stress testing of recovery facilities.
3.2.6 Ensure that the institution’s response to a disruption is communicated
internally and externally to applicable parties. External communication to
the media must only be through the external communications teams and
approved by senior management or the board.
3.2.6.1 Communication
Financial institutions should include in their business continuity plans
procedures for communicating within their institution and with relevant
external parties in the event of major disruptions. The communication
procedures for a financial institution should:
a) Ensure that there is a clear plan identifying staff, for communicating
internally (within the organisation) and externally (to the public )
stakeholders.
b) Establish communication protocols clearly outlining the chain of
command from the board of directors, chief executive, and senior
15
management; Develop a directory for all recovery team members
including the crisis management and emergency management teams,
local emergency response organisations and critical service providers.
c) Ensure that the directory/contact lists are made available to all team
members.
d) Address obstacles that may arise due to failure in primary
communications systems (electricity, mobile phone network, road
network). Ensure that the institution has set up alternative modes of
communication.
e) Ensure regular updating and testing of call trees at least quarterly.
f) Ensure that copies of business continuity plans are disseminated to the
relevant personnel.
3.2.6.2 Cross-Border Communication
Increased globalization of business processes has implications on the
impact of a major operational disruption, which can extend across national
borders. In this regard, financial institutions are expected to put in place
procedures for communications with financial authorities in other
jurisdictions in the event of a major operational disruption. Cross border
communications mechanisms for financial institutions should:
a) Take into account the implication of disruption of its business operations
in one jurisdiction that significantly affect a subsidiary, branch or
correspondent operations in other jurisdictions.
16
b) Establish communication procedures for sharing information, views and
assessments among authorities based in different jurisdictions and at
different levels.
c) Establish a directory of contacts for the various non-domestic financial
authorities, supervisory bodies, treasuries, risk management/business
continuity specialists.
d) Ensure contact details are kept up to date on at least a quarterly basis.
PART IV. REMEDIAL MEASURES
4.1 Remedial measures– Central Bank may pursue any or all remedial actions
as provided in Sections 33,34 and 55 of the Banking Act.
PART V. EFFECTIVE DATE
5.1 Effective date: 1st March 2008.
ENQUIRIES – Any enquires on this Guideline should be addressed to:
The Director
Bank Supervision Department
Central Bank of Kenya
P.O. Box 60000-00200
NAIROBI
TEL. 2860000 e-mail: [email protected]
17
Glossary
1.4.1 ‘Alternate Site’ means a site held in readiness for use in the event of a major
disruption that maintains an organisations’ business continuity.
1.4.2. ‘Business Continuity’ is a state of continued, uninterrupted operation
of a business.
1.4.3 ‘Business Continuity Management’ is a holistic business approach that
includes policies, standards , frameworks and procedures for ensuring that
specific operations can be maintained or recovered in a timely fashion in
the event of disruption. Its purpose is to minimise the operations, financial,
legal, reputational and other material consequences arising from disruption.
1.4.4 ‘Business Continuity Plan’ means a comprehensive, documented plan of
action that sets out procedures and establishes the processes and systems
necessary to continue or restore the operation of an organisation in the
event of a disruption.
1.4.5 ‘Business Impact Analysis’ means the process of identifying, and measuring
(quantitatively and qualitatively) the business impact loss of business
processes in the event of a disruption. It is used to identify recovery priorities,
recovery resource requirements and essential staff and to help shape the
business continuity plan. All impacts should be measured on financial,
regulatory, legal and reputational damage basis.
1.4.6 ‘Call Tree’ means a system that enables a list of person/roles organizations
to be contracted as part of an information/communication plan.
1.4.7 ‘Communication Protocols’ means an established procedure for
communication that is agreed in advance between two or more par ties
internal or external to an institution. Such procedure also includes the nature
18
of the information that should be shared with internal and external parties
and how certain types of information should be shared with internal and
external parties.
1.4.8 ‘Critical Services’ means any activity, function, process or service, the loss of
which would be material to the continued operation of a financial
institution.
1.4.9 ‘Crisis’ an event, occurrence and/or perception that threatens the
operations, staff, shareholder value, stakeholders, brand, reputation, trust
and/or strategic/business goals of an institution.
1.4.10 ‘Crisis Management Team’ means a team consisting of key executives, key
role players (i.e. legal counsel, facilities manager, disaster recovery
coordinator), and the appropriate business owners of critical functions who
are responsible for recovery operations during a crisis. Evaluation of
capability, training, testing of Crisis Management teams maturity level must
be documented.
1.4.11 ‘Disaster’ means a sudden, unplanned catastrophic event that
compromises an organization’s ability to provide critical functions,
processes, or services for some unacceptable period of time, causing
unacceptable damage or loss.
1.4.12 ‘Emergency Response Team’ means any organization that is responsible for
responding to hazards to the general population (e.g. fire brigades, police
services, hospitals)
1.4.13 ‘Exercising’ means the process through which business continuity plans are
tested, rehearsed in a controlled environment using team members and
staff.
19
1.4.14 ‘Major operational disruption’ means high impact disruption of normal
business operations, affecting a large geographic area and adjacent
communities that are economically integrated to it.
1.4.15 ‘Operational Risk’ means the risk of loss fro m inadequate or failed
internal processes, people and systems or from external events.
1.4.16 ‘Recovery’ means the rebuilding of a specific business operation
following a disruption to a level sufficient to meet outstanding
business obligations.
1.4.17 ‘Recovery Objective’ means a predefined goal for recovering specific
business operations and supporting systems to a specified level of service
(recovery level) within a defined period following a disruption. (recovery
time).
1.4.18 ‘Recovery Time’ (RTO) means the duration of time required to resume a
specified business operation. It has two components, the duration of time
from activation of the business continuity plan and the recovery of business
operations.
1.4.19 ‘Recovery Point Objective’ (RPO) describes a point in time to which data,
must be restored from backup storage for normal operations to resume if a
computer, system, or network goes down as a result of a disruption.
1.4.20 ‘Resilience’ means the ability of an organisation, network, activity, process
or financial system to absorb the impact of a major operational disruption
and continues to maintain critical operations or services.
1.4.21 ‘Risk Assessment’ means the probability and impact of specific threats
being realised.
20
1.4.22 ‘Single point of failure’ a unique source of a service, activity, and/or process
where, there is no alternative and whose loss could lead to the failure of a
critical function.
21


Use: 0.041