Singapore publishes new financial guidelines to address business continuity – Asia Law Portal


On 6 June 2022, pursuing two rounds of consultations, the Financial Authority of Singapore (MAS) published revised Guidelines on Business enterprise Continuity Management (BCM), updating the current patchwork of main and subsidiary laws. This iteration of the guidelines (2022 Pointers) introduces a slew of alterations which are anticipated to be adopted by 6 June 2023 and is the greatest update in nearly two decades – considering the fact that the original launch in 2003.

Authors: Hagen Rooke, Bryan Tan, Charmian Aw, Nina Carlina Sugianto, Bernice Tian, Leon Goh (Source Law LLC)

Crucial modifications

Crucial organization solutions and features

Under the 2022 Pointers, Monetary Institutions (FIs) need to detect their essential company expert services mainly because several constraints stop FIs from resuming all enterprise solutions and capabilities rapidly when disruptions happen.

However, FIs can formulate recovery approaches that prioritise crucial providers. In formulating these techniques, FIs must adopt an conclude-to-conclusion see of the essential company services’ dependencies, contemplating both of those the specific processes and the other processes supporting the supply of the crucial expert services.

FIs should really take into account:

  • their basic safety and soundness
  • their prospects, acquiring regard to the number and profile of customers impacted, as properly as the manner in which they are impacted and
  • other FIs that count on the organization expert services.

With the onus on FIs to guarantee obvious accountability and obligation for the business enterprise continuity of their critical business enterprise solutions, FIs ought to also guarantee that there are staff appointed to oversee the restoration and resumption of each individual vital organization support in the function of a disruption.

Support recovery time objective (SRTO)

The moment the important enterprise services have been discovered, the FI ought to build an SRTO for each of these products and services. In establishing the SRTOs, the FI should take into consideration:

  • its obligations to its prospects
  • the other FIs that depend on the small business expert services and
  • the feasibility of reaching the established SRTO, specifically for crucial enterprise providers that require additional dependencies.

Thus, the recovery strategies in spot should really permit FIs to achieve the established SRTOs and restore the disrupted solutions to the stage essential to meet up with their small business obligations.

FIs ought to also be ready for the risk of partial disruptions (which would include intermittent or diminished overall performance that is not tantamount to a entire unavailability of company). When confronted with these kinds of a prospect, FIs ought to have apparent conditions to establish if their organization continuity designs (BCPs) need to be activated in advance of the predicament success in a significant effect.

Dependency mapping

Amid an ever more interconnected monetary ecosystem, the 2022 Tips emphasize hazards arising from the expanding reliance on widespread IT devices and third get-togethers. To mitigate these threats, FIs are suggested to establish and map the end-to-conclude dependencies covering persons, procedures, technology and other means (such as those people involving third parties) that help each crucial company support.

By accomplishing so, FIs will be able to establish resources significant to company shipping and tackle any prospective gaps that could hinder the usefulness and safe recovery of the important business enterprise solutions. This details can also guide in formulating the recovery strategies talked over higher than.

As for dependence on third functions, the 2022 Pointers recognise the reality of at any time-growing interconnectivity inside of the economic technique. Nonetheless, FIs must nevertheless make certain that third parties are equipped to meet the SRTOs of their crucial company providers. This can be accomplished by:

  • examining the agreements with third events to consist of particular and measurable recovery expectations that assistance the FI’s BCM
  • ensuring that the BCPs of 3rd events meet suitable standards and are on a regular basis analyzed
  • establishing preparations with 3rd events to safeguard the availability of key methods
  • conducting audits on the 3rd get-togethers or
  • executing joint assessments with third parties.

Risk of concentration

When various essential business services and/or features are outsourced to a one provider service provider, there is an enhanced risk of concentration. As a result, the 2022 Rules propose the following techniques to mitigate the possibility of focus and minimize the impact in the celebration of a disruption:

  • have different principal and secondary internet sites for critical business enterprise services and functions, or infrastructure (these types of as information centres) in distinct zones, to mitigate large-place disruption
  • individual critical business capabilities into different zones to mitigate the danger of shedding many vital business features, and the crucial company expert services that they aid, pursuing broad-location disruption
  • deploy critical personnel across distinctive zones, or set up reserve crew arrangements to do away with dependency on a one labour pool
  • detect crucial capabilities or roles, and acquire cross-teaching programmes to make versatility for essential staff concerned in these roles
  • activate cross-border assist as a contingency during disruptions or
  • engage an option support supplier to allow for for redundancy, or so that they can be activated to give fast guidance when the key services provider is unavailable.

Ongoing review and enhancement

Even though it is pure for FIs to consistently improve their company procedures by incorporating new get-togethers or technological know-how, the reliance on technology and third events is accompanied by better possibility exposure, which FIs ought to tackle proactively by:

  • actively checking and determining external threats and developments that could disrupt standard functions as perfectly as any rising threats that could pose a possibility to enterprise continuity
  • owning in spot a system to alert inside stakeholders and senior management to the existence of threats in a well timed manner
  • consistently reviewing their BCM measures to determine spots of advancement and deal with any gaps. This really should be carried out in certain next operational disruption, around misses, or incidents in other organisations, to improve enterprise continuity preparedness and
  • regularly evaluating the will need for additional instruments and automation to permit them to manage incidents or disruption a lot more correctly.

Usually, it is suggested that FIs evaluation their essential business enterprise expert services and functions, and the respective SRTOs and restoration time targets (RTOs) and their dependencies, at minimum per year or every time there are content modifications that impact them.


As aspect of its BCM preparedness, the FI ought to conduct regular and in depth testing. Having said that, for the screening to be successful, the 2022 Guidelines advocate that the proposed take a look at routines meet up with the pursuing goals:

  • the tests should validate and measure the performance of the BCPs employing acceptable metrics, and remediate any gaps or weaknesses that are discovered in the recovery approach
  • staff (such as those of relevant 3rd parties) who are included in business continuity and crisis administration really should be acquainted with their roles and responsibilities so as to improve coordination and make certain seamless execution of the numerous ideas
  • to prepare senior administration and staff concerned in disaster management, the proposed check should really not only inform them of likely locations of worry that could crop up in a disaster, but also enable them to practise generating choices beneath simulated ailments, including eventualities that have to have prioritising the restoration of competing vital enterprise services and functions
  • to make certain the relevance and effectiveness of the FI’s BCPs, the programs should be strain-examined beneath extraordinary, but plausible, scenarios so as to greater mitigate the effect of severe disruptions and
  • the FI should validate that the set up restoration strategies can obtain the SRTOs of its crucial enterprise products and services and RTOs of its essential company capabilities.

The FI must also correctly document all its exam data in element, together with the test targets, scope, situation design, participants involved, benefits and follow-ups for every single exam. Gaps and weaknesses discovered from the FI’s company continuity testing must then be described to senior management.

In response to these conclusions, remedial actions must be taken to enhance the existing recovery procedures. There must also be a official procedure to comply with up on the remedial steps, and the efficacy of the remediation steps undertaken really should also be validated at subsequent assessments.

The 2022 Tips also strongly urge FIs to participate in field and cross-sector exercise routines to bolster joint response and coordination, and strengthen the performance of the fiscal sector’s in general company continuity functionality.


Underneath the 2022 Tips, it is suggested that FIs audit their overall BCM framework and the BCM of every of their significant business providers at least the moment each and every three decades. The audit really should be finished by a qualified celebration that is impartial and has the important BCM expertise and know-how to complete the audit. Even though the audit really should assess the adequacy and performance of the FI’s BCM, distinct focus ought to be presented to better hazard spots determined from the FI’s hazard evaluation, previous audit findings, and related incidents.

Once the audit conclusions have been released, the FI ought to keep track of and check the implementation of sustainable remedial steps. Any substantial audit findings on lapses that could have a serious impact on the FI’s BCM need to also be escalated to the board and senior administration. Furthermore, the FI need to post the BCM audit stories to MAS on ask for.

Incident and crisis administration

To ensure that senior management is properly placed to react to a crisis, the 2022 Suggestions counsel that the FI must have in spot:

  • a crisis management structure with obviously outlined roles and chain of command (such as designating alternatives to principal associates)
  • a established of pre-described triggers and requirements for well timed activation of the disaster management framework
  • options and processes to guidebook the FI on the course of action and decisions to be created during a crisis
  • instruments and processes to aid well timed updating and assessment of the most recent predicament to guidance decision-building for the duration of a crisis
  • a record of all internal and external stakeholders that need to be informed when a important organization service is disrupted, as perfectly as interaction options and needs (drawer designs, notification conditions, notification timelines, update frequency, and so forth.) for just about every stakeholder
  • conversation channels, together with mainstream and social media, to correctly connect with its stakeholders, like choice channels that can be used when the key interaction channel is unavailable
  • a conversation channel with personnel to update them on developments all through an incident and
  • an in general coordinator to coordinate incident management and recovery exactly where the shipping and delivery of a small business company relies upon on numerous company capabilities.

In addition, the FI must notify MAS as shortly as attainable, but not later than one particular hour, subsequent the discovery of incidents in which small business operations have been severely disrupted, or when the BCP is going to be activated in response to an incident. When notifying MAS, the FI really should offer information and facts as for each the MAS incident reporting template.

Duties of board and senior administration

In a departure from the former suggestions, the 2022 Pointers area a increased emphasis on the obligations of the board and senior administration. The tasks of equally organs, when related, are distinct.

The board, or the committee delegated by it, will have to make sure that:

  • the proven BCM framework is able to take care of possible operational disruptions and to meet up with the FI’s small business wants and obligations
  • a BCM function is established and sufficiently resourced to oversee the organisation-wide implementation of the BCM framework and reach the wanted point out of small business continuity preparedness
  • senior management, which is accountable for executing the FI’s BCM framework, has sufficient authority, competency, assets, and access to the board
  • the usefulness of the BCM framework is routinely reviewed and evaluated towards exterior functions, variations in chance profiles and enterprise priorities, or new procedures, programs, or products or companies and
  • an unbiased audit is done to evaluate the performance of controls, possibility management and governance of the FI’s enterprise continuity preparedness.

As for senior management, they have the accountability to make sure:

  • the BCM framework is set up to assistance and handle the growth, implementation, and servicing of effective BCPs and steps, having into consideration 3rd parties’ recovery preparations
  • sound and prudent guidelines, specifications and techniques for handling operational disruptions are recognized and taken care of, and standards and procedures are executed successfully
  • roles and duties for protecting the FI’s company continuity preparedness are founded and described plainly
  • measurable plans and metrics are used to evaluate the FI’s general small business continuity preparedness
  • company expert services and capabilities that are essential to the FI are discovered, and their SRTOs and RTOs are commensurate with its business enterprise desires and obligations
  • the BCPs and the disaster administration and communications framework are tested on a frequent basis to validate their efficiency towards extraordinary, but plausible, operational disruption scenarios and validate that the vital small business products and services and features are able to recuperate in line with their SRTOs and RTOs
  • gaps and weaknesses identified from the FI’s small business continuity testing, post-mortems of incidents, audits, or other danger administration programmes (e.g., hazard and handle self-assessments) are remediated in a well timed manner and
  • a schooling programme is founded and reviewed each year to be certain that all staff members who have a job in the FI’s BCM are familiar with their roles and responsibilities.

Senior management should offer an once-a-year attestation to the board as to the point out of the FI’s BCM preparedness, the extent of its alignment with the 2022 Tips, and crucial issues requiring the board’s attention, these kinds of as important residual danger. The attestation ought to also be supplied to MAS upon request.


Our attorneys are seasoned and remarkably acquainted with the most recent developments in the money sector. If you would like to talk about any difficulties lifted previously mentioned, you should achieve out to our crew beneath or to your common Reed Smith speak to.

Reed Smith LLP is certified to run as a international regulation observe in Singapore below the title and model, Reed Smith Pte Ltd (hereafter collectively, “Reed Smith”). In which tips on Singapore regulation is expected, we will refer the make any difference to and work with Reed Smith’s Official Legislation Alliance associate in Singapore, Useful resource Regulation LLC, in which required.

In-depth 2022-156


Source hyperlink