BUSINESS CONTINUITY MANAGEMENT

Applicability

1. The Prudential Guideline is applicable to financial institutions licensed and deemed by the Central Bank of Solomon Islands (CBSI).

Purpose of Prudential Guideline

2. The Prudential Guideline aims to provide Financial Institutions (FIs) with a minimum framework for Business Continuity Management, to ensure that Critical Business operations can be maintained or recovered in a timely fashion through the period of disruption caused by disaster events.

3. The Prudential Guideline also aims to ensure that each FI implements a whole of business approach to Business Continuity Management, relative and appropriate to the nature and scale of its operations. BCM increases resilience to Business Disruption arising from internal and external events and may reduce the impact on the FI’s operations, reputation, profitability, depositors and other stakeholders.

4. The key requirements include:

a. Board and Proxy Board-approved and documented BCM policy that sets out its objectives and approaches in relation to BCM.

b. Business Continuity Plan that documents procedures and information which enable FIs to manage business disruption in accordance with the BCM policy.

c. Review and test the BCP on an annual basis, or more frequently as required, as well as periodic review by the internal audit function or an external expert; and

d. Notify CBSI in the event of certain disruptions and provide certain reports.

Definitions

5. As used in the Prudential Guideline, the following terms, unless otherwise clearly indicated by the context, have the meaning specified below.

“Business Continuity Management (BCM)” – means the development, implementation, and maintenance of plans, resources and actions to ensure specific operations can be maintained or recovered in a timely fashion in the event of a significant, untoward crisis event.

“Business Continuity Planning (BCP)” – means a financial institution’s risk management strategy for threats that may terminate or significantly disrupt core business. It involves mitigation activities and contingency planning for response and recovery actions. BCP necessarily embraces disaster recovery planning.

“Critical Business” – means business functions, resources, and infrastructure that may, if disrupted, have a material impact on the financial institution’s business functions, operations, reputation, profitability, depositors and other stakeholders.

“Country Head” – means a Chief Executive Officer, a Country Manager, a General Manager, or a similar designation accorded to an officer who heads the branch or a subsidiary of a foreign incorporated financial institution in Solomon Islands.

“Event” – means occurrence of a particular set of circumstances that creates an actual or potential emergency or disaster or other crisis situation.

“Business Impact Analysis (BIA)” – means the process of analyzing business functions and the effect that a business disruption might have upon them.

“Business Disruption” – means an event that interrupts normal business, functions, operations, or processes whether anticipated or unanticipated.

“Risk Assessment” – means a formal but often subjective process of risk identification, risk analysis and risk evaluation.

“Recovery Strategy” – means an approach taken by a financial institution to restore its critical functions, operations, and systems to their normal status and ensure continuity following a disaster event.

“Disaster Recovery Plan” – means technology and equipment, and facilities used in BCM activities impacted by the incident.

“Proxy Board” – means the Country Head of a branch of a foreign incorporated financial institution.

“Senior Management” – means the Country Head and senior departmental managers of the financial institution.

Business Continuity Guideline Requirements

6. Each FI is required to develop a Board-approved or Proxy Board-approved BCM policy. This would allow the financial institution to identify, assess, and manage potential business continuity risks to be able to meet its financial and service obligations.

7. Each FI’s BCM must be documented, appropriate to its nature, size, and complexity, and at a minimum include:

a. BCM policy that sets out its objectives and approaches in relation to BCM;

b. recovery objectives and strategies;

c. a BCP that includes crisis management, critical business management and recovery; and

d. programs for reviewing and testing of BCP and for training and awareness of staff in relation to BCM.

8. Each FI must consider in its BCM policy different types of likely Events to which it may be vulnerable, and identify Critical Business functions, including those where there is dependence on external vendors, or other third parties, for which rapid resumption would be essential.

9. At a minimum, an FI’s BCM must include Business Impact Analysis (BIA), Risk Assessment, Recovery Strategy, BCP and Disaster Recovery Plan (DRP) for IT and a regular review, testing and maintenance of the BCM.

Roles and Responsibilities

10. The Board, as in the case of a locally incorporated FI or a subsidiary of a foreign incorporated FI, or the Proxy Board Directors, as in the case of a branch of a foreign incorporated FI, is responsible for the risk management of potential business continuity risks to ensure that the FI is able to meet its financial and service obligations to its depositors and other creditors.

11. The Board or its proxy remains responsible for BCM whether or not business operations are outsourced or are provided as part of a group.

12. Senior Management must similarly establish clear lines of accountability and reporting for individuals with BCM responsibility.

Business Impact Analysis

13. A BIA involves identifying and addressing the impact of a disruption on all Critical Business functions, resources, and infrastructure of the financial institution.

14. When conducting the BIA, the FI must consider:

a. plausible disruption scenarios and/or Events over varying periods of time;

b. the period of time for which the FI could not operate without each of its Critical Business operations;

c. the extent to which a disruption to the Critical Business operations might have a material impact on the interests of depositors of the financial institution; and

d. the financial, legal, regulatory, and reputational impact of a disruption to an FI’s Critical Business operations over varying periods of time.

Recovery Strategy

15. Each FI must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA and the size and complexity of the FIs.

Business Continuity Planning

16. Each FI must maintain at all times a documented BCP that meets the objectives of the BCM Policy.

17. The BCP must document the procedures and information that enable the FI to:

a. manage an initial Business Disruption (crisis management); and

b. recover Critical Business operations.

18. The BCP must reflect the specific requirements of the FI and must identify:

a. Critical Business operations;

b. recovery levels and time targets for each Critical Business operation;

c. recovery strategies for each Critical Business operation;

d. infrastructure and resources required to implement the BCP;

e. roles, responsibilities, and authorities to act in relation to the BCP; and

f. communication plans with staff and external stakeholders.

Review and testing of the BCP

19. FIs must review and test their BCP at least annually or more frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM objectives.

20. Test reports must be formally reported to the Board or Proxy Board.

21. The BCM and BCP must be amended to reflect any deficiencies and enhancements identified as a result of the review and testing required under paragraph 19.

22. To facilitate its understanding of an FI’s BCM and BCP measures, CBSI may send observers to an FI’s BCP testing exercise.

Notification Requirements

23. FIs must notify CBSI as soon as possible and no later than 24 hours after experiencing a major disruption that has the potential to have a material impact on the FI’s risk profile or affect its financial soundness. The notification must address the nature of the disruption, the actions being taken or likely to be taken, the likely effect and timeframe for the return to normal operations. CBSI may require or request additional reporting or updates from FIs during the disruption and recovery phase.

24. FIs must notify CBSI when the BCP is removed and normal operations resume, and provide a report on the disruption identifying the problem and incident, root cause(s), action or remediation efforts undertaken, and amendments made to policy and procedures as a result of the incident; and testing.

External Audit

25. An FI’s internal audit function, or an external expert, or a duly approved external auditor, must periodically review the BCP and provide an assurance to the Board or the Proxy Board that:

a. the BCP is in accordance with the FI’s BCM Policy and addresses the risks it is designed to control; and

b. testing procedures are adequate and have been conducted satisfactorily.

Reporting Requirements to the CBSI

26. Each FI must submit to the CBSI a copy of the test results reported to the Board or its proxy under paragraph 20.

Implementation

27. FIs have a transition period of ninety (90) calendar days from the effective date to complete the following:

a. Report on their compliance with this Prudential Guideline.

b. Submit to CBSI a plan and timeframe for rectifying areas of non-compliance with this Prudential Guideline.

Enforcement and Corrective Measures

28. An FI which fails to comply with the requirements contained in this Prudential Guideline or to submit certain reports to the CBSI, which are materially inaccurate, will be considered in breach of the guideline and therefore may be subject to a monetary penalty.

29. The CBSI may pursue any or all corrective measures as provided in section 16 of the Financial Institutions Act 1998 (as amended) to enforce the provisions of this Prudential Guideline, including:

a. Issuance of an order to cease and desist from the unsound and unsafe practices; and

b. Action to replace or strengthen the management of the financial institution.

Effective Date

30. The effective date of this Prudential Guideline is December 1, 2017.

Issued this 31st day of October 2017.