BSD Circular No - 13 of 2004-BCP Guidelines

BCP guideline of SBP

Uploaded by

Mudassar Patel

Circulars/Notifications - Banking Supervision Department

BSD Circular No. 13 of 2004
September 04, 2004

The Presidents/ Chief Executives


All Banks/DFIs

Dear Sirs/Madam,

Guidelines on Business Continuity Planning

In the present day world, ‘Business Continuity Planning’ is becoming more and more important. Today, we are faced with multiple
internal as well as external threats, some of which are man-made and others natural, e.g., earthquakes, fire, wars, terrorist
attacks, etc. In the fast changing, but highly vulnerable environment, ‘emergency preparedness’ deserves attention while strategic
planning for the business is underway.

2 Therefore, there is a need for making comprehensive arrangements for Business Continuity Planning in the form of instituting
physical security measures so that operational sustainability of individual institutions and that of the industry is ensured. In terms
of Para 5.10.1 of “Risk Management Guidelines” issued vide BSD Circular No.07 dated August 15, 2003, it has already been advised
that banks should have in place contingency and business continuity plans to ensure their ability to operate as going concerns and
minimize losses in the event of severe business disruptions.

3 Business Continuity Planning (BCP) means the level of readiness in the face of any actual or potential danger, damage, and
disaster. BCP, being a risk-based framework, is a proactive process and deals with operational risk by developing policies, strategies,
and specific responsibilities for the recovery of critical business functions. Most importantly, it should be commensurate with the
institutions’ nature, scale and complexity of business activities.

4 The following recommendations/guidelines are put forth to facilitate the banks/DFIs in building or improving upon their BCP:

a) Responsibility: The ultimate responsibility for business continuity planning (preparedness and recovery) following any operational
disruptions rests with the institutions’ Board of Directors and the Senior Management. Therefore, both groups should familiarize
themselves with the objectives, issues and techniques of BCP. Further, the Senior Management will be the architect of the policies,
procedures and documents, and the Board of Directors will approve them and ensure their regular updation and improvement.

b) Components of BCP: Depending on the size, scale and complexity of the business, institutions may adopt BCP having the following
components: clear-cut policy and adequate budget; key persons’ detailed description of roles/responsibilities; emergency plan for
accessibility or movement of staff to primary/backup sites; succession plans for critical staff and senior management; business
impact analysis; detailed program for the development, implementation, and maintenance of BCP; program for training and
awareness of staff; and coordination with external parties and maintenance contracts / service level agreements (including
authorities, interdependent parties, etc.)

In addition to the above, BCP organization & policy decision making in emergencies include: identification of organization which will
handle the emergency at the main site and at the back-up site; identification of critical (time sensitive) functions; location &
suitability of operations back-up site and availability of necessary facilities for resuming critical functions within 24 hours;
identification of critical documents / data which needs to be regularly backed up and arrangement of storage of backups on offsite
location or disaster recovery site; emergency call tree; recovery time objectives; evacuation plans; and updation & testing of BCP.

c) Critical Business Line: On account of different business focus, market niche and customers’ expectations, critical business
functions differ among institutions. It must be clear that institutions themselves are responsible for determining their critical
business functions, e.g., completing payment instructions, clearing and settling transactions, fulfilling end-of-day funding and
collateral obligations, managing customers’ risk positions and investor or public confidence, etc. In case of any emergency, banking
institutions should ensure that their critical and time sensitive business functions resume at the earliest. With reference to
technology-based services/products, there should be arrangements for ensuring their delivery manually when the technology is
unavailable or not working during the system downtime.

d) Geographic Concentration: The vulnerabilities are associated with the current geographic concentration of market participants
and some of their backup facilities. The geographic diversity for critical operations and backup facilities should be a key
consideration of BCP.

e) Centralization of Operations: Financial institutions tend to get economic benefit of centralization of critical business functions but
it should be noted that in case of disruptions it becomes more difficult to recover or replace critical information and staff. In such an
event, the likelihood of quick recovery is low. It is, therefore, important to find the right balance between mitigating concentration
risk and not losing the efficiencies gained from the centralization of business processes and critical staff. Institutions are encouraged
to innovate and explore different possibilities of mitigating concentration risk.

f) Recovery Time Targets: Institutions need to define their targets for resumption of their core business operations as well as
full-fledged functioning of their business. Although in practice, depending on the situation, expectations for recovery time may differ,
some critical functions should continue with minimal, if any, disruption, even in the event of a major challenge. Moreover,
the plan should have the capacity to deal with the possibility of longer-term disruptions and to accommodate normal or increased
volume of transactions.

g) Testing: Regular, complete and meaningful testing/validation of BCP should not be taken just as a compliance issue or an item on
the checklist, but as a critical part of business operations. Institutions must ensure that at the time of need, operations from their
active and backup sites do not face problems of connecting and communicating. The internal auditor should verify that the drilling
exercise has been conducted as per the plan.

h) Updation & Improvement: All of us understand that changes in technology, business processes and staffs’ roles and
responsibilities can affect the appropriateness of the BCP. Ultimately, all this may affect the institutions’ state of preparedness. It is,
therefore, important to regularly update and improve the functionality and effectiveness of their BCP. This will not only ensure their
relevance and operational viability, but also familiarize the staff with the location of the recovery site as well as the recovery
procedures.

i) Compliance: At this point in time it is beneficial for the banks / DFIs to take appropriate measures for compliance with these
guidelines depending upon the factors like size of the institution, complexity of activities the institutions engage in, the different
markets in which they conduct transactions, etc. We encourage banks/DFIs to keep themselves abreast of the best international
practices and revise their BCP as and when circumstances warrant.

5 It may be noted that the above guidelines are issued with a view to help strengthen overall resilience of the financial system.
Development of robust and practical contingency and security plans, involving participation from all concerned areas of
organization, will ensure that banks / DFIs have the capacity to deal with an unexpected situation that might flow from sudden,
internal as well as external events. Some institutions might have already planned and achieved much, yet all of us must view the
developments, both at home and abroad, as a wake-up call and ensure that an optimal combination of plans, tools, systems and
people exists with the ability to survive any tribulations.

6 Banks/DFIs are advised to incorporate BCP in their regular business operations, within six months of the date of issue of these
guidelines. During the course of inspection of banks / DFIs, our Banking Inspection Department will look into the adequacy of the
BCP and the arrangements thereof.
Please acknowledge receipt.

Yours faithfully,
Sd/-

(JAMEEL AHMAD)
Director
