WeChat official account: 业务连续性+ (Business Continuity+)

Monetary Authority of Singapore, Business Continuity Management Guidelines (2022 edition): Chinese abridged translation

Foreword: More and more people are beginning to pay attention to operational resilience. In fact, although the field is still developing rapidly, some consensus has already formed. The financial industry is one of the industries that pays the most attention to operational resilience; in recent years, financial regulators in several developed countries/regions and the Basel Committee on Banking Supervision have successively issued or revised formal documents on operational resilience and business continuity management. To let more professionals and enthusiasts learn about international progress in operational resilience, and study and practise its good practices, over the past two years I organised two rounds of volunteer translation, translating operational resilience materials from the Basel Committee on Banking Supervision and the UK financial regulators, including:
"Principles for Operational Resilience", Chinese abridged translation (Basel Committee on Banking Supervision) (23 November 2021)
"Revisions to the Principles for the Sound Management of Operational Risk", Chinese abridged translation (Basel Committee on Banking Supervision) (29 November 2021)
"Operational Resilience: Impact Tolerances for Important Business Services", Chinese abridged translation (joint note by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)) (26 November 2022)
"Policy Statement PS6/21 – Operational Resilience: Impact Tolerances for Important Business Services", Chinese abridged translation (PRA operational resilience policy statement) (27 November 2022)
"PRA Rulebook: CRR Firms, Solvency II Firms: Operational Resilience Instrument 2021", Chinese abridged translation (Appendix 1 to the PRA operational resilience policy statement – the Operational Resilience Part of the PRA Rulebook) (28 November 2022)
"PRA Supervisory Statement SS1/21 'Operational Resilience: Impact Tolerances for Important Business Services'", Chinese abridged translation (Appendix 2 to the PRA operational resilience policy statement – Supervisory Statement SS1/21) (1 December 2022)
"PRA 'Operational Resilience' Policy Explanation", Chinese abridged translation (Appendix 3 to the PRA operational resilience policy statement – operational resilience policy explanation) (2 December 2022)

In March this year, I again organised a volunteer translation group to translate operational resilience materials from the financial regulators of the United States, Ireland, Australia, Singapore and Hong Kong. Around July, the group members sent me their draft translations one after another; I will finish reviewing these materials shortly and publish them on the official account in turn.

The members of the third volunteer translation group for operational resilience materials are listed below (in no particular order; sorted by surname pinyin):
高洋 (ICBC, william.yang.gao@gmail.com)
江磊 (Shenzhen Longhua, 2014595@qq.com)
刘琪岳 (Beijing)
刘宇 (Shenzhen, 13316880733@189.cn)
刘元锋 (Beijing Rural Commercial Bank head office, liuyf@bjrcb.com)
林喆 (Guangzhou, 674441632@qq.com)
马骏 (Accenture/Dalian, patrick.ma2018@outlook.com)
孙宁莉 (Shenzhen Ren'an Consulting Services Co., Ltd., 115947186@qq.com)
王舵 (Dalian Tong'an Emergency Management Technology Co., Ltd., prekids@163.com)
徐文静 (DNV, wen.jing.xu@dnv.com)
薛春娟 (Zhoushan, Zhejiang, 793571689@qq.com)
张锋 (Beijing, zhangfeng76@wo.cn)
周可政 (Shanghai, wikikivv@gmail.com)
王曙 (Xinchang'an Technology, kevinwang@vip.sina.com)

I thank the professionals of the volunteer translation group for giving their personal time to the translation work. I was responsible for the final unified review and sign-off of the translation below; any inaccuracy or misunderstanding in it is my fault and has nothing to do with the translators. If you have comments or suggested corrections to the translation, please leave me a message.

王曙 (kevinwang), 2023.10.26


This document was published by the Monetary Authority of Singapore (MAS) on 6 June 2022 and sets out principles and practices that financial institutions can implement to strengthen their operational resilience. The original is available at: https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/bcm-guidelines/bcm-guidelines-june-2022.pdf

The Business Continuity Management Guidelines (2022 edition) state that financial institutions need to take a service-centric, end-to-end view to ensure the continued delivery of critical business services to customers. The revised Guidelines supersede the previous version published in June 2003, as well as the circular "Further Guidance on BCM" issued in January 2006.


Business Continuity Management Guidelines

1 Introduction

Preface

1.1 The proper functioning of the financial sector is underpinned by trust and confidence in the financial ecosystem’s ability to protect assets and process transactions. Operational disruptions, if not recovered speedily, may compromise the ability of financial institutions (“FIs”) to meet their business obligations, resulting in financial and reputational damage, as well as inconvenience to customers. Given that FIs are highly interconnected, severe disruptions may have a broader contagion effect on the financial system.

1.2 MAS is concerned with both the soundness of individual FIs and the stability of the financial system. FIs are thus expected to have controls in place to minimise the occurrence of operational disruptions, including the identification of potential single points of failure early on and their elimination, where possible.

1.3 Despite an FI’s best efforts to achieve operational resilience, disruptions could still occur due to various factors, some of which may not be within its control. An effective Business Continuity Management (BCM) framework is therefore critical in minimising the impact of any operational disruptions on an FI’s ability to continually deliver financial services.

Application of Guidelines

1.4 This set of MAS BCM Guidelines (hereafter referred to as “the Guidelines”) contains sound BCM principles that FIs are encouraged to adopt. FIs are ultimately responsible for their business continuity preparedness and recovery from operational disruptions. FIs should establish policies, plans and procedures to ensure that their critical business services and functions can be promptly resumed following a disruption.

1.5 The extent and degree to which an FI implements the Guidelines should be commensurate with the nature, size, risk profile and complexity of its business operations. FIs may adapt the Guidelines as necessary, taking into consideration the diverse activities they engage in, and the different markets in which they conduct transactions.

1.6 As part of its supervision, MAS will review the BCM of an FI, taking into account the extent to which the Guidelines have been observed, to assess the quality of its oversight and governance structure, internal controls, and risk management. Particular attention will be accorded to the BCM of an FI’s critical business services.

1.7 FIs’ senior management and personnel who are responsible for implementing BCM should familiarise themselves with the Guidelines and understand their intent and implications. This document provides general guidance and is not intended to be exhaustive, nor to replace or override any legislative provisions. It should be read in conjunction with the provisions of the relevant legislation, the subsidiary legislation made under the relevant legislation, as well as written directions, notices, codes, and other guidelines that MAS may issue from time to time pursuant to the relevant legislation and subsidiary legislation.

1.8 This set of Guidelines supersedes the previous version that was published in June 2003, as well as the circular titled “Further Guidance on BCM” that was issued in January 2006.

1.9 The Guidelines are applicable to all FIs as defined in Section 27A(6) of the Monetary Authority of Singapore Act.

Glossary

Terminology and definitions (as used in this document):

Business Continuity Management (BCM): A set of practices that includes putting in place policies, standards, processes, and measures to provide for continuous functioning of the FI during operational disruptions.

Business Continuity Plan (BCP): A plan that sets out the (1) roles and responsibilities, (2) resources, and (3) processes that are needed to recover and fulfil the FI’s business obligations following an operational disruption and restore its operations to normalcy.

Business Function: An activity or set of activities performed by individual organisational lines (i.e. department or unit) in the FI.

Business Service: An external-facing service that is provided to customers of the FI.

Critical Business Function: A business function which, if disrupted, is likely to have a significant impact on the FI, whether financially or non-financially.

Critical Business Service: A business service which, if disrupted, is likely to have a significant impact on the FI’s safety and soundness, its customers or other FIs that depend on the business service.

Dependency Mapping: A process to identify and understand the internal and external dependencies on people, processes, technology, and other resources (including those involving third parties) for each critical business service.

Recovery Time Objective (RTO): Target duration of time to restore a specific business function from the point of disruption to the point when the specific business function is recovered to a level sufficient to meet business obligations.

Service Recovery Time Objective (SRTO): Target duration of time to restore a specific business service from the point of disruption to the point when the specific business service is recovered to a level [1] sufficient to meet business obligations.

Recovery Strategy: A defined, management-approved and tested course of action by the FI to ensure the recovery and continuity of business services and functions in the event of operational disruptions.

2 Critical Business Services and Functions

2.1 Business functions underpin the provision of business services to an FI’s customers. When a business function is disrupted, all the business services that are dependent on it could be disrupted, and as a result, amplify the operational or business impact to the FI. There may also be some business functions that do not directly contribute to business services [2], but their disruption could impact an FI’s safety and soundness.

2.2 In the event of a disruption, it might not be practical nor possible to recover all business services and functions at the earliest opportunity due to time and resource constraints. The FI should therefore prioritise the recovery of its business services and functions based on their criticality, and determine the appropriate recovery strategies and resource allocation.

2.3 The FI should identify [3] its critical business services (refer to Appendix: Examples of Business Services) and functions by considering the impact of their unavailability on:
(a) the FI’s safety and soundness [4];
(b) the FI’s customers, based on the number and profile [5] of customers affected, as well as how they are impacted; and
(c) other FIs that depend on the business service.

2.4 In establishing recovery strategies, the FI should adopt an end-to-end view of the critical business services’ dependencies, to not only consider the recovery of individual processes, but the complete set of processes supporting the delivery of the service. This will minimise the degree of disruption, safeguard customer interests and maintain the safety and soundness of the FI.

2.5 The FI should ensure clear accountability and responsibility for the business continuity of its critical business services. The FI should appoint personnel to oversee the recovery and resumption of each critical business service in the event of a disruption.

3 Service Recovery Time Objective

3.1 The FI should establish a Service Recovery Time Objective (SRTO) for each critical business service. The SRTO, being a time-based metric, provides clarity within the FI on the expected recovery timelines for each business service. This will help to guide the prioritisation of resources during planning, and facilitate decision-making and monitoring of the recovery progress in a disruption.

3.2 In establishing SRTOs, the FI should take into consideration its obligations to customers, as well as other FIs that depend on the business services. The FI is expected to put in place recovery strategies [6] to enable it to achieve the established SRTOs and recover to the service levels required to meet its business obligations. For critical business services that are supported by a number of business functions, the FI must ensure that the Recovery Time Objectives (RTOs) of the underlying business functions and their dependencies will meet the SRTOs.

3.3 The FI should also set out clearly defined criteria for BCP activation when a critical business service encounters partial disruption (including intermittent or reduced performance that is not tantamount to a complete unavailability of service). This will guide the FI in activating its BCP in a timely and decisive manner, before the service degradation worsens to the point that it results in severe impact.

4 Dependency Mapping

People, Processes, Technology and Other Resources

4.1 The financial sector has become increasingly interconnected with the growing reliance on common IT systems and third parties. As a first step to mitigate the risks arising from these linkages, the FI should identify and map the end-to-end dependencies covering people, processes, technology and other resources [7] (including those involving third parties) that support each critical business service.

4.2 The dependency mapping will enable the FI to identify resources critical to the service delivery, consider the implications of their unavailability, and address any gaps that could hinder the effectiveness and safe recovery of the critical business services. The FI should use the information derived from the dependency map to verify that the recovery of the business functions and their dependencies can meet the established SRTOs.

Third-Party Dependencies

4.3 Many FIs engage third parties [8] to support the delivery of their critical business services. These arrangements could increase operational risks arising from the failure, delay, or compromise of a third party in providing the service.

4.4 The FI should put in place measures that enable third parties to meet the SRTOs of its critical business services. This can be done through measures such as the following:
(a) establish and regularly review operational level or service level agreements with third parties that set out specific and measurable recovery expectations and support the FI’s BCM;
(b) review the BCPs of third parties and verify that the BCPs meet appropriate standards and are regularly tested;
(c) establish arrangements with third parties to safeguard the availability of resources, such as requesting dedicated manpower;
(d) conduct audits [9] on the third parties; or
(e) perform joint tests with third parties.

4.5 The FI should also put in place plans and procedures [10] to address any unforeseen disruption, failure or termination of third-party arrangements, to minimise the impact of such adverse events on the continuity of its critical business services.

4.6 As far as possible, the FI should put in place measures to address the disruption of common utility services [11] supporting critical business services, such as implementing redundancy or alternative contingency arrangements.

5 Concentration Risk

5.1 While there are economic benefits to be gained through the centralisation of operations, concentration risk may arise when there is concentration of people, technology or other required resources in the same zone [12]. FIs may also be exposed to concentration risk when several of their critical business services and/or functions are outsourced to a single service provider. As skilled people, information, and systems are important assets that are difficult to replace quickly, FIs will need to adopt sound and responsive risk management to address concentration risk.
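The checks that paragraphs 3.2 and 4.2 ask for (do the RTOs of the underlying business functions and their dependencies meet each SRTO?) and the two concentration patterns named in 5.1 (resources in the same zone; several critical services on one provider) can be run mechanically over a dependency map. The following is example code written for this translation, not tooling from MAS or the Guidelines; the service names, RTO values, zone and provider labels are constructed, and the recovery-time model (a node's own recovery finishes only after its slowest dependency is back, so times add along the chain) is a conservative assumption, not one the Guidelines prescribe.

```python
"""Dependency-map checks: SRTO feasibility, shared dependencies (single points
of failure) and concentration risk. Constructed example, not MAS tooling."""
from dataclasses import dataclass, field
from collections import defaultdict


@dataclass
class Node:
    name: str
    kind: str                  # "service", "function", "technology", "third_party"
    rto_hours: float = 0.0     # RTO of this node itself (0 for a service: it carries an SRTO)
    depends_on: list = field(default_factory=list)
    zone: str = ""             # site/zone hosting the resource, for concentration checks
    provider: str = ""         # third-party provider, if the resource is outsourced


class DependencyMap:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def effective_rto(self, name, _chain=()):
        """Worst-case hours to restore `name`. Assumption (conservative): a node's
        own recovery completes only after its slowest dependency is back."""
        if name in _chain:
            raise ValueError(f"circular dependency through {name}")
        node = self.nodes[name]
        below = [self.effective_rto(d, _chain + (name,)) for d in node.depends_on]
        return node.rto_hours + (max(below) if below else 0.0)

    def critical_chain(self, name):
        """The dependency chain that determines effective_rto(name)."""
        node = self.nodes[name]
        if not node.depends_on:
            return [name]
        slowest = max(node.depends_on, key=self.effective_rto)
        return [name] + self.critical_chain(slowest)

    def transitive_deps(self, name):
        """Every function and resource a service (or function) relies on, directly or not."""
        seen, stack = set(), list(self.nodes[name].depends_on)
        while stack:
            d = stack.pop()
            if d not in seen:
                seen.add(d)
                stack.extend(self.nodes[d].depends_on)
        return seen

    def srto_check(self, service, srto_hours):
        """(meets_srto, worst_case_hours, chain) for one critical business service (3.2, 4.2)."""
        worst = self.effective_rto(service)
        return worst <= srto_hours, worst, self.critical_chain(service)

    def shared_dependencies(self, services):
        """Dependencies relied on by more than one critical service: candidate
        single points of failure that 1.2 asks the FI to find early."""
        users = defaultdict(set)
        for s in services:
            for d in self.transitive_deps(s):
                users[d].add(s)
        return {d: sorted(u) for d, u in users.items() if len(u) > 1}

    def concentration(self, services):
        """Zones and providers on which more than one critical service depends (5.1)."""
        by_zone, by_provider = defaultdict(set), defaultdict(set)
        for s in services:
            for d in self.transitive_deps(s):
                n = self.nodes[d]
                if n.zone:
                    by_zone[n.zone].add(s)
                if n.provider:
                    by_provider[n.provider].add(s)
        return {"zones": {z: sorted(v) for z, v in by_zone.items() if len(v) > 1},
                "providers": {p: sorted(v) for p, v in by_provider.items() if len(v) > 1}}


# Constructed sample map: two critical business services, the business functions
# supporting them, and the technology / third-party resources beneath those.
SAMPLE = DependencyMap([
    Node("Retail payments", "service", depends_on=["Payment processing", "Customer notifications"]),
    Node("Online banking", "service", depends_on=["Login and account view", "Customer notifications"]),
    Node("Payment processing", "function", 2, ["Core banking system", "Payment switch"]),
    Node("Login and account view", "function", 1, ["Core banking system", "Internet banking platform"]),
    Node("Customer notifications", "function", 1, ["SMS gateway"]),
    Node("Core banking system", "technology", 1, zone="DC-East"),
    Node("Internet banking platform", "technology", 2, zone="DC-East"),
    Node("Payment switch", "third_party", 3, provider="Acme Outsourcing (hypothetical)"),
    Node("SMS gateway", "third_party", 1, provider="Acme Outsourcing (hypothetical)"),
])
SRTOS = {"Retail payments": 4.0, "Online banking": 4.0}   # constructed SRTOs in hours


def report(dmap=SAMPLE, srtos=SRTOS):
    """Per-service SRTO verdicts plus shared-dependency and concentration findings."""
    out = {}
    for service, srto in srtos.items():
        meets, worst, chain = dmap.srto_check(service, srto)
        out[service] = {"srto": srto, "worst_case": worst, "meets": meets, "chain": chain}
    out["shared"] = dmap.shared_dependencies(srtos)
    out["concentration"] = dmap.concentration(srtos)
    return out


if __name__ == "__main__":
    for key, finding in report().items():
        print(key, finding)
```

In the sample, "Retail payments" misses its SRTO because the outsourced payment switch's 3-hour RTO sits under a 2-hour function, while the shared-dependency and concentration findings show one provider and one zone behind both services.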

5.2 The FI could consider adopting the following approaches to mitigate the risk of concentration and reduce the impact in the event of a disruption:
(a) primary-secondary site operation – separate the primary and secondary sites of critical business services and functions, or infrastructure (such as data centres), into different zones to mitigate wide-area disruption;
(b) critical business function segregation – separate critical business functions into different zones to mitigate the risk of losing multiple critical business functions, and the critical business services that they support, in a wide-area disruption;
(c) split-team and back-up team arrangements – deploy critical personnel across different zones, or establish reserve team arrangements [13], to eliminate the dependency on a single labour pool;
(d) cross-training – identify critical skills or roles, and develop cross-training programmes to build versatility for key personnel involved in these roles;
(e) cross-border support – activate cross-border support as a contingency during disruptions [14]; or
(f) alternative service provider – engage an alternate service provider for redundancy, or to be activated to provide immediate support when the primary service provider is unavailable.

5.3 Taking into consideration learnings from pandemics (e.g. SARS, H1N1, COVID-19), the FI should be cognisant of the resultant risks from the implementation of alternate work arrangements to mitigate the risk of disease transmission at workplaces. Alternative work arrangements may entail changes to policies, operational processes, and use of equipment or IT systems that pose new operational risks and other challenges [15]. The FI should also put in place mitigating controls [16] to address such new risks and challenges.

6 Continuous Review and Improvement

6.1 BCM is an ongoing effort to ensure that the measures put in place are able to address operational risks posed by the latest threats, as well as plausible threats in the future. The FI should adopt a proactive business continuity posture by embedding BCM into its business-as-usual operations and establish BCPs that address a range of severe and plausible disruption scenarios, which may evolve over time.

6.2 While globalisation and technological advancement bring about opportunities for FIs to improve their business processes, the reliance on technology and third parties also poses greater risk exposure to FIs. The FI should proactively address such risks, continuously seek out areas to enhance, and ensure that its BCM remains relevant and forward-looking. This will strengthen the FI’s ability to manage any unforeseen disruption to its business services.

Threat Monitoring, Review and Reporting

6.3 The FI should actively monitor and identify external threats and developments that could disrupt its normal operation, and have an escalation process to alert internal stakeholders and senior management about the relevant threats in a timely manner.

6.4 The FI should institute processes to conduct environmental scanning for relevant risk events, such as natural disasters, terrorism, pandemic outbreaks, and cyber incidents. FIs should also monitor public advisories issued by relevant authorities to obtain the latest information and guidance on emerging threats that may pose a risk to their business continuity.

On-going Improvement

6.5 The FI should perform a review to identify areas of improvement and address any gaps in its BCM measures following an operational disruption. The FI should also draw lessons learnt from its own near misses, as well as incidents in other organisations, to enhance its business continuity preparedness.

6.6 The FI should regularly assess the need for additional tools and automation to enable it to manage an incident or disruption more effectively. These could include implementing tools that enhance the FI’s BCM implementation or crisis management, such as automated workflows, templates and checklists, communications tools for activation and notification of personnel, as well as situational dashboards providing real-time updates on the incident.

6.7 The FI should update its BCM policies, plans, and procedures, including relevant training programmes for staff and test plans, based on changes in its operational environment and the threat landscape. The FI should also review its critical business services and functions, their respective SRTOs/RTOs and dependencies at least annually, or whenever there are material changes that affect them.

7 Testing

7.1 Testing is crucial in validating an FI’s BCM preparedness. The FI should conduct regular and comprehensive testing to gain assurance that its response and recovery arrangements are robust, and enable it to continue the delivery of critical business services and functions in a timely and reliable manner following a disruption.

7.2 The FI should plan its test activities to meaningfully test all aspects of its BCM framework, and to meet the following test objectives:
(a) validate and measure the effectiveness of the BCPs using appropriate metrics, and remediate any gaps or weaknesses that are identified in the recovery process;
(b) familiarise personnel involved in business continuity and crisis management, including those of relevant third parties, with their roles and responsibilities. This includes how the alternate sites and recovery arrangements should be operated, so as to improve coordination and ensure a seamless execution of the various plans;
(c) sensitise senior management and staff involved in crisis management to the potential areas of concern that could arise in crisis situations, and practise making decisions under simulated conditions, including scenarios that require prioritising the recovery of competing critical business services and functions;
(d) stress test BCPs under severe but plausible scenarios to allow the FI to challenge its current planning assumptions and ensure the relevance and effectiveness of its BCPs, to better mitigate the impact of severe disruptions; and
(e) verify that the SRTOs of its critical business services and the RTOs of its critical business functions can be met through the established recovery strategies.

7.3 The FI should select the types of tests [17] that best meet these objectives, and set out the frequency and scope [18] of these tests to be commensurate with the criticality of the business services and functions. The FI should also properly document all its test records, clearly indicating details such as the test objectives, scope, scenario design, participants involved, results and follow-ups for each test. Gaps and weaknesses identified from the FI’s business continuity testing should be reported to senior management.

Remedial Actions

7.4 Being able to clearly track and assign ownership of remedial actions is essential in ensuring that lessons learnt are systematically captured and used to improve the existing recovery processes. The FI should establish a formal process to follow up on the remedial actions identified in each test. The effectiveness of the remediation measures undertaken should also be validated at subsequent tests to ensure proper implementation.

Industry Exercises

7.5 FIs are strongly encouraged to participate in industry and cross-sector exercises [19] organised by government agencies, regulatory bodies, industry associations, and financial market infrastructure operators. Doing so would strengthen the joint response and coordination between institutions and improve the effectiveness of the financial sector’s overall business continuity capability.

7.6 These exercises provide opportunities for the participating institutions to evaluate and discuss the impact of the FIs’ actions on their external dependencies and the broader implications for the financial sector. This will allow FIs to gain useful insights to improve their BCM policies, plans and procedures.

8 Audit

8.1 A BCM audit is an important means to provide the FI with an independent assessment of the adequacy and effectiveness of the implementation of its BCM framework. The FI should ensure that its audit programme adequately covers the assessment of BCM preparedness based on the level of operational risk that it is exposed to.

8.2 The FI should audit its overall BCM framework and the BCM of each of its critical business services at least once every three years. The audit should assess the adequacy and effectiveness of the FI’s BCM. The audit should pay particular attention to higher-risk areas identified from the FI’s risk assessment, previous audit findings, and relevant incidents.

8.3 BCM audits should be conducted by a qualified party who possesses the requisite BCM knowledge and expertise to perform the audit, and who is independent of the unit or function responsible for the BCM of the FI.

8.4 The FI should establish processes to track and monitor the implementation of sustainable remedial actions in response to the audit findings. The FI should escalate any significant audit findings on lapses that may have a severe impact on the FI’s BCM to the Board and senior management. The FI should submit the BCM audit reports to MAS upon request.

9 事件和危机管理(9 Incident and Crisis Management)

事件管理Incident Management

9.1 金融机构应当具备健全的流程来管理事件,以便在规定的SRTOs/RTOs内恢复关键业务服务和功能。如果业务服务的交付依赖于多个业务功能,则应当任命一名总协调员来协调受影响功能之间的事件管理和恢复。 9.1 The FI should have robust processes to manage incidents in order to resume critical business services and functions within the stipulated SRTOs/RTOs. Where the delivery of a business service depends on multiple business functions, an overall coordinator should be appointed to coordinate incident management and recovery across affected functions.

危机管理Crisis Management

9.2 金融机构的高级管理层负责监督其危机管理活动,引导金融机构走出危机。为了帮助高级管理层应对危机,金融机构应当具备: (a)危机管理结构,明确界定角色、职责、汇报线路和指挥链(包括指定主要代表的候补人选); (b)一套预定义的触发因素和标准,用于及时启用危机管理结构; (c)指导金融机构在危机期间采取行动和作出决定的计划和程序; (d)促进及时更新和评估最新情况的工具和程序,以支持危机期间的决策; (e)关键业务服务扰断时需要通知的所有内部和外部相关方名单,以及每个相关方的沟通计划和要求(即抽屉计划、通知标准、通知时间表,更新频率等);和 (f)包括主流和社交媒体的沟通渠道,以与其相关方有效沟通,包括在主要沟通渠道不可用时可以使用的替代渠道。 9.2 The FI’s senior management is responsible for steering the FI out of a crisis by overseeing its crisis management activities. To aid the senior management in responding to a crisis, the FI should have in place: a crisis management structure, with clearly defined roles, responsibilities, reporting lines, and chain of command (including designating alternates to primary representatives); a set of pre-defined triggers and criteria for timely activation of the crisis management structure; plans and procedures to guide the FI on the course of actions and decisions to be made during a crisis; tools and processes to facilitate timely updating and assessment of the latest situation to support decision-making during a crisis; a list of all internal and external stakeholders to be informed when a critical business service is disrupted, as well as communications plans and requirements (i.e. drawer plans, notification criteria, notification timelines, update frequency, etc.) for each stakeholder; and communication channels, including mainstream and social media, to effectively communicate with its stakeholders, including alternative channels that can be used when the primary communication channel is unavailable.

与员工的沟通Communications with Staff

9.3 金融机构应当建立渠道,向员工通报事件或危机期间的最新进展。这包括及时发布员工应注意的信息,以保护他们的安全,以及发送员工福利信息,管理员工士气。金融机构还应当确保因危机而遭受心理创伤的员工能够获得危机咨询支持。 9.3 The FI should have in place channels to update staff on developments during an incident or a crisis. This includes cascading timely information that staff should take note to protect their safety, as well as sending out messages on staff welfare to manage staff morale. The FI should also ensure that staff who experience psychological trauma from a crisis has access to crisis counselling support.

与外部相关方的沟通Communications with External Stakeholders

9.4 金融机构应当确保与其外部相关方 [20] 的沟通是积极、透明和实事求是的。这将使相关方放心,并在扰断或危机期间保持客户信心。 9.4 The FI should ensure that communications to its external stakeholders 20 are proactive, transparent, and factual. This will reassure stakeholders and maintain customer confidence during a disruption or crisis.

9.5 为促进及时的公众沟通,金融机构应当制定沟通计划,并准备针对不同情况的抽屉媒体声明,以及在发生扰断时可以立即发布的备用声明。如有需要,金融机构还应当通过相关行业协会与同行金融机构协调,以在发生大范围扰断时向公众发出一致的信息。金融机构还应当确定其指定的发言人,负责向媒体和公众发言。 9.5 To facilitate timely public communications, the FI should have a communications plan and prepare drawer media statements that cater to different scenarios and holding statements that can be released immediately in the event of a disruption. Where necessary, the FI should also coordinate with peer FIs through the relevant industry associations to achieve consistent messaging to the public in the event of a widespread disruption. The FI should also identify its designated spokesperson(s) who will be responsible to address the media and the public.

9.6 The FI should ensure that MAS is notified as soon as possible, but not later than one hour [21] upon the discovery of incidents where business operations will be severely disrupted, or when the BCP is going to be activated in response to an incident. In the notification, the FI should provide information as per the MAS incident reporting template, such as the assessed impact to its customers and the actions that have been taken (e.g. activation of alternative service channels, alternate sites or manual procedures, public communications, etc.).

10 Responsibilities of Board and Senior Management

10.1 The Board and senior management are ultimately responsible for the FI's business continuity. A prolonged disruption in the performance of the FI's critical business services and functions could significantly impair its reputation, financial safety and soundness, or in some instances, the proper functioning of the financial ecosystem.

10.2 The Board and senior management should therefore provide the leadership and strategic direction to establish strong governance over the FI's BCM. This would ensure that the FI has the ability to effectively respond to and recover from a wide range of operational disruptions.

10.3 The Board [22] and senior management should build an organisational culture that has business continuity preparedness embedded within the FI's day-to-day risk management [23], and integrated within the FI's operational risk management framework to enable effective identification and management of the risks across the organisation.

10.4 The Board, or the committee delegated by it, should be responsible for ensuring that:
(a) an effective and comprehensive BCM framework is established and maintained to manage potential operational disruptions, and to meet its business needs and obligations;
(b) a BCM function or equivalent is established and sufficiently resourced to oversee the organisation-wide implementation of the BCM framework to achieve the desired state of business continuity preparedness;
(c) the senior management, who is responsible for executing the FI's BCM framework, has sufficient authority, competency, resources, and access to the Board;
(d) the effectiveness of the BCM framework is regularly reviewed and evaluated against external events, changes in risk profiles and business priorities, or new processes, systems, or products or services; and
(e) an independent audit is performed to assess the effectiveness of controls, risk management and governance of business continuity preparedness of the FI.

10.5 The senior management should ensure that:
(a) the BCM framework is established to support and manage the development, implementation, and maintenance of effective BCPs and measures, taking into consideration recovery arrangements by third parties;
(b) sound and prudent policies, standards and procedures for managing operational disruptions are established and maintained, and standards and procedures are implemented effectively;
(c) roles and responsibilities for maintaining the FI's business continuity preparedness are established and defined clearly;
(d) measurable goals and metrics are used to assess the FI's overall business continuity preparedness;
(e) business services and functions that are critical to the FI are identified, and their SRTOs and RTOs are commensurate with its business needs and obligations;
(f) the crisis management and communications structure, and BCPs, are tested on a regular basis to validate their effectiveness against severe but plausible operational disruption scenarios and to verify that the critical business services and functions are able to recover within their SRTOs and RTOs;
(g) gaps and weaknesses identified from the FI's business continuity testing, post-mortems of incidents, audit, or other risk management programmes (e.g. risk and control self-assessments) are remediated in a timely manner; and
(h) a training programme is established and reviewed annually to ensure that all staff who have a role in the FI's BCM are familiar with their roles and responsibilities.

10.6 The senior management should provide an annual attestation to the Board on the state of the FI's BCM preparedness, the extent of its alignment with the Guidelines, and key issues requiring the Board's attention, such as significant residual risk. The attestation should also be provided to MAS upon request.

Appendix: Examples of Business Services

Types of Business Services | Examples of Business Services [24]

Banking | Cash transactions; Lending; Deposit-taking; Treasury [25]; Private banking and wealth management; Investment banking or corporate finance; Trade services

Insurance | Claims servicing (including surrender); Policy renewal and servicing; Policy inception

Financial Market Infrastructures | Derivatives trading, clearing, settlement and reporting; Securities trading, clearing, settlement and depository; Administering of benchmarks; Payments clearing and settlement

Broking and Custody | Trading, clearing, settlement and custody

Asset Management | Portfolio management and trading; Trade settlement and operations; Trustee services, including fund admin and valuation; Processing of subscriptions and redemptions in fund units (transfer agency)

Payment Services | Cross-border and domestic funds transfer; Credit/debit card payments; E-wallet payments/prepaid card payments

Footnotes

[1] A minimum service level that is sufficient to meet the FI's business obligations. This minimum service level should be pre-determined by the FI as part of its recovery planning.
[2] Examples of such business functions may include payroll processing, security operations centre, legal and compliance.
[3] An FI can adopt the business impact analysis methodology to assist in its identification of critical business services and functions.
[4] This includes assessing the extent of damage to the FI's financial and liquidity position, any loss of assets and revenue, loss of business and investments, and any inability to meet legal and regulatory obligations (including sanctions compliance).
[5] This should take into consideration the type of customers (e.g. retail/corporate/interbank customers).
[6] Examples of recovery strategies could include manual workarounds, activation of alternate sites, and expansion of the service capacity of alternate delivery channel(s) to meet the increase in demand.
[7] Other resources include data in both digital and non-digital form.
[8] These will include intra-group service providers.
[9] Audits performed as part of a certification process (e.g. ISO 22301 Security and Resilience – Business Continuity Management Systems) can be relied on to obtain assurance on third parties, provided that the audit is conducted by independent and competent assessors. The FI should also review and verify that the scope of the audit is adequate in providing the needed assurance over the third party's services.
[10] Examples include pre-designating an alternate service provider or building up in-house capability in the event that the primary service provider is unavailable to provide immediate support.
[11] Examples include telecommunications networks and power utilities.
[12] A zone refers to an area or region that shares a similar risk profile such that people, data, systems, and other key resources located in the same zone would likely be affected by a disruption. Due to a number of factors, such as the differing size and complexity of business operations across FIs in Singapore, it would be neither appropriate nor practical to standardise on a criterion that defines a zone that could be applied equally across the financial sector.
[13] FIs could consider establishing operationally ready reserve team(s) to substitute for the team(s) currently performing critical business functions in the event they need to be isolated to curb the spread of an infectious disease. The reserve team(s) could comprise personnel who are not in contact with the original team until being activated to support the critical business functions.
[14] Cross-border support may subject an FI to potential economic, social, political, and legal/compliance risks that may be present in other jurisdictions. FIs should therefore examine and assess the potential risk implications before implementing cross-border support measures.
[15] Examples of such new operational risks and challenges could include the capacity, resiliency, and security of infrastructure to support remote working arrangements, or the ability to enable cross-border support.
[16] Examples of mitigating controls include establishing alternative locations to allow personnel to resolve hardware issues or automating processes to reduce dependencies on critical personnel.
[17] Types of tests could range from basic call-tree activation, crisis management exercises, business process recovery tests and data restoration testing, and cover scenarios such as alternate data centre or alternate site activation, operating with reduced headcount, operating in the absence of a key third party, relying on onsite generators for a prolonged period, etc.
[18] Scope of the tests would involve scenario design to determine the components to be tested (e.g. incident management, crisis management, crisis communications, recovery of critical business services and functions, alternate site activation and operation, retrieval of vital records, unavailability of critical staff or key third parties, and familiarity with the tools and automation), as well as the involvement of participants.
[19] Examples of such exercises include business continuity exercises organised by the Association of Banks in Singapore, contingency tests organised by the Singapore Automated Clearing House, MEPS+ contingency exercises organised by the Monetary Authority of Singapore, and business continuity tests by the Singapore Exchange.
[20] External stakeholders include customers, media, government authorities and regulators, etc.
[21] FIs should notify MAS through their review officers or the MAS BCM Hotline. The instructions on incident notification and reporting to MAS, and the incident reporting template, can be downloaded from the MAS website.
[22] The Board may delegate the authority to make decisions to a Board committee but bears the ultimate responsibility. Please refer to MAS Guidelines on Risk Management Practices – Board and Senior Management. For FIs headquartered outside Singapore, the responsibility of the Board may be delegated to a management committee or body responsible for the supervision and oversight of the FI's operations in Singapore.
[23] As an example, the FI's change management process for businesses and systems should consider if the proposed change could have implications for the FI's business continuity preparedness, and if corresponding changes to the BCPs are necessary.
[24] Business services are external-facing services that are provided to customers of an FI. The examples listed in the Appendix are non-exhaustive. FIs should identify the business services that are critical depending on the nature, size, and complexity of their business operations.
[25] This refers to the provision of external-facing Treasury services to customers (e.g. institutional sales).





Originally published on the WeChat public account "业务连续性+"