BANK 7.2.10 Principle 10: business resiliency and continuity

(1) A banking business firm must have business resiliency and continuity plans to ensure that the firm can continue to operate, and can limit its losses, in the event of severe business disruption.
Guidance
A banking business firm is exposed to disruptive events, some of which may be severe and result in an inability to fulfil some or all of the firm’s business obligations. Incidents that damage or render inaccessible the firm’s facilities, telecommunication or information technology infrastructures, or a pandemic event that affects human resources, can result in significant financial losses to the firm, and broader disruptions to the financial system.
(2) A banking business firm must establish business continuity plans commensurate with the nature, size and complexity of the firm’s operations. The plans must take into account different likely or plausible scenarios to which the firm may be vulnerable.
(3) Continuity management must incorporate business impact analysis, recovery strategies, testing, training and awareness programmes, and communication and crisis management programmes. The firm must identify critical business operations, key internal and external dependencies, and appropriate resilience levels.
(4) Plausible disruptive scenarios must be assessed for their financial, operational and reputational impact, and the resulting risk assessment must be the foundation for recovery priorities and objectives. Continuity plans should establish contingency strategies, recovery and resumption procedures, and plans for informing management, employees, the Regulatory Authority, customers, suppliers and, if appropriate, the civil authorities.
(5) The firm must periodically review its continuity plans to ensure that contingency strategies remain consistent with the firm’s current operations, risks and threats, resiliency requirements, and recovery priorities. Training and awareness programmes must be implemented to ensure that the firm’s staff can effectively carry out the plans.
(6) The firm must test each plan periodically to ensure that its recovery and resumption objectives and timeframes can be met. If possible, the firm must participate in disaster recovery and business continuity testing with key service providers.
(7) The results of testing must be reported to the firm’s management and governing body.
Derived from QFCRA RM/2020-2 (as from 1st January 2021)