INMA S1.3.4 Business continuity risk

(1) Business continuity risk is the risk of loss (both financial and non-financial) resulting from disruptions to critical business operations. Critical business operations are the business functions, resources and infrastructure that would, if disrupted, have a significant effect on a firm’s business functions, reputation, profitability and customers.

Note: CTRL, rule 3.1.17 (3), requires an INMA firm’s governing body to review its business continuity procedures at least once every 18 months.

(2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating business continuity risk. The policy should include:
(a) processes for identifying and analysing:
(i) events that might lead to a disruption in business continuity;
(ii) the likelihood of those events occurring;
(iii) the processes most at risk; and
(iv) the consequences of those events;
(b) a plan (business continuity plan or BCP) describing:
(i) objectives and procedures for crisis management and recovery to minimise the consequences from the disruption of its business;
(ii) detailed procedures for carrying out the BCP, including manual processes, the activation of an off-site recovery site (if needed), the persons responsible for activating the BCP, and pre-assigned responsibilities of staff;
(iii) a communications strategy and contact information for relevant staff, suppliers, regulators, market authorities, major customers, the media and other key people;
(iv) a schedule of critical systems covered by the BCP and the timeframe for restoring those systems;
(v) procedures for staff awareness and training on all aspects of the BCP; and
(vi) procedures for regular (at least annual) testing, review and reporting on the BCP to the governing body and senior management; and
(c) procedures for backing up important data regularly and storing the data off-site.
