Business Continuity Management (BCM) Officer
Minimum Requirements for Risk Management (MaRisk)
AT 7.3 Business continuity management
1 The institution shall define business continuity management objectives and establish a business continuity management process on this basis. Arrangements shall be made for emergency situations in time-critical activities and processes (contingency plan).
The measures defined in the contingency plan shall be suitable for reducing the extent of potential losses. The contingency plan must be updated on an ad hoc basis, reviewed annually to ensure that it is up to date, and communicated appropriately.
The management board shall require written status reports on business continuity management to be submitted to it at least quarterly and on an ad hoc basis.
Time-critical activities and processes
The term “time-critical” applies to activities and processes whose impairment for defined periods is expected to lead to damage that the institution can no longer consider acceptable.
The institution shall perform business impact analyses and risk impact analyses to identify time-critical activities and processes as well as supporting activities and processes, the IT systems needed for this plus other necessary resources, and potential threats.
These analyses shall be based on an overview of all activities and processes (e.g. in the form of a process map).
Business impact analyses
Business impact analyses examine the consequences for business operations of impairments of activities and processes over different time periods. They should take due account of the following aspects, among other things:
– The nature and scale of the (non-)material losses,
– The point in time at which the failure occurs.
Risk impact analyses
Risk impact analyses are used to identify and assess potential threats to the identified time-critical activities and processes that could lead to the impairment of these time-critical activities and processes.
2 The contingency plan shall include business continuity and recovery plans. Business continuity plans shall ensure that back-up solutions are promptly available in emergencies.
Recovery plans shall ensure that normal operations can be resumed within an appropriate time frame. Appropriate internal and external communication shall be ensured during emergencies. In the event that time-critical activities and processes are outsourced, the outsourcing institution and the external service provider shall have in place coordinated contingency plans.
The contingency plan sets out responsibilities, objectives and measures for continuing or restoring time-critical activities and processes, plus classification criteria and criteria for triggering the plans.
The following scenarios shall be considered at a minimum:
– Partial or total site failures (e.g. as a result of flooding, major fires, closures of specific areas, or access control failures)
– Substantial failures of IT systems or of the communications infrastructure (e.g. due to errors or attacks)
– The non-availability of a critical number of staff (e.g. in the case of a pandemic, food poisoning, or strikes)
– Service provider outages (e.g. suppliers, utilities)
3 The effectiveness and appropriateness of the contingency plan shall be reviewed regularly.
For time-critical activities and processes, this shall be demonstrated for all relevant scenarios at least once a year and on an event-driven basis. Reviews of the contingency plan must be minuted. The results shall be analysed to establish any necessary improvements. Risks shall be managed appropriately. The results shall be communicated in writing to the persons responsible in each case.
Reviews of the contingency plan
The frequency and scale of reviews should be based on the threat landscape. Service providers shall be integrated appropriately. Among other things, reviews include:
– Testing of technical precautions
– Communication exercises, crisis management team exercises and alarm exercises
– Simulation exercises or full-scale exercises