BCM and Operational resilience for regulated institutions


REGULATORY DIGEST ON THE REGULATION No 43/2022 OF 02/06/2022 GOVERNING BUSINESS CONTINUITY MANAGEMENT AND OPERATIONAL RESILIENCE FOR REGULATED INSTITUTIONS

Introduction 

Since the 1970s, Business Continuity Management (BCM) has evolved in response to the technical and operational risks that threaten an organization’s recovery from hazards and interruptions. (Brahim Herbane, De Montfort University, Leicester, UK 2010)

Given current global developments, business operations in the financial sector are continuously exposed to a number of disruptive incidents, including natural disasters and technological incidents. It is in that context that the National Bank of Rwanda (NBR) issued Regulation No 43/2022 of 02/06/2022 governing Business Continuity Management and operational resilience for regulated institutions, in order to promote, enhance and ensure the operational resilience of regulated institutions, with the ultimate aim of ensuring that they are able to continue operations as a going concern while minimizing losses in the event of major operational disruptions.

This Regulation repeals Regulation No 04/2018 of 24/01/2018 on business continuity management, which applied to banks only, while the current regulation is applicable to all institutions licensed and supervised by NBR.

Regulatory Key Highlights

The following are the main changes in the new regulation:

  •  This Regulation accommodates principles of operational resilience (Basel Committee on Banking Supervision (BCBS), March 2021) and aligns with High-level principles for business continuity issued by BCBS in 2006.

  •  The regulated institutions shall have a dedicated team in charge of BCM, composed of a coordinator (senior management), a risk management officer and heads of departments.

  •  The BCM team has the mandate of developing a Business Continuity Plan (BCP) for board approval, along the five (5) levels which reflect the business continuity management life cycle, namely: strategic level; process level; resource recovery; awareness and education; and testing, maintenance, measurement & audit.

  •  The BCP should be well documented, tested and meet the objectives of the BCM policy.

  •  The BCM team shall ensure the implementation of the BCP by conducting the business impact analysis annually, considering the period of time for which they cannot operate without the critical business operations.

  •  Regulated institutions that reciprocally use their respective branches to host each other's operations shall put in place a service level agreement (SLA) that governs the arrangement once a disaster is likely to happen.

  •  If recovery sites and other solutions are outsourced, there shall be an SLA between the regulated institution and the supplier.

  •  Every regulated institution shall have at least one disaster recovery site located in Rwanda and within 45 km from the primary site.

  •  All regulated institutions shall have procedures designed for communicating with stakeholders in the event of major disruptions.

  •  This regulation also has a chapter on operational resilience which provides among others that the Board of Directors of regulated institutions shall formulate the risk tolerances for disruption of critical operations and services. It specifies metrics to refer to for the expression of impact tolerance. The regulation also provides the responsibilities of senior management vis-à-vis operational resilience of regulated institutions and requires the Board of Directors to establish a broad understanding of a regulated institution’s operational resilience approach.

  •  The regulated institutions shall report to NBR major interruptions and incidents within a period not exceeding two hours from the occurrence of the event.

Important deadlines

The regulated institutions are given a period of one year to comply with the provisions of this regulation from the date of its publication in the Official Gazette of the Republic of Rwanda (Art 44); this period ends on 26 June 2023.

Implications for concerned stakeholders

  •  The regulated institutions shall submit to the supervisory authority incidents, test reports, business continuity plans, quarterly reports and annual testing plans in accordance with conditions defined by this regulation (Art 41).

  •  The regulated institutions are required to prepare an annual report describing the critical systems, their recovery objectives and the strategy to achieve them, within four months after the end of the financial year.

  •  The NBR may provide a directive on BCM & operational resilience to specific regulated institutions in line with the nature, size, complexity and maturity of their business operations, and apply sanctions for non-compliance.

  •  Where a regulated institution fails to satisfy any of the requirements of this regulation, the supervisory authority may apply any sanctions available under the provisions of the law governing the financial sector to which it belongs or relevant regulations. Pecuniary sanctions determined by this regulation, appropriate to the violation and proportionate to the category of the regulated institution, may also be imposed on a regulated institution that fails to comply with the provisions of this regulation.

CLICK HERE FOR MORE DETAILS:

https://www.bnr.rw/financial-stability/bank-supervision/laws-and-regulations/laws-and-regulations/