2021-10-05

Directive No. 11/DSB-DRO of 2021, dated October 5

The National Bank of Angola, through its Banking Supervision and Financial System Regulation Departments, issued Directive No. 11/DSB-DRO of 2021 to establish standardized criteria and procedures for Business Continuity Management (BCM) across supervised financial institutions. The directive mandates the integration of BCM into organizational structures and risk management frameworks, requiring institutions to submit an implementation action plan within three months and achieve full compliance within six months. It defines key operational concepts, assigns clear governance responsibilities to the board of directors, and outlines recovery strategies, testing protocols, and communication channels necessary to ensure operational resilience against disruptions.


Angola

Banco Nacional de Angola


CONTINUATION OF DIRECTIVE NO. 11/DSB/DRO/2021 1 of 29

GOVERNOR

DIRECTIVE NO. 11/DSB/DRO/2021

Whereas it is necessary to establish criteria and procedures that Financial Institutions must adopt within the scope of business continuity management;

Under the combined provisions of items d) and f) of paragraph 1 of Article 21.º, and item d) of paragraph 1 of Article 51.º, both of Law No. 16/10, dated July 15 – the Law of the National Bank of Angola, and Article 166.º of Law No. 14/21 dated May 19 – the Law on the General Regime of Financial Institutions;

This Directive serves to establish the following:

  1. The National Bank of Angola publishes the “Implementation Guide on Business Continuity Management for Financial Institutions”, hereinafter referred to as the “Guide”, according to Annex I, contained in this Directive and forming an integral part thereof, with the following objectives:
     a) Clarify the concept of business continuity management for Financial Institutions;
     b) Clarify the importance of integrating business continuity management into the organizational structure of Financial Institutions and the expected manner of their operation in this regard;
     c) Provide essential guidelines, principles, and orientations to Financial Institutions in the implementation and adoption of preventive procedures and criteria applicable in situations adverse to their normal activity; and,

ORIGIN: Banking Supervision Department (DSB); Financial System Regulation and Organization Department (DRO)
DATE: 05/10/2021
SUBJECT: FINANCIAL SYSTEM - Implementation Guide on Business Continuity Management for Financial Institutions

     d) Promote the strengthening of financial institutions' response capacity when events occur that may disrupt normal business development.

  2. The Guide applies to Financial Institutions under the supervision of the National Bank of Angola, as provided for in Law No. 14/21, dated May 19, the Law on the General Regime of Financial Institutions, hereinafter referred to as “Institutions”.

  3. In accordance with Article 31.º of Notice No. 10/2021, dated July 14, on the Corporate Governance Code for Financial Institutions, Institutions must also include information related to the business continuity plan.

  4. For the purposes of this Directive, it is understood that:

     4.1. Events: occurrences capable of disrupting the normal functioning of Institutions, such as natural disasters, pandemics, acts of terrorism, IT system failures, fires, floods, or major power outages.

     4.2. Business Continuity Management: an integrated set of policies, processes, and procedures aimed at ensuring the continuous operation of an organization, or its timely recovery in case of events capable of disrupting normal business functioning.

     4.3. Alternative Infrastructures: infrastructures that allow an Institution to ensure the continuity of its critical business functions, or their recovery within a short period, in case an emergency situation causes primary infrastructures to become inoperable or prevents access to them.

     4.4. Primary Infrastructures: location(s) where critical business functions are normally performed, simultaneously encompassing information technology infrastructures and workstations, as well as supply networks that enable their operation or access (e.g., telecommunications, energy, water, transport).

     4.5. Business Continuity Plan: a detailed action plan that establishes the measures and procedures necessary for activity recovery at defined levels and times, covering means to manage an eventual unplanned interruption of activity, including the process of returning as quickly as possible to normal service quality levels.

  5. Whenever necessary, the National Bank of Angola may request additional clarifications from Institutions regarding the content of the received Business Continuity Plan.

  6. Non-compliance with the mandatory norms established in this Directive constitutes an infraction punishable under Law No. 14/21, dated May 19, the Law on the General Regime of Financial Institutions.

  7. Doubts and omissions resulting from the interpretation of this Directive are resolved by the National Bank of Angola.

  8. Institutions must comply with the provisions of this Directive within a period of 6 (six) months after its publication date.

  9. For the purposes of the preceding paragraph, Institutions must submit to the National Bank of Angola an action plan for implementing the business continuity plan within 3 (three) months after the publication of this Directive, according to the elements established in Annex II, which is an integral part of this Directive.

  10. This Directive enters into force on the date of its publication.

Luanda, October 5, 2021.

FINANCIAL INCLUSION DEPARTMENT


Elavoko do Rosário Chaves João
-Director-

FINANCIAL SYSTEM REGULATION AND ORGANIZATION DEPARTMENT

Cândido Abrantes Pina
-Acting Director-

ANNEX I

Index

INTRODUCTION

  1. BUSINESS CONTINUITY MANAGEMENT - CONCEPT
     1.1. Definition and objectives of business continuity management and planning
     1.2. Regulatory context
     1.3. Benefits of adopting business continuity management
     1.4. Guidelines
  2. BUSINESS CONTINUITY MANAGEMENT – POLICIES, PROCESSES AND PROCEDURES
     2.1. Structured policies to preserve business continuity
     2.2. Responsibility structure
          2.2.1. Responsibilities of the governing body
          2.2.2. Definition of responsibilities in case of disaster
     2.3. Business continuity management
          2.2.3. Business continuity management process
          2.2.4. Business impact analysis
          2.2.5. Definition of recovery strategy
          2.2.6. Business Continuity Plan
          2.2.7. Testing, updating and maintenance of the business continuity plan

INTRODUCTION

The Implementation Guide on Business Continuity Management aims to provide institutions with guidance on implementing a business continuity management system within their organizational structures, based on international best practices.

The Guide presents solutions to institutions in order to stimulate stability not only within the Angolan financial system, but also at the level of the financial system as a whole, and to promote the adoption of good management practices, so that, when carried out prudently, ethically, and diligently, they focus on risk management and mitigation.


  1. BUSINESS CONTINUITY MANAGEMENT - CONCEPT

1.1. Definition and objectives of business continuity management and planning

1.1.1. Business continuity management comprises an integrated set of policies and procedures aimed at ensuring the continuous operation of an institution, or its timely recovery, in case of events capable of destabilizing normal business development, namely by implying the unavailability of physical infrastructures, IT systems, or human resources, either individually or simultaneously. This type of event covers, among others, scenarios such as natural disasters, pandemics, acts of terrorism, IT system failures, fires, floods, or major power outages.

1.1.2. Business continuity management encompasses two complementary concepts: operational continuity, which corresponds to a situation where operational activity is performed without interruptions or with the minimum possible disruption in terms of processes, stakeholders, relationships with partners and suppliers, among others; and recovery, which aims to ensure the restoration of activity, namely after an event causes a complete or partial interruption of business or otherwise prevents its normal functioning.

1.1.3. Considering the costs inherent to a period of unavailability, particularly in the case of an institution, as well as the resulting risks, both for the institution itself and for the Angolan financial system, it is essential that business recovery occurs in the shortest possible time, ensuring a timely transition to alternative operating modes. Thus, business continuity management reflects the recognition that the only way to guarantee institutional objectives is through advance planning and adoption of a set of immediate response measures to situations disrupting activity.

1.1.4. In this context, business continuity management aims to identify the threats and risks to which institutions are exposed, analyze business impacts if these threats materialize, and enable their operation to reach an acceptable level in case of events disrupting normal business functioning, safeguarding the interests of stakeholders, as well as the institution's reputation and activity.

1.1.5. Business continuity management constitutes an integrated approach involving the mobilization of the entire institution to manage crisis situations and recover operations after any event causing an operational rupture.

1.2. Regulatory context

1.2.1. The recognition of the importance of ensuring institutional resilience motivated, at the international level, the issuance of regulatory standards. From a perspective guaranteeing financial system stability, business continuity management must be an integral part of a well-structured internal control system supported by principles, which must be continuously observed and comply with international best practices and principles.

1.2.2. It is in this context that the present Guide was issued, resulting from the National Bank of Angola's initiative to provide institutions with guidelines for implementing business continuity management within their organizational structure.

1.2.3. Business continuity management must be carried out with reference to each institution's specific situation and risk profile. Indeed, each institution's needs regarding how business continuity is ensured or activity recovery is processed in adverse situations are closely related to aspects such as the business model, organizational structure, physical infrastructure characteristics, or geographical implementation, among others. Thus, business continuity management reflects a process of specific nature for each institution, which does not align with standardized approaches.

1.2.4. This document aims, therefore, to promote the development and/or improvement of BCM at institutions operating within the Angolan financial system, with a view to strengthening their response capacity to adverse situations in their activities.

1.2.5. The subject of these guidelines consists solely in planning for the continuity of operational business activity in case of disaster, not encompassing the concept of financial crisis management. Generally, a financial crisis – although it also constitutes an exceptional circumstance capable of jeopardizing the institution's survival – requires planning of a distinct nature from that required for operational disaster situations. However, there are inevitably common points between these two components, not only because a disaster situation may ultimately entail costs or financial risks of such magnitude that it evolves into a financial distress situation, but also because there are common elements in certain structuring aspects of planning for disaster situations and financial crisis situations.

1.2.6. Business continuity management policies and financial crisis management policies share certain elements, requiring that due consistency between both components is safeguarded and that interaction possibilities are considered, i.e., within business continuity management, the possible financial implications of a disaster are also weighed, and from there, its interconnection with the respective financial crisis management policy is ensured.

1.2.7. This Guide covers only one of the two pillars of business continuity management in the financial system, namely that referring to “micro” level resilience, which comprises the initiative for business continuity management at the individual level of each institution. Nevertheless, financial system resilience also requires implementing measures reflecting a “macro” approach, under which an integrated perspective of the system as a whole is adopted and interdependencies between different agents are considered.

1.2.8. This “macro” approach presupposes a comprehensive perspective encompassing, among others, institutions, supervisory authorities, payment infrastructures, and trading, clearing, settlement, and central counterparty infrastructures, as well as providers of financial market information services. This comprehensive perspective is not the subject of this Guide, but may be addressed in the future.

1.3. Benefits of adopting business continuity management

1.3.1. The adoption of business continuity management is essential to ensure institutional resilience and guarantees the following:
     a) Identification of critical processes and the impact of rupture throughout the institution;
     b) Knowledge of the degree of exposure to adverse events capable of causing an interruption in institutional activity;
     c) Efficient response to interruptions;
     d) Preservation of the institution's reputation; and
     e) Mitigation of possible impacts to stakeholders and institutional assets.

1.4. Guidelines

1.4.1. Institutions must establish business continuity management to ensure the continuous operation of their business, or its timely recovery, in case of events capable of disrupting normal functioning, such as natural disasters, pandemics, acts of terrorism, IT system failures, fires, floods, or major power outages.

1.4.2. Business continuity management must embody an integrated and structured approach encompassing the institution as a whole, and must be an integral part of global risk management policies.

1.4.3. Policies, processes, and procedures must be proportional and reflect the size, nature, and complexity of the institution's activity.

  2. BUSINESS CONTINUITY MANAGEMENT – POLICIES, PROCESSES AND PROCEDURES

2.1. Structured policies to preserve business continuity

2.1.1. Institutions must have a business continuity management policy that reflects their risk profile and is adequate to the size, nature, and complexity of their activities.

2.1.2. Institutions must establish policies and procedures aimed at ensuring continuous business operation, or its timely recovery, in case of events capable of disrupting normal functioning, such as natural disasters, pandemics, acts of terrorism, IT system failures, fires, floods, or major power outages (hereinafter referred to as “disasters”).

2.1.3. Policies and procedures must cover prevention, when possible, of events capable of disrupting normal institutional functioning, as well as business recovery after an interruption if prevention was not possible, and the return to normal activity standards.

2.1.4. The business continuity management policy must be adjusted to the institution's specificities and reflect the main risks to which it is exposed, as well as vulnerabilities inherent to its business, organizational structure, physical infrastructure characteristics, geographical implementation, among others.

2.1.5. The levels of detail and depth of planning for disaster situations must be proportional and reflect the size, nature, and complexity of the institution's activity.

2.1.6. Recovery policies and procedures must not cover only technology, IT, or physical infrastructure domains, but must also safeguard functional business recovery, which implies considering human resource aspects, their mobility, and adaptability to alternative means.

2.1.7. The business continuity policy must be subject to continuous adjustment in line with business development.

2.2. Responsibility structure

2.2.1. Responsibilities of the governing body

2.2.1.1. The governing body of each institution is responsible for promoting its resilience against disasters and ensuring continuous operation, namely business recovery in case of activity disruptions. In this context, the governing body must consider business continuity management as an integral part of risk management, articulating it also with the institution's internal control policies, being responsible for implementing and developing the business continuity management policy.

2.2.1.2. The business continuity management policy must, therefore, be approved by the governing body, which is also responsible for ensuring close monitoring of the implementation and development process, and promoting regular discussion on business continuity management in its meetings.

2.2.1.3. The competence for implementing the business continuity management policy may be delegated to a committee created for this purpose or another adequate structural unit; however, responsibility must remain with the governing body.

2.2.1.4. To this effect, a member of the governing body should be designated as the point of contact for matters related to business continuity management. If the creation of a committee or other structural unit is justified, clear responsibility lines must exist, in particular maintaining a direct reporting line to the governing body.

2.2.1.5. In the case of larger institutions with a more complex business model, this structural unit may have dedicated resources and the creation of a business continuity function may be considered.

2.2.1.6. The governing body must promote and encourage human resource awareness regarding prevention and preparation for potential activity disruption situations, which can be achieved by assigning a high priority to the business continuity management policy, namely through allocating sufficient human and financial resources in quantity and quality to this policy to ensure comprehensive and solid implementation.

2.2.2. Definition of responsibilities in case of disaster

2.2.2.1. The governing body must be responsible for activating business continuity management procedures, reflected in the business continuity plan, in case of disaster.

2.2.2.2. If the business continuity plan is activated in a disaster situation, it must provide a clear responsibility structure defining the division and assignment of tasks among employees participating in business recovery, so that they unequivocally understand their assigned functions in an emergency. Considering the risk of human resource unavailability, the business continuity plan must also provide clear substitution rules.

2.2.2.3. Within this responsibility structure, a team with decision-making powers and broad intervention capacity must be established, which may have a composition distinct from the governing body due to the exceptional situation in which it is activated. This team must be responsible for deciding on measures to adopt in business recovery.

2.2.2.4. The business continuity plan must also provide institutional communication channels ensuring that the governing body is continuously and adequately informed about procedures executed in emergency/contingency situations and the state of business recovery.

2.3. Business Continuity Management

2.2.3. Business continuity management process

2.2.3.1. Institutions must implement a business continuity management process integrated into their business processes, comprising the stages of business impact analysis, definition of a recovery strategy and business continuity plan, as well as testing programs, training, and awareness-raising for all employees at all levels of the institution.