2009-12-16

COBAC Regulation R-2008/01 on the Obligation for Credit Institutions to Develop a Business Continuity Plan

The Central African Banking Commission (COBAC) issued Regulation R-2008/01 to mandate credit institutions operating within the CEMAC region to develop and implement comprehensive business continuity plans. The regulation establishes clear definitions, assigns governance responsibilities to deliberative and executive bodies, and requires institutions to conduct business impact analyses, define recovery objectives, and maintain alternative sites aligned with their risk profiles. It further mandates regular testing, independent audits, and the appointment of a dedicated Business Continuity Plan Manager to ensure systemic resilience against major operational disruptions.


Cameroon

Banque des Etats de l'Afrique Centrale


COBAC REGULATION R-2008/01 ON THE OBLIGATION FOR CREDIT INSTITUTIONS TO DEVELOP A BUSINESS CONTINUITY PLAN


The Central African Banking Commission (COBAC) convened on September 29, 2008 in Yaoundé;

Having regard to the Treaty establishing the Economic and Monetary Community of Central Africa (CEMAC) and its Addendum regarding the institutional and legal system of the Community;

Having regard to the Convention governing the Central African Monetary Union (UMAC);

Having regard to the Convention of October 16, 1990 establishing the Central African Banking Commission (COBAC);

Having regard to the Convention of January 17, 1992 on the Harmonization of Banking Regulation in the States of Central Africa;

Having regard to COBAC Regulation R-2001/07 on internal control in credit institutions, particularly Article 41;

Emphasizing the central role of financial intermediation in promoting economic activity and growth;

Recognizing that credit institutions are exposed to major operational disruptions likely to affect their physical infrastructure and/or human resources;

Noting that events likely to influence the normal conduct of credit institutions' activities may be natural or human in origin;

Observing that, given the financial systems' dependence on automation and physical infrastructure components supporting it, an operational failure of a credit institution may cause difficulties for the banking system as a whole;

Considering in particular that disruptions to clearing and settlement processes may have adverse and significant consequences for the financial system and prevent significant market actors from completing transactions and fulfilling their obligations;

Convinced that repeated or prolonged interruptions in the operation of a banking system erode confidence and may lead to capital withdrawals by national or international users;

Admitting, however, that the efforts undertaken by the Banking Commission to restore the fundamental balances of credit institutions shaken by banking crises deserve support to maintain regained public confidence;

Affirming that effective banking supervision enables the banking system to continue guaranteeing customers a minimum level of banking services;

Noting that international standards commit supervisory and regulatory authorities to drive a general movement towards the implementation by their regulated entities of a business continuity plan;

Considering that, to this end, the Joint Forum of the Basel Committee on Banking Supervision published in August 2006 Guidelines on Business Continuity;

Emphasizing that, due to the imprecision or even inadequacy of current mechanisms regarding the imperative for implementing a continuity plan, it is paramount, given the potential for major operational disruption phenomena, to draft a text obliging credit institutions to implement a business continuity plan covering all aspects of management;

Agreeing that a text adopted by the banking supervisory authority should enable it, on the one hand, to determine an appropriate level of systemic resilience and, on the other hand, to ensure that specific operations can be continued or recovered by credit institutions within a reasonable timeframe in case of disruption to normal operations or physical infrastructure;

HAS ADOPTED THE REGULATION HEREIN:

Title I - Guidelines on Business Continuity

Chapter I - Definitions

Article 1 - For the purposes of this Regulation, the following expressions shall be understood as follows:

  1. Critical actors: entities performing critical operations or providing critical services;

  2. Business impact analysis (BIA): process of evaluating and quantitatively and qualitatively measuring the impact on business or losses in business processes in case of disruption, to identify priorities in business recovery;

  3. Business continuity: state of activity where operations are not interrupted;

  4. Recovery time objective (RTO): target duration required for the recovery of a specific professional operation after a disaster or interruption;

  5. Business continuity management: comprehensive approach comprising policies, standards and procedures to ensure that specified operations can be maintained or recovered within a reasonable timeframe in case of disruption;

  6. Physical infrastructure: assets, equipment and services provided by entities other than credit institutions on which the daily activities of economic agents largely depend;

  7. Recovery level: target service level, relative to a specific professional operation, which will be provided after a disaster or interruption;

  8. Recovery objective: predetermined target for the recovery of specific professional operations and support systems to a service level set within a defined recovery duration after a disaster or interruption;

  9. Critical operation or service: activity, function, process or service, the absence or cessation of which would have substantial consequences for the continuity of operations of a credit institution or the financial system considered as a whole;

  10. Major operational disruption: disruption with high potential impact on the normal operations of a credit institution or financial system affecting physical infrastructure or personnel over a large geographical area or economically integrated communities;

  11. Business continuity plan: written and detailed action plan describing the procedures and systems necessary to continue or restore an organization's operations in case of disaster or interruption;

  12. Communication protocol: established and pre-approved communication procedures by two or more internal or external parties to a credit institution. These procedures specify the transmission, writing and reading means for data, as well as the type of information shared between these different parties and how to process them according to their public or non-public nature;

  13. Recovery: restoration of specific operating conditions after a disruption, to a sufficient level to meet essential professional obligations;

  14. Resilience: capacity of a credit institution or financial system to absorb the impact of a major operational disruption and continue or maintain critical operations or services;

  15. Operational risk: risk of losses resulting from the inadequacy or failure of internal processes, personnel and systems, or external events;

  16. Alternative site: workspace and technological equipment kept permanently ready for use in the event of an occurrence requiring the implementation of a credit institution's business continuity plan when the primary site becomes inoperable.

Chapter II - Object and Scope

Article 2 - This Regulation defines the general principles guiding credit institutions in developing a business continuity plan in case of major operational disruption.

Article 3 - The provisions of this Regulation apply to regulated entities operating, in any form whatsoever, within the territories of the CEMAC States and subject to COBAC's supervision.

Chapter III - Responsibilities of the Governing Bodies of Credit Institutions

Article 4 - Credit institutions must implement policies and procedures taking into account the technical and human aspects of business continuity management, which is an integral part of risk management.

Article 5 - The deliberative and executive bodies are collectively responsible for defining effective and comprehensive business continuity management approaches. They are responsible for effectively managing business continuity, even in case of outsourcing, and for developing and approving the appropriate policy to strengthen resilience and continuity in the face of major operational disruptions.

Article 6 - Credit institutions must establish an organization to inform the deliberative and executive bodies regarding the implementation of business continuity management, observed incidents, test results, and action plans to strengthen the institution's resilience and its capacity to resume specific activities.

Article 7 - The way business continuity management is organized must be regularly examined independently by internal control or external audit, and the deliberative body must be informed at least once a year of the assessment regarding the effectiveness of existing measures.

Chapter IV - Business Continuity Management Policy

Article 8 - Every credit institution must implement appropriate approaches for adequate business continuity management. The business continuity management policy includes impact analyses, a business recovery strategy and business continuity plans.

Article 9 - Business impact analyses must identify essential activities and services, key dependencies on internal and external sources of the credit institution, as well as appropriate resilience levels. They must enable the assessment of risks and consequences of different disaster or major operational disruption scenarios on the credit institution's activities and its reputation.

Article 10 - The recovery strategy must define, based on impact analyses, recovery objectives and priorities, as well as the minimum service level provided by the credit institution in case of disaster or major operational disruption, and the framework within which it will restore normal operating conditions.

Article 11 - The continuity plan must provide detailed formalized and documented indications on how to implement the recovery strategy, establishing roles and defining responsibilities in disaster and operational disruption management, and providing precise indications on succession plans, substitution or delegation of powers in case the disaster or disruption creates a distortion in the command chain. The business continuity plan must specify the scope of covered activities, priority activities in case of major operational disruption, uncovered residual risks, implementation timeframes for this plan, formalization of procedures, as well as a synthetic description of the alternative site(s).

Article 12 - A credit institution's business continuity management must be adapted to its risk profile and take into account its size, the scale and scope of its operations, as well as the risk it poses to the continuous functioning of the banking system and depositor security. The business continuity management policy must consider new risks linked to socio-economic developments, at the national and international levels, and cover requirements inherent to outsourced activities.

Article 13 - The policies, standards and processes of business continuity management must be taken into account and implemented in the credit institution's comprehensive risk management program and execution of critical operations.

Chapter V - Management of Major Operational Disruption Risk

Article 14 - Credit institutions must integrate the risk of major operational disruption into their business continuity management approaches.

Article 15 - The business continuity management approaches developed by credit institutions must include response modes to major operational disruptions that may affect their operations.

Article 16 - Anticipating appropriate measures to recover from a major operational disruption must be based on the institution's specific characteristics and risk profile.

Chapter VI - Development of Recovery Objectives

Article 17 - Recovery objectives must serve as reference points for evaluating the effectiveness of business continuity management and enable achieving a consistent level of resilience.

Article 18 - The deliberative and executive bodies are responsible for establishing recovery objectives proportionate to the risk that the concerned credit institution represents for the functioning of the financial system as a whole and for depositor security.

Article 19 - Recovery objectives must include the continued provision of critical services and, where applicable depending on the specific situation of the credit institution, meet requirements higher than those of other banking system participants.

Chapter VII - Development of Internal and External Communication Protocols

Article 20 - Credit institutions must include in their business continuity plan the emergency communication protocols and procedures within themselves and towards all stakeholders, including international ones, in case of major operational disruption.

Chapter VIII - Conduct of Business Continuity Management Assessment Tests

Article 21 - Every credit institution must, according to a periodicity appropriate to the risks and consequences of different major operational disruption scenarios, evaluate its business continuity management arrangements regarding their capacity to withstand major operational disruptions, ensuring in particular that:

  • the alternative site is located in a region distinct from the primary location and does not share the same physical infrastructure components;
  • the alternative site has sufficient updated data, up-to-date equipment and necessary systems to recover and maintain critical operations and services for a sufficient period;
  • the business continuity plan defines transport means and replacement modalities for personnel, sufficient in terms of headcount and expertise to resume critical operations and services compatible with recovery objectives.

Article 22 - Each credit institution presenting a risk to the banking system must independently conduct tests of its alternative sites by operational managers and participate in system-wide tests to evaluate the level of resilience across this system and the compatibility of other credit institutions' recovery strategies.

Article 23 - The scope and frequency of tests must be determined based on the criticality of applications and functions for the credit institution, as well as regarding this institution's position in the banking and financial system and based on significant changes occurring in the national, regional and international environment.

Article 24 - Significant findings resulting from periodic tests of business continuity plans must be submitted to the deliberative and executive bodies within a reasonable timeframe so that necessary corrective measures are taken and the business continuity management arrangements are updated.

Title II - Methodological Phases of Business Continuity Management

Chapter IX - Characteristics of the Business Continuity Arrangements

Article 25 - Credit institutions have a documented, homogeneous and proven business continuity plan. To this end, they ensure the consistency and effectiveness of business continuity plans within a global plan integrating objectives defined by the executive body and, where applicable, by the deliberative body.

Article 26 - The organization and availability of human, real estate, technical and financial resources of credit institutions are subject to regular assessment regarding risks related to business continuity.

Article 27 - Measures adopted by credit institutions within the framework of business continuity management are included in internal control reports, in accordance with Article 47 of Regulation 2001/07 on internal control of credit institutions.

Article 28 - The Banking Commission ensures the compliance of business continuity plans with the provisions of this Regulation.

Article 29 - Credit institutions define a unified framework for business continuity planning aimed at ensuring the overall consistency of the arrangements and their operational nature.

Article 30 - Credit institutions implement a business continuity management process based in particular on:

  • risk and vulnerability analysis;
  • classification of critical activities and definition of functional needs;
  • consideration of security issues and the impact of potential disasters on the credit institution's activities and the financial sector;
  • definition of a business continuity strategy consistent with objectives;
  • possible transfer of certain risks to appropriate insurance policies;
  • updating, maintenance, testing and evaluation of the arrangements provided for;
  • definition of responsibilities and procedures in case of emergency;
  • implementation of degraded procedures taking regulatory imperatives into account;
  • staff awareness;
  • business impact assessment.

Article 31 - Credit institutions appoint a Business Continuity Plan Manager and inform the Banking Commission.

Article 32 - The Business Continuity Plan Manager is responsible for plan administration in normal operations, participation in crisis management, keeping records up to date, controlling and implementing associated corrective actions, as well as carrying out training and testing campaigns for the plan.

Article 33 - The executive body must drive, promote, make visible and control business continuity management.

Chapter X - Business Continuity Management Methodology

Section I - Knowledge of Activities

Article 34 - With a view to defining and implementing a plan of measures aimed at preventing or minimizing major disasters and thus reducing the extent of residual risks to be covered in the business continuity plan, credit institutions identify their areas of vulnerability through audits and inspections.

Article 35 - Credit institutions define the disaster mapping and scenarios to be taken into account in their business continuity plan. To this end, they must:

  • identify the essential activities of the credit institution for its survival or the proper functioning of the financial system;
  • identify threats weighing on these activities that could cause discontinuity;
  • evaluate for each risk the probability of occurrence and potential impact (disaster assessment scale, disaster impact evaluation grid, typology of risks and disasters);
  • define the risk management strategy for each characterized risk;
  • define the assumptions for developing their business continuity plan taking into account the scale of disaster scenarios.

The disaster mapping must be regularly updated and in particular upon each significant change occurring in the institution's life.

Article 36 - Credit institutions determine the impact of potential disasters on their activities and on the functioning of the banking system and specify a business continuity strategy taking into account defined issues. The business impact assessment is established based on:

  • identification and classification of critical activities and functions as well as risks weighing on each activity or function;
  • validation of recovery or continuity objectives for each critical activity or function;
  • determination of key processes and resources related to critical activities and functions in order to derive degraded operating modes;
  • identification of single points of failure and internal and external dependencies;
  • evaluation of activity interruption impacts.

Article 37 - Risk analysis on activities and resources is guided by the business impact assessment and enables defining risk reduction plans for identified critical processes, activities and resources. Risk analysis is updated at each significant change in the institution's organization, particularly with the creation of new sites or locations and during modification of existing infrastructure.

Section II - Orientation of the Business Continuity Strategy

Article 38 - Credit institutions define the methods and means enabling them to continue their activities in case of major disaster.

Article 39 - Effective business continuity arrangements rely on the following elements:

  • crisis management organization with a Business Continuity Plan Manager;
  • detailed, tested documentary system, widely distributed within the credit institution and regularly updated;
  • backup strategy established based on results of business impact analyses for the credit institution and financial system functioning, and periodically tested. Backup organization relies in particular on the creation of a remote alternative site located in an environment technically distinct from the initial environment;
  • rationalized human resource management;
  • tested technical backup solution covering continuity needs.

Article 40 - The choice of continuity strategy is the result of comparative analysis of possible business continuity management scenarios. These scenarios must be aligned with the institution's strategy pr