Circular 20/2023 on Business Continuity Planning for Emergencies

[Image of Central Bank of Libya Logo]

Central Bank of Libya P.O. Box 1103, Telegram Address: MasrafLibya - Tripoli, Libya

Reference: A.R.M.N No. 804 Circular A.R.M.N No. (20/2023) Date: 7 Dhu al-Hijjah 1444 (Hijri) Corresponding Date: June 25, 2023

To: Chairmen of the Boards of Directors of Banks

Subject: Business Continuity in the Face of Emergencies

---

Based on the provisions of Law No. (1) of 2005 concerning Banks and its amendments, and on the supervisory and regulatory role exercised by the Central Bank of Libya over banks.

And with reference to Circular A.R.M.N No. (2010/13), through which the Central Bank of Libya Board of Directors issued Resolution No. (20) of 2010, concerning the Corporate Governance Guide for Banks.

And with reference to Circular A.R.M.N No. (2022/8), concerning Principle No. 15 for activating the risk management process emanating from the Basel Committee on Banking Supervision.

Therefore, we attach to you this Circular the Business Continuity Plan Guide for Emergencies, to establish a strategy for business recovery in case the bank experiences any event that prevents it from operating normally, while continuously verifying the plan's security to ensure its viability and non-violation, and guaranteeing unauthorized access to information is prevented during and after any event. The bank shall provide this Administration with its Business Continuity Plan within a maximum of three months from the date hereof.

Peace be upon you,

[Signature] Naji Mohammed Eissa Director of the Banking and Currency Supervision Department

Copy to: Mr. / The Governor Mr. / Deputy Director of the Banking and Currency Supervision Department for Office Supervision and Compliance Monitoring Mr. / Deputy Director of the Banking and Currency Supervision Department for Inspection Affairs Mr. / Deputy Director of the Banking and Currency Supervision Department for Islamic Banking Affairs The Banking Supervision Department, Benghazi The Bank Compliance Department Managers (for follow-up) The Bank Risk Management Department Managers

---

Banking and Currency Supervision Department

Business Continuity in the Face of Emergencies

Business continuity management in the financial and banking sector is a key priority for the Central Bank of Libya, forming an important component in operational risk management and a significant part of the core business continuity principles issued by the Basel Committee on Banking Supervision. Business continuity management is defined as the set of policies, standards, and procedures used to operate and rehabilitate business operations upon a process stoppage, aimed at reducing risks. It includes a comprehensive approach with policies, standards, and procedures to ensure the maintenance or timely recovery of specific operations in case of disruption. This is because financial and banking institutions now feature numerous products and services provided through interdependent and complex systems. The stoppage of any such system disrupts others, a phenomenon known as interdependency among supporting systems. Natural and unnatural disasters causing sudden business interruptions may lead to significant losses for the Libyan financial sector.

Key Elements of Business Continuity Management:

Business Continuity Plan: Provides detailed guidelines for implementing the recovery strategy and distributing roles and responsibilities to manage operational disruptions, along with clear guidance regarding succession of authority in case of a disruption affecting key personnel. Additionally, decision-making authority is clearly defined, along with the conditions required to activate the institution's business continuity plan. Business continuity management also includes how sensitive information is stored and recovered during crises, ensuring the institution avoids collapse or operational halt during natural disasters, sabotage, or internal system failures due to viruses or other causes. This plan should be written and comprehensive, including the necessary systems and procedures to restart the institution upon operational stoppages.

Business Impact Analysis (BIA): Is the qualitative and quantitative identification and measurement of business impact or loss of banking operations in case of disruption. The analysis is used to determine recovery priorities,

Page 1 of 8

---

Banking and Currency Supervision Department

and determines the restart priorities for important departments, identifies key personnel, assists in shaping the business continuity plan, and determines the time required to resume normal operations within the financial institution. Through conducting the analysis, a financial institution can achieve the following results:

• Identifying interdependent departments and units at the institutional level and external entities, ranking them by impact.
• Determining the risk ratio for each department and unit within the financial institution, and ranking business recovery priorities according to the importance of the department or unit.
• Determining the risk tolerance capacity of the financial institution resulting from business stoppages.
• Determining whether the business recovery strategy and plans are sufficient, identifying weaknesses, and addressing them.

Recovery Strategy: In this stage, recovery objectives and priorities are determined based on the Business Impact Analysis. Among other things, the minimum services the organization aims to provide in case of disruption and for ultimately resuming commercial operations are also defined. Embedding the Business Continuity Management Principle in the Institution's Mindset: Establishing the principle of developing business continuity is important, as it supports, motivates, and enhances the efficiency and readiness of employees at all levels within the institution. This is achieved through continuous support, training, and emphasizing the principle's importance.

Principles Issued by the Basel Committee on Banking Supervision: The principles issued by the Basel Committee in collaboration with the International Organization of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS), regarding business continuity requirements for financial and banking institutions, include seven principles. The first six are applied through cooperation between regulatory authorities and financial/banking institutions regarding planning and preparing to build business continuity plans, while the seventh principle pertains to regulatory authorities' responsibilities in supervising and monitoring the implementation of business continuity plans by these institutions. These principles were prepared to serve as a guideline for financial institutions

Page 2 of 8

---

Banking and Currency Supervision Department

to establish effective business continuity management, without replacing other arrangements deemed important and appropriate by the Central Bank of Libya or financial institutions in preparing and managing business continuity plans. The seven principles mentioned below aim to support the efforts of international institutions and the Central Bank of Libya in enhancing the resilience of the Libyan financial system upon operational stoppages. These principles rely on traditional concepts of effective business continuity management as follows:

Principle One: Board of Directors and Senior Management Responsibilities: Financial institutions must follow effective and comprehensive approaches in managing business continuity. The Board of Directors and senior executive management of any institution are responsible for the business continuity of that institution through the following responsibilities:

• Developing appropriate policies for business continuity management, including redefining priorities and resources, and identifying responsibilities related to business continuity management upon any operational stoppage.
• Establishing an organizational structure that clarifies the roles, responsibilities, and authorities required for operations, and ensuring the existence of a qualified workforce capable of preparing and developing business continuity plans.
• Management must create and strengthen an organizational culture that prioritizes business continuity. This message should be reinforced by providing sufficient funding and human resources to implement and support the organization's approach to business continuity management.
• Periodically reviewing emergency plans and updating them as needed.
• Enhancing resilience and continuity in the event of operational disruptions. The Board of Directors and senior management must also recognize that outsourcing bank operations does not transfer related responsibilities to the service provider.
• Implementing a reporting framework to the Central Bank of Libya, the Board of Directors, and senior management regarding business continuity matters, incident reports, test results, and related action plans to enhance organizational resilience or the ability to recover specific operations.

Page 3 of 8

---

Banking and Currency Supervision Department

Principle Two: Operational Stoppage Events: Financial institutions under the supervision of the Central Bank of Libya must identify and embody risks resulting from operational stoppages in the form of business continuity plans. Sound post-stoppage recovery plans must be established through conducting a Business Impact Analysis and setting appropriate recovery objectives, given the potential constraints on accessing resources needed for full operational recovery. Furthermore, financial institutions must review the adequacy of their recovery arrangements according to the following key points:

• It is essential for the financial institution to exercise caution in selecting an alternative operational site during emergencies, located sufficiently far from the main operational site, as this reduces the severity of risks that might affect both sites due to exposure to the same event.
• The institution must ensure the adequacy of information regarding the alternative site, equipment, and necessary systems to recover important operations and maintain them for a sufficient period in case the main site suffers significant damage.
• The institution must provide a well-trained and experienced human resource capable and ready for recovery, as well as providing an operational guide that assists the bank in setting recovery objectives commensurate with the risk level caused by this operational stoppage.
• An electronic storage unit capable of accommodating all the bank's operations should be established and transportable in case of emergencies.

Page 4 of 8

---

Banking and Currency Supervision Department

Principle Three: Operational Recovery Objectives: Financial and banking institutions must establish and develop operational recovery objectives in cases of operational stoppages, which reflect the risks they cause regarding operations within the financial and banking system as a whole. The financial institution must set recovery objectives in a manner commensurate with the risks they pose to the functioning of the financial system. The institution's specific recovery objectives are determined by the Board of Directors and senior management. Recovery objectives must specify expected recovery levels and the estimated time to recover each activity. Although these conditions may not be achievable under all circumstances, they provide financial sector stakeholders with benchmarks to test the effectiveness of their business continuity management. They also offer them certain assurances.

Page 5 of 8

---

Banking and Currency Supervision Department

Principle Four: Local-Level Communications: The business continuity plan for financial and banking institutions must include procedures to facilitate communication with the institution's departments and branches, as well as communication with relevant external parties in case of operational stoppages. The procedures are implemented as follows:

• Identifying personnel responsible for communicating with employees and various external stakeholders. This group may include senior management, administrative staff, the legal department, compliance department, and employees responsible for continuity procedures at the bank. This group must be able to communicate with all relevant parties, in addition to establishing protocols and taking comprehensive communication measures during emergencies.
• Continuously updating communication networks and obtaining the latest technological means for communications, while continuing periodic tests to ensure their capability and effectiveness in facilitating communication among all relevant parties at the appropriate time.
• Conducting communication under the most difficult conditions, coordinated with telecommunications and information technology companies, as well as renewing communication means with the latest technologies and ensuring their effectiveness among all relevant parties.

Page 6 of 8

---

Banking and Currency Supervision Department

Principle Five: External-Level Communications: Due to the increasing interconnectivity among cross-border financial and banking institutions, major operational disruptions may affect subsidiaries or branches outside national borders. Addressing disruptions beyond the local level presents an additional challenge. Although local communication procedures may be reasonably defined in the business continuity plans of many financial institutions, special attention must be paid to preparing for internationally scoped disruptions. Communication protocols must be established and incorporated into business continuity plans to facilitate communications between local and international financial institutions at the global level, through arranging specific business continuity memorandums of understanding consisting of a set of principles and procedures for exchanging information, insights, and assessments. In addition, periodic discussions must be held between relevant banking and financial institutions at the international level to reach a shared understanding of events that may negatively impact the international financial system due to operational stoppages. It is worth noting that the Basel Committee maintains a list of contact representatives for banking supervisors in all countries.

Page 7 of 8

---

Banking and Currency Supervision Department

Principle Six: Conducting Tests: Financial institutions must conduct tests on their business continuity plans, evaluate their effectiveness, and update business continuity management as needed. Conducting tests to assess the institution's ability to recover important operations is one of the most important elements of effective business continuity management. It is appropriate that these tests are conducted periodically by determining the nature, type, and duration of the tests, through the reliability of applications and business functions, and through fundamental changes in the operations performed by the financial institution or its surrounding environment, determining the need to adjust the business continuity plan as a result of changes in operations, responsibilities, systems, software, hardware, employees, or the external environment. Furthermore, an independent party, such as the external auditor, must evaluate the effectiveness of the testing programs implemented by the financial institution and review the results Page 8 of 8

---

Banking and Currency Supervision Department

of the tests, prepare reports on the facts, and submit them to the Central Bank of Libya and senior management/the Board of Directors.

Principle Seven: Regulatory Authorities' Review of Business Continuity Management: Procedures for reviewing financial institutions' business continuity plans must be incorporated into the regulatory authority's evaluation procedures for supervised institutions. Therefore, financial and banking institutions under the supervision of the Central Bank of Libya must develop and apply effective business continuity management, ensuring it is continuously updated. Each bank must provide the Banking Supervision Department with a copy of its business continuity plan, along with notifying any future amendments to the plan. The business continuity plan for emergencies must be commensurate with the size of the financial institution, including its specific recovery objectives according to the volume and type of business conducted by the institution and the risks it poses to the financial system, whether as systemic or non-systemic institutions, as well as the effectiveness and efficiency of the testing program for business continuity plans.

Steps for Planning Business Continuity in the Face of Emergencies:

Stage One: Analysis: In this stage, impacts are analyzed and needs that support business continuity upon operational stoppages are identified. Events are determined, their impacts studied, and how to handle them extracted, along with lessons learned. The aim is to determine recovery priorities and establish the timeframe for recovering operations after they stop.

Stage Two: Solution Design Stage: Relies on the results of Step One (Analysis), where appropriate recovery plans are established, whether regarding testing alternative sites (e.g., whether the alternative site is in the same city or another). It also determines the communication method between them and the main site, and establishes necessary arrangements for communication systems that support business continuity.

Stage Three: Implementation of the Business Continuity Plan for Emergencies: After selecting solutions involving alternative sites and necessary arrangements, implementation occurs, which must be tested to ensure its integrity, compliance with actual execution requirements, and determination of its effectiveness.

Stage Four: Testing the Business Continuity Plan for Emergencies: In this stage, the plan is fully tested after determining a scenario representing an internal or external event affecting the institution's operations. After conducting the test, the plan's effectiveness is determined; if it fails, the process returns to Stage One to identify and correct weaknesses that led to failure.

Stage Five: Plan Operation Monitoring and Updating Stage according to Developments: In conclusion, the importance of these guidelines has emerged particularly in recent times amid increasing natural disasters such as epidemics or sabotage acts. Undoubtedly, adherence to the principles will limit many risks that may affect the financial and banking sector in Libya, as well as reduce losses resulting from the stoppage of financial institutions' operations.

End,

Page 8 of 8