Prudential Standard No. 4 - Business Continuity Management

CENTRAL BANK OF SOLOMON ISLANDS

Financial System Regulations Department

Prudential Standard No. 4 Business Continuity Management

---

2

Contents

1. Introduction ................................................................................................................................. 3 General stipulations ........................................................................................................................ 3 Objectives and key requirements ................................................................................................... 3 Applicability .................................................................................................................................. 3 Enforcement and corrective measures ........................................................................................... 3 References ...................................................................................................................................... 4 Effective Date ................................................................................................................................ 4
2. Definition of terms ..................................................................................................................... 6
3. The role of the Board and senior management ........................................................................... 7
4. Business Continuity Management .............................................................................................. 7
5. BCM Policy ................................................................................................................................ 8
6. Business Impact Analysis ........................................................................................................... 8
7. Recovery objectives and strategies ............................................................................................. 8
8. Business Continuity Plan ........................................................................................................... 8
9. Review and testing of BCP ........................................................................................................ 9
10. Audit arrangements ................................................................................................................... 9

---

3

1. Introduction

General stipulations

1. This Prudential Standard (PS) forms part of the Central Bank of Solomon Islands (CBSI) standards governing the conduct of Licensed Financial Institutions in Solomon Islands.

2. The requirements in this PS are specified pursuant to section 8 of the Financial Institution Act 1998 (the Act) as amended, to ensure that a Licensed Financial Institution (FI) effectively establishes and operates a sound framework for managing business continuity.

3. Part III of the Financial Institutions Act 1998 states that in determining whether or not an FI carries on its business in a prudent manner, the CBSI shall have regard to internal controls and risk management and such other matters as the CBSI considers relevant.

Objectives and key requirements

4. This PS establishes the CBSI's minimum requirements for the establishment and operation of an effective business continuity management within all licensed entities.

5. This PS requires each FI to implement a whole-of-business approach to business continuity management that is appropriate to the size and complexity of its operations. Business continuity management increases resilience to business disruption arising from internal and external events and may reduce the impact on the FI's reputation, profitability and depositors.

Applicability

6. The PS is applicable to Financial Institutions licensed by the CBSI under the Act. Notwithstanding that an FI may meet these Standards, the CBSI may by order direct the FI to take specific actions with regards to its business continuity management framework.

Enforcement and corrective measures

7. A FI which fails to comply with the requirements contained in this PS, or which submits reports to the CBSI which are materially inaccurate will be considered as following unsound and unsafe practices as provided in Section 16 (1) (a) of the Act.

8. The CBSI may pursue any or all corrective measures as provided in Section 16 of the Act to enforce the provisions of this PS including:

---

4

a) issuance of an order to cease and desist from the unsound and unsafe practices; and b) action to replace or strengthen the management of the FI.

References

9. This PS should be specifically applied in conjunction with the following related PS’s: a) PS Governance (No. 1) b) PS Risk Management (No. 2) c) ...

Effective Date

The effective date of this Prudential Standard is 30th December 2024. Issued this 28th day of June, 2024

[Signature]

Luke Forau, PhD, Governor Central Bank of Solomon Islands

---

5

Abbreviations

BIA – Business Impact Analysis

BCM – Business Continuity Management

BCP – Business Continuity Plan

CBSI – Central FI of Solomon Islands

FI – Licensed Financial Institution

PS- Prudential Standard

SI – Solomon Islands

---

6

2. Definition of terms

10. “Business continuity management” – a whole-of-business approach that includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimize the operational, financial, legal, reputational and other material consequences arising from a disruption.

11. “Business impact analysis” – a dynamic process for identifying critical operations and services, key internal and external dependencies and appropriate resilience levels. It assesses the risks and potential impact of various disruption scenarios on a FI’s operations and reputation.

12. “Recovery strategy” – sets out recovery objectives and priorities that are based on the business impact analysis. Among other things, it establishes targets for the level of service the FI would seek to deliver in the event of a disruption and the framework for ultimately resuming business operations.

13. “Business continuity plan” – detailed guidance for implementing the recovery strategy. They establish the roles and allocate responsibilities for managing operational disruptions and provide clear guidance regarding the succession of authority in the event of a disruption that disables key personnel. They also clearly set out the decision-making authority and define the triggers for invoking the plan.

14. “Critical business operations” – the business functions, resources and infrastructure that may, if disrupted, have a material impact on the FI’s business functions, reputation or profitability, and as such depositors’ interests.

15. “Business disruption” – any interruption to normal business working conditions that may have a material impact on the FI’s business functions, reputation or profitability, and as such depositors’ interests.

---

7

3. The role of the Board and senior management

16. A FI must identify, measure, monitor and control potential business continuity risks to ensure that it can meet its financial obligations to its depositors.

17. A FI’s Board and senior management are collectively responsible for the FI’s business continuity.

18. The Board must approve the FI’s Business Continuity Management Policy (BCM Policy).

19. BCM should be an integral part of the overall risk management program of a FI.

20. The Board must ensure that the FI’s business continuity risks and controls are considered as part of its overall risk management systems and when completing a risk management declaration required to be provided to CBSI¹.

4. Business Continuity Management

21. BCM is a whole-of-business approach that includes policies, standards and procedures for ensuring that critical business operations are maintained or recovered in a timely fashion, in the event of a disruption. Its purpose is to minimize the financial, legal, regulatory, reputational and other material consequences arising from a disruption.

22. A FI’s BCM must, at a minimum, include: a) a BCM Policy in accordance with paragraphs 8 and 9; b) a business impact analysis (BIA) including risk assessment in accordance with paragraphs 23 and 24; c) recovery objectives and strategies; in accordance with paragraphs 27 and 28; d) a business continuity plan (BCP) including crisis management and recovery in accordance with paragraphs 29 to 32; and e) programs for: (i) review and testing of the BCP in accordance with paragraph 18; and (ii) training and ensuring awareness of staff in relation to BCM.

---

¹ Refer to requirements in Risk Management Prudential Standard

---

8

5. BCM Policy

23. A FI must have an up-to-date documented BCM Policy that sets out its objectives and approach in relation to BCM.

24. The BCM Policy must clearly state the roles, responsibilities and authorities to act in relation to the BCM Policy.

6. Business Impact Analysis

25. A BIA involves identifying all critical business functions, resources and infrastructure of the FI and assessing the impact of a disruption on these.

26. When conducting the BIA, the FI must consider: a) plausible disruption scenarios over varying periods of time; b) the period of time for which the FI could not operate without each of its critical business operations; c) the extent to which a disruption to the critical business operations might have a material impact on the interests of depositors of the FI; and d) the financial, legal, regulatory and reputational impact of a disruption to a FI’s critical business operations over varying periods of time.

7. Recovery objectives and strategies

27. Recovery objectives are pre-defined goals for recovering critical business operations to a specified level of service (recovery level) within a defined period (recovery time) following a disruption.

28. A FI must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA and the size and complexity of the FI.

8. Business Continuity Plan

29. An FI must maintain at all times a documented BCP that meets the objectives of the BCM Policy.

---

9

30. A copy of the Plan must be maintained at an off-site location readily available in the event of a disruption.

31. The BCP must document procedures and information that enable the FI to: a) manage an initial business disruption (crisis management); and b) recover critical business operations.

32. The BCP must reflect the specific requirements of the FI and must identify: a) critical business operations; b) recovery levels and time targets for each critical business operation; c) recovery strategies for each critical business operation; d) infrastructure and resources required to implement the BCP; e) roles, responsibilities and authorities to act in relation to the BCP; and f) communication plans with staff and external stakeholders.

9. Review and testing of BCP

33. A FI must review and test its BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management.

34. The BCP must be amended to fix any problems or issues identified as part of the review and testing required under paragraphs 20 and 21.

10. Audit arrangements

35. A FI’s internal audit function, or an external expert, must periodically review the BCP and provide an assurance to the Board or to delegated management that: a) the BCP is in accordance with the FI’s BCM Policy and addresses the risks it is designed to control; and b) testing procedures are adequate and have been conducted satisfactorily.

36. The CBSI may request the external auditor of the FI, or another appropriate external expert, to provide an assessment of the FI’s BCM arrangements. Any such report must be paid for by the FI and must be made available to the CBSI.