In accordance with COBAC Regulation R-2008/01 requiring credit institutions to prepare a business continuity plan, in order to define and implement a plan of measures aimed at preventing or minimizing major losses and thus reduce the extent of residual risks to be covered in the business continuity plan, credit institutions identify their areas of weakness through audits and inspections.
Credit institutions define the mapping and scenarios of losses to be taken into account in their business continuity plan. To this end, they must;
– Identify the activities that are essential to the survival of the credit institution or the proper functioning of the financial system;
– Identify the threats to these activities that could cause them to be discontinued;
– Assess the probability of occurrence and the potential impact of each risk (loss assessment scale, loss impact assessment grid, risk and loss typology);
– Define the risk management strategy for each characterized risk;
– define the assumptions for the development of their business continuity plan, taking into account the scope of the loss scenarios.
The loss map must be updated regularly, in particular when each major change in the life of the institution occurs.
Credit institutions determine the impact of potential losses on their activities and on the functioning of the banking system and specify a business continuity strategy that takes into account the issues identified.
The business impact assessment is based on:
– The identification and classification of critical activities and functions as well as the risks that touch on each critical activity or function;
– The validation of recovery or continuity objectives for each critical activity or function;
– Determination of the processes and key resources related to the critical activities and functions to deduce the degraded modes of operation;
– Identification of single points of failure and internal and external dependencies;
– Assessing the impact of business interruption.
The analysis of risks to activities and resources is guided by the business impact assessment and allows the definition of risk reduction plans for the processes, activities and resources identified as critical.
The risk analysis is updated whenever there is a significant change in the organization notably when new sites or locations are created and when the existing infrastructure is modified.