Tasks and duties of the Business Continuity Manager
Requirements for emergency management from the ICT Guidelines have been implemented in the newly worded section AT 7.3 of MaRisk. Risk analyses must first be carried out for all time-critical activities and processes identified in an impact analysis. The emergency concept must show which substitute solutions are available in a timely manner in the event of an emergency and how a return to normal operation is to proceed. An overview of all activities and processes (e.g. in the form of a process map) serves as the basis for this. The effectiveness and appropriateness of the emergency concept must be reviewed regularly.
With the course Tasks and Duties of the Business Continuity Manager, you will learn the following professional skills for a sound, audit-proof implementation of MaRisk and BAIT:
#1 Tasks and duties of the business continuity manager
#2 Business impact analyses and risk impact analyses
#3 Ongoing monitoring duties of the business continuity manager
# Target group for the seminar Tasks and Duties of the Business Continuity Manager:
# Board members and managing directors at banks, financial service providers, investment and fund companies, leasing and factoring companies
# Managers and specialists from emergency management, outsourcing management, IT compliance, the compliance function and internal audit.
Get a head start with the Business Continuity Manager course:
Each participant receives the S+P Tool Box with the course:
+ Guidelines for BCM (approx. 30 pages)
+ Sample reporting for Business Continuity Managers
+ S+P Tool Risk Impact Analysis for greater audit security
#1 Tasks and duties of the Business Continuity Manager
MaRisk AT 7.3: the significantly expanded range of BCM tasks:
o Objectives for emergency management and derivation of an emergency management process
o Emergency concept for time-critical activities and processes
o Determination of suitable measures for damage reduction
New reporting obligations: written reports to management on the status of emergency management at least quarterly and on an ad hoc basis
Emergency concept comprising business continuity and recovery plans
Outsourcing interface: the outsourcing institution and the service provider must have coordinated emergency concepts.
#2 Business Impact Analyses and Risk Impact Analyses
More stringent requirements for business impact analyses:
o Impact on activities and processes
o Type and extent of (im-)material damage
o Timing of the failure.
Risk impact analyses for the identified time-critical activities and processes:
o Identify and assess potential hazards.
o Carrying out the qualitatively more stringent risk analysis on the basis of uniform scoring criteria
Consideration of emergency scenarios
o (Partial) failure of a site (e.g. due to flood, major fire, area closure, access control failure)
o Significant failure of IT systems or communication infrastructure
o Loss of a critical number of employees
o Failure of service providers (e.g. suppliers, electricity providers)
#3 Ongoing monitoring obligations of the business continuity manager
MaRisk + BAIT: Requirements for monitoring and control activities
Benchmarks for monitoring and control activities and their implementation
Audit-proof assessment of impact and risk analyses
o The effectiveness and appropriateness of the emergency concept must be reviewed regularly.
o For time-critical activities and processes, effectiveness and appropriateness must be demonstrated for all relevant scenarios at least annually and on an ad hoc basis.
Reviews of the emergency concept shall be recorded.
o Results shall be analysed with regard to necessary improvements.
o The results are to be communicated in writing to the respective persons responsible.
This could also be of interest to you as a business continuity manager
MaRisk 6.0: Stricter requirements for emergency management. Requirements for emergency management from the ICT Guidelines have been implemented in the newly worded section AT 7.3.
Risk analyses must first be carried out for all time-critical activities and processes identified in the impact analysis. The emergency concept must show which substitute solutions are available in a timely manner in the event of an emergency and how a return to normal operation is to proceed.
An overview of all activities and processes (e.g. in the form of a process map) serves as the basis for this. The effectiveness and appropriateness of the emergency concept must be reviewed regularly.
#1 MaRisk 6.0: Stricter requirements for emergency management
Chapter AT 7.3 Emergency management is now worded as follows:
The institution shall define objectives for emergency management and, derived from these, establish an emergency management process. Precautions must be taken for emergencies affecting time-critical activities and processes (emergency concept). The measures defined in the emergency concept must be suitable for reducing the extent of possible damage. The emergency concept must be updated as required, reviewed annually to ensure that it is up to date, and communicated appropriately. Management must receive written reports on the status of emergency management at least quarterly and on an ad hoc basis.
The emergency concept must include business continuity and recovery plans. Business continuity plans must ensure that substitute solutions are available promptly in the event of an emergency. Recovery plans must allow for a return to normal operations within a reasonable period of time. Adequate internal and external communication must be ensured in the event of an emergency. Where time-critical activities and processes are outsourced, the outsourcing institution and the service provider to which they are outsourced must have coordinated emergency concepts.
The effectiveness and appropriateness of the emergency concept must be reviewed regularly. For time-critical activities and processes, this must be demonstrated for all relevant scenarios at least annually and on an ad hoc basis. Reviews of the emergency concept must be documented. The results must be analysed with regard to necessary improvements, the identified risks must be managed appropriately, and the results must be communicated in writing to the respective persons responsible.
MaRisk provides the following explanations on the stricter requirements for emergency management.
#2 Time-critical activities and processes
Time-critical activities and processes are those whose impairment for a defined period of time is expected to cause unacceptable damage to the institution.
In order to identify time-critical activities and processes, the supporting activities, processes, IT systems and other resources they require, and the potential threats to them, the institution conducts impact analyses and risk analyses. An overview of all activities and processes (e.g. in the form of a process map) serves as the basis for this.
#3 Impact analyses – MaRisk 6.0: Stricter requirements for emergency management
In business impact analyses, the consequences that an impairment of activities and processes can have for business operations are considered for graduated periods of time. The impact analyses should consider the following aspects, among others:
– Nature and extent of the (im)material damage.
– Impact of the timing of the failure on the damage (e.g. failure of payment transactions during peak business hours).
#4 Risk Analyses – Tasks and Duties of the Business Continuity Manager
In risk analyses (risk impact analyses) for the identified time-critical activities and processes, the potential hazards that could cause an impairment of these time-critical business processes are identified and evaluated.
#5 Emergency concept – tasks and duties of the business continuity manager
In the emergency concept, responsibilities, objectives and measures for the continuation or recovery of time-critical activities and processes are determined and criteria for the classification as well as for the triggering of the plans are defined.
#6 Emergency Scenarios – MaRisk 6.0: Stricter Requirements for Emergency Management
At least the following scenarios are taken into account:
– (Partial) failure of a location (e.g. due to flood, major fire, area closure, failure of access control)
– Significant failure of IT systems or communication infrastructure (e.g. due to errors or attacks)
– Loss of a critical number of employees (e.g. pandemic, food poisoning, strike)
– Failure of service providers (e.g. suppliers, electricity providers)
#7 Reviews of the emergency plan – tasks and duties of the business continuity manager
The frequency and scope of the reviews should generally be based on the hazard situation. Service providers should be involved appropriately. Reviews include, among other things:
– Testing of technical precautionary measures
– communication, crisis management and alerting exercises
– Emergency or full-scale exercises.
#8 What implementation deadlines apply to the New MaRisk 6.0?
The new version of MaRisk comes into force upon publication. There is a transition period until 31.12.2021 for the new requirements.
For the documentation requirement relating to the outsourcing register in AT 9 para. 14 MaRisk, this applies only insofar as the obligation to maintain an outsourcing register likewise applies as of 01.01.2022, when the FISG comes into force.
Otherwise, the date of first application of the specification of this requirement in MaRisk also follows the statute.
Different implementation deadlines apply to the adjustment of outsourcing agreements that already exist or are being negotiated.
A separate implementation period until 31 December 2022 is granted for this.
An adjustment of contractual relationships concluded on the basis of a public procurement procedure may be dispensed with, owing to the particular legal difficulties involved, insofar as these contracts are limited in time and must be re-awarded within the next five years. BaFin assumes that the new requirements will already be adequately taken into account in award procedures initiated from 01.01.2022.
Institutions with a high NPL portfolio must comply with the requirements of the NPE Guidelines immediately after the end of the transition period on 31 December 2021, provided that they have an NPL ratio greater than 5% on the two preceding quarterly reporting dates (30 September 2021 and 31 December 2021).
The first quarterly reporting date relevant for the classification as an institution with a high NPL ratio is therefore 30.09.2021.