3.6. Business continuity
3.6.1. General expectations
Clear, up-to-date and appropriately tested business continuity planning to address the continuity of critical services is key to safeguarding the operational resilience of financial institutions. In particular, financial institutions may:
- Implement, maintain and regularly test business continuity plans to anticipate, withstand, respond to, and recover from the disruption or failure of critical services; and
- Seek to ensure that their relationships with third-party service providers commit them to:
• Implement appropriate business continuity plans (and other relevant plans such as contingency plans, disaster recovery plans and incident response plans) covering critical services they provide to the financial institution;
• Regularly test these plans and share the results, including lessons learnt, vulnerabilities and remediation actions; and
• Support the testing of financial institutions' business continuity plans as appropriate.
Both financial institutions' and third-party service providers' business continuity plans may incorporate business impact analyses (BIA), recovery strategies, testing programmes, awareness and training programmes, and communication and crisis management programmes.
Business continuity plans should be distinguished from exit plans examined in the next section, which are a distinct process with different objective. However, some business continuity plans may include an exit from the third-party service relationship where feasible, practicable and usually as a measure of last resort.