Questionnaire Survey on Business Continuity Management
(December 2006)
July 27, 2007
Financial Systems and Bank Examination Department
Bank of Japan
Introduction
- The Bank of Japan conducted the third Questionnaire Survey on Business Continuity Management, following the previous surveys in 2002 and 2004.
- The respondents were 84 financial institutions that have current accounts at the Bank with a large volume of transactions in payment and settlement systems.
- The objectives of the survey were to grasp the respondents' current situation and to use the survey results as a basis for the Bank to extensively discuss business continuity issues with financial institutions.
- Taking account of the survey results, the Bank intends to further discuss the issues with financial institutions on such occasions as on-site examinations and off-site monitoring and strengthen cooperation with them, to enhance the overall business continuity capability of the Japanese financial system.
Key Findings
A. Framework for Developing Business Continuity Management (BCM)
- 76 percent of all the respondents answered that they "have established BCM," up from 67 percent in the previous survey in 2004 (see IV. A. 1.).
- 76 percent of the respondents answered that they "have established a business continuity plan (BCP) control section, and the officer in charge is an executive." However, only 54 percent of the respondents answered that their "BCP control sections review BCPs developed by each section in charge and also review their overall consistency" (see IV. A. 3.).
B. Business Continuity Planning
1. Assumptions and Conditions for Business Continuity Planning
- 90 percent of the respondents answered that they "have specified disaster scenarios," and 81 percent of the respondents answered that they "have made a business impact analysis of disaster scenarios" (see IV. B. 1. a.).
- A wider range of potential threats was envisaged in disaster scenarios than in the previous surveys. As for BCPs for new types of pandemics, however, only 20 percent of the respondents answered that they "have formulated relevant BCPs and ensured necessary resources" (see IV. B. 1. b. and c.).
- As disaster scenarios for operational disruptions, 90 percent of the respondents answered that "computer systems fail, and operations are continued by a back-up system," and 75 percent of the respondents answered that "computer systems fail, and operations are continued manually." Meanwhile, only 45 percent of the respondents answered that "areas become inaccessible due to wide-area disasters or administrative measures to limit entry" (see IV. B. 1. d.).
- 90 percent of the respondents answered that they "have identified critical operations," up from 85 percent in the previous survey. However, 33 percent of the respondents answered that they "have identified but not regularly reviewed critical operations," and only 43 percent of the respondents answered that they "have set specific recovery time objectives for all critical operations" (see IV. B. 1. e. and g.).
2. Resources Necessary for Business Continuity
- 50 percent of the respondents answered either that they "have made estimates for staff arrangements but have not appointed critical staff" or "need to make estimates for staff arrangements" (see IV. B. 2. a.).
- 88 percent of the respondents answered that they "have established" a back-up computer center, and 76 percent of the respondents answered that they "have established" a back-up office (see IV. B. 2. b.).
- 38 percent of the respondents answered that "90 percent or more" of critical operations are covered by their back-up offices, and 43 percent of the respondents answered that "90 percent or more" of critical operations are covered by their back-up computer centers (see IV. B. 2. c.).
3. Recovery Time Objectives for the Most Critical Operations
- 65 percent of the respondents answered that they set recovery time objectives of "within 4 hours" for the most critical operations (see IV. B. 3.).
4. Back-Up Arrangements for Critical Operations
- 64 percent of the respondents answered that "processing capacity of a back-up system is equal to that of a main system" (see IV. B. 4. c.).
- However, only 51 percent of the respondents answered that they "have estimated the time for both data mirroring and data updating and have also examined the compatibility with BCPs" in relation to starting up back-up systems (see IV. B. 4. b.).
5. Decision-making Procedures and Communication Arrangements for BCP Implementation
- 80 percent of the respondents answered that they "have established" "management systems that ensure the smooth delegation of authority when contact with top management or division heads is not possible" and "ways to contact important external parties such as payment and settlement institutions, outside service providers, and major clients." Meanwhile, only 49 percent of the respondents answered that they "have established" "contact points and ways to contact important external parties when the parties invoke their BCPs" (see IV. B. 5.).
6. Manuals for BCP Implementation
- Only 26 percent of the respondents answered that they "have prepared manuals for all procedures of critical operations, including follow-up data input and manual operations" (see IV. B. 6. a.).
C. Exercises and Reviews of BCPs
- 88 percent of the respondents answered that they "conduct exercises on a regular basis." However, only 39 percent of the respondents answered that they "conduct exercises for all of critical operations" (see IV. C. 1. b. and c.).
- 81 percent of the respondents answered that they "conduct exercises using computer systems and equipment that are to be actually used when BCPs are invoked." The most commonly conducted exercises are "communication in emergency" and "switch-overs to a back-up computer center with only computer staff involved." Meanwhile, only 32 percent of the respondents answered that they conduct "switch-overs to a back-up computer center with branch offices involved as well," and only 23 percent answered that they conduct "input of unsettled transaction records while switching over to a back-up computer center" (see IV. C. 1. d. and f.).
- 58 percent of the respondents answered that they "have assessed the attainability of recovery time objectives, identified challenges, reported to management, and reviewed BCPs as appropriate" (see IV. C. 2.).
- 99 percent of the respondents answered that they "have participated in joint exercises" organized by other financial institutions, and 96 percent of the respondents affirmed the need to enhance joint exercises (see IV. C. 3. a. and b.).
D. Overall Assessment
- Only 14 percent of the respondents answered that "feasibility of business continuity has been secured," whereas 62 percent of the respondents answered that "feasibility of business continuity has been mostly secured although some uncertainties remain" (see IV. D. 1.).
- As for critical issues to be addressed, 65 percent of the respondents answered that they should "expand or refine BCPs," and 49 percent of the respondents answered that they should "improve back-up facilities" (see IV. D. 2.).
Notice
Please contact the Financial Systems and Bank Examination Department at the address below in advance to request permission when reproducing or copying the content of this report for commercial purposes.
Please credit the source when reproducing or copying the content of this report.
Financial Systems and Bank Examination Department, Bank of Japan
C.P.O. Box 203, Tokyo 100-8630, Japan
For further information about this survey, please contact:
Hiroyoshi Yamazaki (Mr.) or Minoru Shiraishi (Mr.),
Examination of Computer System Risk, Financial Systems and Bank Examination Department
Tel: +81-3-3664-4333