Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) by SEBI

Neelansh Gupta

30 May, 2019

On March 26, 2019, the Securities Exchange Board of India (SEBI) with the recommendation of Technical Advisory Committee (TAC), has issued guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) of Market Infrastructure Institutions (MIIs). Previously, SEBI had issued prescribed business continuity and, disaster recovery framework for stock exchanges and depositories in 2012. Further, the new guidelines develop and expand these.

Now let’s go ahead and try to widen the horizon of this latest guideline.

Background of Business Continuity Plan and Disaster Recovery Plan

While most of the Indian companies look at a DR/BCP implementation and audits internally, they may not consider business continuity management (BCM). In India, there is a very positive trend in the market as more and more companies are looking for BCM implementation.

One of the first Indian companies to implement a full-fledged BCM was the National Stock Exchange (NSE) in 1997. National Securities Depository Limited (NSDL) was yet another early entrant to BCM practices in India. The implementations at these organisations have matured over a while. Once an organisation is confident of its application, the next step is to commence internal and external business continuity audits.

What is Business Continuity Planning Audit?

A business continuity planning (BCP) audit helps:

• Organisations define policies and provide remedial recommendations to tackle disasters.
• The BCP audit brings transparency to organisational management of internal systems and processes.
• It enables organisations to handle the risks on account of known and unexpected disasters.
• It will assess your organisation’s capabilities to recover and resume activities in case of an incident.

In India, both SEBI and RBI have mandated BCP and DR. As a result, all major Indian financial institutions are already compliant.

What are the best practices for BCP Audit?

Note down the following best practices for BCP Audit:

• Appoint a Single Point of Contact for the continuity of business
• Set up standard operating procedures
• Use a phased approach at the time of conducting the audit
• Try to raise awareness in the organisation
• Develop the scope for business continuity audit and follow the standards
• Select the right auditors

Latest Circular on Business Continuity Plan and Disaster Recovery Plan

You can read the complete circular here

Key Highlights related to guidelines on Business Continuity and Disaster Recovery Plan

One of the main reason to introduce these guidelines is the advancement in ‘technology and improved automation of processes in terms of transitioning time, wherein the operations can be moved from the Primary Data Centre (PDC) to the DRS.

• SEBI had advised all Market Infrastructure Institutions (MIIs), the stock exchanges, clearing corporations and depositories to have in place a business continuity plan (BCP) and disaster recovery sites (DRS) to maintain data and transaction integrity.
• The depositories should also ensure zero data loss by adopting a suitable mechanism.
• The institutions are required to have Recovery Time Objective and Recovery Point Objective of not more than 4 hours and 30 minutes
• The DRS should preferably be set up in the different seismic zone and in the case due to certain reasons such as operational constraints, change of seismic zones, etc, the minimum distance of 500 kilometres will be ensured between the primary data centre (PDC) and DRS.
• The regulator said the work force deployed at DRS should be sufficient in number and should have the same expertise as available at PDC in terms of knowledge and awareness of various technological and procedural systems and processes relating to all operations such that DRS/NS can function at short notice, independently.
• MIIs should try to develop systems that do not require configuration changes at the end of trading members/ clearing members/ depository participants for the switchover from the PDC to DRS.
• They should further test such switchover functionality by conducting unannounced 2-day live trading session from its DRS, which would help to gauge the state of readiness of various other processes and procedure relating to business continuity and disaster recovery that may not get tested in a planned exercise.
• Live trading sessions from DR site shall be scheduled for at least two consecutive days in every six months, on normal working days. 
• The results and observations of these drills should be documented and placed before the governing board of stock exchanges/ clearing corporations/ depositories.

Conclusion

Businesses are increasingly looking at ways to protect their business and critical data. Disaster Recovery (DR) solutions work successfully and efficiently to help achieve this. Disaster Recovery Management (DRM) at the end of the day is not about information technology but a management driven business process. On the other hand, business continuity planning (BCP) or business continuity management (BCM) helps in identifying those critical parts of an organisation that cannot afford to suffer a loss, viz., data and information. Moreover, the guidelines seem to be robust and encouraging for the Indian Organisations.

For more information related to the drafting of Business Plan policies and the information related thereto, kindly contact the team of experts at Enterslice.