Commercial Bank Information Technology Risk Management Guidelines (English Version)

and corrective maintenance records) is necessary for effective facility and equipment maintenance.

Article 49. Commercial banks should have an effective change management process in place to ensure integrity and reliability of the production environment. Commercial banks should develop a formal change management process.

Chapter VII Business Continuity Management

Article 50. Commercial banks should have in place appropriate arrangements, having regard to the nature, scale and complexity of their business, to ensure that they can continue to function and meet their regulatory obligations in the event of an unforeseen interruption. These arrangements should be regularly updated and tested to ensure their effectiveness.

Article 51. Commercial banks should consider the likelihood and impact of a disruption to the continuity of their operations from unexpected events. This should include assessing the disruptions to which they are particularly susceptible, including but not limited to:

(1) Loss or failure of internal and external resources (such as people, systems and other assets);

(2) The loss or corruption of their information; and

(3) External events (such as war, earthquake, typhoon, etc.).

Article 52. Commercial banks should act to reduce both the likelihood of disruptions (including through system resilience and dual processing) and the impact of disruptions (including through contingency arrangements and insurance).

Article 53. Commercial banks should document their strategy for maintaining continuity of their operations, and their plans for communicating and regularly testing the adequacy and effectiveness of this strategy. Commercial banks should establish:

(1) Formal business continuity plans that outline arrangements to reduce the impact of a short, medium and long-term disruption, including:

a) Resource requirements such as people, systems and other assets, and arrangements for obtaining these resources;

b) The recovery priorities for the commercial bank’s operations; and

c) Communication arrangements for internal and external concerned parties (including CBRC, clients and the press);

(2) Escalation and invocation plans that outline the processes for implementing the business continuity plans, together with relevant contact information;

(3) Processes to validate the integrity of information affected by the disruption;

(4) Processes to review and update (1) to (3) following changes to the commercial bank’s operations or risk profile.

Article 54. The final BCP plan and the annual drill results must be signed off by IT risk management, or the internal auditor, and the IT Steering Committee.

Chapter VIII Outsourcing

Article 55. Commercial banks cannot contract out their regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions.

Article 56. Commercial banks should take particular care to manage material outsourcing arrangements (such as the outsourcing of a data center, IT infrastructure, etc.), and should notify CBRC when they intend to enter into a material outsourcing arrangement.

Article 57. Before entering into, or significantly changing, an outsourcing arrangement, the commercial bank should:

(1) Analyze how the arrangement will fit with its organization and reporting structure, business strategy, overall risk profile, and ability to meet its regulatory obligations;

(2) Consider whether the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;

(3) Conduct appropriate due diligence on the service provider, covering its financial stability, expertise, risk assessment, facilities and ability to cover the potential liabilities;

(4) Consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and

(5) Consider any concentration risk implications, such as the business continuity implications that may arise if a single service provider is used by several firms.

Article 58. In negotiating its contract with a service provider, the commercial bank should have regard to (but not limited to):

(1) Reporting and negotiation requirements it may wish to impose on the service provider;

(2) Whether sufficient access will be available to its internal auditors, external auditors and banking regulators;

(3) Information ownership rights, confidentiality agreements and firewalls to protect client and other information (including arrangements at the termination of the contract);

(4) The adequacy of any guarantees and indemnities;

(5) The extent to which the service provider must comply with the commercial bank’s policies and procedures covering IT risk;

(6) The extent to which the service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;

(7) The need for continued availability of software following difficulty at a third-party supplier;

(8) The processes for making changes to the outsourcing arrangement and the conditions under which the commercial bank or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
