Business continuity planning is a fundamental regulatory requirement for all licensed financial firms in Hong Kong. Both the SFC and IA expect firms to have comprehensive, tested, and regularly updated business continuity plans that ensure the firm can continue its critical operations during and after disruptive events. The lessons learned from recent global events, including pandemics, severe weather events, and cyber incidents, have further underscored the importance of robust BCP frameworks.
This guide provides a practical roadmap for developing, implementing, and maintaining a BCP that meets regulatory expectations while genuinely protecting your business operations.
1. Regulatory Requirements for BCP
SFC Requirements
The SFC requires licensed corporations to maintain adequate and effective business continuity plans as part of their internal control systems. Key regulatory references include:
- The Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC require firms to have a documented BCP covering all critical business functions
- The Code of Conduct requires licensed firms to organise and control their internal affairs responsibly, which encompasses business continuity preparedness
- The Circular to Licensed Corporations on Business Continuity Planning provides specific guidance on BCP expectations, including the need for regular testing and updating
- The SFC's cybersecurity guidelines include specific requirements for IT disaster recovery as part of the broader BCP framework
IA Requirements
The Insurance Authority similarly requires licensed insurance intermediaries to maintain business continuity plans. The IA's expectations include:
- BCP documentation covering continuity of policyholder services
- Plans for maintaining claims processing capabilities during disruptions
- Protection of policyholder data and records
- Communication plans for policyholders and insurers during incidents
2. Essential BCP Components
A comprehensive business continuity plan should include the following core components:
| Component | Description | Key Contents |
|---|---|---|
| Governance Structure | BCP ownership and management | BCP committee, roles, responsibilities, escalation procedures |
| Business Impact Analysis | Assessment of disruption impact | Critical functions, RTOs, RPOs, dependencies |
| Risk Assessment | Identification of threats | Threat catalogue, likelihood, impact, mitigation measures |
| Recovery Strategies | Plans for resuming operations | Alternative sites, remote working, manual procedures |
| IT Disaster Recovery | Technology recovery plans | System recovery, data restoration, failover procedures |
| Communication Plan | Stakeholder communications | Contact lists, notification procedures, templates |
| Testing Programme | Regular BCP validation | Test schedule, scenarios, results documentation |
3. Risk Assessment Methodology
An effective BCP begins with a thorough risk assessment that identifies the threats most likely to disrupt your operations. A structured risk assessment should consider:
Natural Disasters
- Typhoons and severe weather (particularly relevant in Hong Kong with Typhoon Signal No. 8 and above)
- Flooding, especially for ground-floor or basement server rooms
- Earthquakes (lower probability but should be considered)
Technology Failures
- Hardware failure (servers, networking equipment, storage)
- Software failures and system outages
- Cybersecurity incidents (ransomware, data breaches, DDoS attacks)
- Internet and telecommunications outages
- Power failures
Human-Related Disruptions
- Pandemic events affecting staff availability
- Loss of key personnel
- Labour disputes or staff shortages
- Civil unrest affecting access to premises
Third-Party Disruptions
- Failure of critical service providers (custodians, brokers, IT providers)
- Banking service disruptions
- Market infrastructure outages (exchange systems, clearing systems)
Each identified risk should be assessed for likelihood and potential impact, and prioritised accordingly. The risk assessment should be reviewed and updated at least annually or whenever there are significant changes to the business or its operating environment.
4. Critical Business Functions Identification
The Business Impact Analysis (BIA) is the foundation of your recovery planning. It identifies which business functions are critical and establishes recovery priorities. For each critical function, you should determine:
- Recovery Time Objective (RTO): The maximum acceptable time before the function must be restored. For trading firms, this may be hours; for advisory firms, it may be days.
- Recovery Point Objective (RPO): The maximum acceptable amount of data that can be lost, measured in time. This determines backup frequency.
- Minimum Resources Required: The minimum staff, systems, and facilities needed to operate the function at an acceptable level during recovery.
- Dependencies: Internal and external dependencies, including IT systems, third-party service providers, and other business units.
Typical critical functions for licensed financial firms include:
- Client order execution and trade processing
- Client money and asset safeguarding
- Regulatory reporting and compliance monitoring
- Financial Resources Rule (FRR) calculations and reporting
- Client communications and service
- Risk management and position monitoring
- Settlement and reconciliation
- IT systems and data integrity
5. Recovery Strategies
Based on the BIA results, develop appropriate recovery strategies for each critical function:
Workplace Recovery
- Remote Working: Ensure staff can work remotely with secure access to critical systems. This includes VPN infrastructure, remote desktop solutions, and secure communication tools.
- Alternative Site: Identify an alternative office location that can be activated if the primary site is unavailable. This could be a disaster recovery site, a partner's office, or a serviced office arrangement.
- Split Operations: Consider splitting critical teams across multiple locations to reduce single-point-of-failure risk.
Data and Systems Recovery
- Backup Strategy: Implement a robust backup strategy following the 3-2-1 rule (three copies of data, on two different media types, with one copy off-site)
- Cloud-Based Recovery: Consider cloud-based disaster recovery solutions that can provide rapid system restoration
- System Failover: For critical systems, implement failover capabilities that allow automatic switching to backup systems
Personnel Recovery
- Cross-Training: Ensure critical functions can be performed by more than one person through cross-training programmes
- Succession Planning: Identify successors for key personnel, including Responsible Officers and the compliance officer
- External Resources: Identify external resources (temporary staff, outsourced service providers) that can be mobilised during extended disruptions
6. IT Disaster Recovery
IT disaster recovery is a critical subset of the overall BCP. Given the technology-dependent nature of financial services, IT DR plans must be detailed and thoroughly tested:
- System Classification: Classify all IT systems by criticality (Tier 1: mission-critical, must be restored within hours; Tier 2: important, restore within 24 hours; Tier 3: necessary, restore within 72 hours)
- Recovery Procedures: Document detailed step-by-step recovery procedures for each critical system, including server configurations, application settings, and network requirements
- Backup Verification: Regularly verify backup integrity through test restores. Backups that have never been tested provide false assurance
- DR Site: Maintain a disaster recovery site (physical or cloud-based) with the necessary infrastructure to support critical system recovery
- Network Recovery: Plan for network recovery including internet connectivity, VPN access, and internal network restoration
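The backup checks above can be automated against a system inventory. The following is an added example, not part of the original guide: it audits each system against the 3-2-1 rule, its RPO, the Tier 2 and Tier 3 restore ceilings, and the annual restore test. The inventory layout, system names and sample values are constructed, and counting the live copy as one of the three copies is an assumption.

```python
from datetime import datetime, timedelta
# Tier 2/3 ceilings from the classification above; Tier 1 ("within hours") has no fixed number.
TIER_MAX_RTO_HOURS = {2: 24, 3: 72}
MAX_RESTORE_TEST_AGE = timedelta(days=365)  # IT DR test is listed as annual

def audit_system(s, now):
    """Return findings for one inventory entry (empty list = no gaps)."""
    findings = []
    copies = s["copies"]  # every copy of the data, live copy included (assumption)
    if len(copies) < 3:
        findings.append("3-2-1: fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        findings.append("3-2-1: fewer than two media types")
    if not any(c["offsite"] for c in copies):
        findings.append("3-2-1: no off-site copy")
    # RPO: age of the newest backup bounds the data lost (live copy has taken=None).
    taken = [c["taken"] for c in copies if c["taken"] is not None]
    if not taken or now - max(taken) > timedelta(hours=s["rpo_hours"]):
        findings.append("RPO: newest backup older than RPO")
    ceiling = TIER_MAX_RTO_HOURS.get(s["tier"])
    if ceiling is not None and s["rto_hours"] > ceiling:
        findings.append("RTO: exceeds tier ceiling")
    test = s["last_restore_test"]  # (when, hours the restore took) or None
    if test is None:
        findings.append("restore: never tested")
    else:
        if now - test[0] > MAX_RESTORE_TEST_AGE:
            findings.append("restore: last test over a year old")
        if test[1] > s["rto_hours"]:
            findings.append("restore: measured time exceeds RTO")
    return findings

def audit(inventory, now):
    return {s["name"]: audit_system(s, now) for s in inventory}

# Constructed sample inventory (hypothetical systems and values).
NOW = datetime(2024, 6, 1, 9, 0)
INVENTORY = [
    {"name": "order-management", "tier": 1, "rto_hours": 4, "rpo_hours": 1,
     "copies": [{"media": "san", "offsite": False, "taken": None},
                {"media": "disk", "offsite": False, "taken": NOW - timedelta(minutes=30)},
                {"media": "cloud", "offsite": True, "taken": NOW - timedelta(minutes=45)}],
     "last_restore_test": (NOW - timedelta(days=90), 3.0)},
    {"name": "client-records", "tier": 2, "rto_hours": 48, "rpo_hours": 24,
     "copies": [{"media": "disk", "offsite": False, "taken": None},
                {"media": "disk", "offsite": False, "taken": NOW - timedelta(hours=30)}],
     "last_restore_test": None},
]
for name, findings in audit(INVENTORY, NOW).items():
    print(name, findings or "OK")
```

The second entry fails every check, which is the pattern the guide describes as false assurance: backups exist, but they are on one medium, on-site, stale, and never restored.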
7. Communication Plans
Effective communication during a disruption is essential. Your communication plan should address:
- Internal Communications: How to notify and coordinate with staff during an incident, including out-of-hours contact procedures and status update mechanisms
- Regulatory Notifications: Procedures and templates for notifying the SFC or IA of significant disruptions. The SFC expects to be notified of material business disruptions as soon as practicable.
- Client Communications: How to inform clients about service disruptions, expected recovery times, and alternative contact methods
- Third-Party Notifications: Procedures for notifying critical service providers, counterparties, and business partners
- Media and Public Communications: If the disruption is significant enough to attract media attention, have pre-prepared statements and a designated spokesperson
Maintain up-to-date emergency contact lists for all key stakeholders, stored in multiple accessible locations (not solely on systems that may be affected by the disruption).
8. Pandemic Planning
The global pandemic experience has elevated pandemic planning from a theoretical exercise to a practical necessity. Your BCP should include specific pandemic provisions:
- Remote Working Readiness: Ensure all critical functions can be performed remotely with appropriate security controls
- Health and Safety Measures: Plans for implementing health screening, social distancing, sanitisation, and other protective measures in the workplace
- Staff Availability Planning: Plans for operating with significantly reduced staff levels (e.g., 50% or more staff absent)
- Technology Infrastructure: Ensure VPN capacity, collaboration tools, and communication systems can support large-scale remote working
- Regulatory Flexibility: Understand any regulatory accommodations that may be available during pandemic events and how to apply for them
- Phased Return: Plans for safely returning to normal office operations, including hybrid working arrangements
9. Testing and Review Schedule
A BCP that has never been tested is essentially a theoretical document. Both the SFC and IA expect firms to test their BCP regularly. A comprehensive testing programme should include:
| Test Type | Frequency | Description |
|---|---|---|
| Tabletop Exercise | Semi-annually | Walk-through of BCP scenarios with key staff to validate procedures and identify gaps |
| Communication Test | Quarterly | Test of emergency contact procedures and notification systems |
| IT DR Test | Annually | Full or partial restoration of critical systems from backups at the DR site |
| Remote Working Test | Semi-annually | Staff work remotely for a day to validate remote access and productivity |
| Full Simulation | Annually | Comprehensive simulation of a major disruption scenario, activating all BCP components |
After each test, document the results, identify lessons learned, and update the BCP accordingly. Test results should be reported to senior management and retained as evidence of testing for regulatory purposes.
10. Documentation Requirements
The BCP must be properly documented and maintained. Key documentation requirements include:
- Formal BCP document approved by senior management or the board
- Business Impact Analysis with RTOs and RPOs for each critical function
- Risk assessment with threat identification and mitigation measures
- Detailed recovery procedures for each critical function
- IT disaster recovery plan with system recovery procedures
- Emergency contact lists (regularly updated)
- Communication templates and procedures
- Testing schedule, results, and lessons learned
- BCP review and update log showing version history
- Staff training records related to BCP
11. Common Deficiencies
Based on regulatory inspection findings and our consulting experience, the most common BCP deficiencies include:
- Outdated Plans: BCPs that have not been reviewed or updated in over a year, containing outdated contact information, systems references, or procedures
- Insufficient Testing: Plans that have never been tested or are tested only with tabletop exercises without practical validation
- Generic Content: BCPs copied from templates without customisation to the firm's specific operations, systems, and risks
- Missing IT DR: Lack of detailed IT disaster recovery procedures, particularly backup verification and system restoration testing
- Incomplete BIA: Business impact analyses that fail to identify all critical functions or establish realistic RTOs and RPOs
- No Pandemic Planning: Despite recent experience, some firms still lack specific pandemic provisions in their BCP
- Poor Communication Plans: Inadequate communication procedures, outdated contact lists, or lack of pre-prepared communication templates
- Third-Party Gaps: Failure to consider the continuity plans of critical third-party service providers
12. Practical Template Guidance
When developing your BCP, structure it in a way that is practical and actionable during an actual disruption. Here is a recommended structure:
- Executive Summary: One-page overview of the BCP, including scope, key contacts, and activation criteria
- BCP Governance: Roles, responsibilities, and decision-making authority during a disruption
- Activation Procedures: Clear criteria for activating the BCP and step-by-step activation procedures
- Scenario-Based Response Plans: Specific response plans for the most likely disruption scenarios (e.g., loss of premises, IT failure, pandemic, cyber incident)
- Recovery Procedures: Detailed procedures for recovering each critical business function
- IT Disaster Recovery: Technical procedures for system and data recovery
- Communication Plans: Contact lists, notification procedures, and communication templates
- Appendices: Supporting documents including vendor contacts, system inventories, floor plans, and insurance information
Key Takeaway
The best BCP is one that is simple enough to follow under stress, comprehensive enough to address real threats, and regularly tested to ensure it actually works. Invest time in making your BCP practical and actionable rather than creating a lengthy document that no one can follow during an actual crisis.
"A business continuity plan is like insurance - you hope you never need it, but when you do, its quality determines whether your business survives. The firms that weathered recent disruptions most successfully were those that had invested in practical, tested, and up-to-date BCPs."