Business Continuity Management Guidelines Singapore

Financial institutions operating in Singapore face a critical compliance deadline approaching in June 2027. The Monetary Authority of Singapore's (MAS) revised Business Continuity Management Guidelines, issued in June 2022, represent the most comprehensive regulatory update to operational resilience requirements in nearly two decades. These guidelines shift the regulatory focus from internal risk management to customer-centric service delivery, a fundamental change that demands operational embedding, not just policy documentation.

This guide is for banks, insurers, capital market intermediaries, payment institutions, and other MAS-regulated financial institutions navigating Singapore's regulatory landscape. Foreign companies and multinationals entering Singapore's financial services market for the first time will find practical clarity on key requirements, audit obligations, governance expectations, and a step-by-step preparation roadmap.

We'll cover the core requirements of MAS BCM Guidelines, the mandatory audit cycle, board-level accountability, and how to build audit-ready resilience frameworks that meet regulatory expectations.

TLDR:

  • MAS issued revised BCM Guidelines on 6 June 2022; next independent audit deadline is June 2027 (every 3 years)
  • Financial institutions must adopt service-centric BCM, mapping end-to-end dependencies and setting measurable Service Recovery Time Objectives (SRTOs)
  • Third-party risk management and concentration risk mitigation are now mandatory requirements
  • Board and senior management hold ultimate accountability for BCM strategy, resource allocation, and audit remediation
  • Preparation should start in 2026 to avoid last-minute gaps and adverse audit findings

What Is BCM and How Does It Differ from BCP?

Before unpacking Singapore's regulatory requirements, it helps to be precise about what these two terms actually mean — and why conflating them creates compliance risk.

Business Continuity Management (BCM) is the overarching framework organizations use to prepare for, respond to, and recover from disruptions. It covers people, processes, technology, and facilities, ensuring critical business services are never permanently interrupted. BCM is a living discipline built on continuous risk assessment, plan development, testing, and improvement.

Business Continuity Plan (BCP) is a specific documented plan outlining recovery actions for identified disruption scenarios. It describes what to do when something goes wrong: who acts, when, and how.

The difference matters more than most organizations realize. As the BCI defines it, BCP is the plan; BCM is the program. One is a document. The other is the management system that governs how that document gets created, tested, and continuously improved.

| | BCM | BCP |
| --- | --- | --- |
| What it is | Ongoing management framework | Specific documented plan |
| Scope | People, processes, technology, facilities | Defined disruption scenarios |
| Nature | Living, continuously updated | Static until formally revised |
| Ownership | Senior leadership / governance | Operations / continuity teams |

In Singapore's regulatory context, this distinction is critical. MAS evaluates the entire BCM program — not just whether a BCP document exists. Financial institutions must demonstrate a living, embedded framework with measurable outcomes, regular testing, and documented improvement cycles. A plan that hasn't been tested or updated since it was written will not satisfy MAS scrutiny.


Overview of MAS BCM Guidelines (June 2022)

Regulatory Timeline and Compliance Deadlines

MAS issued the revised BCM Guidelines on 6 June 2022, superseding the original 2003 guidelines and 2006 circular. The compliance timeline was:

  • 12 months (by June 2023): Establish a BCM audit plan and meet new guideline requirements
  • 24 months (by June 2024): Complete the first independent BCM audit
  • Next audit cycle (by June 2027): Three years from the first audit deadline

For institutions that completed their first audit on schedule, the clock is already ticking toward June 2027.

Central Shift: From Internal Risk to Customer-First Resilience

The 2022 Guidelines mark a clear directional change. MAS shifted from an internally-focused risk management view to a service-centric, customer-first orientation. Financial institutions must now build BCM programs around ensuring uninterrupted delivery of critical business services to customers — not just protecting internal operations.

MAS explicitly stated: FIs should "adopt a service-centric approach through timely recovery of critical business services facing customers."

Which Entities Must Comply?

The guidelines apply to all MAS-regulated financial institutions, including:

  • Full banks, merchant banks, and finance companies
  • Direct insurers and reinsurers
  • Capital market service licensees and fund managers
  • Payment institutions
  • Financial advisers
  • Trust companies

Proportionality applies: the extent of implementation should be scaled to the institution's size, risk profile, and complexity.

Five Headline Changes Introduced by the 2022 Guidelines

  1. Customer service-centric BCM reframing — Recovery strategies must be designed around customer service continuity, not just internal operations resumption
  2. Introduction of Service Recovery Time Objectives (SRTOs) — Measurable targets for restoring disrupted services, informed by Business Impact Analysis
  3. Third-party risk management obligations — FIs must obtain contractual assurance that third-party providers can meet SRTO targets, with backup arrangements in place
  4. Mandatory independent BCM audits every 3 years — Qualified auditors must assess the entire BCM framework, not just documentation
  5. Enhanced crisis management and communications frameworks — Formal structures with predefined roles, responsibilities, and activation triggers — designed to engage before service degradation occurs

Additional changes include end-to-end dependency mapping and enhanced threat monitoring and environmental scanning.

Active Supervisory Oversight

These requirements don't exist on paper alone — MAS enforces them actively. The regulator conducts thematic reviews, targeted inspections, and follow-up engagements to verify compliance. Per paragraph 1.6 of the guidelines: "As part of its supervision, MAS will review the BCM of an FI, taking into account the extent to which the Guidelines have been observed." MAS looks at whether BCM frameworks are functioning in practice — not just filed away in a compliance folder.


Key Requirements of the MAS BCM Framework

Identification of Critical Business Services (CBS) and Critical Business Functions (CBF)

Financial institutions must maintain a comprehensive inventory of services essential to customers or financial system stability. These form the backbone of the BCM program.

  • Critical Business Services (CBS): External-facing services which, if disrupted, would significantly impact the FI's safety and soundness, its customers, or other dependent FIs
  • Critical Business Functions (CBF): Activities performed by individual units or departments which, if disrupted, have significant direct or indirect impact (financial or non-financial) on the FI

All recovery strategies and SRTOs must be mapped to these services. Once CBS and CBF are defined, the next step is setting concrete timeframes for restoring them.

Service Recovery Time Objectives (SRTOs)

SRTO is the maximum time within which a disrupted critical business service must be restored to operational status. The MAS Guidelines glossary defines this as the "target duration of time to restore a specific business service from the point of disruption to the point when the service is operational."

Key SRTO Requirements:

  • Set realistic, measurable SRTOs informed by Business Impact Analysis (BIA)
  • Review SRTOs, RTOs, and dependencies annually or upon material changes
  • Continuously test whether recovery strategies can meet those timeframes
  • Focus on end-to-end customer-facing service recovery, not just individual system or function recovery

End-to-End Dependency Mapping

FIs must map all dependencies supporting each critical business service, including:

  • People: Staffing, skills, and key roles
  • Technology systems: Applications, infrastructure, and data
  • Processes: Workflows and procedures
  • Physical facilities: Offices and data centers
  • Third-party providers: Vendors and service providers

This mapping must be thorough enough to identify single points of failure that could prevent service recovery.

Third-Party and Concentration Risk Management

Financial institutions must identify and actively manage risks introduced by external providers. Core requirements include:

  • Identify critical third-party providers supporting each critical business service
  • Obtain contractual assurance that those providers can support SRTO achievement
  • Maintain backup arrangements in case of provider failure, termination, or underperformance
  • Assess concentration risk from over-reliance on a single vendor, technology, location, or zone

Where concentration risk is identified, FIs should address it through service diversification, redundant or alternate sites, and regular due diligence on third-party BCM capabilities.

Note: MAS launched a separate Consultation Paper on Proposed Guidelines on Third-Party Risk Management in March 2024, expanding requirements beyond outsourcing to cover all third-party services.

BCP Testing and Continuous Improvement

MAS requires FIs to regularly test BCPs through three primary exercise types:

  • Tabletop exercises that walk teams through disruption scenarios in a discussion format
  • Simulation drills that partially activate recovery procedures under realistic conditions
  • Full-scale recovery tests that validate the complete recovery process end-to-end

Tests must encompass various disruption scenarios:

  • Cyber incidents
  • IT outages
  • Pandemics
  • Physical threats

Testing best practices:

  • Involve internal teams, external vendors, and regulatory authorities when applicable
  • Update BCP and test plans based on operational changes and evolving threats
  • Conduct gap analysis against the BCP after any operational disruption
  • Incorporate findings into a structured review and improvement cycle

Industry example: MAS and ABS jointly conduct sector-wide BCM exercises. Exercise Raffles (7th edition, October 2024) involved 20 key financial institutions across banking, payments, securities, and insurance — testing crisis management through simulated IT outages, cyber-attacks, and operational disruptions.


BCM Audit Requirements in Singapore

Mandatory Audit Obligation

MAS requires FIs to conduct an independent BCM audit for each critical business service at least once every three years. The first audit was due by June 2024; the next cycle runs through June 2027. Institutions should begin preparing now to avoid last-minute remediation.

Auditor Qualification Requirements

Auditors must be qualified and possess substantive BCM knowledge. FIs can use:

  • Independent internal audit functions (if adequately resourced and independent)
  • External auditors (specialist BCM audit firms)

Auditors must be capable of assessing the full BCM framework — not just documentation compliance. They should challenge assumptions and look for evidence of operational embedding.

What a BCM Audit Covers

A comprehensive BCM audit evaluates:

  • Risk assessments and BIA accuracy — Are CBS/CBF identifications complete and validated against current operations?
  • Recovery strategy adequacy — Can the FI realistically meet its stated SRTOs, or are targets aspirational?
  • End-to-end dependency mapping — Are third-party and facility dependencies fully captured, with no single points of failure overlooked?
  • Third-party due diligence — Are contractual assurances in place and backup arrangements actively maintained?
  • BCP testing effectiveness — Are tests conducted on schedule, and do findings get resolved before the next cycle?
  • Governance and accountability — Is there board-level oversight with clear senior management ownership?

Anticipated Focus Areas for the 2026/2027 Audit Cycle

The 2024 audit cycle surfaced common gaps across institutions — and the 2026/2027 cycle is expected to scrutinize whether those gaps have been closed. Based on supervisory trends, auditors are likely to focus on:

  • Whether 2024 audit findings have been formally remediated — not just acknowledged
  • CBS/CBF list accuracy, particularly for institutions that have changed business lines or expanded services
  • SRTO calibration — auditors will test whether recovery objectives are achievable, not just documented
  • Single points of failure in dependency maps that previous audits may have flagged
  • Third-party contracts that lack explicit BCM obligations or enforceable SRTO commitments
  • Board engagement — evidence of active reporting, not just sign-off on annual BCM policy reviews

Institutions that began remediation after the 2024 cycle will be better positioned; those that deferred it now face compressed timelines before June 2027.


Board and Senior Management Responsibilities in BCM

Ultimate Accountability

MAS places explicit accountability for BCM at the board and senior management level. Per the guidelines: "Board and Senior Management are ultimately responsible for the FI's BCM" and must provide "strong governance."

Specific obligations include:

  • Approve BCM strategy and set risk appetite relevant to operational resilience
  • Ensure adequate resources are allocated to the BCM program
  • Ensure BCM policies align with both the institution's risk appetite and MAS regulatory requirements
  • Receive regular reporting on BCM performance, key metrics, testing outcomes, and progress against remediation action plans

Ongoing Board Oversight in Practice

What regular reporting looks like:

  • BCM performance metrics (SRTO achievement rates, incident frequency)
  • Progress against remediation action plans from audits or internal reviews
  • Key changes to critical business services or third-party providers
  • Detailed outcomes from BCP tests and exercises, including gaps identified
  • Assessment of emerging threats and environmental changes

Senior management must provide an annual attestation to the Board regarding BCM preparedness, alignment with the guidelines, and any key issues. The attestation report must be submitted to MAS upon request.

Crisis Management Structure Obligation

That oversight framework only works when it's backed by a structured response capability. FIs must establish a formal crisis management (CM) framework covering:

  • Roles and responsibilities — Who owns each decision, and who has authority to act during a disruption
  • Activation triggers — Defined thresholds (service degradation, breach, system failure) that initiate the CM response
  • Communication protocols — Pre-approved messaging for staff, regulators, customers, and media
  • Escalation procedures — Clear timelines and criteria for escalating issues to senior management or the board

Critical requirement: The CM structure and BCP must be designed for proactive activation before a critical service becomes degraded or unavailable. MAS expects activation at the first sign of a credible threat — not after customers are already affected.

Incident Reporting

FIs must notify MAS within one hour of discovering an incident involving severe business disruption or BCP activation. The initial notification should cover the nature of the incident, services affected, and immediate response actions taken. Follow-up updates are expected as the situation develops.


How to Prepare for MAS BCM Compliance

Step 1 — Conduct a Gap Assessment

Evaluate your current BCM program against each requirement in the 2022 MAS Guidelines. Identify shortfalls in:

  • Documentation: Are BCM policies, BCPs, and crisis management plans current and comprehensive?
  • Dependency mapping: Have all end-to-end dependencies been identified, including third-party providers and facilities?
  • SRTO definitions: Have you set measurable, realistic SRTOs for all critical business services?
  • Third-party arrangements: Do you have contractual assurances and backup arrangements for critical providers?
  • Testing frequency: Are you conducting tabletop exercises, simulation drills, and full-scale recovery tests regularly across multiple scenarios?

Step 2 — Build or Refresh Core BCM Components

Follow this logical sequence:

  1. Update Business Impact Analysis (BIA) — Identify and validate all critical business services and functions
  2. Redefine/confirm Critical Business Services — Ensure CBS list reflects customer-facing services critical to service continuity
  3. Set measurable SRTOs — Define recovery time objectives informed by BIA findings
  4. Complete dependency mapping — Map all people, processes, technology, facilities, and third-party dependencies end-to-end
  5. Establish or refresh third-party assurance arrangements — Obtain contractual commitments and prepare backup plans
  6. Update BCP documentation and crisis management frameworks — Ensure plans reflect current dependencies, SRTOs, and activation triggers

Step 3 — Test, Audit, and Remediate

BCP Testing

Schedule regular tests covering multiple scenarios — cyber incidents, IT outages, pandemics, and physical threats. Involve internal teams, external vendors, and where relevant, regulatory authorities. Document every finding and feed results into a structured improvement cycle.

Maintaining Audit Readiness

Treat audit readiness as an ongoing discipline, not a pre-inspection scramble. Keep current evidence of:

  • Regular testing and remediation cycles
  • Annual SRTO reviews
  • Board and senior management oversight
  • Third-party due diligence records

Foreign companies or multinationals new to Singapore's regulatory environment may find it worth engaging a compliance advisory partner with MAS BCM expertise. Doing so can speed up gap remediation, align documentation with MAS expectations, and reduce exposure to adverse audit findings.


Frequently Asked Questions

What is a BCM audit?

A BCM audit is an independent assessment of a financial institution's Business Continuity Management framework, verifying that recovery strategies, documentation, dependency mapping, and testing programs are adequate and aligned with MAS requirements. Under MAS guidelines, this must occur at least once every three years.

What is the purpose of a BCM risk assessment?

A BCM risk assessment identifies potential threats and disruptions that could impact critical business services (e.g., cyber-attacks, IT outages, pandemics, physical threats). It evaluates their likelihood and impact, informing the design of appropriate recovery strategies and SRTO targets.

Who is responsible for BCM?

Under MAS BCM Guidelines, ultimate responsibility sits with the board and senior management, who set strategy, approve policies, and ensure resource allocation. Day-to-day implementation falls to a designated BCM team, drawing on business units, IT, and third-party providers.

What is BCM compliance?

BCM compliance means meeting the requirements in MAS's June 2022 BCM Guidelines. This covers identifying critical business services, setting SRTOs, dependency mapping, third-party risk management, regular BCP testing, and an independent BCM audit at least every three years.

What is the difference between BCP and BCM?

A Business Continuity Plan (BCP) is a specific documented plan describing recovery actions for identified disruption scenarios. Business Continuity Management (BCM) is the broader program that governs how the BCP is developed, implemented, tested, and continuously improved over time.

How often must MAS-regulated FIs conduct a BCM audit?

MAS requires an independent BCM audit to be conducted at least once every three years for all critical business services. The first audit was due by June 2024, and the next cycle must be completed by June 2027.


Need support preparing for the June 2027 BCM audit cycle? VJM Global's compliance advisory team helps regulated businesses structure documentation, map dependencies, and meet audit-readiness requirements. Contact our team to discuss how we can support your BCM compliance preparation.