MaRisk 6.0: Stricter requirements for contingencies
# 1 MaRisk 6.0: Stricter requirements for business continuity management
Chapter AT 7.3 Contingency Management has now been worded as follows:
- The institution must define objectives for business continuity management and derive a business continuity management process from them. Provision must be made for emergencies in time-critical activities and processes (contingency concept). The measures specified in the contingency plan must be suitable for reducing the extent of possible damage. The contingency plan must be updated as required, checked annually to ensure that it is up to date, and communicated appropriately. Management must receive a written report on the status of contingency management at least quarterly and on an ad hoc basis.
- The contingency plan must include business continuity and recovery plans. Business continuity plans must ensure that replacement solutions are available promptly in the event of an emergency. Recovery plans must allow normal operations to be restored within a reasonable period of time. Appropriate internal and external communication must be ensured in emergencies. Where time-critical activities and processes are outsourced, the outsourcing institution and the outsourcing company must have contingency plans that are coordinated with one another.
- The effectiveness and appropriateness of the contingency plan must be checked regularly. For time-critical activities and processes, this must be demonstrated for all relevant scenarios at least once a year and on an ad hoc basis. Reviews of the contingency plan are to be recorded. Results are to be analysed with regard to necessary improvements. Risks are to be controlled appropriately. The results are to be communicated in writing to the persons responsible.
The MaRisk provide the following explanations of the stricter requirements for business continuity management.
# 2 Time critical activities and processes
In principle, activities and processes are time-critical if, when they are impaired for a defined period of time, unacceptable damage for the institution can
The institution carries out impact and risk analyses to identify time-critical activities and processes, the supporting activities and processes, the IT systems and other resources required for them, as well as potential hazards. The basis for this is an overview of all activities and processes (e.g. in the form of a process map).
# 3 Impact analyses – MaRisk 6.0: Stricter requirements for business continuity management
In business impact analyses, the consequences that an impairment of activities and processes can have on business operations are examined over graduated periods of time. The impact analyses should take into account, among other things, the following aspects:
– Type and scope of the material and immaterial damage
– Effect of the point in time of the failure on the damage (e.g. failure of payment transactions during peak business hours)
# 4 Risk analysis
In risk analyses (risk impact analyses) for the identified time-critical activities and processes, the potential hazards that can cause an impairment of these time-critical business processes are identified and assessed.
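The impact and risk analyses described in sections 2 to 4, as an added Python example that is not part of MaRisk or of the original article: damage is assessed over graduated outage periods, a failure during peak business hours is taken as the worst case, and the minimum AT 7.3 scenarios are then screened for those whose outage duration would reach the point at which the damage becomes unacceptable. The periods, damage figures, tolerance, horizon and scenario durations are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Graduated outage durations (hours) used by the impact analysis. MaRisk requires
# graduated periods but does not prescribe these values; they are constructed here.
PERIODS_H = (4, 24, 72)

# Minimum scenarios named in AT 7.3, with constructed assumed outage durations (hours).
SCENARIO_OUTAGE_H = {"site failure": 72, "IT/communication failure": 8,
                     "staff loss": 240, "service provider failure": 48}

@dataclass
class Process:
    name: str
    damage_eur: Dict[int, float]   # period (h) -> material + immaterial damage (constructed)
    peak_factor: float = 1.0       # extra damage if the failure hits peak hours (assumption)

def first_breach(proc: Process, tolerance_eur: float, during_peak: bool = False) -> Optional[int]:
    """Impact analysis: shortest assessed period at which damage exceeds the tolerance,
    or None if the process tolerates an outage over the whole assessed range."""
    factor = proc.peak_factor if during_peak else 1.0
    for hours in PERIODS_H:
        if proc.damage_eur[hours] * factor > tolerance_eur:
            return hours
    return None

def time_critical(processes: List[Process], tolerance_eur: float, horizon_h: int) -> List[str]:
    """A process is time-critical if an impairment within the defined period (horizon_h)
    can cause unacceptable damage; the peak-hour failure is taken as the worst case."""
    result = []
    for p in processes:
        breach = first_breach(p, tolerance_eur, during_peak=True)
        if breach is not None and breach <= horizon_h:
            result.append(p.name)
    return result

def relevant_hazards(proc: Process, tolerance_eur: float) -> List[str]:
    """Risk analysis: scenarios whose assumed outage lasts at least as long as the
    period at which this process's damage becomes unacceptable."""
    breach = first_breach(proc, tolerance_eur, during_peak=True)
    if breach is None:
        return []
    return sorted(name for name, hours in SCENARIO_OUTAGE_H.items() if hours >= breach)

# Constructed sample processes: damage in EUR for a 4 h / 24 h / 72 h outage.
PROCESSES = [
    Process("payment transactions", {4: 200_000, 24: 1_500_000, 72: 6_000_000}, peak_factor=3.0),
    Process("customer reporting", {4: 1_000, 24: 20_000, 72: 600_000}),
    Process("archive retrieval", {4: 0, 24: 500, 72: 5_000}),
]
TOLERANCE_EUR = 500_000   # constructed damage tolerance set by management
HORIZON_H = 24            # constructed "defined period" for time-criticality
```

Running `time_critical(PROCESSES, TOLERANCE_EUR, HORIZON_H)` flags only payment transactions, while customer reporting breaches the tolerance only at 72 h and is therefore exposed just to the longer-lasting scenarios.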
# 5 Contingency concept
In the contingency concept, responsibilities, objectives and measures for the continuation or restoration of time-critical activities and processes are determined, and criteria for classifying emergencies and for triggering the plans are defined.
# 6 Contingency scenarios – MaRisk 6.0: Stricter requirements for contingency management
At least the following scenarios are taken into account:
– (partial) failure of a location (e.g. due to flooding, major fire, area closure, failure of access control)
– Significant failure of IT systems or communication infrastructure (e.g. due to errors or attacks)
– Loss of a critical number of employees (e.g. in the event of a pandemic, food poisoning, strike)
– Failure of service providers (e.g. suppliers, electricity suppliers)
# 7 Reviews of the contingency plan
The frequency and scope of the reviews should generally be based on the risk situation. Service providers are to be involved appropriately. Reviews include, among other things:
– Tests of the technical precautionary measures
– Communication, crisis team and alerting exercises, as well as emergency or full-scale exercises
# 8 What are the implementation deadlines for the new MaRisk 6.0?
The new version of MaRisk comes into force upon publication. There is a transition period until December 31, 2021.
For the documentation requirement in AT 9 item 14 MaRisk relating to the outsourcing register, this applies only insofar as the obligation to keep an outsourcing register already takes effect with the entry into force of the FISG on 01.01.2022.
Otherwise, the first day of validity follows the law that gives rise to this requirement in MaRisk.
There are different implementation deadlines for the adjustment of existing or negotiated outsourcing contracts.
A separate implementation period is granted for this until December 31, 2022.
An adjustment of contractual relationships concluded on the basis of a public procurement procedure may be waived owing to the particular legal difficulties, insofar as these contracts are limited in time and have to be re-awarded within the next five years. BaFin assumes that the new requirements will already be taken into account adequately in procurement procedures initiated from 01.01.2022.
Institutions with a high number of NPLs must comply with the requirements of the NPE Guidelines immediately after the transition period expires on December 31, 2021, provided that they have an NPL ratio of more than 5% on the two preceding quarterly reference dates (September 30, 2021 and December 31, 2021).
The first quarterly reference date relevant for classification as an institution with a high NPL inventory is therefore September 30, 2021.