MIR 2.6 MIR 2.6 Operational systems and controls
A Recognised Body must establish a robust operational risk management framework with appropriate systems and controls to identify, monitor and management operational risks that key participants, other Recognised Bodies, service providers (including outsourcees) and utility providers might pose to itself.
A Recognised Body must have a business continuity plan, which is subjected to periodic review and scenario testing, that addresses events posing a significant risk of disrupting operations, including events that could cause a widespread or major disruption. The plan should:(a) outline objectives, policies, procedures and responsibilities to deal with internal and external business disruptions and measures to ensure timely resumption of service levels;(b) include policies and procedures for event and crisis management;(c) incorporate the use of a secondary site;(d) contain appropriate emergency rules for force majeure events;(e) be designed to ensure that critical information technology systems can resume operations within two hours following disruptive events;(f) outline business continuity procedures in respect of its Members and other users of its facilities following disruptive or force majeure events; and(g) in the case of a Recognised Clearing House, be designed to enable the Recognised Clearing House to complete settlement by the end of the day of disruption, even in case of extreme circumstances.
A Recognised Body should have an incident management procedure in place to record, report, analyse and resolve all operational incidents.
A Recognised Body should have clearly defined operational reliability objectives and policies to achieve these objectives, as well as a scalable operational capacity adequate to handle increasing stress volumes, service-level objectives and historical data.
A Recognised Body should have a comprehensive physical and information security policy, standards, practices and controls to identify, assess and manage security threats and vulnerabilities and to protect data from loss and leakage, unauthorised access and other processing risks.