6th MaRisk amendment: New requirements for business continuity management

The risks lurking in business operations are currently being demonstrated to us from many sides: cyber attacks, natural disasters and the collapse of supply chains during the pandemic show how vulnerable our economic system is. For banks and other financial institutions and their IT service providers, the need for action is further increased by regulatory changes: the 6th MaRisk amendment specifies the requirements for business continuity management. On August 16, 2021, BaFin published the new version of MaRisk.

Most of the changes in the 6th MaRisk amendment result from the transposition of the EBA Guidelines on outsourcing arrangements into national supervisory practice. I gave a first overview in my article on IT outsourcing. Below, I present the most important changes with respect to business continuity management:

Create a business continuity plan

The amendment contains a number of new provisions on business continuity management that are based on the requirements of the EBA Guidelines on ICT and security risk management (the ICT Guidelines). Under these requirements, institutions must define the objectives of their business continuity management, conduct impact and risk analyses for all time-critical activities and processes, and draw up a business continuity concept.

Impact and risk analysis

BaFin considers activities and processes to be time-critical if their disruption or failure would cause unacceptable damage to the institution within a specified period of time. Impact and risk analyses must be carried out in order to identify these processes.

The impact analysis should take into account, among other things, the type and extent of the material and immaterial damage. It should also examine how the timing of a disruption affects the damage, for example when payment transactions fail during peak business hours.

The risk analysis identifies and assesses the hazards that could impair time-critical activities and processes.

BaFin requires that certain scenarios be taken into account:

• the complete or partial loss of a site (e.g. due to flooding, major fire, closure of the area, failure of access control)
• a significant failure of IT systems or communication infrastructure (e.g. due to errors or attacks)
• the loss of a critical number of staff (e.g. due to a pandemic, food poisoning or a strike)
• the failure of service providers (such as suppliers or electricity providers)

The business continuity plan must describe which fallback options are available in an emergency and how operations are to be returned to normal. To this end, the amendment requires an overview of all activities and processes, for example in the form of a process map. Whether the business continuity concept is effective and appropriate must also be reviewed regularly.

Need for action by banks and IT service providers

We support banks and IT service providers in gaining an overview of the changes introduced by the 6th MaRisk amendment and in checking the extent to which they already comply with the requirements. In addition, we advise on the areas of action arising from the new requirements, particularly with regard to business continuity management and the analysis of risks.

Michaela Witzel, LL.M. (Fordham University School of Law), Certified Expert for IT Law