Business Continuity Plan (Hong Kong)

A Business Continuity Plan in Hong Kong sets out the standards and procedures the organisation expects its people to follow.

While no single Hong Kong statute mandates a BCP for all businesses, several regulatory frameworks effectively require formal business continuity planning for specific sectors. The Hong Kong Monetary Authority (HKMA) Supervisory Policy Manual module TM-G-2 sets out detailed business continuity management requirements for authorised institutions — licensed banks, restricted licence banks, and deposit-taking companies — under the Banking Ordinance (Cap. 155). Authorised institutions must maintain tested BCPs covering critical systems, alternate processing sites, and crisis communication. The Securities and Futures Commission (SFC) requires licensed corporations under the Securities and Futures Ordinance (Cap. 571) to maintain adequate business continuity arrangements under the Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the SFC. The Insurance Authority (IA) expects regulated insurers under the Insurance Ordinance (Cap. 41) to maintain BCPs as part of their corporate governance and enterprise risk management frameworks.

For companies incorporated under the Companies Ordinance (Cap. 622), directors owe a duty of care, skill, and diligence under Section 465 of Cap. 622. A director who fails to plan for foreseeable business disruptions — and whose company suffers avoidable losses as a result — may face claims for breach of fiduciary duty. Companies listed on the Hong Kong Stock Exchange (HKEX) face additional corporate governance expectations under the HKEX Corporate Governance Code, which recommends maintaining strong risk management and internal control systems that should encompass business continuity.

For organisations handling personal data, the BCP must address data protection obligations under the Personal Data (Privacy) Ordinance (Cap. 486). The Privacy Commissioner for Personal Data (PCPD) expects data users to maintain security measures — including business continuity arrangements — that protect personal data against accidental loss or destruction during disruption events. Section 26 of the Personal Data (Privacy) Ordinance (Cap. 486) empowers the PCPD to issue enforcement notices requiring data users to remedy contraventions of the Data Protection Principles, including DPP4 failures caused by inadequate continuity planning. Section 4 of the Banking Ordinance (Cap. 155) grants the HKMA authority to issue guidelines on risk management — including business continuity — to which all authorised institutions supervised by the HKMA must adhere.

Forms-legal.com provides a Hong Kong Business Continuity Plan template designed for organisations across industries — financial services, professional services, retail, hospitality, logistics, and technology — covering all key BCP components required by Hong Kong regulators and international standards including ISO 22301. The Telecommunications Ordinance (Cap. 106) and the Office of the Government Chief Information Officer (OGCIO) framework further guide BCP requirements for critical infrastructure operators in the Hong Kong Special Administrative Region.

A Business Continuity Plan in Hong Kong is needed by every organisation that cannot afford to have its critical operations suspended without preparation — which in practice means every commercially active business, non-profit, or public body operating in the territory.

Organisations regulated by the HKMA, SFC, or IA must have a tested BCP as a licence condition or supervisory expectation. Banks, securities brokers, asset managers, and insurers that operate without adequate business continuity arrangements risk regulatory action, including restriction of licence, financial penalties, or public cconfirm. The HKMA’s Supervisory Policy Manual TM-G-2 sets specific requirements for recovery time objectives (RTOs) and alternate site arrangements that regulated institutions must meet.

All Hong Kong businesses face the territory’s annual typhoon season, which runs from June to November. When the Hong Kong Observatory hoists Typhoon Signal 8 or above, the Employment Ordinance (Cap. 57) and the Labour Department’s guidelines require employers to have clear policies on work arrangements — whether employees are required to report to work, how to handle employees already at work when the signal is hoisted, and the timing of resumption after the signal is lowered. A BCP should specify the organisation’s typhoon protocol, remote working arrangements, and critical function staffing during signal periods.

Hong Kong’s Black Rainstorm Warning — issued by the Hong Kong Observatory when rainfall of 70mm or more per hour is occurring — triggers employee safety arrangements similar to typhoon protocols. Any organisation whose employees travel to and from work should have a documented rainstorm procedure as part of its BCP.

Cyber threats targeting Hong Kong businesses have increased significantly since 2020. Ransomware attacks, data breaches, and business email compromise (BEC) scams affect organisations across all sectors. A BCP should include an IT Disaster Recovery component that addresses backup systems, failover procedures, data recovery, and the integration with the organisation’s cybersecurity incident response plan. The PCPD recommends that organisations maintain data breach response plans consistent with obligations under Cap. 486.

Organisations with supply chains that depend on mainland China or international suppliers — particularly relevant for Hong Kong’s manufacturing, retail, logistics, and professional services sectors — need BCP provisions addressing supply chain disruptions. The COVID-19 pandemic demonstrated the critical importance of supply chain continuity planning for Hong Kong businesses.

Companies tendering for government contracts or major private sector contracts in Hong Kong are increasingly required to demonstrate BCP capability as part of their vendor qualification. A documented, tested BCP is a competitive requirement in many procurement processes.

A Hong Kong Business Continuity Plan must include the following key elements to meet regulatory expectations and provide a practical recovery framework for the organisation.

Business Impact Analysis (BIA): An assessment of the organisation’s critical business functions, the resources they depend on (people, systems, premises, suppliers), and the impact of disruption over time. The BIA should determine the Maximum Tolerable Period of Disruption (MTPD) — the maximum time the organisation can operate without each critical function — the Recovery Time Objective (RTO) — the target time within which each function must be restored — and the Recovery Point Objective (RPO) — the maximum acceptable data loss measured in time. For HKMA-regulated institutions, these parameters must meet the specific requirements of TM-G-2.

Risk Assessment: An identification and evaluation of the threats most relevant to Hong Kong operations. Typhoons and severe weather: Hong Kong experiences an average of five to six Tropical Cyclone Warning Signal 8 or above per year. Pandemic outbreaks: COVID-19 demonstrated the severe operational disruptions possible in Hong Kong’s dense urban environment. Cyber attacks: ransomware, DDoS attacks, and phishing targeting Hong Kong financial and professional services firms. Power and telecommunications failures affecting Kowloon or Hong Kong Island. Civil unrest or access restrictions affecting key business districts. Geopolitical events affecting Hong Kong’s role as an international financial centre.

Recovery Strategies: For each critical function identified in the BIA, a specific strategy for maintaining or restoring operations. Remote working arrangements using Hong Kong’s high-speed broadband infrastructure and cloud applications. Alternate premises — a backup office in a different district or building to address premises unavailability; Hong Kong commercial real estate providers including IWG (Regus) and WeWork offer short-term alternate site solutions. Backup IT systems, cloud data storage, and failover to secondary systems. Manual workaround procedures for when IT systems are unavailable. Cross-training of staff to cover critical roles.

Typhoon and Rainstorm Protocol: A specific procedure addressing: pre-signal preparation (data backup, remote access setup, communication to staff); operations during Signal 8 or above (who must remain on site for essential services, remote working arrangements, client communication); the 2-hour post-lowering transport resumption gap; and post-signal recovery. The protocol should reference the Employment Ordinance (Cap. 57) and the Labour Department’s guidelines on typhoon work arrangements.

Crisis Communication Plan: An internal communication tree identifying the crisis management team, their contact details, alternates, and escalation procedures. External communication protocols for notifying key clients, the HKMA or SFC (for regulated entities), critical suppliers, and if necessary, the media. A template holding statement for external communications.

Business Continuity Plan (Hong Kong) Disaster Recovery: Detailed technical procedures for recovering IT systems, data, and communications. Integration with the cybersecurity incident response plan. Recovery procedures for cloud-based systems hosted in Hong Kong data centres (HKCOLO, SUNeVision, iAdvantage) and for applications hosted in Singapore, Japan, or elsewhere. Data recovery procedures consistent with backup schedules and RPOs.

Supply Chain Continuity: Identification of critical suppliers and service providers, assessment of their own BCP capability, and identification of backup suppliers. For Hong Kong businesses dependent on mainland China supply chains, cross-border logistics contingencies should be addressed.

Staff Welfare and Human Resources: Emergency contact lists and next-of-kin details. Procedures for staff safety during typhoons, including employees with long commutes from the New Territories or Lantau Island. Pandemic protocols for employee health and safety. Mental health support resources.

Testing Programme: A schedule of BCP tests including tabletop exercises (at least twice annually), simulation drills for specific scenarios, and live failover tests. Post-test debrief reports and action logs to capture lessons learned. For HKMA-regulated institutions, annual testing with documented results is mandatory under TM-G-2.

Plan Governance: BCP ownership assigned to a named senior executive. Annual review cycle and version control. Post-incident reviews following any actual disruption. Board-level oversight of BCP adequacy, as expected under the HKEX Corporate Governance Code for listed companies. The forms-legal.com Business Continuity Plan (Hong Kong) template covers the mandatory elements under Companies Ordinance (Cap. 622).