OJK's BCM Framework for Financial Institutions
OJK (Otoritas Jasa Keuangan) is Indonesia's financial services regulator, responsible for overseeing banks, insurance companies, capital markets, and other financial institutions. In 2022, OJK issued POJK 11/2022 on Operational Risk Management for Commercial Banks, establishing business continuity management as a mandatory component of operational risk governance for the banks it covers. Unlike ISO 22301, which is a voluntary international standard, POJK 11/2022 is a regulatory requirement enforced through supervisory examinations and enforcement actions.
Business continuity management is not a separate compliance domain from OJK's perspective—it is one of three pillars of operational risk management, alongside internal controls and risk monitoring. OJK's supervisory approach to BCM is outcome-focused: examiners assess whether an organization can identify and mitigate its critical dependencies, test recovery capabilities in realistic scenarios, and maintain current plans that reflect the organization's actual operating environment. The quality of BCM execution directly affects OJK's operational risk rating for an institution.
POJK 11/2022 BCM Requirements
POJK 11/2022 does not prescribe a specific standard or methodology for BCM—it establishes required outcomes and evidence. The regulation expects banks to have a BCM policy, conduct business impact analysis, develop continuity strategies proportionate to criticality, maintain and test plans, and continuously improve based on exercise results. The following comparison table maps POJK 11/2022 requirements to ISO 22301 clauses and the evidence OJK examiners expect:
| POJK 11/2022 Requirement | ISO 22301 Mapping | Evidence Required |
|---|---|---|
| BCM Policy and Governance | Clause 5: Leadership, Policy | BCMS Policy, Management Review minutes, Board-approved BCM framework |
| Business Impact Analysis | Clause 8.2: BIA and risk assessment | BIA documentation, MAO/RTO register, criticality assessment |
| Business Continuity Strategies | Clause 8.3: BC Strategies | Strategy documentation linked to BIA, scenario analysis, resource plan |
| Business Continuity Plans | Clause 8.4: BC Plans | Current, tested BCPs, plan version control, stakeholder sign-off |
| Testing and Exercises | Clause 8.5: Exercise program | Exercise records, debrief reports, corrective action tracking |
| Review and Improvement | Clauses 9 and 10: Performance Evaluation and Improvement | KPI reports, corrective actions, management review evidence |
IT Continuity Requirements under OJK
OJK places particular emphasis on Information Technology continuity because financial institutions depend heavily on IT systems for payment processing, customer data management, and regulatory reporting. POJK 11/2022 requires banks to define specific RTO (Recovery Time Objective) and RPO (Recovery Point Objective) standards for critical IT systems, with RTOs typically ranging from 1 to 4 hours for payment systems and core banking applications.
Data center resilience is a key OJK expectation. Banks must have a geographically separate backup data center (outside the primary city or earthquake zone), automated failover capability, and verified recovery time through annual or semi-annual disaster recovery testing. Large Indonesian banks like BNI and Mandiri achieved ISO 22301 certification partly to formalize and independently verify these IT continuity capabilities that OJK expects.
OJK Supervisory Assessment of BCM
OJK examiners assess BCM maturity during on-site examinations. They review the BIA to determine whether the bank has accurately identified critical activities and dependencies. They examine BCPs for currency, technical accuracy, and realistic recovery procedures. They evaluate exercise records to assess whether the organization learns from testing and closes gaps. Common OJK findings include outdated contact lists in BCPs, insufficient frequency of DR testing for critical systems, failure to test full end-to-end recovery (testing only individual components), and lack of evidence that lessons learned are translated into plan updates.
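The IT continuity expectations described earlier (RTO and RPO targets per critical system, a regular DR test cadence) and the common examiner findings just listed (stale tests, component-only rather than end-to-end recovery, outdated contact lists) are all checks that can be run mechanically against the BIA and DR-test register before an examination. The following Python is an added example written for this page; it is not code from OJK, from any bank, or from the original article. The register fields, the thresholds, and the sample data are assumptions chosen for illustration, not figures taken from POJK 11/2022.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are illustrative assumptions, not figures prescribed by POJK 11/2022.
MAX_DR_TEST_AGE_DAYS = 365   # assume an annual DR test cadence for critical systems
MAX_CONTACT_AGE_DAYS = 180   # assume BCP contact lists are re-verified semi-annually


@dataclass
class CriticalSystem:
    """One row of a BIA / DR-test register (assumed fields, not an OJK schema)."""
    name: str
    rto_hours: float                            # recovery time objective from the BIA
    rpo_minutes: float                          # recovery point objective from the BIA
    last_dr_test: Optional[date] = None         # date of the most recent DR exercise
    recovery_hours: Optional[float] = None      # time actually taken in that exercise
    data_loss_minutes: Optional[float] = None   # data loss actually observed in it
    end_to_end: bool = False                    # full failover with dependencies, not one component
    contacts_verified: Optional[date] = None    # last verification of the BCP contact list


def assess_system(s: CriticalSystem, as_of: date) -> list[str]:
    """Return the evidence gaps an examiner would flag for one system (empty list = none)."""
    findings: list[str] = []
    if s.last_dr_test is None:
        findings.append("no DR test on record")
    else:
        age = (as_of - s.last_dr_test).days
        if age > MAX_DR_TEST_AGE_DAYS:
            findings.append(f"DR test stale ({age} days old)")
        if s.recovery_hours is None or s.data_loss_minutes is None:
            findings.append("DR test has no measured recovery time or data loss")
        else:
            # Compare what the exercise actually achieved against the BIA targets.
            if s.recovery_hours > s.rto_hours:
                findings.append(
                    f"RTO missed ({s.recovery_hours}h measured vs {s.rto_hours}h target)")
            if s.data_loss_minutes > s.rpo_minutes:
                findings.append(
                    f"RPO missed ({s.data_loss_minutes}min lost vs {s.rpo_minutes}min target)")
        if not s.end_to_end:
            findings.append("last test was component-level, not end-to-end recovery")
    if s.contacts_verified is None or (as_of - s.contacts_verified).days > MAX_CONTACT_AGE_DAYS:
        findings.append("BCP contact list not verified within threshold")
    return findings


def assess_register(register: list[CriticalSystem], as_of: date) -> dict[str, list[str]]:
    """Map each system name to its findings."""
    return {s.name: assess_system(s, as_of) for s in register}


# Constructed sample register: illustrative values, not any bank's real figures.
SAMPLE_REGISTER = [
    CriticalSystem("core-banking", rto_hours=2, rpo_minutes=15,
                   last_dr_test=date(2024, 3, 10), recovery_hours=1.5,
                   data_loss_minutes=5, end_to_end=True, contacts_verified=date(2024, 5, 1)),
    CriticalSystem("payment-switch", rto_hours=1, rpo_minutes=0,
                   last_dr_test=date(2024, 2, 20), recovery_hours=3.0,
                   data_loss_minutes=0, end_to_end=False, contacts_verified=date(2024, 5, 1)),
    CriticalSystem("regulatory-reporting", rto_hours=24, rpo_minutes=60,
                   last_dr_test=date(2023, 1, 15), recovery_hours=6.0,
                   data_loss_minutes=30, end_to_end=True, contacts_verified=date(2023, 1, 15)),
    CriticalSystem("treasury", rto_hours=4, rpo_minutes=30),   # never tested
]


def sample_assessment() -> dict[str, list[str]]:
    """Run the checks over the constructed register as of a fixed date."""
    return assess_register(SAMPLE_REGISTER, as_of=date(2024, 6, 1))


if __name__ == "__main__":
    for name, gaps in sample_assessment().items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Run against the sample register, only core-banking comes out clean; payment-switch fails its RTO and was tested only at component level, regulatory-reporting has a stale test and an unverified contact list, and treasury has no test at all. The point of the check is that an RTO is only evidence once an exercise has measured it, so a row with a target but no measured recovery is treated as a gap rather than as compliant.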
ISO 22301 certification signals to OJK examiners that an independent, accredited body has verified the BCMS framework and that the organization has demonstrated compliance through a rigorous audit process. However, the certificate itself does not substitute for OJK supervisory assessment. OJK examiners still conduct their own assessment of BCM substance, focusing on whether the organization can actually execute its plans and whether the plans reflect current risk exposure.
Aligning ISO 22301 with OJK Reporting
Organizations can align ISO 22301 BCMS outputs with OJK reporting requirements, avoiding duplication and creating a single evidence base for both regulatory and certification purposes. The following table shows how key BCMS outputs map to OJK reporting needs:
| ISO 22301 Output | OJK Reporting Use | Reporting Frequency |
|---|---|---|
| BIA register with RTO/RPO | Operational risk report: BCM section | Annual |
| Exercise records | BCM testing evidence to OJK on request | Per exercise |
| BCMS KPI dashboard | Management report: BCM performance | Quarterly |
| Corrective action register | Audit finding remediation evidence | As required |
| Management review minutes | BCM governance evidence | Annual |
| KEY IDEA | ISO 22301 does not replace POJK 11/2022 compliance—it provides the management system framework within which OJK BCM requirements are implemented and evidenced. Organizations that treat ISO 22301 as their BCM operating model typically find that OJK compliance follows naturally. |
Building a Unified Compliance Architecture
The most efficient approach for OJK-regulated financial institutions is to use ISO 22301 as the BCMS framework that satisfies OJK, while adding OJK-specific documentation layers for regulatory reporting. Rather than building a separate "OJK BCM program" alongside ISO 22301, successful organizations integrate POJK 11/2022 requirements directly into their BCMS scope, policy, and KPIs.
This unified approach eliminates duplication between ISO BCMS documentation and regulatory BCM documentation. A single BIA document serves both certification audit and OJK supervisory review. A single exercise program with integrated debrief and corrective action tracking satisfies both ISO 22301 evaluation requirements and OJK testing expectations. This efficiency is particularly valuable for mid-sized banks that lack dedicated BCM staff and must work within resource constraints.
Practical Guidance for OJK-Regulated Organizations
Organizations pursuing ISO 22301 certification to satisfy OJK requirements should run the BIA before finalizing the BCMS scope. The BIA determines which activities and IT systems are critical, and that analysis should drive both the scope of ISO 22301 certification and the focus of OJK reporting. Engage your OJK relationship manager early in the certification process to clarify supervisory expectations and avoid surprises during the ISO audit and the subsequent OJK examination.
Prepare for the ISO 22301 certification audit and the subsequent OJK supervisory review as one integrated evidence-gathering process. OJK will examine exercise records to verify that the organization has tested the critical scenarios relevant to its risk profile. Ensure that the exercise program includes scenarios aligned with POJK 11/2022 expectations and that debrief and corrective action processes are rigorous and documented.
| IMPORTANT | OJK supervisory reviews assess BCM substance, not just documentation. Having an ISO 22301 certificate without a functioning BCMS will not satisfy OJK examiners. The certificate is evidence of the framework; the exercise records and BCP currency are evidence of the capability. |
| BITLION INSIGHT | OJK has progressively increased BCM supervision intensity since the COVID-19 pandemic and the 2023 BSI ransomware incident. Indonesian financial institutions that completed ISO 22301 certification ahead of this regulatory intensification were better positioned for supervisory review. |