Details :
Job description
REQUEST FOR PROPOSALS
Ref. No: CBS/RFP/001/2025
TERMS OF REFERENCE
Refinement and Implementation of Business Continuity and Disaster Recovery Plans 1. Background
Central bank of Somalia (“the Bank”) recognizes the critical importance of maintaining business operations in the face of potential disruptions. The Bank has developed a draft Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) and now seeks the expertise of a qualified firm to refine, enhance, and implement these plans effectively across the organization. This engagement aims to ensure the Bank’s resilience, minimize the impact of disruptions, and facilitate a swift and efficient recovery.
2. Objectives
The primary objectives of this engagement are to:
Conduct a comprehensive Business Impact Analysis (BIA) for all departments and functional areas.
Perform a thorough Risk Assessment of the Bank’s key assets.
Develop and document robust Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) for each functional area ensuring alignment with ISO 22301 standards.
Document clear procedures for the ongoing maintenance and governance of the Business Continuity Management (BCM) Framework aligned with the ISO 22301 standards.
Facilitate training to raise awareness and build capacity within the Bank for BCM and the implemented plans.
Conduct testing exercises to validate the effectiveness of the BCP and DRP.
- Scope of Work
The selected firm will be responsible for the following tasks:
3.1 Business Impact Analysis (BIA)
Conduct detailed interviews and workshops with representatives from each department and functional area.
Identify critical business processes and their interdependencies.
Assess the qualitative and quantitative impact (financial, operational, reputational, legal/regulatory) of potential disruptions on each critical process.
Determine Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical process, including Maximum Tolerable Outages (MTOs).
Document the BIA findings in a clear and concise report.
3.2 Risk Assessment
Identify the Bank’s key assets, including people, technology hardware, software, data, and physical premises.
Identify potential threats (natural disasters, technological failures, cyberattacks, human error, etc.) and vulnerabilities associated with these assets.
Assess the likelihood and potential impact of each identified risk.
Recommend appropriate mitigation strategies to reduce the likelihood and impact of identified risks.
Document the risk assessment process, findings, and recommendations.
3.3 Documentation of Business Continuity and Disaster Recovery Plans
Review and enhance the Bank’s existing draft BCP and DRP documentation.
Develop comprehensive and user-friendly BCPs for each functional area, outlining procedures for responding to and recovering from various disruptive scenarios ensuring alignment with the requirements of ISO 22301.
Develop detailed DRPs for critical IT systems and infrastructure, including step-by-step recovery procedures, roles, and responsibilities.
Ensure alignment between the BCPs and DRPs.
Present the documented BCPs and DRPs to relevant stakeholders for review, feedback, and acceptance.
Incorporate stakeholder feedback into the final versions of the plans.
3.4 Documentation of BCM Framework Procedures
Develop and document clear and practical procedures for the following elements of the BCM Framework:
- BCM Framework Maintenance (governance, roles, responsibilities, review cycles).
- Business Impact Analysis (methodology, templates, frequency of updates).
- Testing and Exercising (types of tests, planning, execution, documentation, lessons learned).
- Training and Awareness (content, target audiences, delivery methods, frequency).
- Performance Evaluation (metrics, reporting, improvement processes).
- Risk Assessment (methodology, frequency of updates).
3.5 Facilitation of BCM Framework Training
Develop and deliver a general BCM awareness training program for all team leads to ensure understanding of BCP and DRP principles, roles, and responsibilities.
Tailor the training content to the specific needs and roles of the participants.
3.6 Facilitation of BCM Technical Training
Develop and deliver technical training sessions for identified risk champions and the DRP Lead.
Provide in-depth knowledge and practical skills on how to continuously maintain, update, and execute the BCM Framework, including the BIA, risk assessment, BCPs, and DRPs.
3.7 Facilitation of BCP Testing (Table top Exercise)
Plan and facilitate a table top exercise simulating a significant business disruption. Involve relevant stakeholders from different departments.
Guide participants through the BCP response procedures, clarifying roles and responsibilities.
Document observations, lessons learned, and recommendations for improvement.
- 8 Facilitation of DR Test / Failover Exercise
Plan and facilitate the execution of a Disaster Recovery failover exercise for critical IT systems.
Work with the Bank’s IT team to simulate a system failure and execute the documented DRP.
Monitor the execution of the DRP, identify any gaps or vulnerabilities, and document the results.
Provide recommendations for addressing any identified findings.
- Deliverables
The selected firm will be expected to deliver the following:
A detailed Business Impact Analysis report. A comprehensive Risk Assessment report.
Documented Business Continuity Plans (BCPs) for each functional area aligned with ISO 22301.
Documented Disaster Recovery Plans (DRPs) for critical IT systems.
Documented procedures for the BCM Framework Maintenance, BIA, Testing and Exercising, Training and Awareness, Performance Evaluation, and Risk Assessment.
Training materials and records for the facilitated BCM awareness training for team leads.
Training materials and records for the facilitated technical BCM training for risk champions and the DRP Lead.
A report on the BCP Table top exercise, including observations, lessons learned, and recommendations.
A report on the DR Failover exercise, including results, identified vulnerabilities, and recommendations.
A final report summarizing the entire engagement, key achievements, and recommendations for ongoing BCM management.
- Methodology
The firm should propose a clear methodology outlining their approach to each stage of the project, including:
Data gathering techniques (interviews, workshops, document review). Risk assessment methodologies.
BCP and DRP development frameworks and best practices, with specific reference to ISO 22301.
Training delivery methods.
Testing and exercising methodologies.
Project management and communication strategies.
- Timeline
The firm should provide a proposed project timeline with clear milestones for each deliverable. The Bank anticipates this project to be completed within 6 to 8 weeks.
7. Reporting and Communication
The firm will report to the General Manager, Regular progress meetings will be held to discuss progress, challenges, and next steps. The firm should outline their proposed communication plan.
Skills and qualifications
Required Expertise and Experience
The firm should demonstrate the following expertise and experience:
Proven experience in developing and implementing Business Continuity and Disaster Recovery Plans for financial institutions, preferably banks with a strong understanding and practical application of ISO 22301 standards.
Deep understanding of relevant industry standards and best practices (e.g., ISO 22301).
Strong expertise in conducting Business Impact Analyses and Risk Assessments. Demonstrated experience in developing and documenting BCM frameworks and
procedures.
Proven ability to facilitate effective training sessions and testing exercises.
Qualified and experienced consultants with relevant certifications (e.g., CBCP, MBCI, ISO 22301 Lead Implementer/Auditor).
Excellent communication, facilitation, and report writing skills.
- Proposal Submission Requirements
Interested firms are invited to submit a comprehensive proposal that includes the following:
Company profile and relevant experience, highlighting experience with ISO 22301. Detailed methodology for each stage of the project.
Proposed project team, including the roles and qualifications of key personnel. Detailed project timeline with milestones.
Proposed fee structure, including a breakdown of costs.
References from previous clients, preferably within the banking sector.
- Evaluation Criteria
Proposals will be evaluated based on the following criteria:
Technical expertise and experience of the firm and proposed team.
Methodology and approach to the project, including how ISO 22301 alignment will be achieved.
Understanding of the Bank’s requirements. Proposed timeline and value for money.
References and past performance.
- Confidentiality
All information provided by the Bank will be treated as confidential. The selected firm will be required to sign a Non-Disclosure Agreement (NDA).
12. Submission requirements:
Proposals should be submitted in English and include the following:
A cover letter introducing the company and outlining the firm’s technical expertise and experience.
Proposed team detailed CVs and their academic qualifications, Company registration certificates from the country of operations Proof of tax clearance certificates from the country of operations
A list of relevant references and case studies demonstrating the company’s experience in similar projects.
A detailed proposal outlining the approach, including a timeline for completion. A detailed budget, including any additional fees or expenses.
How to apply
All interested bidders are hereby informed to submit their electronic proposals to cbs.tender@centralbank.gov.sonot later than 2nd May 2025, 5:00pm (Mogadishu Time) by clearly marking “RFP No. CBS/RFP/001/2025” in the subject line. It shall remain your responsibility to ensure that your proposals will reach the address above on or before the deadline. Proposals that are received by CBS after the deadline indicated above, for whatever reason, shall not be considered for evaluation.
