
BCP/DR Posture Assessment: Meeting RBI and SEBI RC.1–RC.4 Without 3 Months of Consultancy

CreativeCyber Research · April 2025 · 14 min read · SEBI CSCRF · RBI DPSC · Resiliency Compliance

Key figures:

  • 1.7/5: average RC domain maturity
  • 68%: regulated entities lacking full DR test evidence
  • 4h: RBI RTO for core banking
  • 9: inspection failure points

The SEBI CSCRF Respond and Recover domain — specifically sub-categories RC.1 through RC.4 — consistently shows the lowest average maturity score across all regulated entity categories. At 1.7 out of 5, resiliency and continuity is where Indian BFSI organisations are most exposed, and where regulators are increasingly directing inspection attention.

The irony is that most regulated entities have a Business Continuity Plan document. The gap is not documentation — it is operationalisation. An untested BCP is not a plan; it is a fiction. SEBI and RBI both require evidence of actual test execution, not just the existence of a document.

What RC.1–RC.4 Actually Require

| Subcategory | Requirement | Evidence Auditors Expect |
|---|---|---|
| RC.1 — BCP Documented | Business Continuity Plan approved by board/senior management and reviewed annually | Board-approved BCP document, date-stamped; review minutes or sign-off within last 12 months |
| RC.2 — BIA Completed | Business Impact Analysis with defined RTO and RPO for all critical processes | BIA report with critical process inventory, financial impact calculations, agreed RTO/RPO per process |
| RC.3 — DR Site Operational | Disaster recovery site available and capable of handling core workloads | DR site agreement/confirmation, infrastructure inventory at DR, last connectivity test report |
| RC.4 — Annual Full DR Test | Full DR failover test conducted at least annually, with documented results and lessons learned | Test plan, test execution log, post-test report with deficiencies and closure dates |

RBI DPSC Resiliency Requirements

For payment-focused regulated entities, RBI's Digital Payment Security Controls (DPSC) framework adds specific availability and recovery obligations on top of SEBI CSCRF RC requirements:

  • 99.5% availability for core payment processing systems (calculated monthly, per payment channel)
  • 4-hour RTO for ATM processing infrastructure
  • Same-day recovery for RTGS and NEFT critical payment rails
  • Quarterly DR drills for internet banking and mobile banking platforms (not just annual)
  • Communication protocol to RBI within 2 hours of any outage exceeding 30 minutes on payment channels
ℹ️ RBI reporting obligation: Any payment system outage exceeding 2 hours must be reported to RBI's DPSS (Department of Payment and Settlement Systems) within 2 hours of the outage onset. Failure to report is treated as a separate compliance violation from the outage itself.
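The availability and reporting figures above are easy to state and easy to get wrong in practice, because availability is computed per channel per calendar month and the reporting clock starts at outage onset, not at detection. The following is an added example (not code from the original article or from CreativeCyber Research) that computes monthly availability per payment channel from an outage register, flags channels below the 99.5% target, and checks whether each reportable outage was notified to RBI within the 2-hour window. The outage register is constructed sample data, and the 30-minute reportability threshold is taken from the list above and left as a parameter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds stated on the page: 99.5% monthly availability per payment channel
# and notification to RBI within 2 hours of outage onset.
AVAILABILITY_TARGET = 0.995
REPORT_WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class Outage:
    channel: str
    start: datetime
    end: datetime
    reported_at: Optional[datetime] = None  # when RBI was notified; None if never

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def monthly_availability(outages: List[Outage], channel: str, year: int, month: int) -> float:
    """Fraction of the calendar month the channel was up. Outage time is clipped
    to the month, so an outage spanning a month boundary only counts the part inside it."""
    month_start = datetime(year, month, 1)
    month_end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    down = timedelta()
    for o in outages:
        if o.channel != channel:
            continue
        overlap = min(o.end, month_end) - max(o.start, month_start)
        if overlap > timedelta():
            down += overlap
    return 1 - down / (month_end - month_start)


def channels_below_target(outages: List[Outage], year: int, month: int,
                          target: float = AVAILABILITY_TARGET) -> List[str]:
    """Channels whose monthly availability misses the DPSC target."""
    channels = sorted({o.channel for o in outages})
    return [c for c in channels if monthly_availability(outages, c, year, month) < target]


def reporting_findings(outages: List[Outage], threshold: timedelta = timedelta(minutes=30)):
    """Outages longer than `threshold` must be reported within REPORT_WINDOW of onset.
    Returns (channel, onset, problem) for each that was never reported or reported late."""
    findings = []
    for o in outages:
        if o.duration <= threshold:
            continue
        if o.reported_at is None:
            findings.append((o.channel, o.start, "not reported"))
        elif o.reported_at - o.start > REPORT_WINDOW:
            findings.append((o.channel, o.start, "reported late"))
    return findings


# Constructed sample outage register for April 2025 (illustrative, not real incident data).
SAMPLE_OUTAGES = [
    Outage("UPI", datetime(2025, 4, 3, 10, 0), datetime(2025, 4, 3, 14, 0),
           reported_at=datetime(2025, 4, 3, 11, 30)),          # 4h outage, reported in time
    Outage("UPI", datetime(2025, 4, 20, 9, 0), datetime(2025, 4, 20, 9, 20)),  # 20 min, below threshold
    Outage("ATM", datetime(2025, 4, 10, 1, 0), datetime(2025, 4, 10, 2, 0),
           reported_at=datetime(2025, 4, 10, 4, 0)),           # reported 3h after onset: late
    Outage("NEFT", datetime(2025, 4, 15, 12, 0), datetime(2025, 4, 15, 12, 45)),  # never reported
]

if __name__ == "__main__":
    for c in ("UPI", "ATM", "NEFT"):
        print(f"{c}: {monthly_availability(SAMPLE_OUTAGES, c, 2025, 4):.4%}")
    print("below target:", channels_below_target(SAMPLE_OUTAGES, 2025, 4))
    for channel, onset, problem in reporting_findings(SAMPLE_OUTAGES):
        print(f"{channel} outage at {onset:%Y-%m-%d %H:%M}: {problem}")
```

Note that a single four-hour UPI outage in a 30-day month already consumes more than the 3.6 hours of downtime that 99.5% allows, which is why the availability target and the 2-hour RTO for payment infrastructure have to be read together.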

Industry RTO/RPO Benchmarks for Indian BFSI

Regulators do not mandate specific RTO/RPO values for most systems — but they do expect the values an organisation sets to be achievable, tested, and reflective of the financial and operational impact of unavailability. These are the industry benchmarks that SEBI and RBI inspectors use as reference points:

| System | Industry RTO | Industry RPO | Regulatory Driver |
|---|---|---|---|
| Core Banking System (CBS) | 4 hours | 1 hour | RBI IT Governance Framework |
| Payment Switch / NPCI Interface | 2 hours | 15 minutes | RBI DPSC 99.5% availability |
| Internet Banking Portal | 8 hours | 4 hours | SEBI CSCRF RC.2 |
| Mobile Banking App | 8 hours | 4 hours | SEBI CSCRF RC.2 |
| ATM Processing | 4 hours | 1 hour | RBI DPSC |
| RTGS / NEFT Processing | Same day | 30 minutes | RBI DPSC same-day recovery |
| SIEM / SOC Platform | 24 hours | 4 hours | CERT-In log retention (180 days) |
| Email and Collaboration | 24 hours | 8 hours | SEBI CSCRF RC.2 |

BIA Methodology: The Foundation SEBI Checks First

The Business Impact Analysis is the document SEBI inspectors go to before evaluating anything else in the RC domain. Without a credible BIA, the RTO/RPO values in your BCP are unverifiable — and the entire resiliency programme is considered theoretical.

A SEBI-compliant BIA for a regulated entity must cover four elements:

1. Critical Process Inventory

Every business process that, if disrupted, would cause regulatory breach, financial loss, customer harm, or reputational damage must be documented. For a mid-sized private bank, this typically yields 40–80 critical processes across payments, lending, trade finance, and back-office functions.

2. Dependency Mapping

For each critical process: which applications support it? Which infrastructure? Which third-party vendors? Which staff categories? A disruption to any dependency propagates to the process. The BIA must trace these chains — a payment process that depends on CBS, which depends on Oracle DB, which depends on specific DBAs, which depend on VPN access, which depends on an ISP.

3. Financial Impact Calculation

SEBI expects the RTO to reflect the point at which financial loss, regulatory breach, or customer harm becomes material. "We estimated 4 hours" is not sufficient. "Transaction revenue loss of ₹2.4Cr/hour for the UPI channel, plus regulatory breach after 2 hours of outage under RBI DPSC" is a defensible basis.

4. RTO/RPO Agreement and Sign-Off

RTO and RPO values must be formally agreed between IT, the business process owner, and senior management — and signed off. An IT-determined RTO that the business has never reviewed or accepted is not a valid BIA output.
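The four BIA elements above fit together as a single calculation: the dependency chain determines what RTO IT can actually deliver, the financial impact and regulatory breach point determine what RTO the business needs, and sign-off only means something when those two numbers have been compared. The following is an added example (not from the original article or from CreativeCyber Research) that walks a constructed dependency chain of the kind described in step 2 (ISP, VPN, DBA access, Oracle DB, CBS, UPI switch), computes the achievable RTO as the critical path through it, and checks the signed-off RTO against it and against the loss-per-hour figure from step 3. The component recovery times, loss figures and process names are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    recovery_hours: float            # time to restore this component once its dependencies are up
    depends_on: Tuple[str, ...] = ()


@dataclass(frozen=True)
class CriticalProcess:
    name: str
    root_dependency: str             # the application the process runs on
    loss_per_hour_inr: float         # financial impact per hour of unavailability
    regulatory_breach_hours: float   # outage length after which a regulatory obligation is breached
    agreed_rto_hours: float          # RTO signed off by business owner and senior management


def achievable_rto(components: Dict[str, Component], name: str,
                   seen: FrozenSet[str] = frozenset()) -> float:
    """Worst-case recovery time for `name`. Dependencies can be restored in parallel,
    so the critical path is this component's own time plus its slowest dependency.
    A cycle in the map is a BIA data error and is reported rather than recursed forever."""
    if name in seen:
        raise ValueError(f"dependency cycle at {name}")
    c = components[name]
    slowest_dep = max((achievable_rto(components, d, seen | {name}) for d in c.depends_on),
                      default=0.0)
    return c.recovery_hours + slowest_dep


def bia_row(components: Dict[str, Component], process: CriticalProcess) -> dict:
    """One BIA line: is the signed-off RTO actually achievable, what does an outage of
    that length cost, and does it already cross the regulatory breach point?"""
    achievable = achievable_rto(components, process.root_dependency)
    return {
        "process": process.name,
        "agreed_rto_h": process.agreed_rto_hours,
        "achievable_rto_h": achievable,
        "rto_feasible": achievable <= process.agreed_rto_hours,
        "loss_at_agreed_rto_inr": process.loss_per_hour_inr * process.agreed_rto_hours,
        "breaches_regulation": process.agreed_rto_hours > process.regulatory_breach_hours,
    }


# Constructed dependency chain and processes (illustrative, not a real bank's BIA).
COMPONENTS = {
    "ISP link": Component("ISP link", 0.5),
    "VPN gateway": Component("VPN gateway", 1.0, ("ISP link",)),
    "DBA remote access": Component("DBA remote access", 0.5, ("VPN gateway",)),
    "Oracle DB": Component("Oracle DB", 1.5, ("DBA remote access",)),
    "CBS": Component("CBS", 1.0, ("Oracle DB",)),
    "UPI switch": Component("UPI switch", 0.5, ("CBS", "ISP link")),
}

PROCESSES = [
    # Rs 2.4 Cr/hour loss and a 2-hour regulatory breach point, with a 2-hour agreed RTO
    CriticalProcess("UPI payments", "UPI switch", 2.4e7, 2.0, 2.0),
    CriticalProcess("Retail loan origination", "CBS", 1.0e6, 24.0, 8.0),
]

if __name__ == "__main__":
    for p in PROCESSES:
        row = bia_row(COMPONENTS, p)
        status = "OK" if row["rto_feasible"] else "NOT ACHIEVABLE"
        print(f"{row['process']}: agreed {row['agreed_rto_h']}h, "
              f"achievable {row['achievable_rto_h']}h [{status}], "
              f"loss at agreed RTO Rs {row['loss_at_agreed_rto_inr']:,.0f}")
```

In the constructed data the UPI process has a signed-off RTO of 2 hours but sits at the end of a 5-hour recovery chain, which is exactly the kind of gap a dependency map exposes and an IT-only RTO estimate hides.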

A BCP that has never been tested is not a plan — it is a document. SEBI requires evidence of test execution, not just documentation. The distinction is categorical.

The 9 RC Failures That Appear in Every SEBI Inspection

1. BCP document never tested
The most common finding. A BCP that cannot demonstrate test history is treated as non-existent for inspection purposes.

2. DR site not truly operational
DR sites listed as "warm standby" that have not had a live workload placed on them in over 12 months. Inspectors request the last DR test report.

3. RTO/RPO set arbitrarily
Values chosen without a BIA — "we said 4 hours because that sounds reasonable." No BIA supporting the values means no defensible basis.

4. Last DR test was 18+ months ago
SEBI CSCRF RC.4 requires annual testing. A test gap over 12 months is a finding. Over 18 months is a major finding.

5. Tabletop test only — no actual failover
A tabletop exercise is Level 1. It proves the plan exists and the team knows their roles. It does not prove systems can actually recover. Inspectors expect at least one Level 2 or Level 3 test.

6. Third-party systems excluded from DR scope
The DR plan covers internal infrastructure but not CBS hosted by a vendor, or cloud SaaS platforms. If a system is critical, its DR is the regulated entity's responsibility regardless of hosting.

7. No regulator communication plan
No documented procedure for notifying RBI, SEBI, or CERT-In during an outage. The regulated entity must notify RBI within 2 hours of a significant payment outage.

8. Recovery runbooks outdated
Runbooks not updated after infrastructure changes. A runbook for a database version that was decommissioned 18 months ago provides false assurance.

9. No post-test lessons learned
Tests completed but no post-test report, no deficiency register, and no closure dates assigned. SEBI inspectors view this as evidence that tests are not taken seriously.

The 3-Tier DR Test Evidence SEBI Accepts

Level 1: Tabletop Exercise
Structured walkthrough of the BCP. Team reviews their roles, decision points, and escalation paths. No systems activated.
For awareness only. Does not satisfy RC.4 alone.

Level 2: Partial Failover
Specific systems or workloads failed over to DR site. Recovery time measured. Production not affected.
Satisfies RC.4 for non-critical systems. Combined with tabletop, acceptable for Tier 2 organisations.

Level 3: Full Failover
All critical systems failed over. Production traffic routed through DR site. RTO and RPO validated against BIA targets.
Fully satisfies RC.4. Required for Tier 1 regulated entities (banks, large brokers, payment systems).

⚠️ Critical timing: Schedule your annual full DR test at least 90 days before your expected SEBI inspection window. This allows time to address any deficiencies found during testing. A DR test conducted the week before an inspection — with open deficiencies — is worse than no test, because it demonstrates the programme was not mature enough to have been tested earlier.
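The nine inspection failures, the three test levels and the 90-day timing rule above are all checks an organisation can run against its own DR test register before an inspector does. The following is an added example (not from the original article or from CreativeCyber Research) that encodes those checks as a self-assessment: test gap over 12 months (finding) or 18 months (major finding), tabletop-only evidence, test level below what the entity's tier requires, deficiencies with no closure date, measured RTO/RPO against the BIA targets, and a test held inside the 90-day window with deficiencies still open. The test register, targets and dates are constructed sample data; the finding codes are this example's own naming, not SEBI terminology.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Test levels as the page defines them: 1 tabletop, 2 partial failover, 3 full failover.
LEVEL = {"tabletop": 1, "partial": 2, "full": 3}


@dataclass
class Deficiency:
    description: str
    closure_date: Optional[date] = None   # None: no closure date assigned (failure #9)


@dataclass
class DrTest:
    executed_on: date
    level: str                            # "tabletop", "partial" or "full"
    measured_rto_h: Dict[str, float] = field(default_factory=dict)  # per system, hours
    measured_rpo_h: Dict[str, float] = field(default_factory=dict)
    deficiencies: List[Deficiency] = field(default_factory=list)


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months


def assess_rc4(tests: List[DrTest], as_of: date, inspection_date: date, tier: int,
               targets: Dict[str, Tuple[float, float]]) -> List[Tuple[str, str]]:
    """Findings an inspector would raise against the DR test evidence.
    targets maps system -> (rto_hours, rpo_hours) agreed in the BIA.
    Returns (code, detail) tuples; an empty list means no finding."""
    if not tests:
        return [("NO_TEST", "BCP has no test history; treated as non-existent")]
    findings = []
    latest = max(tests, key=lambda t: t.executed_on)

    # Failure #4: annual testing; >12 months is a finding, >18 months a major finding.
    gap = months_between(latest.executed_on, as_of)
    if gap > 18:
        findings.append(("TEST_GAP_MAJOR", f"last DR test {gap} months ago"))
    elif gap > 12:
        findings.append(("TEST_GAP", f"last DR test {gap} months ago"))

    # Failure #5 and the tier rule: best level achieved in the last 12 months.
    recent = [t for t in tests if months_between(t.executed_on, as_of) <= 12]
    best = max((LEVEL[t.level] for t in recent), default=LEVEL[latest.level])
    if best == 1:
        findings.append(("TABLETOP_ONLY", "tabletop does not satisfy RC.4 on its own"))
    elif tier == 1 and best < 3:
        findings.append(("LEVEL_BELOW_TIER", "Tier 1 entity requires a full failover test"))

    # Failure #9: deficiencies raised by the test with no closure date assigned.
    for d in latest.deficiencies:
        if d.closure_date is None:
            findings.append(("OPEN_DEFICIENCY", d.description))

    # Level 3 validates measured RTO/RPO against the BIA targets.
    for system, (rto, rpo) in targets.items():
        m_rto = latest.measured_rto_h.get(system)
        if m_rto is not None and m_rto > rto:
            findings.append(("RTO_MISSED", f"{system}: {m_rto}h measured vs {rto}h target"))
        m_rpo = latest.measured_rpo_h.get(system)
        if m_rpo is not None and m_rpo > rpo:
            findings.append(("RPO_MISSED", f"{system}: {m_rpo}h measured vs {rpo}h target"))

    # Timing rule: a test inside the 90-day window with deficiencies still open.
    still_open = [d for d in latest.deficiencies
                  if d.closure_date is None or d.closure_date > as_of]
    if (inspection_date - latest.executed_on).days < 90 and still_open:
        findings.append(("LATE_TEST",
                         f"test within 90 days of inspection with {len(still_open)} open deficiencies"))
    return findings


# Constructed sample data (illustrative; not a real entity's test register).
AS_OF = date(2025, 4, 15)
INSPECTION = date(2025, 6, 1)
TARGETS = {"CBS": (4.0, 1.0), "UPI switch": (2.0, 0.25)}   # (RTO h, RPO h) from the BIA

SAMPLE_TESTS = [
    DrTest(date(2025, 3, 20), "tabletop"),
    DrTest(date(2025, 3, 25), "full",
           measured_rto_h={"CBS": 5.0, "UPI switch": 1.5},
           measured_rpo_h={"CBS": 0.5, "UPI switch": 0.25},
           deficiencies=[
               Deficiency("CBS failback runbook references decommissioned DB version"),
               Deficiency("DR site DNS cut-over needed manual intervention", date(2025, 4, 10)),
           ]),
]
STALE_TESTS = [DrTest(date(2023, 8, 10), "tabletop")]

if __name__ == "__main__":
    for code, detail in assess_rc4(SAMPLE_TESTS, AS_OF, INSPECTION, tier=1, targets=TARGETS):
        print(f"{code}: {detail}")
```

Running the constructed register produces three findings: the unclosed runbook deficiency, CBS missing its 4-hour RTO, and a test held 68 days before the inspection with that deficiency still open. The same function run over STALE_TESTS returns the 20-month gap as a major finding plus tabletop-only evidence.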
