Australian Prudential Regulation Authority publishes business continuity regulations

The Australian Prudential Regulation Authority (APRA) yesterday issued prudential standards on business continuity management for authorised deposit-taking institutions (ADIs) and general insurers.

The new prudential standards aim to ensure that ADIs and general insurers implement a ‘whole of business’ approach to business continuity management, appropriate to the nature and scale of their individual operations.

Key requirements of the prudential standards include:

* The Board of Directors and senior management of an ADI or general insurer must consider business continuity risks and controls as part of the company’s overall risk management framework provided to APRA on an annual basis;

* An ADI or general insurer must identify critical business functions, resources and infrastructure which, if disrupted, would have a material impact on the company’s business operations, reputation or profitability;

* An ADI or general insurer must assess the impact of plausible disruption scenarios on critical business functions, resources and infrastructure and have in place appropriate recovery strategies to ensure all necessary resources are readily available to withstand the impact of the disruption; and

* An ADI or general insurer must develop, implement and maintain through review and testing procedures, a business continuity plan that documents procedures and information which enable the company to respond to disruptions and recover critical business functions.

The two new standards come into effect immediately, but ADIs and general insurers have a 12-month transitional period in which to identify areas of non-compliance with the new standards and provide to APRA a rectification plan and timetable.

APRA’s Chairman, Dr John Laker, said APRA has identified business continuity management as an area of the prudential framework requiring further improvement.

“As business operations have become increasingly complex, with a growing reliance on outsourcing activities offshore, it is vital that ADIs and general insurers maintain critical business operations in the event of an external disruption”, said Dr Laker. “The new prudential standards provide a structured framework for addressing business continuity management on an organisation-wide basis to ensure this important part of risk management is adequately addressed.”

APRA is anticipating the release of a similar standard on business continuity management for life companies in the first half of 2006.

According to the prudential standard business continuity management “describes a whole of business approach to ensure critical business functions can be maintained, or restored in a timely fashion, in the event of material disruptions arising from internal or external events. Its purpose is to minimise the financial, legal, reputational and other material consequences arising from the disruption.”

The standard states that business continuity involves an integrated process of:

(a) Risk assessment;
(b) Business impact analysis;
(c) Consideration of recovery strategies;
(d) Business continuity planning;
(e) Establishing business continuity/crisis management teams; and
(f) Review and testing.

The standard also states that:

* Business continuity management “should also be part of the planning phase for new business acquisitions, joint ventures, material outsourcing arrangements and major projects involving the introduction of new business processes and systems.”

* BCM should be an integrated component of the ADI’s risk management and control framework.

* The Board and responsible senior management of the ADI must consider the ADI’s business continuity risks and controls as part of its overall risk management framework and when completing the risk management declaration provided to APRA on an annual basis as required by APS 310 Auditing and Related Arrangements for Prudential Reporting.

* An ADI must have a formal policy that sets out its approach to business continuity management. The policy should be summarised in the risk management system descriptions as required by APS 310 Auditing and Related Arrangements for Prudential Reporting.

* Procedures must be in place to ensure that all business units are fully aware of, and comply with, the business continuity management policy.

To view the business continuity regulations (APS 232) and the associated guidance note ‘Risk Assessment and Business Continuity Management’ you must be logged in!

End


To find out more about how the Continuity Forum can help your organisation plan for and address a wide variety of Business Resilience and Continuity issues, please contact us directly HERE! or call either us on 020 8993 1599.