Business continuity now risk management requirement
Directors and senior management of an Australian bank or general insurer must regard business continuity risks and controls as part of the firm's overall risk management report to regulators.
That's a key requirement of new prudential standards on business continuity management issued by the Australian Prudential Regulation Authority (Apra) in April.
The rules came into effect immediately for authorised deposit-taking institutions (ADIs) - banks, building societies and credit unions - and general insurers. Apra expects to issue similar rules for life insurance companies in the first half of 2006.
The new prudential standards aim to ensure that the firms implement a "whole of business" approach to business continuity management, appropriate to the nature and scale of their individual operations, Apra said.
Other key requirements of the rules are:
· firms must identify critical business functions, resources and infrastructure which, if disrupted, would have a material impact on the company's business operations, reputation or profitability;
· firms must assess the impact of plausible disruption scenarios on critical business functions, resources and infrastructure. They must have in place appropriate recovery strategies to ensure all necessary resources are readily available to withstand the impact of the disruption; and
· firms must develop, implement and maintain through review and testing procedures, a business continuity plan that documents procedures and information which enable the company to respond to disruptions and recover critical business functions.
Firms have a 12 month transitional period in which to identify areas of non-compliance with the new standards and provide Apra with a rectification plan and timetable.
Apra chairman John Laker said the agency has identified business continuity management as an area requiring further improvement.
"As business operations have become increasingly complex, with a growing reliance on outsourcing activities offshore, it is vital that ADIs and general insurers maintain critical business operations in the event of an external disruption", said Laker.
