APRA Prudential Standard CPS 232 - Business Continuity Management: Overview and Summary of Requirements

• By: Staff Editor
• Date: June 14, 2013

• The standard applies to all ADIs including foreign ADIs and NOHCs, all Category C insurers, authorized insurance NOHCs and parent entities of Level 2 insurance groups
• The standard also applies to friendly societies, Eligible Foreign Life Insurance Companies (EFLICs) and registered life NOHCs
• The standard applies whether or not activities are outsourced to related bodies – corporate or third party.

• Regulated institutions must identify, assess, manage and mitigate potential business continuity risks
• The Board is ultimately responsible for business continuity of the regulated institution
• The Board can delegate day-to-day handling of BCM to a responsible committee, including responsible committee of the Head of the Level 2 group, and/or senior management
• The Board must approve the BCM policy

• BCM Policy
  
  • Up to date and documented BCM policy setting out objectives and approach to BCM
  • Must clearly state the respective roles, responsibilities and authorities
• Business Impact Analysis (BIA)
  
  • Involves identifying critical business functions, resources and infrastructure of regulated institution and assessing disruption impact
  • Disruption scenarios and periods of time must be considered while making the BIA
  • The extent to which a disruption may impact an institution’s depositors, policyholders
  • Financial, legal, regulatory and reputational impact of a disruption to critical business operations
• Recovery Objectives and Strategies
  
  • These are pre-defined goals for recovering key business operations after a possible disruption to a specified level of service (recovery level) within a defined period (recovery time)
  • The recovery objectives and implementation strategies must be identified and documented using the results of the BIA
• Business Continuity Plan (BCP)
  
  • The BCP must be documented and meet the objectives of the BCM policy
  • It must identify:
    
    • critical business operations,
    • recovery levels and time targets for each critical business operation
    • recovery strategies for each critical business operation
    • infrastructure and resources required to implement the BCP
    • roles and responsibilities
    • communication plans with staff and external stakeholders

• The regulated institution must review and test the BCP at least once on an annual basis and if possible, more frequently.
• The reviews must happen after every change made in the business operations
• The results of the review must be reported to the Board or delegated management
• The BCP must be updated based on the reviews and the shortcomings identified

• The internal or external audit function of the regulated institution must provide an assurance to the Board that:
  • The BCP is in accordance with the BCM Policy and addresses the necessary risks
  • Testing procedures are adequate and satisfactory
• The APRA may in writing adjust or exclude the requirements mentioned above in relation to a specific regulated institution
• In case of a major disruption that can materially affect the regulated institution’s risk profile, the APRA must be notified as soon as possible (in less than 24 hours) of the same.

Additional Resources

Read the APRA Prudential Standard CPS 232 - Business Continuity Management in full.