SPG 232 Business Continuity Management

Although the Board of the RSE licensee (Board) is ultimately responsible for BCM under SPS 232, APRA recognises that the Board may delegate certain functions. A Board may delegate day-today operational responsibility to a responsible committee and/or senior management and need not have a detailed knowledge of, or familiarity with, the particulars of the day-to-day management of BCM.

Business continuity is generally defined as a state of continued and uninterrupted operations of a business. BCM is an approach taken across the whole of the business to ensure business continuity.

In order to adopt a whole-of-business approach, many of the processes embedded within an RSE licensee’s business operations will need to consider BCM. For example, BCM may need to be considered in:

the planning phase for new business acquisitions, joint ventures and major projects involving the introduction of new business processes and systems; and

staff training, including those without specific BCM responsibilities, to ensure staff are aware of business continuity issues.

A consistent method of documenting the BCM will typically be implemented throughout the RSE licensee’s business operations and have detailed input at the business unit level.

A centralised business continuity function may be of assistance to ensure that common standards and practices are in place across an RSE licensee’s business operations or a corporate group.

The Business Continuity Management Policy (BCM Policy) required by SPS 232 is a high-level strategic document outlining an RSE licensee’s objectives and approach in relation to BCM. The BCM Policy of an RSE licensee assists it in ensuring that critical business activities can be maintained or restored in the event of material disruptions and that the financial, legal, regulatory, reputational and other material consequences are minimised.

In many corporate groups it is common practice to develop and implement BCM across the group. Where this is the case, SPS 232 requires that an RSE licensee in a group will satisfy itself that the group BCM arrangements meet the RSE licensee’s BCM Policy requirements.

Business Impact Analysis (BIA) is a dynamic process that involves identifying all critical business activities and assessing the impact of a disruption on these activities. It is used to help shape a Business Continuity Plan (BCP).

Typically, a BIA will be conducted at least annually, or more frequently where there have been material changes to business operations or new or changed external factors that would alter the RSE licensee’s BIA.

Components of a BIA will vary to reflect the size, business mix and complexity of an RSE licensee’s business operations, but APRA would ordinarily expect it to detail:

the likelihood of a disruption scenario leading to short-, medium- or long-term disruption to critical business activities;

particulars of the impact of a disruption to critical business activities;

the priority and timeframes assigned for the recovery of critical business activities; and

the degree of difficulty, including the time taken, to restore the business activity or support function or implement alternate arrangements.

There are numerous disruption scenarios that may be encountered by an RSE licensee. Common scenarios include:

loss of precinct; (b) loss of building;

denial of access to building for a limited time;

loss of IT (data);

loss of IT (voice);

loss of vital (non-electronic) records;

loss of key staff (temporary or permanent staff); and

loss of key dependencies.

In developing the BIA, critical interdependencies that are not within the RSE licensee’s direct control will typically be identified and provided for within the scenario setting. This may include dependencies on utilities, outsourced service providers and key suppliers.

Recovery objectives are pre-defined goals for recovering specified critical business activities, to a specified level of service (recovery level) within a defined period (recovery time), following a disruption.

A recovery level is the target level of service that will be provided in respect of a specified business operation after a disruption. An RSE licensee may have a range of recovery levels for different business activities.

A recovery time is the target time taken to recover a specific business operation. An RSE licensee may divide recovery time as the duration:

from the disruption to the activation of the BCP; and

from the activation of the BCP to the recovery of the specific business operation.

An RSE licensee may have a range of strategies to meet the recovery objectives.

In assessing recovery objectives, an RSE licensee may also consider the effect of:

the increased risk of failed transactions;

liquidity risks;

solvency problems; and

loss of confidence that prolonged disruptions may cause.

A prudent RSE licensee would also consider giving priority to the payment of benefits to beneficiaries ahead of other matters.

The BCP facilitates the management of a disruption and the recovery of critical business activities. The ultimate objective of a BCP is the full restoration of an RSE licensee’s operations to the point where the RSE licensee is able to resume normal business activities. An RSE licensee’s BCP will typically include business continuity procedures that enable it to meet immediate and long-term recovery strategies.

In developing its BCP, the RSE licensee would usually sequence the recovery of operations according to their business impact, focusing first on critical operations.

In managing a disruption and recovering critical business activities, an RSE licensee’s recovery strategies may consider the resources needed to run operations in the event that the primary operational site is unavailable. The resources may cover a wide range of things, including operational resources such as computer hardware and software, printers, faxes, telephones, standard stationery and forms. Additional resources may include suitably trained staff and relevant documentation such as insurance policies and contracts, up-to-date contact lists and copies of the BCP.

A BCP would typically document specific responsibilities and authorities for:

assessing the impact of the disruption;

determining an appropriate response;

implementing the communication plan;

evacuating staff;

activating an alternate site if required; and

implementing recovery objectives.

An alternate site refers to a site used for the temporary resumption of critical business activities. This site may be an operational site owned by the RSE licensee or a disaster recovery site managed by the RSE licensee or an outsourced service provider.

In assessing the appropriateness of a particular alternate site, the following would typically be considered by the RSE licensee:

the capacity of the alternate site;

the timeframe over which the site could operate in a particular combined business continuity and operational mode;

the distance between the alternate site and the primary operational site, in order to minimise the risk of both sites being unavailable simultaneously;

whether an annual review and assessment of the capacity and adequacy of the alternate site has been conducted;

where the alternate site has contracted arrangements with a third party:

the likelihood of multiple simultaneous calls on shared resources at the alternate site;

the impact of multiple simultaneous calls, for example, on the dedicated and shared functional and seating capacity available; and

the reliability of the shared capacity;

whether the alternate site and the primary operational site share the same power grid, telecommunications network or other physical infrastructure;

whether the alternate site has sufficient current data and the necessary equipment and systems to recover critical business activities for a sufficient period of time; and

whether adequate transport is available to the alternate site.

In order to minimise the risk of a primary operational and alternate site being impacted by a wide area disruption, APRA would normally expect that, if the primary site is in a central business district, the alternate site would be located outside it.

An RSE licensee may consider conducting staff training at the alternate site on a regular basis to ensure there are sufficient staff able to recover critical business activities in the event of a disruption.

A communication plan describes the information necessary for notifying key internal and external stakeholders if the BCP is invoked.[1] Examples of information that might be included in a communication plan are:

the process for notifying APRA, as soon as possible and no later than 24 hours after experiencing a major disruption that has the potential to have a material impact on its risk profile or to affect the RSE licensee’s financial soundness, of the nature of the disruption, the action being taken, the likely effect, the timeframe for return to normal operations and when normal operations are resumed;

identification of those responsible for communicating with staff and various external stakeholders;

a list of contact names, numbers and email addresses of, but not limited to, staff, regulators, members, counterparties, service providers, market authorities and media;

out-of-hours numbers (including primary/ alternate contacts) for all staff with BCP responsibility; and

the staff authorised to deal with the media.

Ordinarily, contact lists require regular review to ensure they remain up-to-date.

Prudential Standard SPS 231 Outsourcing (SPS 231) defines outsourcing to involve an RSE licensee entering into an arrangement with any other party to perform, on a continuing basis, a business activity that currently is, or could be, undertaken by the RSE licensee itself.

Typically, an RSE licensee will have procedures in place to adapt the BCP in the event of any material outsourcing agreement that involves a change to business processes and systems.

While some RSE licensees may rely upon outsourced service providers for components of their BCP, accountability for the BCP remains with the RSE licensee. It is important for RSE licensees to recognise that, while outsourcing can be of significant benefit and may reduce some risks, it may also give rise to other risks.[2] 

APRA expects that an RSE licensee would gain an understanding of the nature and scope of an outsourced service provider’s BCP as it applies to the relevant activities under the outsourcing arrangement and satisfy itself that the BCP provides adequate protection to the interests of beneficiaries. A declaration from a service provider may assist an RSE licensee in forming a view as to whether the service provider will respond adequately in the event of a disruption.

Alternative contingency arrangements may need to be considered for the event that the outsourced service provider is unable to provide the agreed services. This is particularly important where there is no capability of bringing the outsourced business function back in-house (in either the short or medium-term), or where an arrangement with an alternative service provider could not be implemented within an acceptably short time period.

Testing of the BCP is required under SPS 232 and is considered essential to ensuring that the BCP is capable of meeting its objectives. An RSE licensee will typically document testing scenarios, objectives and procedures. Testing would ordinarily be overseen by senior management and involve all personnel with specific responsibility for BCM.

There are a range of test approaches available to an RSE licensee, including:

desk-top ‘walk-throughs’;

individual component testing (e.g. IT equipment);

testing from an alternate site; and

fully integrated tests covering the entire RSE licensee and outsourced service providers.

Areas of the BCP that are likely to require regular testing include:

staff evacuation procedures;

communication plans;

alternate site activation and capability;

data back up and recovery;

readiness of critical service providers;

physical and computer security; and

recovery of critical business activities.