Table of contents
Prudential standard
CPS 232 Business Continuity Management
-
Current1 July 2017 – 30 June 2025
Prudential framework pillars
About this standard
This standard requires an entity to plan for business disruptions. Entities must develop a business continuity management policy and related plans and procedures. Entities must review their business continuity plan annually.
This standard supports CPS 220 Risk Management, which is a core standard in the Risk Management Pillar. It applies to all ADIs, general insurers and life insurers.
Objectives and key requirements of this Prudential Standard
This Prudential Standard requires each APRA-regulated institution and Head of a group to implement a whole-of-business approach to business continuity management that is appropriate to the nature and scale of the operations. Business continuity management increases resilience to business disruption arising from internal and external events and may reduce the impact on the institution’s or group’s business operations, reputation, profitability, depositors, policyholders and other stakeholders.
The Board of an APRA regulated institution and the Board of a Head of a group, respectively, have ultimate responsibility for the business continuity of the institution or group.
The key requirements of this Prudential Standard are that an APRA-regulated institution and a Head of a group must:
- maintain a business continuity management policy for the institution or group, approved by the Board;
- identify, assess and manage potential business continuity risks to ensure that it is able to meet its financial and service obligations to its depositors, policyholders and other stakeholders;
- consider business continuity risks and controls as part of its risk management framework;
- maintain a business continuity plan that documents procedures and information which enable the institution to manage business disruptions;
- review the business continuity plan annually and periodically arrange for its review by the internal audit function or an appropriate external expert; and
- notify APRA in the event of certain disruptions.
Where an APRA-regulated institution is the Head of a group, this Prudential Standard requires that the group has in place business continuity management appropriate to the nature and scale of the group’s operations, and the provisions of this Prudential Standard are applied appropriately throughout the group, including in relation to institutions that are not APRA-regulated. In addition, where specified, the Head of a group must comply with the requirements on a group basis.
Preamble
Banking, Insurance and Life Insurance (prudential standard) determination No. 7 of 2016
Prudential Standard CPS 232 Business Continuity Management
Banking Act 1959
Insurance Act 1973
Life Insurance Act 1995
I, Wayne Byres, delegate of :
under subsection 11AF(3) of the Banking Act 1959 REVOKE Banking, Insurance and Life Insurance (prudential standard) determination No. 2 of 2014, including Prudential Standard CPS 232 Business Continuity Management made under that Determination, to the extent that it applied to all ADIs and authorised banking NOHCs;
under subsection 32(4) of the Insurance Act 1973 REVOKE Banking, Insurance and Life Insurance (prudential standard) determination No. 2 of 2014, including Prudential Standard CPS 232 Business Continuity Management made under that Determination, to the extent that it applied to all general insurers, authorised insurance NOHCs, and subsidiaries of general insurers and authorised insurance NOHCs;
under subsection 230A(5) of the Life Insurance Act 1995 REVOKE Banking, Insurance and Life Insurance (prudential standard) determination No. 2 of 2014, including Prudential Standard CPS 232 Business Continuity Management made under that Determination, to the extent that it applied to life companies, friendly societies, registered life NOHCs, and subsidiaries of life companies and registered life NOHCs;
under subsection 11AF(1) of the Banking Act 1959 DETERMINE Prudential Standard CPS 232 Business Continuity Management in the form set out in the Schedule, to the extent that it applies to all ADIs and authorised banking NOHCs;
under subsection 32(1) of the Insurance Act 1973 DETERMINE Prudential Standard CPS 232 Business Continuity Management in the form set out in the Schedule, to the extent that it applies to all general insurers, authorised insurance NOHCs, and subsidiaries of general insurers and authorised insurance NOHCs; and
under subsection 230A(1) of the Life Insurance Act 1995 DETERMINE Prudential Standard CPS 232 Business Continuity Management in the form set out in the Schedule, to the extent that it applies to all life companies, friendly societies, registered life NOHCs, and subsidiaries of life companies and registered life NOHCs.
This instrument commences on 1 July 2017.
Dated: 8 September 2016
[Signed]
Wayne Byres
Chairman
Interpretation
In this Determination:
ADI has the meaning given in section 5 of the Banking Act 1959.
APRA means the Australian Prudential Regulation Authority.
authorised banking NOHC has the meaning given to the expression authorised NOHC in section 5 of the Banking Act 1959.
authorised insurance NOHC has the meaning given to the expression authorised NOHC in subsection 3(1) of the Insurance Act 1973.
friendly society has the meaning given in section 16C of the Life Insurance Act 1995.
general insurer has the meaning given in section 11 of the Insurance Act 1973.
life company has the meaning given in the Schedule to the Life Insurance Act 1995.
registered life NOHC has the meaning given to the expression registered NOHC in the Schedule to the Life Insurance Act 1995.
Schedule
Prudential Standard CPS 232 Business Continuity Management comprises the 9 pages commencing on the following page.
Prudential Standard CPS 232
Business Continuity Management
Authority
This Prudential Standard is made under:
section 11AF of the Banking Act 1959 (Banking Act);
section 32 of the Insurance Act 1973 (Insurance Act); and
section 230A of the Life Insurance Act 1995 (Life Insurance Act).
Application
This Prudential Standard applies to all ‘APRA-regulated institutions’, defined as:
all authorised deposit-taking institutions (ADIs), including foreign ADIs, and non-operating holding companies authorised under the Banking Act (authorised banking NOHCs);
all general insurers, including Category C insurers, non-operating holding companies authorised under the Insurance Act (authorised insurance NOHCs) and parent entities of Level 2 insurance groups; and
all life companies, including friendly societies and eligible foreign life insurance companies (EFLICs), and non-operating holding companies registered under the Life Insurance Act (registered life NOHCs).
All APRA-regulated institutions have to comply with this Prudential Standard in its entirety, unless otherwise expressly indicated. The obligations imposed by this Prudential Standard on, or in relation to, a foreign , a Category C insurer or an EFLIC apply only in relation to the Australian branch operations of that institution.
Where an APRA-regulated institution is the ‘Head of a group’, it must comply with a requirement of this Prudential Standard:
in its capacity as an APRA-regulated institution;
by ensuring that the requirement is applied appropriately throughout the group, including in relation to institutions that are not APRA-regulated; and
on a group basis.
In applying the requirements of this Prudential Standard on a group basis, references in paragraphs 17 to 40 to an ‘APRA-regulated institution’ should be read as ‘Head of a group’ and references to ‘institution’ should be read as ‘group’.
This Prudential Standard applies whether or not activities are outsourced to related bodies corporate or third-party service providers. This Prudential Standard also applies to arrangements where the service provider is located outside Australia or the functions are performed outside Australia.
Nothing in this Prudential Standard prevents an APRA-regulated institution from adopting and applying a group policy used by a related body corporate, provided that the policy has been approved by the Board of the regulated institution and meets the requirements of this Prudential Standard.
This Prudential Standard commences on 1 July 2017.
Interpretation
Terms that are defined in Prudential Standard 3PS 001 Definitions, Prudential Standard APS 001 Definitions (APS 001), Prudential Standard GPS 001 Definitions (GPS 001) or Prudential Standard LPS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
Where this Prudential Standard provides for APRA to exercise a power or discretion, this power or discretion is to be exercised in writing.
For the purposes of this Prudential Standard:
‘group’ means a Level 2 group or a Level 3 group, as relevant; ‘Head of a group’ means a Level 2 Head or Level 3 Head, as relevant; ‘Level 2 group’ means the entities that comprise: Level 2 as defined in APS 001; or a Level 2 insurance group as defined in GPS 001; ‘Level 2 Head’ means: where an ADI that is a member of a Level 2 group is not a subsidiary of an authorised banking NOHC or another ADI, that ADI; where an ADI that is a member of a Level 2 group is a subsidiary of an authorised banking NOHC, that authorised banking NOHC; or the parent entity of a Level 2 insurance group as defined in GPS 001. |
APRA
APRA means the Australian Prudential Regulation Authority.
[1]
Note, for the purposes of this Prudential Standard, an RSE licensee is not treated as an ‘APRA-regulated institution’. Refer to Prudential Standard SPS 232 Business Continuity Management (SPS 232) for requirements relating to business continuity management for an RSE licensee.
ADI
ADI has the meaning given in section 5 of the Banking Act 1959.
[2]
Where a Level 2 group operates within a Level 3 group, a requirement expressed as applying to a Head of a group is to be read as applying to the Level 3 Head.
[3]
A reference to the Board in the case of a foreign ADI is a reference to the senior officer outside Australia.
Additional requirements of the Head of a group
The Head of a group must maintain business continuity management (BCM) for the group (see paragraphs 20 to 22) including a BCM policy for the group (see paragraphs 23 to 25).
The Head of a group must apply BCM to risk assessments and risk processes at a functional level in the group, where appropriate.
The Board of the Head of a group must:
ensure that the group’s BCM is appropriate to the nature and scale of its operations and is consistent with the group’s risk management strategy and risk management framework;
oversee the appropriateness of BCM across the group; and
ensure that the group’s business continuity plan (BCP) is reviewed at least annually by responsible senior management of the Head of the group.
The Head of a group must notify APRA in accordance with paragraph 36 if the institution experiences a major disruption that has the potential to have a material impact on the institution’s risk profile, or affect its financial soundness, except where an APRA-regulated institution within the group has otherwise notified APRA of that information.
The group internal audit function, or an appropriate external expert, must periodically review the group BCP and provide an assurance to the Board of the Head of the group, or delegated management, on the matters in paragraph 38 on a group basis.
Where an institution within the group that is not an APRA-regulated institution undertakes business operations critical to the group, the Head of the group must ensure that those business operations are undertaken in a way that complies with the group BCM policy.
The role of the Board and senior management
An APRA-regulated institution must identify, assess, manage, mitigate and report on potential business continuity risks to ensure that the institution is able to meet its financial and service obligations to its depositors, policyholders and other stakeholders.
The Board is ultimately responsible for the business continuity of the institution. The Board remains ultimately responsible for BCM of the institution whether or not business operations are outsourced or are part of a corporate group.
[4]
Refer to Prudential Standard CPS 231 Outsourcing (CPS 231) for further information on requirements relating to outsourcing.
The Board must ensure that the business continuity risks and controls are taken into account as part of the institution’s risk management strategy and when completing a risk management declaration required to be provided to APRA.
[5]
For details of the risk management framework for regulated institutions refer to Prudential Standard CPS 220 Risk Management.
Business continuity management
BCM is a whole-of-business approach that includes policies, standards and procedures for ensuring that critical business operations can be maintained or recovered in a timely fashion, in the event of a disruption. Its purpose is to minimise the financial, legal, regulatory, reputational and other material consequences arising from a disruption.
Critical business operations are the business functions, resources and infrastructure that may, if disrupted, have a material impact on the institution’s business functions, reputation, profitability, depositors and/or policyholders.
BCM must, at a minimum, include:
a BCM policy in accordance with paragraphs 23 to 25;
a business impact analysis (BIA) including risk assessment in accordance with paragraphs 26 and 27;
recovery objectives and strategies; in accordance with paragraphs 28 and 29;
a BCP in accordance with paragraphs 30 to 33; and
programs for:
review and testing of the BCP in accordance with paragraphs 34 and 35; and
training and ensuring awareness of staff in relation to BCM.
Business continuity management policy
The Board must approve the institution’s BCM policy.
The BCM policy must be up-to-date, documented and must set out the objectives and approach in relation to BCM.
The BCM policy must clearly state the roles, responsibilities and authorities to act in relation to the BCM policy.
Business impact analysis
A BIA involves identifying all critical business functions, resources and infrastructure of the institution and assessing the impact of a disruption on these.
When conducting the BIA, the APRA-regulated institution must consider:
plausible disruption scenarios over varying periods of time;
the period of time for which the institution could not operate without each of its critical business operations;
the extent to which a disruption to the critical business operations might have a material impact on the interests of depositors and/or policyholders of the institution; and
the financial, legal, regulatory and reputational impact of a disruption to the institution’s critical business operations over varying periods of time.
Recovery objectives and strategies
Recovery objectives are pre-defined goals for recovering critical business operations to a specified level of service (recovery level) within a defined period (recovery time) following a disruption.
An APRA-regulated institution must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA and the size and complexity of the institution.
Business continuity planning
An APRA-regulated institution must maintain at all times a documented BCP for the institution that meets the objectives of the institution’s BCM policy.
[6]
A reference to a ‘BCP’ includes a reference to more than one BCP where appropriate. An institution may have a number of BCPs. A BCP may include a separate crisis management plan and disaster recovery plan.
The BCP must document procedures and information that enable the institution to:
manage an initial business disruption (crisis management); and
recover critical business operations.
The BCP must reflect the specific requirements of the institution and must identify:
critical business operations;
recovery levels and time targets for each critical business operation;
recovery strategies for each critical business operation;
infrastructure and resources required to implement the BCP;
roles, responsibilities and authorities to act in relation to the BCP; and
communication plans with staff and external stakeholders.
Where material business activities are outsourced, an APRA-regulated institution must satisfy itself as to the adequacy of the outsourced service provider’s BCP and must consider any dependencies between the two BCPs.
Review and testing of the Business Continuity Plan
An APRA-regulated institution must review and test the institution’s BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management.
[7]
A material change to business operations includes a change in a material outsourcing arrangement. Refer to CPS 231 for further information on outsourcing.
The BCP must be updated if shortcomings are identified as a result of the review and testing required under paragraph 34.
Notification requirements
An APRA-regulated institution must notify APRA as soon as possible and no later than 24 hours after the institution experiences a major disruption that has the potential to have a material impact on the institution’s risk profile, or affect its financial soundness. The APRA-regulated institution must explain to APRA the nature of the disruption, the action being taken, the likely effect and the timeframe for returning to normal operations. The APRA-regulated institution must notify APRA when normal operations resume.
The information or notifications required by this Prudential Standard must be given in such form, if any, and by such procedures, if any, as APRA determines and publishes on its website from time to time.
Audit arrangements
An institution’s internal audit function, or an appropriate external expert, must periodically review the BCP and provide an assurance to the Board or to delegated management that:
the BCP is in accordance with the institution’s BCM policy and addresses the risks it is designed to control; and
testing procedures are adequate and have been conducted satisfactorily.
APRA may request the external auditor of the institution, or another appropriate external expert, to provide an assessment of the institution’s BCM arrangements. Any such report must be paid for by the institution and must be made available to APRA.
Adjustments and exclusions
APRA may adjust or exclude a specific requirement in this Prudential Standard in relation to an APRA-regulated institution.
[9]
Refer to subsection 11AF(2) of the Banking Act, subsection 32(3D) of the Insurance Act and subsection 230A(4) of the Life Insurance Act.
Determinations made under previous prudential standards
An exercise of APRA’s discretion (such as an approval, waiver or direction) under a previous version of this Prudential Standard continues to have effect as though exercised pursuant to a corresponding power (if any) exercisable by APRA under this Prudential Standard. For the purposes of this paragraph, ‘a previous version of this Prudential Standard’ includes any versions of:
Prudential Standard APS 232 Business Continuity Management (including Guidance Note AGN 232.1 Risk Assessment and Business Continuity Management);
Prudential Standard GPS 222 Business Continuity Management (including Guidance Note GGN 222.1 Risk Assessment and Business Continuity Management);
Prudential Standard GPS 221 Risk Management: Level 2 Insurance Groups (GPS 221), to the extent that GPS 221 related to business continuity management.