There was a time when the safest place for your money was reckoned to be under your mattress. Paper money didn’t exist. The gold and silver coins in use were resistant to flood and, to a certain degree, fire, as well as to theft if you were lying on the mattress at the time: in other words, there was a certain degree of business continuity built in. Nowadays, things are rather different. The gold standard is no more. Many people’s or businesses’ wealth is locked up in digital investments, regulated by organisations like ASIC, the Australian Securities & Investments Commission. So what about business continuity now?
ASIC provides guidance concerning business continuity for the entities licensed to provide investment services. In its “ADDENDUM TO REGULATORY GUIDE 172”, it states that licensees should have adequate BC and DR plans for each system involved in providing investment services. It expects licensees to be able to ensure that critical business functions remain available for investors. It also states that licensees should consider different scenarios, implement adequate policies and procedures, and back up both business and compliance critical data.
It also quotes a number of references that investment companies might like to consider when thinking about business continuity: the ISO 22301 standard; Australia’s own HB 292-2006; and “High-level principles for business continuity” from the joint forum that included the Basel Committee on Banking Supervision. However, ASIC stops short of using words like “must” or “will”. Its statements are expressed as recommendations, not requirements. This raises the question: given the importance of business continuity in the financial sector, should ASIC move towards either using language that expresses obligations rather than options, or mentioning sanctions in the case of failure to comply?