APRA and Business Continuity in Finance – Accountable in More Ways than One

Business continuity is a big deal in financial institutions. This is not just because of the institutions themselves, but because of the widespread follow-on effects of interruption to their millions of business and consumer customers. APRA (Australian Prudential Regulation Authority) revised its compulsory standards in 2012 by bringing out Prudential Standard CPS 232 for Business Continuity Management. Applying to any Authorised Deposit-taking Institution (ADI), the new version both extends the scope of BCM and specifies a degree of accountability that even non-financial organisations could do well to observe.

The standard specifies that business continuity management must in the first instance be applied to the financial institution as a whole, and not merely to certain operations deemed to be essential. This requirement is set out in the revised definition of Business Impact Analysis, which must be carried out for all operations without any pre-filtering. Doing it this way round allows an organisation to then correctly identify which operations are truly business-critical.

If a business continuity incident arises that can materially affect the risk profile or the financial soundness of the financial institution concerned, the institution must notify APRA within 24 hours. In doing so, it must give details on what happened, what is being done about it, the likely effect and the expected time to get back to normal. It must also confirm to APRA when normal operations start again. While this is a requirement in this context because of what is at stake, it makes an interesting blueprint for other organisations as well. Not every industry sector has an APRA on its tail to make sure that suitable procedures are followed, but nothing stops a board of directors from taking a similar stance concerning an individual company, for example. Doing so could improve BC and reinforce the message from the top down about its importance.