Written by Zoe Moulton – Consultant, Business Continuity
From July 2012, Australian financial services firms must comply with four (4) new standards outlined by the Australian Prudential Regulation Authority (APRA) in September last year.
CPS 232 is one of the four new standards; it consolidates and replaces the existing twelve standards contained in APS 232 (applicable to authorised deposit-taking institutions (ADIs)), GPS 222 (applicable to general insurers) and LPS 232 (applicable to life companies).
The remaining three standards relate to governance, outsourcing, and fitness and propriety. In APRA’s view, the risks arising from outsourcing, business continuity management, governance and the fitness and propriety of responsible persons are similar regardless of the industry.
Currently, there are three individual, almost identical, prudential standards covering the business continuity management requirements for each APRA-regulated industry. The standards essentially relay that a regulated institution must implement a whole-of-business approach to business continuity management appropriate to the nature and scale of its operations.
APRA emphasised that the process “did not seek to review the content and scope of the behavioural standards, beyond that required to harmonise application across industries.”
The regulator received a number of submissions from institutions and industry groups in a related “consultation package” that was released in December 2010.
The submissions supported the harmonisation initiative.
Other key features of CPS 232 include:
- An amendment to clarify the definition of Business Impact Analysis. That is, “a process performed to identify the critical business operations. That is, a regulated institution cannot just perform a BIA for critical business operations; it must perform the analysis for all operations in order to determine which are critical.”
- Clarity around the role and obligations of the Board (or equivalent) in complying with the standard.
- A requirement for the Board of the Head of the Level 2 banking group to ensure that all group members have BCM policies in place, that BCM is applied to each part of the group, and that the business continuity policy is internally and externally reviewed at least annually.
- Extension of the application of the standard to include registered life Non Operating Holding Companies (NOHCs).
- Greater clarity around the application of the standard to foreign branches.
- Extension to life companies of the requirement, currently applying to ADIs and general insurers, to conduct a periodic review of the Business Continuity Plan by the internal auditor or an external expert.
- Extension to ADIs and general insurers of APRA’s ability, under LPS 232, to request the external auditor (or an external expert) to undertake an assessment of BCM arrangements.
- Transfer of the requirement for Level 2 insurance groups to comply with BCM requirements from Prudential Standard GPS 221 Risk Management: Level 2 Insurance Groups (GPS 221).
The consolidated standards are found on the APRA website under the ‘Prudential Framework’ page for each industry.