Prudential Standard LPS 232



Similar documents
Prudential Standard CPS 232 Business Continuity Management

Business Continuity Management

Business Continuity Management

Bank of Papua New Guinea Prudential Standard BPS251: Business Continuity Management

INSURANCE REGULATORY AUTHORITY IRA/PG/ GUIDELINE TO THE INSURANCE INDUSTRY ON THE BUSINESS CONTINUITY MANAGEMENT

Prudential Practice Guide

Prudential Practice Guide

External Supplier Control Requirements BCM

Guidance Note XGN XXX.1

Objective and key requirements of this Prudential Standard

Checklist of ISO Mandatory Documentation

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

Business Continuity and Risk Management. Ken Kaberia Principal BCM Officer, Enterprise Risk Safaricom Limited

Global Statement of Business Continuity

BUSINESS CONTINUITY MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS

The PNC Financial Services Group, Inc. Business Continuity Program

November 2007 Recommendations for Business Continuity Management (BCM)

#316 The Security Elements of Business Continuity & Disaster Recovery Plans

How To Manage A Disruption Event

Council Policy Business Continuity Management

(Mr. Krirk Vanikkul) Assistant Governor, Financial Institutions Policy Group Governor For

Statement of Guidance

Business Continuity Management

BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX MEMBERS NEW RULES FOR INCLUSION IN SGX-ST RULES

Business Continuity Management

CITY UNIVERSITY OF HONG KONG Business Continuity Management Standard

Managing Outsourcing Arrangements

Business continuity management policy

Guideline on Business Continuity Management

Business Continuity Planning (800)

Objectives and key requirements of this Prudential Standard

Proposal for Business Continuity Plan and Management Review 6 August 2008

Business Continuity Management

AUSTRACLEAR REGULATIONS Guidance Note 10

Business continuity management policy

HOW CAN YOU ENSURE BUSINESS CONTINUITY? ISO AUDITS, CERTIFICATION AND TRAINING

Disaster Recovery Journal Spring World 2014

Business Continuity Planning Instructions

BUSINESS CONTINUITY POLICY

COMCARE BUSINESS CONTINUITY MANAGEMENT

ISO 22301: Societal Security Terminology ISO 22313: BCMS Guidance ISO 22398: Exercises and Testing - Guidance

Business Continuity Policy and Business Continuity Management System

MHA Consulting. Business Continuity Management 101

Table of Contents... 1

Business Continuity & Crisis Management

Business Continuity Planning and Disaster Recovery Planning

Coping with a major business disruption. Some practical advice

The PNC Financial Services Group, Inc. Business Continuity Program

BUSINESS CONTINUITY MANAGEMENT POLICY

ASX CLEAR (FUTURES) OPERATING RULES Guidance Note 10

Guideline - Business Continuity Plan

August 2013 Recommendations for Business Continuity Management (BCM)

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

ASX SETTLEMENT OPERATING RULES Guidance Note 10

Annex B. The Proposed Amendments AMENDMENTS TO NATIONAL INSTRUMENT MARKETPLACE OPERATION

BCP and DR. P K Patel AGM, MoF

July Objectives and key requirements of this Prudential Standard

Business Resiliency Business Continuity Management - January 14, 2014

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

BS BUSINESS CONTINUITY MANAGEMENT

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

Business Continuity Business Continuity Management Policy

NHS ISLE OF WIGHT CLINICAL COMMISSIONING GROUP BUSINESS CONTINUITY POLICY

INFOSEC.MY KNOWLEDGE SHARING SESSION

How to Plan for Disaster Recovery and Business Continuity

Business Continuity Management Policy

Business Continuity Management Governance. Frank Higgins Abu Dhabi March 2015

BUSINESS CONTINUITY STRATEGY

: Chief Executive Officers of all Licensed Commercial Banks, Primary Dealers, Central Depository Systems (Pvt) Ltd. and LankaClear (Pvt.) Ltd.

PART A: OVERVIEW Introduction Applicability Legal Provisions Effective Date...2

Solihull Clinical Commissioning Group

CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM

Business Continuity Policy

2014 NABRICO Conference

GUIDELINES ON OUTSOURCING

Principles for BCM requirements for the Dutch financial sector and its providers.

Business Continuity and Disaster Recovery Planning

KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

Monetary Authority of Singapore BUSINESS CONTINUITY MANAGEMENT GUIDELINES

Business Continuity Management 101. Patrick Potter, CBCP MHA Consulting ISACA November 19, 2009

Business Continuity Policy

OUTSOURCING POLICY

ASTRAZENECA GLOBAL POLICY SAFETY, HEALTH AND ENVIRONMENT (SHE)

Business Continuity Management Policy and Framework

Birmingham CrossCity Clinical Commissioning Group. Business Continuity Management Policy

Business Continuity Management January 2011

ASTRAZENECA GLOBAL POLICY SAFEGUARDING COMPANY ASSETS AND RESOURCES

Domain 3 Business Continuity and Disaster Recovery Planning

BUSINESS CONTINUITY POLICY RM03

Temple university. Auditing a business continuity management BCM. November, 2015

Emergency Response and Business Continuity Management Policy

Business Continuity Management Policy

Guidelines. Guidelines on registration of life companies. Australian Prudential Regulation Authority. 27 May 2010

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

CISM Certified Information Security Manager

Business Continuity Management

Transcription:

Prudential Standard LPS 232 Business Continuity Management Objective and key requirements of this Prudential Standard This Prudential Standard aims to ensure that each life company implements a whole of business approach to business continuity management, appropriate to the nature and scale of its operations. Business continuity management increases a life company s resilience to business disruption arising from internal and external events and reduces the impact on the life company s business operations, reputation, profitability, policy owners and other stakeholders. The ultimate responsibility for the business continuity of a life company rests with the Board of directors, or, in the case of an eligible foreign life insurance company, with the Compliance Committee. The key requirements of this Prudential Standard are: All life companies must identify, assess and manage potential business continuity risks to ensure that each life company is able to meet its financial and service obligations to its policy owners and other creditors; The Board of directors of the life company must consider business continuity risks and controls as part of its overall risk management systems and approve a Business Continuity Management Policy; A life company must: develop and maintain a Business Continuity Plan that documents procedures and information which enable the life company to manage business disruptions; allocate and maintain sufficient infrastructure, budgetary and other resources to implement the Business Continuity Plan; review the Business Continuity Plan annually and periodically arrange for its review by the internal audit function or an external expert; and notify APRA in the event of certain disruptions. LPS 232-1

Authority and application 1. This Prudential Standard, made under section 230A(1) of the Life Insurance Act 1995 (the Life Act), applies to all life companies including friendly societies (together referred to as life companies) registered under the Life Act. 2. This Prudential Standard applies regardless of whether activities are outsourced to related or third-party service providers. This Prudential Standard also applies to arrangements where the service provider is located outside Australia or the functions are performed outside Australia. 3. Nothing in this Prudential Standard prevents a life company from applying policies used in a related company provided that the policies meet the requirements of this Prudential Standard. The role of the Board and senior management 4. All life companies must identify, assess and manage potential business continuity risks to ensure that each life company is able to meet its financial and service obligations to its policy owners and other creditors. 5. The Board of directors (the Board) is ultimately responsible for the business continuity of the life company. 1 The Board remains responsible for Business Continuity Management (BCM) regardless of whether business operations are outsourced or are part of a corporate group. 2 6. The Board, in fulfilling its functions, may delegate authority to management to act on behalf of the Board with respect to certain matters, as decided by the Board. Such delegation does not extend to the requirements set out in paragraphs 4 to 7 or 9. This delegation of authority must be clearly set out and documented. The Board must have mechanisms in place to monitor the exercise of delegated authority. The Board cannot abrogate its responsibility for functions delegated to management. 3 7. The Board must approve the life company s Business Continuity Management Policy (BCM Policy). 4 8. The Board or delegated management must be satisfied that sufficient infrastructure, budgetary and other resources are allocated and maintained in order for the company to be able to fulfil the objectives of the BCM Policy and to implement the Business Continuity Plan (BCP). 5 1 2 3 4 5 For the purposes of this Prudential Standard, a reference to the Board, in the case of an eligible foreign life insurance company (EFLIC), is a reference to the Compliance Committee. Subsection 16ZF of the Life Act requires an EFLIC to establish and operate a Compliance Committee. Refer Attachment B of Prudential Standard LPS 510 Governance. A corporate group comprises more than one company, where the companies are related bodies corporate within the meaning of section 50 of the Corporations Act 2001. The term management includes reference to senior management and/or a committee. See paragraph 13. See paragraph 19. LPS 232-2

9. The Board of the life company must consider the life company s business continuity risks and controls as part of its overall risk management systems and when completing a risk management declaration required to be provided to APRA. 6 Business Continuity Management 10. BCM is a whole of business approach that includes policies, standards and procedures for ensuring that critical business operations can be maintained or recovered in a timely fashion, in the event of a disruption. Its purpose is to minimise the financial, legal, regulatory, reputational and other material consequences arising from a disruption. 11. Critical business operations are defined as business functions, resources and infrastructure that have the potential, if disrupted, to impact materially on the life company s business functions, policy owners, reputation or profitability. 12. The minimum components of a life company s BCM must include: (e) a BCM Policy; a Business Impact Analysis (BIA) including risk assessment; recovery objectives and strategies; a BCP including crisis management and recovery; programs for: (i) (ii) review and testing of the BCP; and training and awareness of staff in relation to BCM. Business Continuity Management Policy 13. A life company must have an up-to-date written policy that sets out its objectives and approach in relation to BCM (BCM Policy). 7 14. Roles, responsibilities and authorities to act in relation to the BCM Policy must be clearly articulated in the BCM Policy. Business Impact Analysis 15. BIA is the process of identifying and measuring (quantitatively and qualitatively) the business impact of the loss or disruption of critical business operations. 16. When conducting the BIA the life company must consider: 6 7 Refer Prudential Standard LPS 220 Risk Management (LPS 220 Risk Management). The BCM Policy must be approved by the Board under paragraph 7. LPS 232-3

plausible disruption scenarios over varying periods of time; the period of time for which the life company could not operate without each of its critical business operations; the extent to which a disruption to the critical business operations might adversely affect the interests of policy owners of the life company; and the financial, legal, regulatory and reputational impact of a disruption to a life company s critical business operations over varying periods of time. Recovery objectives and strategies 17. Recovery objectives are pre-defined goals for recovering critical business operations to a specified level of service (recovery level) within a defined period (recovery time), following a disruption. 18. The life company must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA and the size and complexity of the life company. Business Continuity Plan 19. The life company must maintain at all times a written BCP which meets the objectives of the BCM Policy. 8 20. The BCP must document procedures and information which enable the life company to: manage an initial business disruption (crisis management); and recover critical business operations. 21. The BCP must reflect the specific requirements of the life company and must identify: (e) (f) critical business operations; recovery levels and time targets for each critical business operation; recovery strategies for each critical business operation; infrastructure and resources required to implement the plan; roles, responsibilities and authorities to act in relation to the BCP; and communication plans with staff and external stakeholders. 8 A reference to a BCP can be individual or collective. It is acknowledged that a life company may have a number of BCPs. A BCP may include a separate Crisis Management Plan (CMP) and Disaster Recovery Plan (DRP). LPS 232-4

Review and testing of the BCP 22. A life company must review and test its BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP is capable of meeting the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management. 9 23. The BCP must be updated if shortcomings are identified as a result of the review or testing required under paragraph 22. 24. The life company s internal audit function, or an external expert, must periodically review the BCP and provide an assurance to the Board or to delegated management that the BCP is in accordance with the life company s BCM Policy, addresses the risks it is designed to control and that testing procedures are adequate and have been conducted satisfactorily. Notification requirements 25. A life company must notify APRA as soon as possible and no later than 24 hours after experiencing a major disruption that has the potential to have a material impact on its risk profile, or to affect the life company s financial soundness. The life company should outline to APRA the nature of the disruption, the action being taken, the likely effect and the timeframe for return to normal operations. APRA must be notified when normal operations are resumed. 26. The information or notifications required by this Prudential Standard must be given in such form, if any, and by such procedures, if any, as APRA publishes on its website from time to time. Transitional arrangements 27. A transitional period of 12 months applies from the date this Prudential Standard takes effect. During this transitional period, all life companies must: report on their compliance with this Prudential Standard in their annual risk management declaration (as required under Prudential Standard LPS 220 Risk Management (LPS 220)); and submit to APRA a plan and timeframe for rectifying any areas of noncompliance with this Prudential Standard. 9 A material change to business operations includes a change in a material outsourcing arrangement. Refer Prudential Standard LPS 231 Outsourcing for further information on outsourcing. LPS 232-5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information