New rules on business continuity management
for the finance sector came into effect this month, but one local
expert says more than just finance companies will be
April 1 saw a new standard for business continuity management,
APS 232, come into effect from the chief regulator of the
financial services industry, the Australian Prudential Regulation
APS 232 requires APRA members to have a business continuity
plan that documents how the company will resume operations in
the event of a disaster.
However, Peter Voysey, the practice manager of Kaz's business
continuity and governance solutions, said APRA members would have
to apply the standard to their service providers as well.
"While it does apply to ADIs (authorised deposit-taking
institutions), its reach is a lot wider as it applies to those
that provide services to ADIs, such as outsourced providers," he
"In an Australian regulatory context, this is the most
comprehensive standard to date."
APS 232 requires APRA members to undertake a business impact analysis
that identifies critical business functions and assesses the impact
of a disruption to them.
The analysis must include companies providing specialist
services to the ADI and arrangements with critical service
providers, according to the standard.
"ADIs will have to ask their service provider to show
compliance," said Voysey.
These could take the form of network service providers or call
centres, he said.
Voysey has worked with some finance companies on implementing
the new standard and said in many cases, their plans had not
been "up to scratch."
"We've had customers who've had rudimentary plans and wanted
us to make sure they're adequate.
"We've had to recommend improvements," he said.
Voysey said APS 232 compliance had required considerable work
for many businesses.
The standard requires members to undertake risk assessment, a
business impact analysis and business continuity planning, to consider
recovery strategies, to form crisis management teams, and to review and
test such procedures.
Specific technology components include the listing of
hardware, software, printers, faxes, phones and human resources
required to run operations in the event a primary site was
One of the key technology decisions to be made as part of
complying with the standard related to the location of backup
facilities, according to Voysey.
There was some conjecture about how far away a recovery site
or replicated data centre should be, he said.
"Some organisations think 10km is adequate separation," he
"But some are talking 50km, 100km, even another city."
One Kaz customer was even factoring the risk of a tsunami
coming into Sydney Harbour, said Voysey.
Such considerations increased the cost of technology to the
business, he said.
"Cost is always an issue, particularly for high-availability
"Where you replicate data across sites, you need to work out
how you are going to keep those costs down."
Gartner research director Steve Bittinger labelled APS 232
"stock standard", and said business continuity frameworks such as
this were increasingly being used as a selling point by companies
or associations to do business with them.
APS 232 was first published 12 months ago. This allowed
APRA members to ensure they were compliant before the standard
took effect on April 1, 2006.