Business continuity rules to affect service providers

Written by Steven Deare, Contributor
New rules on business continuity management for the finance sector came into effect this month, but one local expert says more than just finance companies will be affected.

April 1 saw a new standard for business continuity management, APS 232, come into effect from the chief regulator of the financial services industry, the Australian Prudential Regulation Authority (APRA).

APS 232 requires APRA members to have a business continuity plan that documents how the company will resume operations in the event of a disaster.

However, Peter Voysey, the practice manager of Kaz's business continuity and governance solutions, said APRA members would have to apply the standard to their service providers as well.

"While it does apply to ADIs (authorised deposit-taking institutions), its reach is a lot wider as it applies to those that provide services to ADIs, such as outsourced providers," he said.

"In an Australian regulatory context, this is the most comprehensive standard to date."

APS 232 requires APRA members to undertake a business impact analysis that identifies critical business functions and assesses the impact of a disruption to them.

The analysis must include companies providing specialist services to the ADI and arrangements with critical service providers, according to the standard.

"ADIs will have to ask their service provider to show compliance," said Voysey.

These could take the form of network service providers or call centres, he said.

Voysey has worked with some finance companies on implementing the new standard and said in many cases, their plans had not been "up to scratch."

"We've had customers who've had rudimentary plans and wanted us to make sure they're adequate.

"We've had to recommend improvements," he said.

Voysey said APS 232 compliance had required considerable work for many businesses.

The standard requires members to undertake a risk assessment, a business impact analysis and business continuity planning, to consider recovery strategies, to form crisis management teams, and to review and test such procedures.

Specific technology components include the listing of hardware, software, printers, faxes, phones and human resources required to run operations in the event that a primary site is unavailable.

One of the key technology decisions to be made as part of complying with the standard related to the location of backup facilities, according to Voysey.

There was some conjecture about how far away a recovery site or replicated data centre should be, he said.

"Some organisations think 10km is adequate separation," he said.

"But some are talking 50km, 100km, even another city."

One Kaz customer was even factoring in the risk of a tsunami coming into Sydney Harbour, said Voysey.

Such considerations increased the cost of technology to the business, he said.

"Cost is always an issue, particularly for high-availability solutions.

"Where you replicate data across sites, you need to work out how you are going to keep those costs down."

Gartner research director Steve Bittinger labelled APS 232 "stock standard", and said business continuity frameworks such as this were increasingly being used by companies or associations as a selling point for doing business with them.

APS 232 was first published 12 months ago. This allowed APRA members to ensure they were compliant before the standard took effect on April 1, 2006.
