High-Level Principles for Business Continuity
The document provides authorities with a broad framework for developing business continuity arrangements that are more closely tailored to their unique sectoral and local circumstances. The principles outlined in the document apply to both financial industry participants and financial authorities and are applicable across the banking, securities and insurance sectors. The principles also provide a consistent context for those arrangements and thereby promote a common base level of resilience across national boundaries.
This paper outlines seven high-level principles that build upon traditional concepts of effective business continuity management in the following ways:
Principle 1 emphasises that the requirement for sound business continuity management applies to all financial authorities and financial industry participants and that the ultimate responsibility for business continuity management - not unlike the management of other risks - rests with an organisation's board of directors and senior management.
Principle 2 advises organisations that they should explicitly consider and plan for major operational disruptions. While this concept may be new for many organisations, it is considered important in light of the increasing frequency of such events.
Principle 3 states that financial industry participants should develop recovery objectives that reflect the risk they represent to the operation of the financial system. Financial industry participants that provide critical services to, or otherwise present significant risk to the operation of, the financial system should target higher standards in their business continuity management than other participants. This concept may be new for some financial industry participants. Because the steps necessary to improve the resilience of the financial system may be more costly than the steps such participants would choose to undertake on their own, financial authorities are encouraged to participate, as appropriate, in identifying recovery objectives that are proportionate to the risk posed by a given participant in order to achieve a reasonably consistent level of resilience.
Principle 4 stresses the critical importance of business continuity plans addressing the full range of internal and external communication issues an organisation may encounter in the event of a major operational disruption. The principle specifically recognises that clear, regular communication during a major operational disruption is necessary to manage a crisis and maintain public confidence.
Principle 5 highlights the special case of cross-border communications during a major operational disruption. Given the deepening interdependencies of financial systems across national boundaries, this principle advises financial industry participants and financial authorities to adopt communication protocols that address situations where cross-border communication may be necessary.
Principle 6 emphasises the need to ensure that business continuity plans are effective and to identify necessary modifications through periodic testing.
Finally, to ensure that financial industry participants are in fact implementing appropriate approaches to business continuity management that reflect the recovery objectives adopted in accordance with Principles 1 and 3, Principle 7 calls upon financial authorities to incorporate business continuity management reviews into their frameworks for assessing financial industry participants.