Life insurance (prudential standards) determination No.4 of 2007

Prudential standard LPS 232 Business Continuity Management

Life Insurance Act 1995

I, John Roy Trowbridge, Member of APRA, delegate of APRA, under paragraph 230A(1)(a) of the Life Insurance Act 1995 (the Act), DETERMINE prudential standard LPS 232 Business Continuity Management in the form shown in the Schedule of this determination.

Under subparagraph 230A(4)(a)(ii) of the Act, this determination takes effect on the later of 1 January 2008 and the date of registration on the Federal Register of Legislative Instruments.

Dated 23 March 2007

Signed ………………………

John Trowbridge

Member

Interpretation

In this determination:

APRA means the Australian Prudential Regulation Authority.

Federal Register of Legislative Instruments means the register established under section 20 of the Legislative Instruments Act 2003.

Schedule

Prudential Standard LPS 232 Business Continuity Management comprises the five pages attached.

Business Continuity Management

This Prudential Standard aims to ensure that each life company implements a whole of business approach to business continuity management, appropriate to the nature and scale of its operations. Business continuity management increases a life company’s resilience to business disruption arising from internal and external events and may reduce the impact on the life company’s business operations, reputation, profitability, policy owners and other stakeholders.

The ultimate responsibility for the business continuity of a life company rests with the Board of directors, or, in the case of an eligible foreign life insurance company, with the Compliance Committee.

The key requirements of this Prudential Standard are:

(a) develop and maintain a Business Continuity Plan that documents procedures and information which enable the life company to manage business disruptions;

(b) allocate and maintain sufficient infrastructure, budgetary and other resources to implement the Business Continuity Plan;

(c) review the Business Continuity Plan annually and periodically arrange for its review by the internal audit function or an external expert; and

(d) notify APRA in the event of certain disruptions.


Authority and application

1. This Prudential Standard, made under section 230A(1)(a) of the Life Insurance Act 1995 (the Act), applies to all life companies including friendly societies (together referred to as life companies) registered under the Act.

2. Subject to the transition arrangements set out in this Prudential Standard, a life company must comply with this Prudential Standard from 1 January 2008 (referred to in this Prudential Standard as the effective date).

3. This Prudential Standard applies regardless of whether activities are outsourced to related or third-party service providers. This Prudential Standard also applies to arrangements where the service provider is located outside Australia or the functions are performed outside Australia.

4. Nothing in this Prudential Standard prevents a life company from applying policies used in a related company provided that the policies meet the requirements of this Prudential Standard.

The role of the Board and senior management

5. All life companies must identify, assess and manage potential business continuity risks to ensure that each life company is able to meet its financial and service obligations to its policy owners and other creditors.

6. The Board of directors (the Board) is ultimately responsible for the business continuity of the life company.[1] The Board remains responsible for Business Continuity Management (BCM) regardless of whether business operations are outsourced or are part of a corporate group.[2]

7. The Board must approve the life company’s Business Continuity Management Policy (BCM Policy).[3]

8. The Board or delegated management must be satisfied that sufficient infrastructure, budgetary and other resources are allocated and maintained in order for the company to be able to fulfil the objectives of the BCM Policy and to implement the Business Continuity Plan (BCP).[4]

9. The Board must consider the life company’s business continuity risks and controls as part of its overall risk management systems and when completing a risk management declaration required to be provided to APRA.[5]

Business Continuity Management

10. BCM is a whole of business approach that includes policies, standards and procedures for ensuring that critical business operations can be maintained or recovered in a timely fashion, in the event of a disruption. Its purpose is to minimise the financial, legal, regulatory, reputational and other material consequences arising from a disruption.

11. Critical business operations are defined as business functions, resources and infrastructure that have the potential, if disrupted, to impact materially on the life company’s business functions, policy owners, reputation or profitability.

12. The minimum components of a life company’s BCM must include:

(a) a BCM Policy;

(b) a Business Impact Analysis (BIA) including risk assessment;

(c) recovery objectives and strategies;

(d) a BCP including crisis management and recovery;

(e) programs for:

(i) review and testing of the BCP; and

(ii) training and awareness of staff in relation to BCM.

Business Continuity Management Policy

13. A life company must have an up-to-date written policy that sets out its objectives and approach in relation to BCM (namely the BCM Policy).[6]

14. Roles, responsibilities and authorities to act in relation to the BCM Policy must be clearly articulated in the BCM Policy.

Business Impact Analysis

15. BIA is the process of identifying and measuring (quantitatively and qualitatively) the business impact of the loss or disruption of critical business operations.

16. When conducting the BIA the life company must consider:

(a) plausible disruption scenarios over varying periods of time;

(b) the period of time for which the life company could not operate without each of its critical business operations;

(c) the extent to which a disruption to the critical business operations might adversely affect the interests of policy owners of the life company; and

(d) the financial, legal, regulatory and reputational impact of a disruption to a life company’s critical business operations over varying periods of time.

Recovery objectives and strategies

17. Recovery objectives are pre-defined goals for recovering critical business operations to a specified level of service (recovery level) within a defined period (recovery time), following a disruption.

18. The life company must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA and the size and complexity of the life company.

Business Continuity Plan

19. The life company must maintain at all times a written BCP which meets the objectives of the BCM Policy.[7]

20. The BCP must document procedures and information which enable the life company to:

(a) manage an initial business disruption (crisis management); and

(b) recover critical business operations.

21. The BCP must reflect the specific requirements of the life company and must identify:

(a) critical business operations;

(b) recovery levels and time targets for each critical business operation;

(c) recovery strategies for each critical business operation;

(d) infrastructure and resources required to implement the plan;

(e) roles, responsibilities and authorities to act in relation to the BCP; and

(f) communication plans with staff and external stakeholders.

Review and testing of the BCP

22. A life company must review and test its BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP is capable of meeting the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management.[8]

23. The BCP must be updated if shortcomings are identified as a result of the review or testing required under paragraph 22.

24. The life company’s internal audit function, or an external expert, must periodically review the BCP and provide an assurance to the Board or to delegated management that:

(a) the BCP is in accordance with the life company’s BCM Policy and addresses the risks it is designed to control; and

(b) testing procedures are adequate and have been conducted satisfactorily.

Notification requirements

25. A life company must notify APRA as soon as possible and no later than 24 hours after experiencing a major disruption that has the potential to have a material impact on its risk profile, or to affect the life company’s financial soundness. The life company should outline to APRA the nature of the disruption, the action being taken, the likely effect and the timeframe for return to normal operations. APRA must be notified when normal operations are resumed.

26. The information or notifications required by this Prudential Standard must be given in such form, if any, and by such procedures, if any, as APRA determines and publishes on its website from time to time.

Transition arrangements

27. A transitional period of 12 months applies from the effective date. During this transitional period, all life companies must:

(a) report on their compliance with this Prudential Standard in their annual risk management declaration (as required under Prudential Standard LPS 220 Risk Management (LPS 220)); and

(b) submit to APRA a plan and timeframe for rectifying any areas of non-compliance with this Prudential Standard.


[1] For the purposes of this Prudential Standard, a reference to the Board, in the case of an eligible foreign life insurance company (EFLIC), is a reference to the Compliance Committee. Section 16ZF of the Act requires an EFLIC to establish and operate a Compliance Committee. Refer Attachment B of Prudential Standard LPS 510 Governance.

[2]  A “corporate group” comprises more than one company, where the companies are related bodies corporate within the meaning of section 50 of the Corporations Act 2001.

[3]  See paragraph 13.

[4]  See paragraph 19.

[5]  Refer Prudential Standard LPS 220 Risk Management (LPS 220 Risk Management).

[6]  The BCM Policy must be approved by the Board under paragraph 7.

[7]  A reference to a BCP can be individual or collective.  A life company may have a number of BCPs.  A BCP may include a separate Crisis Management Plan (CMP) and Disaster Recovery Plan (DRP).

[8]  A material change to business operations includes a change in a material outsourcing arrangement.  Refer Prudential Standard LPS 231 Outsourcing for further information on outsourcing.