Is your Business Continuity Plan up to the challenge?

By Paul Neves, Chief Operating Officer, Oceanic Consulting Group

Over the past 15 years, our team have had the privilege of assisting numerous businesses in protecting their staff, maintaining critical functions, and minimising financial loss and negative publicity during operational challenges. The key to achieving positive outcomes lies in having a practical, tested business continuity plans and a well-defined crisis management process. Integrating business continuity principles into your day-to-day operations is a critical component to your success.

“You survived the Pandemic, so your business continuity plan must be fine, right?” But pause and consider: Does your plan meet regulatory obligations? Can it effectively handle events such as cyberattacks that have become increasingly prevalent in recent times, natural disasters, system outages, or staff loss? What happens if a key supplier fails? These questions emphasise the importance of having a robust and adaptable business continuity plan in place.”

Regulatory guides are prescriptive when it comes to Business Continuity requirements for wealth managers and stockbrokers. What are the guidelines that apply to your business?

RG 265 Securities Market Participants
• Participants must have robust business continuity plans to effectively respond to events that could cause significant disruption to their operations or materially impact their services. These plans must be regularly reviewed, updated and tested. RG 265 Guidance on ASIC market integrity rules for participants of securities markets | ASIC

RG 259 Fund Operators
• Operators must reduce or mitigate the consequences of realised risk via business continuity plans and disaster recover plans for technology resources. RG 259 Risk management systems of fund operators | ASIC

RG172 Financial Markets Domestic and Overseas Operators
• ASIC expect licensees to undertake robust continuity planning, capacity planning and stress testing. Where licensees rely on outsourced services for their systems ASIC Licensees to consider these principles as part of their management of the outsourced services. Arrangements should be tested periodically preferably on an industry wide basis, issues documented and remedied as soon as possible. RG 172 Financial markets: Domestic and overseas operators | ASIC

The three fundamentals of Business Continuity

To build a business continuity plan that is truly fit for purpose, it’s important to focus on three key fundamentals:

1. Business Impact Analysis (BIA): Conduct a comprehensive BIA for all functions, including outsourced processes and systems. This analysis will identify critical processes and dependencies, forming the foundation for developing effective business continuity strategies and plans.

2. Plan refresh and testing: Schedule regular plan refresh, approval, and testing cycles. By doing so, you can ensure the plan remains up to date and effective. Tracking actions resulting from tests and driving them to completion is crucial for continuous improvement.

3. Holistic evaluation: Evaluate supplier plans to assess their preparedness for disruptions. Additionally, review IT recovery strategies to ensure they align with business recovery objectives. Develop and test pandemic plans to address potential outbreaks and establish a crisis management plan/process with clearly defined roles and responsibilities.

Practicality is the key
When our team raise the subject of business continuity with leaders we hear concerns about how challenging the process can be and the amount of work involved.

Business Continuity is critical for businesses in the funds management and stockbroking industry. The risk to customers, reputation and revenue of any outage can be significant. Investment in time to get it right is paramount.

A key principle in developing a business continuity plan is to make it simple and practical. Everyone in the organisation needs to know what to do in a business continuity event. Do I work from home or do I just wait for further instructions?

For leaders the existence of a crisis management framework is critical – with clear roles and responsibilities. I have found adopting Business Continuity and Crisis Management principles into day-to-day operations helps to minimise disruptions. For example, whenever there is a system refresh we organise thorough testing outside hours and map out strategies and escalation points should there be an issue. Regular updates are issued to the incident management team who are on standby.

Oceanic Consulting Group’s business resiliency practice brings together a multidisciplinary team of consultants covering property strategy, hybrid working adoption, business continuity/compliance, crisis management, people strategy and workplace design. Significant business benefits can be delivered when this combination of factors is considered holistically.

This article is general information and does not consider the circumstances of any investor or constitute advice.