High-level principles for business continuity - final paper
In response to a request from the Financial Stability Forum in September 2004, the Joint Forum determined that high-level principles on business continuity would contribute beneficially to the resilience of the global financial system. A working group of the Joint Forum was established in early 2005 to develop the principles, which were published in a consultative paper in December 2005. An overview of the comments received on the consultative paper is provided in a separate document. This paper is a revised version of the December 2005 consultation draft.
Recent acts of terrorism, outbreaks of Severe Acute Respiratory Syndrome and various widespread natural disasters have underlined the substantial risk of major operational disruptions to the financial system. Financial authorities and financial industry participants have a shared interest in promoting the resilience of the financial system to such disruptions.
To that end, financial authorities have been working closely with financial industry participants to establish a consensus as to what constitutes acceptable standards for business continuity. Much of this work to date has been focussed at the national level. At the international level, while there have been several regulatory and private sector initiatives on the business continuity front, there has not been a concerted effort to draw together the lessons learned from major events and translate them into a set of business continuity principles that is relevant across national boundaries and financial sectors (ie banking, securities, and insurance). Furthermore, consistent with their focus on preserving the functionality of the financial system as a whole, financial authorities undertaking these initiatives have tended to give priority to critical market participants. The lessons learned from past experience, however, are applicable to a broader audience.
This paper represents an effort to address these gaps. It is intended to support international standard setting organisations and national financial authorities by providing a broad framework within which more detailed business continuity arrangements might be developed that are more closely tailored to unique sectoral and local circumstances. The principles also provide a consistent context for those arrangements and thereby promote a common base level of resilience across national boundaries.
The high-level principles in this paper have been developed for two distinct but related audiences - financial industry participants and financial authorities. While these groups have different perspectives, roles and responsibilities in the event of a major operational disruption, both are integral in any meaningful effort to improve the financial system's resilience to such disruptions. The principles are not intended to be prescriptive, nor does their broad applicability mean a one-size-fits-all approach to business continuity. An organisation's business continuity management should be proportionate to its business risk (arising from both internal and external sources) and tailored to the scale and scope of its operations.
This paper outlines seven high-level principles that build upon traditional concepts of effective business continuity management in the following ways:
- Principle 1 emphasises that the requirement for sound business continuity management applies to all financial authorities and financial industry participants and that the ultimate responsibility for business continuity management - not unlike the management of other risks - rests with an organisation's board of directors and senior management.
- Principle 2 advises organisations that they should explicitly consider and plan for major operational disruptions. While this concept may be new for many organisations, it is considered important in light of the increasing frequency of such events.
- Principle 3 states that financial industry participants should develop recovery objectives that reflect the risk they represent to the operation of the financial system. Financial industry participants that provide critical services to, or otherwise present significant risk to the operation of, the financial system should target higher standards in their business continuity management than other participants. This concept may be new for some financial industry participants. Because the steps necessary to improve the resilience of the financial system may be more costly than the steps such participants would choose to undertake on their own, financial authorities are encouraged to participate, as appropriate, in identifying recovery objectives that are proportionate to the risk posed by a given participant in order to achieve a reasonably consistent level of resilience.
- Principle 4 stresses the critical importance of business continuity plans addressing the full range of internal and external communication issues an organisation may encounter in the event of a major operational disruption. The principle specifically recognises that clear, regular communication during a major operational disruption is necessary to manage a crisis and maintain public confidence.
- Principle 5 highlights the special case of cross-border communications during a major operational disruption. Given the deepening interdependencies of financial systems across national boundaries, this principle advises financial industry participants and financial authorities to adopt communication protocols that address situations where cross-border communication may be necessary.
- Principle 6 emphasises the need to ensure that business continuity plans are effective and to identify necessary modifications through periodic testing.
- Finally, to ensure that financial industry participants are in fact implementing appropriate approaches to business continuity management that reflect the recovery objectives adopted in accordance with Principles 1 and 3, Principle 7 calls upon financial authorities to incorporate business continuity management reviews into their frameworks for assessing financial industry participants.
The case studies of recent instances of major operational disruption that are set out in annexes to the paper highlight lessons learned from these disruptions and explicitly link each lesson to the relevant principle. A bibliography of the publications considered in the development of the principles is also provided in an annex.