Prudential Standard GOI 3.2 (Business Continuity Management - BCM) Flashcards
BCM
An enterprise-wide approach that includes policies, standards and procedures for ensuring that critical business operations can be maintained or recovered in a timely fashion in the event of a disruption.
Its purpose is to minimise the financial, legal, regulatory, reputational and other material consequences arising from a disruption.
Critical business operations
- business functions
- resources
- infrastructure
that may, if disrupted, have a material impact on an insurer’s:
- business functions
- reputation
- profitability
- policyholders
An insurer’s BCM framework must, at a minimum, include: (5)
- a BCM Policy
- a regular business impact analysis
- recovery objectives and strategies
- a Business Continuity Plan that includes crisis management and recovery plans
- programs for:
  - review and testing of the Business Continuity Plan
  - training and ensuring awareness of staff in relation to BCM
Business Impact Analysis
Involves an insurer identifying all its critical business operations (functions, resources and infrastructure) and assessing the impact of a material disruption on each of these.
When conducting the business impact analysis the insurer must consider: (4)
- plausible disruption scenarios over varying periods of time
- the period of time for which the insurer could not operate without each of its critical business operations
- the extent to which a disruption to the critical business operations might have a material impact on the interests of the insurer’s policyholders
- the financial, legal, regulatory and reputational impact of a disruption on the insurer’s critical business operations over varying periods of time.
Recovery objectives
Pre-defined goals for recovering critical business operations
… to a specified level of service (recovery level)
… within a defined period (recovery time)
following a disruption.
The Business Continuity Plan must document procedures and information that enable the insurer to: (2)
- manage an initial business disruption (crisis management)
- recover critical business operations
The Business Continuity Plan must reflect the specific operational requirements of the insurer and must identify: (6)
- critical business operations
- recovery levels and time targets for each critical business operation
- recovery strategies for each critical business operation
- infrastructure and resources required to implement the Business Continuity Plan
- roles, responsibilities and authorities to act in relation to the Business Continuity Plan
- communication plans with staff and external stakeholders.