Updated August 10, 2023
An independent statutory authority, the Australian Prudential Regulation Authority (APRA) supervises financial and related institutions across the banking, insurance, and superannuation sectors.
APRA is accountable to the Australian Parliament, which has tasked the authority with maintaining the safety and soundness of the financial industry. More specifically, APRA is responsible for protecting the interests of depositors, policyholders, and superannuation fund members.
To promote the stability of the financial system, APRA works in tandem with other regulatory bodies, including the Australian Treasury, the Reserve Bank of Australia, and the Australian Securities and Investments Commission.
The failure of just one regulated institution can undermine the stability of the financial system. For that reason, APRA is obliged to maintain a low incidence of failure among the entities it regulates.
Of course, APRA can only do so much. Instead, it must compel the management and directors of those entities (most likely the Board of Directors) to ensure that their own institutions remain sound.
APRA primarily does so through the imposition of prudential standards. These standards largely involve risk management. They are put in place to increase resilience to business disruption arising from internal and external events and to reduce the impact on business operations, reputation, profitability, depositors, policyholders, and other stakeholders.
Key standards address capital adequacy, liquidity, and governance to ensure that systemic risks (i.e., risks that would endanger the system as a whole) are properly managed.
Business continuity falls under this rubric as well. And so, in 2017, APRA released Prudential Standard CPS 232 Business Continuity Management, to which this guide provides a primer.
Prudential Standard CPS 232 derives its statutory authority from subsections in existing banking, insurance, and life insurance legislation. The standard is narrowly tailored to business continuity management, which it defines as a whole-of-business approach that includes policies, standards, and procedures for ensuring that critical business operations can be maintained or recovered in a timely fashion, in the event of a disruption.
The purpose of business continuity, according to APRA, is to minimise the financial, legal, regulatory, reputational, and other material consequences arising from a disruption to critical business operations.
What, then, are critical business operations? Critical business operations are those business functions, resources, and infrastructure that may, if disrupted, have a material impact on the institution’s business functions, reputation, profitability, depositors, and/or policyholders.
According to the standard, the components of business continuity management (BCM) that help to ensure that these critical business operations can be maintained or recovered in a timely fashion in the event of a disruption include:
More will be said of each BCM component shortly. But first, the standard itself compels regulated institutions to implement a whole-of-business approach to BCM appropriate to the nature and scale of their operations. As with many APRA regulations, ultimate responsibility for compliance rests with the Board of the regulated institution.
In the case of CPS 232, specifically, Board members must see to it that their institutions comply with the following requirements:
CPS 232 boasts stringent notification requirements.
A regulated institution must notify APRA as soon as possible and no later than 24 hours after it experiences a major disruption; that is, a disruption that has the potential to have a material impact on the institution’s risk profile or affect its financial soundness.
Another part of the requirement is explaining to APRA the nature of the disruption, the action being taken, its likely effect, and the timeframe for returning to normal operations.
Additionally, the APRA-regulated institution must notify APRA when normal operations resume. The information or notifications required by CPS 232 must be given in such form, if any, and by such procedures, if any, as APRA determines and publishes on its website from time to time.
For business continuity professionals in APRA-regulated institutions, it is worth noting that CPS 232 doesn’t impose an extra layer of business continuity management best practice.
Indeed, compliance with the international standard ISO 22301, which advanced software platforms like Noggin Continuity can help you achieve, will get APRA-regulated institutions most of the way there.
How similar are the standards? See for yourself[i]:

| CPS 232 requirement | ISO 22301 requirement |
| --- | --- |
| Maintain a business continuity management policy for the institution or group, approved by the Board | Top management shall establish a business continuity policy that: a) is appropriate to the purpose of the organisation; b) provides a framework for setting business continuity objectives; c) includes a commitment to satisfy applicable requirements; d) includes a commitment to continual improvement of the BCMS. |
| Identify, assess, and manage potential business continuity risks to ensure that it is able to meet its financial and service obligations to its depositors, policyholders, and other stakeholders | The organisation shall implement and maintain a risk assessment process. The organisation shall: a) identify the risks of disruption to the organisation’s prioritised activities and to their required resources; b) analyse and evaluate the identified risks; c) determine which risks require treatment. |
| Consider business continuity risks and controls as part of its risk management framework | The organisation shall: a) implement and maintain systematic processes for analysing the business impact and assessing the risks of disruption; b) review the business impact analysis and risk assessment at planned intervals and when there are significant changes within the organisation or the context in which it operates. |
| Maintain a business continuity plan that documents procedures and information which enable the institution to manage business disruptions | The organisation shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organisation with response and recovery. |
| Review the business continuity plan annually and periodically arrange for its review by the internal audit function or an appropriate external expert | The organisation shall: a) evaluate the suitability, adequacy, and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans, and procedures; b) undertake evaluations through reviews, analysis, exercises, tests, post-incident reports, and performance evaluations; c) conduct evaluations of the business continuity capabilities of relevant partners and suppliers; d) evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformity with its own business continuity policy and objectives; e) update documentation and procedures in a timely manner. These evaluations shall be conducted at planned intervals, after an incident or activation, and when significant changes occur. |
| Notify APRA in the event of certain disruptions | The organisation shall document and maintain procedures for: a) communicating internally and externally to relevant interested parties, including what, when, with whom, and how to communicate; |
| Business continuity management | |
| BCM is a whole-of-business approach that includes policies, standards, and procedures for ensuring that critical business operations can be maintained or recovered in a timely fashion, in the event of a disruption. Its purpose is to minimise the financial, legal, regulatory, reputational, and other material consequences arising from a disruption. | The standard specifies the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity appropriate to the amount and type of impact that the organisation may or may not accept following a disruption. The outcomes of maintaining a BCMS are shaped by the organisation’s legal, regulatory, organisational, and industry requirements, products and services provided, processes employed, size and structure of the organisation, and the requirements of its interested parties. A BCMS emphasises the importance of understanding the organisation’s needs and the necessity for establishing business continuity policies and objectives; operating and maintaining processes, capabilities and response structures for ensuring the organisation will survive disruptions; monitoring and reviewing the performance and effectiveness of the BCMS; continual improvement based on qualitative and quantitative measures. A BCMS, like any other management system, includes the following components: a) a policy; b) competent people with defined responsibilities; c) management processes relating to: 1) policy; 2) planning; 3) implementation and operation; 4) performance assessment; 5) management review; 6) continual improvement; d) documented information supporting operational control and enabling performance evaluation. The organisation shall: a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources; b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS; c) document this information and keep it up to date. |
| Critical business operations are the business functions, resources, and infrastructure that may, if disrupted, have a material impact on the institution’s business functions, reputation, profitability, depositors, and/or policyholders. | The organisation shall use the process for analysing business impacts to determine business continuity priorities and requirements. The process shall: a) define the impact types and criteria relevant to the organisation’s context; b) identify the activities that support the provision of products and services. |
| BCM must, at a minimum, include: a) a BCM policy; b) a business impact analysis (BIA) including risk assessment; c) recovery objectives and strategies; d) a BCP: (i) review and testing of the BCP and (ii) training and ensuring awareness of staff in relation to BCM. | The organisation shall establish, implement, maintain, and continually improve a BCMS, including the processes needed and their interactions, in accordance with the requirements of this document. |
| Business continuity management policy | |
| The Board must approve the institution’s BCM policy. | Top management shall demonstrate leadership and commitment with respect to the BCMS by a) ensuring that the business continuity policy and business continuity objectives are established and are compatible with the strategic direction of the organisation. |
| The BCM policy must be up to date, documented, and must set out the objectives and approach in relation to BCM. | The business continuity policy shall: a) be available as documented information; b) be communicated within the organisation; c) be available to interested parties, as appropriate. |
| The BCM policy must clearly state the roles, responsibilities, and authorities to act in relation to the BCM policy. | Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organisation. Top management shall assign the responsibility and authority for: a) ensuring that the BCMS conforms to the requirements of this document; b) reporting on the performance of the BCMS to top management. |
| Business impact analysis | |
| A BIA involves identifying all critical business functions, resources, and infrastructure of the institution and assessing the impact of a disruption on these. | The organisation shall use the process for analysing business impacts to determine business continuity priorities and requirements. The process shall: a) define the impact types and criteria relevant to the organisation’s context; b) identify the activities that support the provision of products and services; c) use the impact types and criteria for assessing the impacts over time resulting from the disruption of these activities; |
| When conducting the BIA, the APRA-regulated institution must consider: a) plausible disruption scenarios over varying periods of time; b) the period of time for which the institution could not operate without each of its critical business operations; c) the extent to which a disruption to the critical business operations might have a material impact on the interests of depositors and/or policyholders of the institution; and d) the financial, legal, regulatory and reputational impact of a disruption to the institution’s critical business operations over varying periods of time. | The organisation shall use the process for analysing business impacts to determine business continuity priorities and requirements. The process shall: d) identify the time frame within which the impacts of not resuming activities would become unacceptable to the organisation; e) set prioritised time frames within the time identified in d) for resuming disrupted activities at a specified minimum acceptable capacity; f) use this analysis to identify prioritised activities; g) determine which resources are needed to support prioritised activities; h) determine the dependencies, including partners and suppliers, and interdependencies of prioritised activities. The organisation shall implement and maintain a risk assessment process. The organisation shall: a) identify the risks of disruption to the organisation’s prioritised activities and to their required resources; b) analyse and evaluate the identified risks; c) determine which risks require treatment. |
| Recovery objectives and strategies | |
| Recovery objectives are predefined goals for recovering critical business operations to a specified level of service (recovery level) within a defined period (recovery time) following a disruption. | The organisation shall use the process for analysing business impacts to determine business continuity priorities and requirements. The process shall: d) identify the time frame within which the impacts of not resuming activities would become unacceptable to the organisation; e) set prioritised time frames within the time identified in d) for resuming disrupted activities at a specified minimum acceptable capacity. |
| An APRA-regulated institution must identify and document appropriate recovery objectives and implementation strategies based on the results of the BIA and the size and complexity of the institution. | The organisation shall have documented processes to restore and return business activities from the temporary measures adopted during and after a disruption. |
| Business continuity planning | |
| An APRA-regulated institution must always maintain a documented BCP for the institution that meets the objectives of the institution’s BCM policy. | The organisation shall implement and maintain a response structure that will enable timely warning and communication to relevant interested parties. It shall provide plans and procedures to manage the organisation during a disruption. The plans and procedures shall be used when required to activate business continuity solutions. The organisation shall identify and document business continuity plans and procedures based on the output of the selected strategies and solutions. The procedures shall: a) be specific regarding the immediate steps that are to be taken during a disruption; b) be flexible to respond to the changing internal and external conditions of a disruption; c) focus on the impact of incidents that potentially lead to disruption; d) be effective in minimising the impact through the implementation of appropriate solutions; e) assign roles and responsibilities for tasks within them. |
| The BCP must document procedures and information that enable the institution to: a) manage an initial business disruption (crisis management); and b) recover critical business operations. | The organisation shall document and maintain business continuity plans and procedures. The business continuity plans shall provide guidance and information to assist teams to respond to a disruption and to assist the organisation with response and recovery. |
| The BCP must also document: c) recovery strategies for each critical business operation; d) infrastructure and resources required to implement the BCP; e) roles, responsibilities, and authorities to act in relation to the BCP; and f) communication plans with staff and external stakeholders. | Collectively, the business continuity plans shall contain: a) details of the actions that the teams will take in order to: 1) continue or recover prioritised activities within predetermined time frames; 2) monitor the impact of the disruption and the organisation’s response to it; b) reference to the pre-defined threshold(s) and process for activating the response; c) procedures to enable the delivery of products and services at agreed capacity; d) details to manage the immediate consequences of a disruption giving due regard to: 1) the welfare of individuals; 2) the prevention of further loss or unavailability of prioritised activities; 3) the impact on the environment. Each plan shall include: a) the purpose, scope, and objectives; b) the roles and responsibilities of the team that will implement the plan; c) actions to implement the solutions; d) supporting information needed to activate (including activation criteria), operate, coordinate, and communicate the team’s actions; e) internal and external interdependencies; f) the resource requirements; g) the reporting requirements; h) a process for standing down. Each plan shall be usable and available at the time and place at which it is required. |
| Business continuity planning (contd) | |
| Where material business activities are outsourced, an APRA-regulated institution must satisfy itself as to the adequacy of the outsourced service provider’s BCP and must consider any dependencies between the two BCPs. | The organisation shall ensure that outsourced processes and the supply chain are controlled. The organisation shall use the process for analysing business impacts to determine business continuity priorities and requirements. The process shall determine the dependencies, including partners and suppliers, and interdependencies of prioritised activities. |
| Review and testing of business continuity plans | |
| An APRA-regulated institution must review and test the institution’s BCP at least annually, or more frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM objectives. The results of the testing must be formally reported to the Board or to delegated management. | The organisation shall: a) evaluate the suitability, adequacy, and effectiveness of its business impact analysis, risk assessment, strategies, solutions, plans, and procedures; b) undertake evaluations through reviews, analysis, exercises, tests, post-incident reports, and performance evaluations; c) conduct evaluations of the business continuity capabilities of relevant partners and suppliers; d) evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformity with its own business continuity policy and objectives; e) update documentation and procedures in a timely manner. These evaluations shall be conducted at planned intervals, after an incident or activation, and when significant changes occur. |
| Notification requirements | |
| An APRA-regulated institution must notify APRA as soon as possible and no later than 24 hours after the institution experiences a major disruption that has the potential to have a material impact on the institution’s risk profile, or affect its financial soundness. The APRA-regulated institution must explain to APRA the nature of the disruption, the action being taken, the likely effect and the timeframe for returning to normal operations. The APRA-regulated institution must notify APRA when normal operations resume. | The organisation shall determine the internal and external communications relevant to the BCMS, including: a) on what it will communicate; b) when to communicate; c) with whom to communicate; d) how to communicate; e) who will communicate. |
| Internal audit | |
| An institution’s internal audit function, or an appropriate external expert, must periodically review the BCP and provide an assurance to the Board or to delegated management that: (a) the BCP is in accordance with the institution’s BCM policy and addresses the risks it is designed to control; and (b) testing procedures are adequate and have been conducted satisfactorily. | The organisation shall conduct internal audits at planned intervals to provide information on whether the BCMS: a) conforms to: 1) the organisation’s own requirements for its BCMS; 2) the requirements of this document; b) is effectively implemented and maintained. |
For APRA-regulated entities, the standard might seem like a lot. However, adhering to best practices in business continuity is beneficial in and of itself.
Furthermore, digital technology can help. Platforms like Noggin Continuity enable APRA-regulated entities to automate the key business continuity management functions that support compliance with most CPS 232 requirements.
Functions include:
Finally, APRA-regulated entities are being asked to do their part to ensure the stability of the financial system. That means implementing best practices in business continuity to mitigate key threats.
If those measures sound daunting, they don’t have to be. Digital technologies like Noggin Continuity can help regulated entities comply with their requirements expeditiously and protect themselves and their customers, while getting the jump on the competition.
i. BSI Group: Prudential Standard CPS 232 and ISO 22301:2019. Available at https://www.bsigroup.com/globalassets/localfiles/en-au/ISO%2027001/documents/bsi0393---2001_apra-requirement-for-business-continuity-mapping-guide.pdf