Business continuity strategy for APRA regulated industries

Organisations in highly regulated industries, such as the APRA regulated banking, insurance and superannuation sectors, face stringent requirements around business continuity planning.
Find out how companies in these areas can stay compliant with ever-changing regulations.
APRA regulated organisations
Fundamentally, these organisations need to demonstrate that they can maintain continuous operations no matter what is happening specifically to their organisation, impacting their local area or even globally.
In this case study, we will review a common resilience strategy that Australian Prudential Regulation Authority (APRA) regulated companies have adopted to protect their business and their data. APRA regulated organisations also must always comply with strict security requirements, due to the highly sensitive data and high-value transactions with which they are dealing. Due to the nature of their businesses, any form of downtime could have a multimillion-dollar impact on the bottom line, as well as significantly harming the organisation’s brand and reputation. There is also a greater demand for transparency, as a result of a number of recent controversies in the industry. In a highly competitive space, that could be the catalyst for customers to switch to a different provider.
- Decreased downtime to optimum levels
- Reliable and resilient connectivity and system performance
- Streamlined regulatory compliance and certification management
- Supported multi-site operations while maintaining business functions
- Secured serviced office operational model
Why is business continuity planning vital for APRA regulated organisations?
In many disaster situations, maintaining business continuity is more than just a compliance requirement. In natural disasters, IT failures and power outages, these organisations are also heavily involved in the recovery efforts.
“If you think about a situation like the Brisbane floods, suddenly, you’ve got a lot of people that have had their homes and cars damaged, or their own businesses that might not be able to operate. They need to get in contact with their insurance providers and their banking institutions to be able to say, ‘I’ve got a big problem here, and I need your help’. There are a lot of flow-on effects downstream and the broader community implications if a financial institution went offline for any period of time,” said Brendan Knight, Business Continuity Specialist, Interactive.
COVID-19 created an even bigger challenge for these organisations because the pandemic is something that impacts people first and foremost, and businesses can’t function without their staff. Organisations couldn’t simply send everyone to work from home. Some staff either can’t rely on the performance of home broadband connections to perform their functions or require far more stringent secure environments than are possible from home.
A case in point is financial traders, who have very strict compliance regulations that they need to meet in terms of operating in secure environments with systems that have 100% uptime. Their transactions are not only high volume, but they’re also high speed, so in some instances, it’s minutes, even seconds that count.
“If it’s a large trade, and the price changes by 1% from when they wanted it to happen to when it actually happens, then that could have multi-million dollar impact,” said Knight.
Plan and test for every unexpected event
How a business continues to operate during a disaster depends on the type of disaster that is impacting it.
In the case of a denial of access event in the organisation’s building, such as a gas leak, air conditioning failure or electrical outage, the business continuity plan kicks in, having already identified the staff and business functions that are critical and need to be able to continue. Interactive provides the environment from which these organisations can physically operate, which takes in the office equipment, network, computers and telephony – as well as the underlying data centre infrastructure in the same facility, running the critical services required to support the people or functions identified in the business continuity plan.
“That means they have staff physically located here in our business continuity facilities, connecting to their IT infrastructure, which could be just metres away on the floor below them. In our highly connected world, we have to make sure that those pieces of infrastructure are also available,” said Knight.
That raises another disaster scenario: technical or communications outages and cyber security events. It’s still a common situation for organisations to house their telephony infrastructure on-premise, especially for contact centres, which could have a catastrophic failure. It’s also not uncommon for fibre to be severed by an excavator, which could interrupt connectivity for a whole business block.
In addition to office and data centre facilities, Interactive also provides multiple levels of redundancy for connectivity in its business continuity facilities, from multiple physical connections to multiple carriers.
A component of Interactive’s Business Continuity solution is regular testing, which is mandated in the contract.
“Different organisations take testing to different levels of seriousness. For one organisation, the Business Continuity team has a bus pull up out the front of the head office in the morning. Then, for staff already working and as staff arrive, they say ‘get on the bus, we’re working from our disaster recovery facilities for the day’. That’s testing their procedures as real-life as possible so that they can iron out any bugs,” said Knight.
Staying one step ahead of compliance regulations
Having their redundant data centre as part of their business continuity facilities allows the organisation to make risk-based operational decisions on what services they actively maintain and which services they can quickly restore or easily access from their business continuity suite.
That could be everything from a rack just providing connectivity, all the way through to a complete active-active data centre which can be used for application and connectivity load balancing, as well as for fully redundant capabilities.
This has proven to be particularly useful for organisations that have operated their business continuity facilities as a secondary site throughout the 2020 pandemic. This ensures that they can reduce staff in their main offices for physical distancing and that they can maintain separate ‘red’ and ‘blue’ teams of critical staff and functions in case there is a positive test recorded from someone in one of the teams. It has also been particularly useful for managing the additional load on the network from people working from home by sharing the load across the two sites.
From a security and compliance perspective, a combined business continuity and data centre facility makes it a lot easier for organisations to meet their regulatory and certification obligations, particularly with regard to APRA CPS 232 and 234, and ISO 9001 and ISO 27001. Interactive’s operations are fully compliant and regularly audited, ensuring organisations only need to manage one service provider – rather than multiple service providers if using different business continuity and data centre providers.
Many businesses are now rethinking their approach to business resiliency, including a growing trend towards operational decentralisation, rather than concentrating their workforce in large, single office environments. That’s requiring more sustainable, longer-term options for secondary sites.
“We’ve found that the average duration for people to be in a business continuity facility in response to a disaster is fourteen days. However, now that organisations have been using our facilities for staff splitting, they have been here for much longer. It’s bought them more time to implement working from home strategies, and it has avoided the tremendous risk of having all of their people in one place,” Knight concluded.
The demand for highly secured serviced offices, particularly for regulated industries, looks set to rise as organisations increasingly adopt a decentralised operational strategy.