With the introduction of the New Fit and Proper Requirements (Board Notice 194 of 2017), the requirement of a business continuity plan forms part of the governance framework that must be adopted and implemented by all FSPs.
- The governance framework of an FSP must be relative to the nature, scale, risks and complexity of the FSP. This means that it’s not one-size-fits-all, but rather should be customised for the specific circumstances of the FSP. It should also include effective and adequate systems of corporate governance, risk management (including conduct risk management) and internal controls.
- The aim of the business continuity plan should be to ensure, in the case of an interruption to the FSP’s systems and procedures, that any losses are limited, all essential data and functions are properly preserved and that all the strategic functions can be recovered timeously. At the end of the day, it’s about ensuring that the business can be up and running after an interruption.
It is therefore evident that a sound business continuity plan is essential to the operational ability and, ultimately, to the fit and proper requirements of any FSP.
The central theme of this plan is to outline or explain how easily “business as usual” can be resumed after a material interruption, within predetermined timelines, and how the data will be restored to the state it would have been in had the incident not occurred.
With more and more businesses moving from a paper-based approach to operating to a more digitised or paperless approach, there are now various methods adopted in the market. Cloud technology on CRM systems, for instance, allows users to interface with their businesses from anywhere at any given time and allows for backing up in real time.
According to the Financial Sector Conduct Authority (FSCA), the business continuity plan should at least exhibit the following qualities:
- It must demonstrate processes that are devised to cater for exceptional risks that, though unlikely, would have catastrophic consequences for the business.
- It should cover a range of situations, including succession planning, the death of a key person and crisis events that threaten to shut down business operations.
The elements to be considered when planning for business continuity are therefore:
- Succession: This describes the current management situation and what would happen in the event of the death, permanent disability or retirement of the key individual, as well as the steps that will be taken in these events to ensure that the business continues operating.
- Disaster Recovery: Is the FSP prepared for extended service outages (e.g. load shedding) caused by factors beyond its control (e.g. natural disasters and malicious events), and how is the FSP able to restore services to the widest extent possible in a minimum time frame?
- Emergency Management: Are there set procedures to be followed in the event of an emergency?
- Plan, Review and Maintenance: Circumstances and businesses change over time and this plan is intended to be a living document. Therefore, this plan should be reviewed and updated on a regular basis.
The lack of an adequate and documented business continuity plan means that an FSP is not meeting the fit and proper requirements of operational ability, and therefore there are grounds for regulatory action. Whichever course of action the FSP plans to use to address business continuity in the event of the death, lapsing of licence or even retirement of the key individual, it needs to be documented and tested for suitability, acceptability and feasibility.