• OM-4.3 Developing a Business Continuity Plan

    • Impact Analysis

      • OM-4.3.1

        Licensees' BCPs must be based on:

        (a) A business impact analysis;
        (b) An operational impact analysis; and
        (c) A financial impact analysis.

        These analyses must be comprehensive, including all business functions and departments, not just IT or data processing.

        January 2014

      • OM-4.3.2

        The key objective of a business impact analysis is to identify the different kinds of risk to business continuity and to quantify the operational and financial impact of disruptions on a licensee's ability to conduct its critical business processes.

        January 2014

      • OM-4.3.3

        A typical business impact analysis is normally comprised of two stages. The first is to identify and prioritise the critical business processes that must be continued in the event of a disaster. The first stage should take account of the impact on customers and reputation, the legal implications and the financial cost associated with downtime. The second stage is a time-frame assessment. This aims to determine how quickly the licensee needs to resume critical business processes identified in stage one.

        January 2014

      • OM-4.3.4

        Operational impact analysis focuses on the licensee's ability to maintain communications with customers and to retrieve key activity records. It identifies the organisational implications associated with the loss of access, loss of utility, or loss of a facility. It highlights which functions may be interrupted by an outage, and the consequences to the public and customer of such interruptions.

        January 2014

      • OM-4.3.5

        A financial impact analysis identifies the financial losses (both immediate and consequent to the event) that arise out of an operational disruption.

        January 2014

    • Risk Assessment

      • OM-4.3.6

        In developing a BCP, licensees must consider realistic threat scenarios that may (potentially) cause disruptions to their business processes.

        January 2014

      • OM-4.3.7

        Business continuity plans must take into account different types of likely or plausible scenarios to which the licensee will be vulnerable. The following specific scenarios must, at a minimum, be considered in the BCP:

        (a) Utilities are not available (power, telecommunications);
        (b) Critical buildings are not available or specific facilities are not accessible;
        (c) Software and live data are not available or are corrupted;
        (d) Vendor assistance or (outsourced) service providers are not available;
        (e) Critical documents or records are not available;
        (f) Critical personnel are not available; and
        (g) Significant equipment malfunctions (hardware or telecom).

        January 2014