2006-01-13
The South African Reserve Bank's Registrar of Banks issued Circular 4/2006 to mandate that all banks present their business-continuity management frameworks during 2006 trilateral discussions. The circular requires institutions to demonstrate preparedness for major disruptions by detailing administration, impact analysis, recovery objectives, and simulation exercises. Banks must return signed acknowledgements of receipt from their chief executive officers and independent auditors to confirm compliance with these regulatory requirements.
South African Reserve Bank
FROM THE OFFICE OF THE REGISTRAR OF BANKS
CONFIDENTIAL
2006-04-11
TO ALL BANKS, BRANCHES OF FOREIGN BANKS AND MUTUAL BANKS
BANKS ACT CIRCULAR 4/2006
TRILATERAL DISCUSSIONS TO BE HELD DURING CALENDAR YEAR 2006
EXECUTIVE SUMMARY
This circular serves to inform all reporting banks that the flavour-of-the-year for the trilateral discussions to be held during 2006 is business-continuity planning.
Any disruption to business continuity – a state of continued, uninterrupted operation of a business – is of concern to both financial institutions and financial regulators. This Office and banks, therefore, have an interest in promoting the resilience of our financial system to major operational disruptions.
The recent power outages in the Western Cape and Gauteng, the ongoing impact of the HIV/AIDS pandemic, the recent global spread of avian influenza (bird flu), threats of terrorism across the globe and natural disasters, which have caused devastation in many countries recently (hereinafter collectively referred to as “major business disruptions”), have once again brought the issue of business-continuity planning to the fore.
In South Africa we have not yet had any outbreaks of avian flu or severe acute respiratory syndrome (“SARS”), and we have not had to face any major natural disaster or act of terrorism. The potential threat of the aforementioned events, however, should serve to heighten our awareness of the risk of a severe and quite possible disruption to our financial system.
Against this background, this Office wishes to determine the preparedness and ability of banks to deal with major business disruptions. In preparing or reviewing business-continuity plans, institutions should always take cognisance of the distinction between planning for events that cause short-term disruptions, for example, power outages and damage caused by fire, and those “events” that cause medium-term to longer-term disruptions. The HIV/AIDS pandemic, SARS and avian flu should be classified under the latter type of event.
The annual trilateral discussions will serve as the forum to review banks' business-continuity plans.
All banks are required to present to this Office their business-continuity management frameworks in respect of major business disruptions at the trilateral discussions, utilising the format outlined below. In the presentations, banks are expected to distinguish clearly between planning for short-term disruptive events and medium-term and longer-term disruptive events.
3.1 Administration of business-continuity plan
(a) “Ownership/management” of the business-continuity plan.
(b) Sign-off of the business-continuity plan.
(c) Staff awareness of the business-continuity plan.
3.2 Business-impact analysis
(a) Identification of critical operations, services and personnel.
(b) Identification of key internal and external dependencies.
(c) Assessment of all risks and potential impact of various disruption scenarios on your bank, including financial impact.
3.3 Overview of business-continuity plan
(a) Recovery objectives and priorities based on the business-impact analysis, including targets for the level of service that your bank would seek to deliver in the event of a disruption.
(b) Location and suitability of the disaster-recovery site.
(c) Location and suitability of the alternate/remote site.
(d) Information technology systems and other infrastructure allocated to the disaster-recovery process.
(e) External parties involved in the disaster-recovery process.
(f) Detailed description of the process for ultimately resuming pre-disruption levels of business operations, including internal, external and cross-border (if applicable) communication during a crisis.
3.4 Implementation of the business-continuity plan
Directives on the:
(a) Roles and responsibilities of key personnel responsible for managing the disruptions.
(b) Succession of authority in the event of key personnel being disabled.
(c) Decision-making authority and associated triggers for invoking the various “stages” of the business-continuity plan.
3.5 Simulation exercises and review of the business-continuity plan
(a) Directives on the performance of simulation exercises, including:
    (i) Simulation exercise methodology.
    (ii) Regularity of simulation exercises.
(b) Overview of your institution’s last simulation exercise, including:
    (i) Date and scope of simulation exercise.
    (ii) Results/effectiveness of simulation exercise.
(c) Directives on the review of your bank’s business-continuity plan, including:
    (i) Review methodology.
    (ii) Regularity of reviews.
3.6 Regional awareness
A key area to be covered in the presentation is a clear demonstration by each bank as to what has been done to ensure that the entire business-continuity planning process has been rolled out to the regions and outlying branches.
Two additional copies of this circular are enclosed for the use of your institution’s independent auditors. The attached acknowledgement of receipt, duly completed and signed by both the chief executive officer of the institution and the said auditors, should be returned to this Office at the earliest convenience of the aforementioned signatories.
E M Kruger
Registrar of Banks
The previous circular issued was Banks Act Circular 3/2006 dated 7 April 2006.