7.2 Technology Risk and Business Continuity – Policies

(1) A Bank’s operational risk management policy must include effective and comprehensive procedures for disaster recovery and business continuity. The Bank must have a business continuity plan for possible scenarios of severe business disruption. The plan must provide for the Bank to continue to operate as a going concern, and to minimise losses (especially those from disturbances to payment and settlement systems), in those scenarios.

(2) A Bank must establish and implement appropriate information technology policies for the accurate and timely identification, measurement, evaluation, management and control or mitigation of operational risk. In particular, the policies must enable the Bank to maintain an adequate and sound information infrastructure:

  • (a) that meets the Bank’s current and projected requirements (under normal circumstances and in times of stress);
  • (b) that ensures that the data, and the system itself, remain secure and available; and
  • (c) that supports integrated and comprehensive risk management.

(3) The Bank’s information infrastructure must enable it to compile and analyse operational risk data, and must facilitate reporting to its Governing Body and senior management and the AFSA.

(4) A Bank must establish and maintain appropriate systems and controls to manage its information security risk.