Business Continuity Policy

Code: OPS-001
Domain: Operational Resilience
Owner: Chief Operating Officer
Status: Draft
Applicability: Platform
Jurisdiction: NZ + AU
Business domain: BD09
Review date: 2027-03-25

Regulations: CPS 230 Operational Risk Management · DTA Outsourcing Standard · ISO 22301

Purpose

Govern the platform's business continuity management framework, including business impact analysis, recovery objectives, continuity plans, and testing obligations.

Scope

All critical business functions, systems, and processes of the platform in NZ and AU that must be maintained or rapidly restored following a disruption.

Policy statements

The platform SHALL maintain a Business Continuity Management (BCM) framework that identifies critical business functions, defines recovery objectives, and provides continuity plans for all material disruption scenarios. The framework SHALL be approved by the Board and reviewed at least annually by the CTO.

A Business Impact Analysis (BIA) SHALL be performed at least annually and updated following any material change to the platform's operations, systems, or critical dependencies. The BIA SHALL define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical business function, with reference to customer impact, regulatory obligations, and payment processing continuity.

Continuity plans SHALL be developed and maintained for each critical business function identified in the BIA. Plans SHALL include trigger conditions, response team responsibilities, recovery procedures, communication protocols, and escalation pathways. Plans SHALL be owned by a named accountable executive and reviewed whenever the BIA is updated.

The platform SHALL achieve the RTOs and RPOs defined in the BIA for critical customer-facing services, regulatory reporting systems, and payment processing. Any system that cannot achieve its defined RTO or RPO SHALL have a documented risk acceptance signed by the CTO and CEO, with a remediation roadmap reviewed by the Board Risk Committee (BRC).

Business continuity plans SHALL be tested at least annually. Tests SHALL include tabletop exercises for all critical functions and at least one live failover test per year for the most critical systems. Test results, findings, and remediation actions SHALL be documented and reported to the BRC. Unresolved findings from prior tests SHALL be reported alongside new test results.

The BCM framework SHALL comply with APRA CPS 230 requirements for operational resilience and with applicable RBNZ operational resilience expectations. Where regulatory obligations impose stricter recovery standards than the internal BIA, the regulatory standard SHALL apply.


Satisfying modules

Module: MOD-143
Name: Open Bank Resolution pre-positioning
Mode: AUTO
Description: Resolution-state activation triggers immediate operational controls — channel mode switches and account partition flags applied atomically.

Compiled 2026-05-22 from source/entities/policies/OPS-001.yaml