Disaster Recovery Policy

Code: OPS-002
Domain: Operational Resilience
Owner: Chief Technology Officer
Status: Draft
Applicability: Platform
Jurisdiction: NZ + AU
Business domain: BD09
Review date: 2027-03-25

Regulations: CPS 230 Operational Risk Management · RBNZ Cyber Resilience Standard

Purpose

Govern the platform's incident management framework, including incident classification, response, escalation, and post-incident review obligations.

Scope

All operational incidents affecting the platform's systems, services, customers, or regulatory obligations in NZ and AU.

Policy statements

The platform SHALL maintain an incident management framework that defines incident classification criteria, response procedures, escalation pathways, and post-incident review requirements. The framework SHALL be approved by the CTO and reviewed at least annually.

All incidents SHALL be classified on detection using the platform's severity classification matrix. Severity classifications SHALL determine response timeframes, escalation requirements, and customer and regulatory communication obligations. The classification matrix SHALL be maintained in the operational runbooks and aligned with the BRC-approved risk appetite.

Critical and high severity incidents SHALL be escalated to the on-call incident commander within 15 minutes of classification. The incident commander SHALL establish an incident response team and initiate the incident response procedure within 30 minutes of classification. The incident commander has authority to invoke the business continuity plan (OPS-001) where the incident is assessed as a potential disruption event.

Customer-impacting incidents SHALL trigger customer communication in accordance with the platform's customer communication protocol. Communications SHALL be issued within the timeframes defined in the protocol for each severity level. Communication content SHALL be factually accurate and shall not misrepresent the scope or cause of the incident.

Incidents that meet regulatory notification thresholds SHALL be escalated to the CCO immediately for assessment of notification obligations under REP-009. The CCO SHALL determine whether notification to APRA, RBNZ, or other regulators is required and SHALL initiate notification within the required timeframe.

A post-incident review (PIR) SHALL be completed for all critical and high severity incidents within 14 days of resolution. PIRs SHALL identify root cause, contributing factors, and preventive actions. Preventive actions SHALL be assigned named owners with target completion dates and tracked to closure. Repeat incidents of the same root cause SHALL be escalated to the BRC.

Incident metrics, including volumes, severity distribution, mean time to resolution, and repeat incident rates, SHALL be reported to the BRC quarterly as indicators of operational resilience.


Satisfying modules

(No modules assigned yet — manual process)


Compiled 2026-05-22 from source/entities/policies/OPS-002.yaml