PINS S6.3 Risk management policy — business continuity risk

An insurer's risk management policy for business continuity risk should:

(a) describe the process for identifying and analysing:
(i) events that may lead to a disruption in business continuity;
(ii) the likelihood of those events occurring;
(iii) the processes most at risk; and
(iv) the consequences of those events;
(b) include a plan (business continuity plan or BCP) describing:
(i) objectives and procedures for crisis management and recovery in order to minimise financial, legal, regulatory, reputational and other material consequences arising from the disruption of its business;
(ii) procedures to be followed if business continuity problems arise;
(iii) detailed procedures for carrying out the BCP, including manual processes, the activation of an off-site recovery site (if needed) and the persons responsible for activating the BCP;
(iv) a communications strategy and contact information for relevant staff, suppliers, regulators, market authorities, major clients, the media and other key staff;
(v) a schedule of critical systems covered by the BCP and the timeframe for restoring those systems;
(vi) the pre-assigned responsibilities of staff;
(vii) procedures for staff awareness and training on all aspects of the BCP; and
(viii) procedures for regular testing and review of the BCP; and
(c) procedures for backing up important data on a regular basis and storing the data off site.
Inserted by QFCRA RM/2013-1 (as from 1st January 2015).