Overview of comments received
High-level principles for business continuity
August 2006
Twenty-five comment letters were received from financial institutions, industry associations, supervisory authorities and other interested parties in response to the Joint Forum's December 2005 consultative paper, High-level principles for business continuity. The purpose of this overview is to provide a flavour of these comments and the outcome of the Joint Forum's consideration of them. To that end, a few examples of comments that resulted in revisions to the paper are highlighted. In addition, the overview includes a few examples of comments that did not result in revisions, along with the supporting rationale.
In general, the letters were broadly supportive of the initiative and acknowledged the importance of effective business continuity management. In many of the letters, commenters referred positively to the balanced, non-prescriptive nature of the principles while noting, at the same time, the usefulness of a universally applicable set of principles. Many also welcomed the flexibility the principles provide both financial authorities and financial industry participants to develop risk-based, tailored approaches to business continuity that reflect their unique circumstances.
The following changes were among those introduced in response to the useful comments received on the consultative paper:
- The definition of 'major operational disruption' has been clarified to include in the list of possible trigger events some which may not cause widespread damage to the physical infrastructure, such as pandemics and technology viruses.
- The dependence of financial authorities and financial industry participants on third parties for important aspects of their business continuity has been acknowledged, along with the corresponding implications for an organisation's communication procedures.
- The paper clarifies that an organisation's business continuity management should consider the possibility that not all employees will be available to the organisation in the course of a disruption when the families of employees are also directly affected by the same event.
- The involvement of business line management in establishing recovery objectives has been recognised and expectations for the recovery objectives of critical market participants have been clarified.
- Where financial authorities share responsibility for the oversight of a group comprising more than one financial industry participant, the paper notes that it may be beneficial for those authorities to designate a "coordinator" for purposes of facilitating communication during a major operational disruption affecting the group.
Several commenters proposed revisions that were not taken on board because the proposals were outside the scope of the paper and the mandate of the Joint Forum. For example, some suggested that the regulators of the telecommunication and power industries be encouraged to adopt the principles.
Many commenters highlighted the usefulness of the case studies. In doing so, a number of them suggested that the list of annexes be expanded to include a case study on Hurricane Katrina. While Hurricane Katrina might be of interest because it is more recent than each of the five case studies included in the consultative paper, the Joint Forum is of the view that the impact of this catastrophe on the financial services sector, specifically, was somewhat narrow and that there were no significant lessons to be drawn from this event that aren't already adequately addressed in the other case studies. Other commenters expressed the view that five case studies were more than adequate. As a result, the Joint Forum decided to restrict the case studies to the five in the consultative paper.
Finally, some commenters proposed that the glossary adopt definitions of common terms from existing sources. The purpose of the glossary in the consultative paper was not necessarily to propose definitions of business continuity terms for general application. Rather, the primary objective of the glossary was to assist readers' understanding of key concepts as they are used in the context of the paper, in part because different readers might have a different understanding of the same term. Based on these comments, the definitions in the glossary were reviewed for consistency against other commonly available definitions of the same terms and revised to promote greater consistency, as appropriate.