BCP testing to be an FMA licensing requirement for NZ Finance Sector
The New Zealand Financial Markets Authority (FMA) now specifies Business Continuity Plans in its licence requirements for businesses within the finance sector, and it won’t be long before regular testing of BCPs is stipulated as part of this.
The move to testing would bring New Zealand’s FMA licensing regulations in line with current international protocols. This extra step will be welcomed by many, particularly with the increasing occurrence of business disruptions taking place in New Zealand from weather events and other natural disasters, and the growing frequency and sophistication of threats to cyber security.
Compulsory BCPs are long overdue here, according to Standby Consulting’s CEO Sam Mulholland. “Standby already carries out a lot of Business Continuity planning work in the Middle East, where one does not get a licence to operate in the financial space without a documented and tested Business Continuity Plan.” In Gulf Cooperation Council (GCC) countries, it is a requirement for firms and organisations that provide financial products and services to test their BCP annually. This includes financial institutes like banks and other lending institutes, insurance companies, investment companies and financial trading entities, as examples.
“A business continuity plan is not complete until it has been tested,” says Sam. “Without a working knowledge of the BCP and how to apply it against different scenarios, an organisation’s team will not be equipped to deal with a major disruption.”
Standby have been part of Crisis Management Teams in dealing with real-life major events, both in New Zealand and overseas. “Things unfold quickly in a crisis and there isn’t time to find and read through a complex document to determine who is responsible for what, let alone the contingencies should a key person not be contactable.”
Templates only give guidelines and do not provide the detail that is required by a business. “Each business is different, with complex relationships between business processes and the IT infrastructure that supports them, and we modify our work to suit the organisation.”
As consultants, Standby have worked with many financial organisations such as insurance companies, banks, investment organisations and fund managers. “We take a practical independent view of the structure of plans based on their operations and the country’s legislative standards, yet we also work to meet the requirement of international good practice guidelines. That way, should this become a stipulation in the future, the client is already ahead of the game.”
Why Test Business Continuity Plans?
Having designed your plan, how do you know it will work? The only way to do that is to test your planning document. Many organisations do what is known as a tabletop test, where the participants sit around the table and walk through an incident. This can be acceptable for the initial testing of the document, but there is a need to up the level of testing to challenge and train the participants.
For BCP testing, Standby makes the exercise scenario as realistic as possible. As an example, in December 2024 Standby completed a test for a client focusing on a cyber-attack on a financial organisation in the United Arab Emirates (UAE). Standby had its team put together a script that simulated a live hacker attack that included the downloading of confidential data and demands for payment.
“To give it a sense of reality we had mock news bulletins created that looked like it was a UAE news broadcast, except it was filmed in a studio in Dunedin, New Zealand. There was a series of injects and bulletins that put pressure on the client’s teams to show them the speed and complexity of a real cyber-attack.
The feedback we got from the client was overwhelmingly positive. The New Zealand team who produced the supporting content really came through, providing convincing video footage at television studio level standard.
The research we did while putting this exercise together highlighted for us the changing way that hackers are gaining access to people’s systems and the methods they are using to cripple IT systems. If you are not prepared to react to this type of event quickly and professionally, you are likely to face significant brand damage and financial loss.
A cyber-attack is not just an IT problem, it is a management problem
Relying solely on your IT services is not enough. Decisions need to be made at senior management level and there needs to be clear protocols in handling the wave of reaction from investors, clients, the press and the public. All this was built into the test scenario, and a great deal was learned from how the different team members who took part in the simulation responded. The report we generated provided valuable insights and highlighted areas where improvements could be made.
What does this mean for New Zealand organisations and businesses?
A cyber-attack on a New Zealand organisation within the finance sector is just as likely as anywhere in the world, so an exercise using a cyber-attack to test a team’s responses to a live situation as well as the protocols of your BCP is entirely plausible.
The same approach can be applied to different scenarios, including natural disasters, major fires, loss of services, or civil unrest.
Now that we have established a Dunedin production team we can produce the relevant television news items and online chatter for any international setting, including New Zealand. This puts us in a position to tailor this level of BCP testing and training with a local flavour - here or anywhere - using local examples and footage.
Standby has over 30 years’ experience in the BCP business in New Zealand, Australia and throughout the Middle East. If your organisation has identified an area of risk for business disruption that you want to test your team’s response for and include in your BCP, then Standby Consulting can create an exercise that is specific to you, and run the simulation with different groups – either separately or at the same time, as we did with the UAE client in early December.
If you want assistance in developing your BCPs or an independent audit of your plans, get in touch.