1. A CCP shall have a business continuity policy and a disaster recovery plan which are approved by the board. The business continuity policy and the disaster recovery plan shall be subject to independent reviews which are reported to the board.
2. The business continuity policy shall identify all critical business functions and related systems, and include the CCP’s strategy, policy, and objectives to ensure the continuity of these functions and systems.
3. The business continuity policy shall take into account external links and interdependencies within the financial infrastructure including trading venues cleared by the CCP, securities settlement and payment systems and credit institutions used by the CCP or a linked CCP. It shall also take into account critical functions or services which have been outsourced to third-party providers.
4. The business continuity policy and disaster recovery plan shall contain clearly defined and documented arrangements for use in the event of a business continuity emergency, disaster or crisis which are designed to ensure a minimum service level of critical functions.
5. The disaster recovery plan shall identify and include recovery point objectives and recovery time objectives for critical functions and determine the most suitable recovery strategy for each of these functions. Such arrangements shall be designed to ensure that in extreme scenarios critical functions are completed on time and that agreed service levels are met.
6. A CCP’s business continuity policy shall identify the maximum acceptable time for which critical functions and systems may be unusable. The maximum recovery time for the CCP’s critical functions to be included in the business continuity policy shall not be higher than two hours. End of day procedures and payments shall be completed on the required time and day in all circumstances.
7. A CCP shall take into account the potential overall impact on market efficiency in determining the recovery times for each function.
1. A CCP shall conduct a business impact analysis which is designed to identify the business functions which are critical to ensure the services of the CCP. The criticality of these functions to other institutions and functions in the financial infrastructure shall be part of the analysis.
2. A CCP shall use scenario based risk analysis which is designed to identify how various scenarios affect the risks to its critical business functions.
3. In assessing risks, a CCP shall take into account dependencies on external providers, including utilities services. A CCP shall take action to manage such dependencies through appropriate contractual and organisational arrangements.
4. Business impact analysis and scenario analysis shall be kept up to date, shall be reviewed at least on an annual basis and following an incident or significant organisational changes. The analyses shall take into account all relevant developments, including market and technology developments.
1. A CCP shall have in place arrangements to ensure continuity of its critical functions based on disaster scenarios. These arrangements shall at least address the availability of adequate human resources, the maximum downtime of critical functions, and fail over and recovery to a secondary site.
2. A CCP shall maintain a secondary processing site capable of ensuring continuity of all critical functions of the CCP identical to the primary site. The secondary site shall have a geographical risk profile which is distinct from that of the primary site.
3. A CCP shall maintain or have an immediate access to a secondary business site, at least, to allow staff to ensure continuity of the service if the primary location of business is not available.
4. The need for additional processing sites shall be considered by the CCP, in particular if the diversity of the risk profiles of the primary and secondary sites does not provide sufficient confidence that the CCP’s business continuity objectives will be met in all scenarios.
1. A CCP shall test and monitor its business continuity policy and disaster recovery plan at regular intervals and after significant modifications or changes to the systems or related functions to ensure the business continuity policy achieves the stated objectives including the two hour maximum recovery time objective. Tests shall be planned and documented.
2. Testing of the business continuity policy and disaster recovery plan shall fulfil the following conditions:
(a) involve scenarios of large scale disasters and switchovers between primary and secondary sites;
(b) include involvement of clearing members, external providers and relevant institutions in the financial infrastructure with which interdependencies have been identified in the business continuity policy.
1. A CCP shall regularly review and update its business continuity policy to include all critical functions and the most suitable recovery strategy for them.
2. A CCP shall regularly review and update its disaster recovery plan to include the most suitable recovery strategy for all critical functions.
3. Updates to the business continuity policy and disaster recovery plan shall take into consideration the outcome of the tests and recommendations of independent reviews and other reviews and of competent authorities. CCPs shall review their business continuity policy and disaster recovery plan after every significant disruption, to identify the causes and any required improvements to the CCP’s operations, business continuity policy and disaster recovery plan.
1. A CCP shall have a crisis management function to act in case of an emergency. The crisis management procedure shall be clear and documented in writing. The board shall monitor the crisis management function and regularly receive and review reports on it.
2. The crisis management function shall contain well-structured and clear procedures to manage internal and external crisis communications during a crisis event.
3. Following a crisis event, the CCP shall undertake a review of its handling of the crisis. The review shall, where relevant, incorporate contributions from clearing members and other external stakeholders.
1. A CCP shall have a communication plan which documents the way in which the senior management, the board and relevant external stakeholders, including competent authorities, clearing members, clients, settlement agents, securities settlement and payment systems and trading venues, will be kept adequately informed during a crisis.
2. Scenario analysis, risk analysis, reviews and results of monitoring and tests shall be reported to the board.