In May 2013, the Australian Prudential Regulation Authority (APRA) released its CPG 233 on Pandemic Planning (Guidance), which provides guidance on how APRA-regulated entities (Entities) can manage the business and operational risks posed by the widespread outbreak of contagious disease, and continue to operate in a sound and efficient manner.

Given the current global COVID-19 pandemic (Pandemic), it is important that our APRA-regulated clients consider the Guidance to prepare their organisations for the financial, risk and operational challenges they are likely to face as a result of the Pandemic, and ensure continued, sound operation as well as regulatory compliance.

Staying informed

Most importantly, APRA recommends that Entities stay informed by closely monitoring developments and announcements by relevant authorities, and take a proactive approach to communication between Entities and governmental and regulatory authorities. This will ensure that Entities can be proactive in managing the risks present within their organisations.

Establishing a Pandemic plan

APRA recommends that Entities establish a Pandemic plan (Plan) and form multi-disciplinary working groups to develop and implement an approach to a pandemic. When establishing a Plan or updating an existing Plan, clients should consider issues including:

• Staff health and welfare;
• The potential need for alternative work arrangements;
• Technology options during the Pandemic (see 'Software and ICT infrastructure' below);
• If applicable, alternative transaction processing arrangements in the event of a material increase in the use of electronic transaction processing channels by customers, as well as the need to 'stress-test' key ICT infrastructure;
• The need to develop alternative arrangements for delegations and decision making throughout the organisation; and
• For international Entities, any specific local requirements.

APRA emphasises that critical business functions and operations (such as transaction processing, and cash supply and distribution) should be explicitly prioritised in any planning exercise, as this will help to ensure that those functions receive appropriate resources. Furthermore, clients will need to consider external factors such as the availability of trading markets during the Pandemic. It is important that clients also consider how operational controls and compliance requirements might constrain any aspects of a Plan.

Any planning should be considered in the context of an Entity's existing business continuity plan (which may be updated to contemplate the approach to the Pandemic), as well as any existing crisis management and communication plans. Furthermore, clients should familiarise themselves with APRA's business continuity guidance (CPS 232 and SPS 232).

Software and ICT infrastructure

We consider that a key to business continuity during the Pandemic will be ensuring that an entity's ICT infrastructure is robust, and can handle the increased need for working remotely. To this end, we recommend that clients consider whether:

• The licenses for the software used in the organisation are sufficient to allow employees to work remotely;
• The licence terms for such software require additional entitlements to be pre-purchased to allow for this type of use;
• If additional licenses are required, the terms of those licenses and the scope of use that those licenses will allow (for example whether licences can be used on non-work issued devices and whether all types of employment relationship are covered by the relevant licence);
• The licence terms allow for a true-up of actual use versus anticipated use, and whether a rebate will be available, if excess licenses were purchased; and
• Penalties will apply if an audit is conducted and the relevant supplier claims that the client has used its licenses in contravention of the relevant terms.

Third party arrangements

We also recommend that Entities consider whether its arrangements with its third party ICT service providers will support the actions of that Entity during the Pandemic, especially if those third parties are providing or supporting the ICT infrastructure that underpins its critical business functions.

Entities should also confirm with their telecommunications providers that the infrastructure that supports their operations will be scalable and resilient to the level required, including being able to cope with potentially substantial increases in volume of use during the Pandemic.

Financial impacts

APRA expects entities to consider and understand the impact of the Pandemic on assets, liabilities and capital, as well as the impact that the Pandemic will have on customers. It is expected that ADIs exercise a degree of patience and understanding of customers' circumstances in light of the Pandemic (for example, deferring loan repayments and monitoring the extent and financial impact of such actions).

APRA's role

Entities should also keep an eye out for APRA requests for information to help it monitor the status of Pandemic-affected Entities. We recommend that clients immediately consult with APRA if they are concerned about their capacity to meet any prudential requirements as a result of the Pandemic.

How can MinterEllison help?

MinterEllison can assist you by advising on any updated and existing APRA requirements, as well as any matters related to the capacity and efficacy of your organisation's ICT infrastructure during the Pandemic. Please contact us if you have any concerns about the impact of the Pandemic on your organisation.