Description

Business Continuity Policy and Procedures for FSPs

The Business Continuity Policy and Procedures Pack is an editable downloadable template designed for Financial Services Providers that need a practical framework for preparing for, responding to and recovering from business disruptions.

This Business Continuity Policy pack helps an FSP document its business continuity plan, activation procedure, recovery procedures, succession arrangements, dry-run testing process, communication controls, IT recovery steps, remote work arrangements and post-incident review process.

For related compliance templates, you may also view our Succession Plan Template, Cyber Security Policy Template and Regulatory Compliance Reporting Schedule Template.

For official regulatory context, you can also visit the FSCA regulated entities page.

What Is Included In This Business Continuity Policy?

This template is designed to help FSPs show that business continuity is not only an IT issue. It covers people, premises, systems, client communication, key person dependency, outsourced service providers, regulatory reporting, data protection and fair treatment of clients during a disruption.

The policy includes sections for:

• Policy review control sheet
• Change log and training implementation record
• Introduction and purpose of the BCP
• Scope and applicability
• Regulatory and governance framework
• Definitions, including BCP, BIA, RTO, RPO and dry-run testing
• Business continuity policy statement
• Business continuity principles
• Governance, roles and responsibilities
• Business impact analysis and recovery priorities
• Business continuity risk assessment
• BCP activation levels and triggers
• Incident assessment and activation procedure
• Immediate response procedure
• Recovery and continuation procedure
• Return to normal operations procedure
• Recovery strategies and action plans
• Communication and stakeholder management
• Succession and key person continuity
• Recordkeeping and evidence requirements
• Training, awareness and competence
• Dry-run testing procedure
• Post-incident review and corrective action
• Monitoring, review and approval

Business Continuity Policy Annexures Included

The Business Continuity Policy pack includes practical annexures that help the FSP implement, test and evidence its continuity arrangements.

The annexures include:

• Annexure A: BCP Role Appointment and Contact List
• Annexure B: Critical Business Functions and Recovery Priorities
• Annexure C: BCP Risk Assessment and Business Impact Worksheet
• Annexure D: BCP Activation Checklist
• Annexure E: Crisis Communication Log
• Annexure F: Emergency Stakeholder Contact Register
• Annexure G: IT Recovery Checklist
• Annexure H: Remote Work Continuity Checklist
• Annexure I: Succession Plan Template
• Annexure J: Annual BCP Dry-Run Test Plan
• Annexure K: Dry-Run Attendance Register
• Annexure L: Dry-Run Results Report
• Annexure M: Post-Incident Review Report
• Annexure N: Staff Acknowledgement and Training Record

Why FSPs Need a Business Continuity Policy

Disruptions can affect an FSP’s ability to communicate with clients, access client records, manage complaints, meet regulatory deadlines, restore IT systems, process payments, protect personal information and continue rendering financial services.

A written Business Continuity Policy helps the FSP identify critical functions, assign responsibilities, set recovery priorities, activate response procedures and keep evidence that the plan has been tested and reviewed.

This template helps address common weaknesses such as:

• No written business continuity plan
• No clear BCP activation levels or triggers
• No business impact analysis or recovery priority record
• No assigned BCP coordinator or recovery team
• No IT recovery checklist
• No remote work continuity checklist
• No emergency stakeholder contact register
• No crisis communication log
• No annual dry-run test plan
• No post-incident review report or corrective action process

Activation, Recovery and Communication Procedures

The pack includes practical procedures for assessing an incident, deciding whether to activate the BCP, protecting staff and clients, securing records, isolating affected systems, restoring critical functions and returning to normal operations.

It also includes communication controls for staff, clients, product suppliers, outsourced providers, regulators, emergency services and other stakeholders. This helps ensure that communication during a disruption is factual, authorised and properly recorded.

Annual Dry-Run Testing Tools

The Business Continuity Policy pack includes a dry-run testing procedure and supporting templates. The FSP can use these to test scenarios such as power outages, cyberattacks, office inaccessibility, key person incapacity and outsourced system failure.

The dry-run results report helps the FSP record what worked, what did not work, recovery time achieved, gaps identified, corrective actions required and whether the BCP must be updated.

Who Should Use This Business Continuity Policy?

• Authorised Financial Services Providers
• Key Individuals responsible for operational ability
• FSPs with representatives or administrative staff
• FSPs that rely on cloud systems, CRM, email, remote work or outsourced providers
• FSPs preparing for compliance monitoring or internal governance review
• Compliance officers assisting FSPs with operational resilience
• Business owners who need a practical continuity and recovery plan

Editable and Customisable BCP Template

This Business Continuity Policy pack is editable and must be customised before use. The FSP must insert its name, FSP number, policy owner, BCP coordinator, recovery team members, critical business functions, recovery time objectives, contact details, systems, outsourced providers and evidence storage locations.

The template includes placeholders and practical implementation records that should be completed before the final policy is approved, issued, tested and reviewed.

Important Compliance Note

This Business Continuity Policy pack is a compliance support document. It does not replace legal advice, IT disaster recovery advice, cybersecurity advice, POPIA incident advice or a full operational resilience assessment. Each FSP remains responsible for ensuring that the final BCP is accurate, practical, tested, reviewed and aligned with its actual business model, staff structure, systems, regulatory obligations and client service arrangements.