Team of people meeting in an office
Team of people meeting in an office

Business continuity and disaster recovery

It’s about being prepared for anything

Natural disasters or major incidents happen with little or no warning, so it’s essential to plan for the worst, but hope for the best. Good preparation ensures business continuity for Southern Cross.

Business Continuity Management (BCM) enables us to continue providing services to members, business customers, and healthcare providers. By embedding appropriate levels of resilience, it also helps protect our business assets, such as our IT infrastructure.

Since 2018, Southern Cross has embraced ‘active working’ and work-from-home flexibility. This offers significant remote working capability proven through live load testing, i.e. allowing multiple users to access our systems simultaneously. We also host our Information Technology (IT) systems and data on highly available and secure data centres located in different geographic regions, mitigating single point of failure risk.

The key practices in our Risk and Business Continuity Management Programme include:

Risk management and compliance

We establish Southern Cross’ risk appetite, i.e. the level of risk we’re prepared to accept. We then ensure we have effective risk management frameworks, policies and procedures in place to manage risk in line with this.

Development and continual improvement of plans

In the event of any disruption to our services, it’s essential that we minimise customer impact. Business Continuity Plans (BCPs) enable us to prepare for the types of significant disruptions that could impact Southern Cross.

As part of this, we develop, implement and maintain BCPs for critical processes. By having a Society-wide crisis plan and a Disaster Recovery Programme (DRP) that includes annual testing, and best practice framework, we have the tools in place to recover key services.


Through our dedicated Risk Management team and business risk leads, we aim to continuously improve our BCPs and DRPs by implementing best practice frameworks and tools. The team is also responsible for:

  • compiling test and incident debrief reports
  • submitting to the Risk and Compliance team - ensuring resultant observations and lessons learned are clearly assigned and monitored through to completion to support continual improvement
  • ensuring BCM development programme actions are logged and closed in a timely manner
  • reviewing and signing off the crisis plan annually, ensuring it is fit for purpose

Our Operational Risk Forum (ORF) ensures appropriate executive oversight of the programme, agreeing and monitoring the annual programme.

Awareness and training programme

When a disruption occurs, our Gold (executive), Silver (operational), and Bronze (business units) crisis teams lead the response, depending on the level of the issue. To make sure they have the right knowledge and skills to effectively perform these activities, we provide ongoing training on BCM, the Society Crisis Plan and crisis text tool. This training is provided through one on one and group training sessions.

Related information

Security operations

Learn more > 

Member privacy statement

Learn more > 

Security governance

Learn more >