business continuity plan - pensionhelp.co.uk · web viewprepare engineering solution and if...

Business Continuity Plan V2/2019

Business Continuity Plan

Address

Tel: 0161 956 2328 22 St John Street

Email: [email protected] Manchester

Web Site: www.pensionhelp.co.uk M3 4EB

Version: 2.0

Date of Issue: 04/04/2018

Approved By:

Plan Owner: K Wilson

Next Review: 03/04/2019

of 49

http://www.pensionhelp.co.uk/


Contents

Introduction.......................................................................................................................................4

Policy statement................................................................................................................................4

Summary.......................................................................................................................................5

Distribution....................................................................................................................................5

Associated\related documents......................................................................................................5

Communication and escalation route................................................................................................6

Business continuity plan – role definitions........................................................................................7

Risk mitigation.................................................................................................................................10

Action plans.....................................................................................................................................14

Telecommunications infrastructure failure.................................................................................14

Key systems infrastructure failure...............................................................................................14

Loss of data..................................................................................................................................15

Threat to wellbeing of staff..........................................................................................................16

Denial of workplace access - short term......................................................................................16

Denial of workplace access - long term.......................................................................................18

Loss of key clients........................................................................................................................22

Procedures – technical operations..................................................................................................23

Faulty workstation evaluation.....................................................................................................23

Replace hardware device.............................................................................................................23

Physical recovery.........................................................................................................................23

Invoke emergence call routing.....................................................................................................24

Disable key application server.....................................................................................................24

Communications fault resolution................................................................................................24

Internal phone resolution............................................................................................................25

Peripheral and routing hardware fault resolution.......................................................................25

Supplier communications............................................................................................................25

Applications recovery to server...................................................................................................25

Data recovery to server...............................................................................................................26

Data access validation procedure................................................................................................26

Procedures - infrastructure operations...........................................................................................27

Staff communications..................................................................................................................27

Press communications.................................................................................................................27

Fire and evacuation.....................................................................................................................27

Business continuity management team communications...........................................................28

Damage assessment and salvage.................................................................................................29

of 49


Business Continuity Management Team meetings......................................................................29

Invoke business continuity management centre.........................................................................29

Diversion of telephones...............................................................................................................30

Interim recruitment.....................................................................................................................30

Recruitment.................................................................................................................................30

Reallocate resource letter............................................................................................................30

New employee induction.............................................................................................................31

Staff protection procedure..........................................................................................................31

Procedures - general........................................................................................................................32

Identify alternatives for workload...............................................................................................32

Assess and prioritise current workload........................................................................................32

Key contact details...........................................................................................................................33

APPENDICES.....................................................................................................................................34

Appendix 1: Full client contact list...............................................................................................35

Appendix 2: Risk assessment.......................................................................................................36

Appendix 3: Business process objectives and recovery times.....................................................37

Appendix 4: T & Cs of employment.............................................................................................38

Appendix 5: Software T & Cs of sale............................................................................................39

Appendix 6: Internal IT configuration diagram............................................................................40

Appendix 7: Company key details sheet......................................................................................41

Appendix 8: See Insurance certificate copy on file......................................................................42

Appendix 9: Crisis forms..............................................................................................................43

Appendix 10: Business impact assessment..................................................................................44

Appendix 11: Emergency pack.....................................................................................................46

Appendix 12: Threat vulnerability matrix....................................................................................47

GlossaryBCM Business Continuity ManagementBIA Business Impact AssessmentRTO Recovery Time ObjectivesBCMT Business Continuity Management TeamDR Disaster RecoveryBC Business ContinuityBCMC Business Continuity Management Centre

of 49


Introduction

The purpose of this document is to define the business continuity plan (BCP) within Pensionhelp Limited.

Policy statement

Pensionhelp Limited gives the highest priority to ensuring the continual delivery of services to our clients. Business continuity is seen as the activities that maintain and recover business operational effectiveness against any untoward or adverse circumstances.

Threats to the survival and growth of the business can come in many different forms and the purpose of this document is to set out an understanding of those threats and the prescribed responses to them. Each threat is evaluated by means of a risk assessment (refer to Appendix 2: Risk Assessment).

The scale of each perceived potential impact on the business can be worked out as part of a business impact assessment (BIA), given parameters such as the degree and duration of the disruption and the potential financial consequences. The goal of our business is for all services to continue normally for the duration of any disruption.

The key business processes and their respective objectives are listed in Appendix 3 of this document. In each case, the objective specifies the maximum desirable time it should take for the business to be able to provide services in response to any given threat materialising. The objective is set based on the expected severity of the overall business impact of different interruptions, as detailed in Appendix 10: Business Impact Assessment. The relevant disaster recovery action plans and procedures within this document detail how our business will respond in the event of so called disasters, while the wider BCP sets out how we seek to avoid or mitigate against the impact of such potential events.

Both the disaster recovery plan (DR) and BCP, depend centrally on key people and effective communication to restore normal services.

If services fall below pre-defined levels, for more than a pre-defined minimum acceptable duration, this constitutes what is commonly referred to as a crisis or disaster. This plan adopts the use of the word “incident” to reflect the differing levels of seriousness of these events.

Disaster recovery is taken to mean those activities recovering IT and other infrastructure from interruptions. In this plan, an interruption to services is deemed to be anything which degrades, or halts altogether those activities and services necessary to maintain delivery of services, whether that is in client service operations, or infrastructure operations.

Client service operations and Infrastructure are two of the high level logical divisions of the business that will be referred to generically as Functional Areas. Our aim is to plan to avoid altogether, or mitigate potential threats, to the extent that it is deemed reasonable, practical and commercially viable by senior management, out of a duty of care to both our owners and staff alike.

Where threats materialise into inconveniences, interruptions and then incidents, the plan sets out the steps needed to be taken by management to recover and\or resume normal services, possibly through identifiable recovery phases. The relevant business continuity procedures contained within this BCP will be invoked by a member of the business continuity management team (BCMT).

of 49


Summary

This BCP sets out the major perceived threats to the business. It lists the action plans and procedures to respond to those threats, should they materialise as Incidents to be managed. The BCP document is itself tested with live tests and subsequently reviewed.

Distribution

This document is intended for the recipients listed below and is intended for the sole purpose of informing relevant staff and third parties of the necessary actions and procedures to be adhered to if a given incident occurs.

Holder Name Date issuedCompliance officerManaging Director Mark WilsonDirector John StevensonPlan owner

Associated\related documents

Title VersionDisaster Recovery - Overview 1.0Disaster Recovery - IT Recovery Plan 1.0Disaster Recovery - Telecoms Recovery Plan 1.0

of 49


Communication and escalation route

A member of the Business Continuity Management Team (BCMT) must be notified in the event of an incident, crisis or disaster to decide upon further action.

The diagram below indicates a typical escalation route (within the essential function) with timescales for the Business Continuity Management Centre (BCMC):

1st Contact – Operations Director

Kerry Wilson

2nd Contact – Compliance Manager

Darren Hardy Dearness

3rd Contact – Director in order

Mark Wilson

John Stevenson

of 49


Business continuity plan – role definitions

This section identifies the groups, or individuals having specific roles with respect to this Business Continuity Plan.

Role Definition

Plan owner Responsible for controlling input to, review and circulation of the Business Continuity Plan in a timely manner, to meet the requirements of the business and its stakeholders.

Defines the list of people authorised to hold and maintain printed copies of the versions of the BCP and its constituent sections as they are updated and published from time to time, as listed in Section 2 of this plan.

Infrastructure / technical operations owner

Responsible for conducting adequate risk assessments to the infrastructure operations of the business and establishing effective business continuity so as to reduce, or remove the impact and/or duration of potential threats.

Also responsible for defining and executing policy regarding crisis management of incidents impacting infrastructure operations. Ownership of all policy, plans and activities to ensure the staff can follow required processes using suitable technology and

infrastructure to maintain and recover services for the business. Minimise potential threats and impact of those threats to the business through technical operations, including those arising from

infrastructure, staff and suppliers, as well as other external threats. Responsible for providing all necessary technical facilities to allow staff to be productively employed as soon as possible, in the event of

an Incident. Responsible for ensuring all necessary plans, processes and technology are in place to minimise the likelihood of a threat to the business,

through loss, or underperformance of a supplier to technical operations. Responsible for ensuring effective and timely communications with key suppliers before, during and after incidents. Engage necessary

support from suppliers before, during and after incidents to minimize their impact and duration.

Health and safety operations owner

Responsible for ensuring all reasonable precautions are in place to protect the staff in accordance with prevailing health and safety legislation and published best practice.

Client service operations owner

Overall ownership and responsibility for ensuring that client services are maintained at the normal level in the face of threats. Responsible for conducting adequate risk assessments to the services of the business and establishing effective business continuity planning to combat threats to these services, so as to reduce, or remove the impact and/or duration of such threats.

Responsible for defining and executing policy of managed communication with clients, in the event of a threat or incident deemed to require it.

of 49


Role Definition

Functional area owner

Overall ownership and co-ordination of crisis management and business operational recovery for the relevant functional area, defined by the business.

Responsible for plan maintenance, policy, review and testing activities relevant to the functional area. Responsible for activating the relevant portions of the plan in response to threats or incidents affecting the functional area. Responsible for ensuring all relevant personnel within the functional area are able to discharge their individual responsibilities to normal

target levels.

Information and communications technology owner

Overall responsibility for defining, communicating and implementing policy to ensure resilience of information and communications technology (ICT) activities against potential threats.

Responsible for defining the operational response to an incident in this area. Overall responsibility for minimising the impact and duration of an incident affecting this functional area.

Responsible for ensuring effective operational practices are in place and well-rehearsed to ensure swift restoration following all anticipated business disruptions.

Human resources owner

Overall responsibility for defining, communicating and implementing policy to ensure the resilience of human resources activities against potential incidents.

Responsible for defining the operational response to an incident in this area. Overall responsibility for minimizing impact and duration of an incident affecting this functional area.


Ensuring that the welfare needs of staff are met during an incident. Sourcing interim or replacement staff as appropriate.

Client communications owner

Responsible for ensuring clients are informed of issues, as directed by the Incident Management Team (BCMT). Responsible for scripting corporate messages for clients. Notifying clients when services will be/has been restored and what (if anything) will be done to avoid the same scenario happening in

the future.

Supplier communications owner

Responsible for ensuring that relevant suppliers are informed of an issue, to the extent required, as directed by the BCMT. Responsible for defining key messages for suppliers and sourcing alternative suppliers where supply issues are contributing to the

severity, or duration of the incident.

of 49


Finance owner Overall responsibility for defining, communicating and implementing policy to ensure resilience of finance activities against potential threats.

Responsible for defining the operational response to an incident in this area. Overall responsibility for minimising impact and duration of an incident affecting this functional area.


Responsible for establishing and maintaining necessary arrangements to enable financial commitments to be met in an incident. Renegotiating financial facilities and arrangements as necessary to minimise the effects of the incident on the business.

Managing all exceptional financial transactions during an incident, including all insurance and banking matters arising.

Media handling owner

Responsible for nominating spokespersons and approving press releases, statements and stories to be used in media handling.

Third parties’ owner

Responsible for defining the Member list of third party contacts within organizations on which this BCP has some dependency for execution.

Defines the list of people authorised to hold and maintain printed copies of the versions of the BCP and its constituent sections as they are updated and published from time to time, as listed in Section 2 of this plan.

of 49


Risk mitigation

This section identifies the risk identified to the operation of the day to day business, along with a summary on how the business mitigates against those risks. Please also see the following section on action plans.

Potential risk Impact Mitigation Initial response Additional procedures

Loss of internet access and

systems (including

email)

Critically dependent upon

email and internet access

for business

Immediate response required to threats to prevent loss of service

or long term system unavailability

Shut down and restart system

Contact suppliers e.g. IT

support if restart fails

Assess impact and duration on systems availability

Shutdown if necessary

Invoke IT Recovery Plan for individual

systems as required

If part of wider system failure

invoke Business Continuity Plan

Communicate impact to

senior management

IT Recovery PlanBusiness

Continuity Plan

Loss of telephones

Moderate; Clients and key contacts unable to contact firm via telephone. Some mobile

phones available until services are

restored.

Telephone communication critical

to business

Investigate fault with

service providers and re-establish connectivity

asap

Divert phones to alternative

numbersMay require

temporary use of mobiles

If appropriate, update clients

and key contacts of temporary

contact details e.g. via website and

or email

Invoke Telecoms

Recovery Plan for individual

systems if required

If part of wider system failure

invoke Business Continuity Plan

Telecoms Recovery Plan

Loss of servers / database

Critical; access to databases, client documents and

internet

Servers backed up daily

Service contract in place with Lee

Douthwaite / Paul Hartley

Investigate fault with

supplier / IT support and re-establish access to server asap

Once issue resolved,

assess any loss of data, and

apply back up as needed to

recover information

If part of wider system failure invoke

relevant IT Recovery Plan


senior management

IT Recovery Plan

of 49


Potential risk Impact Mitigation Initial response Additional procedures

Cyber-attack e.g. hacking,

virus or spyware

Critical; Systems could be used to commit financial

crimeClient data and other records

may be compromised

Install protection software on all

relevant electronic equipment. Monitor

network activity regularly.

On site IT Support. Additional IT Service

contract for when on-site IT support is not

available.

Contact IT support to

establish extent of issue and next actions

Where appropriate,

inform clients of potential risk to them

Where the incident has

resulted in loss of client data, the FCA and Information

Commissioner should be notified


senior management

IT Recovery Plan

Loss of IT support

Low; Dependent on hardware and software support

in event of failure

Have two different IT Support functions.

Assess duration and impact of

problem

Source and approve

alternative suppliers for

required support

Prioritise client services if some

unavailable

Invoke IT Recovery Plan IT Recovery Plan

Power/utilities failure

Critical; impact on voice and

data communications, and operability

of office through heating and water supply



available.Alternative office

available in event of long term failure

Assess situationCall out service

contractorsLiaise with

utilities providers if appropriate

Consider impact and duration on

hygiene

If prolonged, investigate

buying in waterHire boilers and

temporary heaters if necessary

Prepare engineering

solution and if appropriate

hire temporary equipment

and plug into building systems

Communicate impact to senior

managementInvoke Business Continuity Plan


Fire/smoke Critical; Fire can damage systemsSmoke damage

can render premises

unsuitable

Buildings have automatic detection

Tested once a week/month

Key staff trained in use of fire extinguishers

Activate fire alarm if not

automatically activated

Treat small and large fires the same way

Exercise extreme caution

Implement evacuation

process using the nearest and safest exit pathConduct head

count and assist

Only re-enter the premises

when informed it is safe to do soFollow advice of fire services


management

Evacuation Procedure

of 49


Possible injury/death to

staff

If safe to do so attempt to

locate source of fire and use

fire extinguishers if trained to

do so

visitors and contractors if involved

Flood

Critical; Flood can damage IT systems, paper

records and render office

unsuitablePossible

injury/death to staff



available.Alternative office

available if required

Implement evacuation

process using the nearest and safest exit pathConduct head

count and assist visitors and contractors

Contact service

provider and/or utility

provider

If appropriate, organise move to alternative

premises ensuring that

main building is secure


senior management

Evacuation Procedure

Break-in/ vandalism/

sabotage/ fraud

Critical; Property or equipment

may be rendered unusable

Confidential client and other records may be compromised

Building alarmed and serviced by Pointer

(0141 564 2600Full inventory of assets

maintainedAll computers

password protected.Data backed up off site

Building Insurance policy with

Oddfellows; office equipment and

public/employee liability is with

Allianz

Involve police at earliest

opportunityIf party still on

premises do not enter

Exercise extreme

caution and preserve any

available evidence

Investigate and assess situationCall out

contractors to secure

premises (e.g. broken

windows) if necessary

Determine extent of

damage, theft and impact on

businessNotify insurers

Engage contractors to

repair and replace

damaged, stolen assets


managementInvoke IT

Recovery Plan

IT Recovery Plan

Threats made to safety of

business, staff

Moderate; Could require

evacuation of

Assess seriousness and involve police if

necessary

Identify seriousness of

threat to

Evacuate premises if necessary

Notify police if appropriate

Decide in consultation with police if


management


of 49


or premises

premises and interruption of

business indefinitely until

resolved

determine if a hoax

re-entering premises is advisable

Invoke Business Continuity Plan

if needed

Prolonged denied access to premises

Moderate; Catch all category to include major

safety incident, environmental,

civil unrestDenial of access

to critical systems

Remote/home offices available with full

recovery process in place

Decide safest course of action in consultation

with emergency services at

remote muster point or other

place as advised by emergency

services

Liaise with other senior

management, emergency services etc.

to assess situation

Agree on whether to implement

Business Continuity Plan and advise staff

on plan of action


Loss of key staff

Low; Dependent upon key skills in specialist areasPossible loss of business/clients

Some protection from Terms of EmploymentRegular staff reviewsSuccession planning

and deputies in placeShareholder / key person protection

Resignation /employment issues to be

reported immediately to

senior management

Assess scale of problem

Liaise with staff member if appropriate

Advise insurers/PI

insurers if claim to be made

Instruct solicitors if appropriate

HR & grievance procedures/staff

handbook

Loss of key clients

Critical; Potential significant loss of

income to business

Review process in place to ensure

services provided to all clients to agreed

standards

Appropriate manager made

aware and client contacted to discuss any

concerns

Advise staff on relevant course of

action


management

of 49


Action plans

The following action plans have been developed in response to identified potential threats to the business and the risk assessments made in connection with those identified threats. Each action plan is designed to achieve our business’s intended recovery time objective (RTO), arising from the Business Impact Analysis.

Telecommunications infrastructure failure

This defines the procedures to be followed, or steps to be taken in the event of critical degradation, or outright loss of telecommunications services, affecting voice (telephone), or data (email/web browsing/remote access), such that normal operations are threatened, or actually interrupted.

Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.

Trigger Action Procedure

Initial report of symptom(s)

1. Investigate fault 1. Locate root cause

Failure of external link identified

1. Contact service provider for fault resolution

2. Establish time frame

1. Service providers fault resolution2. Switch inbound numbers to a

mobile phone if time frame exceeded.

Failure of telephone switch Identified

1. Establish interim function of answering system/service

2. Implement system fault resolution3. Establish time frame

1. Internal system fault resolution2. Internal system fault resolution3. Switch inbound numbers to a

mobile phone if time frame exceeded.

Failure of routing, or own network hardware identified

1. Implement fault resolution 1. Internal system fault resolution

Recovery phase achieved / normal operations resumed

1. Decide on the extent of the need to inform clients of the situation

2. Inform staff of incident status

1. Client communications2. Staff communications

Key systems infrastructure failure

This defines the procedures to be followed, or steps to be taken in the event of a threat, or actual incident of loss of key computer systems & services.


of 49



Problem reported 1. Determine whether the problem is local to a server, or with the network

1. Locate and resolve

Established that a network server has failed and cannot be used

1. Determine whether the failed item can be replaced under warranty

1. Replace hardware device & re-install from backup

Failed hardware repaired or replaced and functioning correctly

1. Review age, condition and suitability of all hardware assets and the extent of the businesses critical dependence upon each item

1. Replace hardware device

Loss of data

This defines the procedures to be followed, or steps to be taken in the event of a lack of access to correct data usually accessible to a user under conditions.



User cannot access data

1. Determine whether the lack of access is due to password access failure

2. Check if loss is due to corrupt data3. Check if loss is due to system

configuration change4. Check if loss is due to faulty workstation5. Check if loss is due to key systems

infrastructure failure6. Check if loss is due to network, or

peripheral routing hardware failure7. Check if loss is due to failure of

telecommunications infrastructure

1. Data access validation2. Data access validation3. Data access validation4. Faulty workstation evaluation5. Peripheral and routing hardware

fault resolution6. Peripheral and routing hardware

fault resolution7. Data communications service fault

resolution

Threat to wellbeing of staff

This defines the procedures to be followed, or steps to be taken in the event of tangible threats to the wellbeing of staff, through the likes of fire, flood, explosions & violence.



Individual, or group is identified as under threat

1. Alert staff to take action to remove, or avoid threat

1. Staff communications2. Staff protection procedure

of 49


2. Invoke staff protection procedures3. Alert at least one member of the

BCMT4. Inform staff as appropriate

3. BCMT communications4. Staff communications

Individual, or group is identified as suffering actual harm

1. Invoke staff protection procedures2. Alert at least one member of the

BCMT3. Inform staff as appropriate

1. Staff protection procedure2. BCMT communications3. Staff communications

Denial of workplace access - short term

This defines the procedures to be followed, or steps to be taken in the event of a threat, or actual loss of access to the workplace for up to 4 hours during office hours.



During business hours - premises evacuated

1. Ensure at least one BCMT member is aware2. Establish reason for evacuation and

confirm premises is unaffected.3. Implement emergency evacuation

procedure as appropriate

1. BCMT communications2. Damage assessment and

salvage3. Fire and evacuation

Outside business hours - call received advising denial of access

1. Establish that business facilities within the premises are unaffected

2. Ensure BCMT leaders are aware

1. BCMT communications2. Damage assessment and

salvage

Confirmed that premises is unaffected

1. Establish expected duration of denial of access

1. Damage assessment and salvage

Expected duration of denial of access is established

1. Decide whether to implement emergency workplaces

1. BCMT meetings

Decision not to implement emergency workplaces

1. Instruct all staff to go home and return to the workplace next working day, or another specified date, or to await further instructions as appropriate

1. Staff communications

Decision to implement emergency workplaces

1. Assess probable impact on clients2. Divert telephones as appropriate3. Disable key applications server as required4. Ensure all staff are advised of where to

report and operate from

1. Workload and services assessment

2. Diversion of telephony3. Disable key application

server4. Staff communications

All Reports received – emergency operations stable

1. Advise all affected clients of the situation2. Advise all relevant suppliers of the

situation3. Confirm expected date/time to return to

premises

1. Client communications2. Supplier

communications3. Staff communications

and supplier communications

of 49


Advised of date of return to premises

1. Develop plan to return all functional areas affected to normal operation levels

2. Inform all staff of planned date to return to premises

3. Inform all clients of expected date of return to normal operation levels

4. Inform all suppliers of expected date to return to normal operation levels

1. Physical recovery2. Staff communications3. Client communications4. Supplier

communications

Denial of workplace access - long term

This defines the procedures to be followed, or steps to be taken in the event of a threat, or actual loss of access to the workplace for more than a 4-hour period during office hours. Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.


During business hours - 1. Ensure at least one BCMT member is 1. BCMT communications

of 49


premises evacuated aware2. Establish reason for evacuation and

confirm premises are unaffected3. Implement emergency evacuation

procedure as appropriate


3. Fire and evacuation

Outside business hours - call received advising denial of access

1. Establish that business facilities within the premises are unaffected

2. Ensure BCMT leaders are aware


2. Situation management team communications

Confirmed that premises are unaffected

1. Establish expected duration of denial of access


Expected duration of denial of access is established

1. Decide whether to implement emergency workplaces

1. BCMT meetings

Decision not to implement emergency workplaces

1. Instruct all staff to go home and return to the workplace next working day, or another specified date, or to await further instructions as appropriate

1. Staff communications

Decision to implement emergency workplaces

1. Invoke business continuity management centre plans

2. Assess probable impact on clients3. Divert telephones as appropriate4. Disable key applications server as

required5. Ensure all staff are advised of where to

report and operate from

1. Invoke business continuity management centre

2. Workload and services assessment

3. Diversion of telephony4. Disable key application

server5. Staff communications

All reports received – emergency operations stable

1. Advise all affected clients of the Incident2. Advise all relevant suppliers of the

incident3. Confirm expected date/time to return to

premises

1. Client communications2. Supplier

communications3. Staff communications &

supplier communications

Advised of date of return to premises

1. Develop plan to return all functional areas affected to normal operation levels

2. Inform all staff of planned date to return to premises

3. Inform all clients of expected date of return to normal operation levels

4. Inform all suppliers of expected date to return to normal operation levels

1. Physical recovery2. Staff communications3. Client communications4. Supplier

communications

Key suppliers & equipment

This section lists the suppliers who provide a unique and\or critical service. Any loss or disruption of these services would incur a high disproportionate negative impact to the business.

Which other businesses are relied upon in order to carry out the processes or activities

of 49


Who are your key suppliers?

Name Risk Risk mitigation Notes

Broadband supplier

Firm reliant on internet access for services, key functions out of action whilst service is down.

Redundancy provided by second broadband line into office, using a different ISP e.g. not reliant on BT backbone

Dial up modems also available

Staff able to work from home

Disaster recovery process covers required action

Additional service level is paid for on Zest 4 (Richard Sheldon) service to ensure reported faults are responded to within 1 hour

An account manager has been established

Office Equipment

Theft would have major financial impact on the firm

All new purchases notified to insurer immediately.

Amount of cover reviewed annually

Staff told not to leave equipment in car

Disaster recovery process covers required action

Insurance with Allianz is on a like-for-like basis

Loss of key personnel resources

This section lists the key personnel who hold or provide a unique and/or critical skill set to the business, whose loss would cause a high disproportionate negative impact to the business.

Does any particular member of staff possess a unique skill set

of 49



Directors / Partners

Difficult to replace income short term on death, and costs of finding a replacement

Keyman insurance in place for £250, 000 for each director/partner to replace income and cover costs whilst a replacement is found

Appropriateness of level of cover reviewed annually

Terms of insurance include directors/partners not all travelling together

Travel policy reflects this

Insurance with Life, written in trust for the benefit of the business

IT developer All code for key IT service is written by one developer

All source code is saved incrementally

Technical notes drafted with each new release

External company used periodically to ensure they have working knowledge of code

Staff contracts state that the business owns all inventions

Notice period is 6 months

Adviser / investment manager

Loss of clients and renewal streams on leaving the business

Incentive scheme locks advisers into business

Clients have regular contact from desk based account manager not just the adviser / investment manager, to encourage loyalty to firm

Contracts have non-solicitation clause for 12 months post exit

This action plan identifies procedures to be followed or steps to be taken in the event of key individuals, or a critical percentage of staff being absent long term, or permanently.

Refer to the Risk Assessment for Loss of Key Personnel Resources in Appendix 2.


Key account handler:

1. Identify alternates to take on workload2. Advise clients of interim and/or permanent

1. Identify alternate for workload2. Change of account manager

of 49


long term changes3. Consider re-assignment of specific account

responsibilities to other account handlers4. Assess current/imminent activity and

projects5. Consider re-assignment of specific account

responsibilities to senior managers6. Advise staff

letter3. Key account review4. Key account review5. Key account review 6. Staff communications

Key account handler:permanent

1. Advise clients of interim, or permanent changes

2. Assess current/imminent activity and projects

3. Consider re-assignment of specific account responsibilities to other account handlers

4. Consider re-assignment of specific account responsibilities to senior managers

5. Decide whether to restructure the account-handling team, or to recruit replacement(s)

6. Recruit replacement if appropriate7. Consider competitive threat/loss of clients8. Advise staff

1. Change of account manager letter

2. Key account review3. Key account review 4. Key account review5. Identify alternate for workload6. Recruitment7. Key account review8. Staff communication

Senior manager:long term

1. Assess current/imminent activity and projects

2. Consider responsibilities that can be delegated to other senior managers

3. Consider interim management resources4. Advise clients as appropriate5. Advise suppliers as appropriate6. Advise staff

1. Assess and prioritise current workload

2. Assess and prioritise current workload

3. Identify alternate for workload4. Change of account manager

letter5. Supplier communications6. Staff communications

Senior manager:permanent

1. Consider competitive threat2. Recruit replacement as appropriate3. Assess forward workload and

responsibilities4. Consider re-assignment of workload and/or

responsibilities to other senior managers5. Assess requirement for interim

management, pending recruitment of replacement

6. Advise clients as appropriate7. Advise suppliers as appropriate8. Advise staff

1. Key account review2. Interim recruitment3. Assess and prioritise current

workload4. Assess and prioritise current

workload5. Identify alternate for workload6. Change of account manager

letter7. Supplier communications8. Staff communications

Functional area:critical percentage reduction – long term

1. Assess & prioritise current workload2. Decide whether clients will be materially

affected and advise as appropriate3. Review cause and recruit replacement staff

as appropriate4. Engage additional resources from suppliers

1. Assess/prioritise current workload

2. Reallocation of resource letter3. Recruitment4. Supplier communications

of 49


Functional area:critical percentage reduction – permanent

1. Assess & prioritise current workload2. Decide whether clients will be materially

affected and advise as appropriate3. Review cause and recruit replacement staff

as appropriate 4. Engage additional resources from suppliers

1. Assess/prioritise current workload

2. Reallocation of resource letter3. Recruitment4. Supplier communications

Key worker: unavailable long term

1. Evaluate options for workload2. Notify any clients materially affected3. Notify any suppliers materially affected4. Notify staff

1. Identify alternate for workload2. Client communications3. Supplier communications4. Staff communications

Loss of key clients

This section lists any key clients whose loss would have a major impact on the business, or any threats posed by undertaking work for those clients.

Who are your key clients (internal and external)

What services does the business provide to them


All clients Litigation for poor advice

Professional indemnity insurance provided through Liberty Mutual at £2million

Key conditions are: -

£20k main, 30K on excess layer – see schedule for Endorsements

of 49


Procedures – technical operations

Faulty server evaluation

1. Confirm whether issue is loss of access to data and if so, follow the set procedure for this issue.

2. Confirm that the fault can be replicated by the users.

3. Carry out system self-test diagnostics.

4. Identify if fault is a known software problem that can be remedied by applying a patch, or upgrade. If so, apply the patch or upgrade.

5. If reinstallation attempts generate multiple error conditions, schedule the workstation for software rebuild.

6. If the root cause is hardware, schedule the workstation for repair, or replacement accordingly.

Replace hardware device

1. Assess if faulty device can be fixed by replacing or repairing faulty component e.g. screen, cartridge, etc. If so, replace component as an expense item.

2. If not, confirm if replacement devices are available from a local supplier, with sufficient similarities in terms of features.

3. If not, assess cost/benefit of sourcing replacements from remote locations, versus local purchase from local sources, factoring in lead time considerations.

4. Reroute user services to secondary platforms, subject to cost/benefit assessment in terms of time estimated to recover normal operations for user.

5. Purchase replacement device as necessary.

6. Purchase additional replacement devices as necessary, as contingency, if considered beneficial to shorten future recovery to normal operations.

Physical recovery

1. Replacement of IT equipment and systems

The IT and telecommunications systems are to be restored to their previous standard, specification and configuration. A schedule of necessary hardware and software purchases, plus services to achieve this, must be drawn up and submitted to the relevant budget holder for approval.

Where relevant, a schedule of confirmed damage and losses from the salvage contractor, as agreed by the loss adjuster, must accompany this schedule.

2. Replacement of fixtures and fittings

Fixtures and fittings, including furniture, must be reinstated to their pre-incident standard. Approval for all such replacements must be obtained from the loss adjuster. A schedule of all original assets may be obtained from the relevant finance section.

3. Repairs and refurbishment of buildings and infrastructure

of 49


If physical damage occurs to the business address, Laytons Solicitors are responsible for affecting such repairs and providing alternative temporary premises in the local area in the interim.

Invoke emergence call routing

1. Confirm main workplace and its facilities will not be available for an extended period (over 1 hour).

2. Reroute telephone lines to designated alternate numbers, as specified by any member of the BCMT.

3. Revert to original routing number when normal operating conditions are resumed.

Disable key application server

1. Notify affected users informing them of relevant server shut down at specified time.

2. Send warning messages to logged on users 30 minutes, 10 minutes and 1 minute prior to shut down.

3. Check that all users are logged off at shut down time.

4. Contact any users still logged on after shut down time and instruct them to log off, or lose work.

5. Issue server shut down command at operating system level.

6. Power system off, if required.

7. If down time is known, include this in the messages to users.

8. Notify user community, or key contacts within it, that services have been recovered, with broadcast email, and/or other notification method.

Communications fault resolution

1. Identify that there appears to be an external communications service fault into the building, such that the phone service is unusable.

2. Contact on-site facilities and inform them of the fault, for escalation to their own service provider, during office hours.

3. Outside of office hours, notify Mark Wilson (04534 751931) or Kerry Wilson (07871 231291) or Esther Brooks (Laytons - 07786 518 116/07787 856 736) *

4. If necessary, contact service provider, advising them of the fault.

5. If the service provider can identify a fault on the line, request an estimated time to resolution.

6. Request the diverting of the line to an alternate number, such as a BCMT- designated mobile phone.

7. Ask service provider to place a message on the relevant line advising callers of the fault, if necessary.

8. Report expected duration of function loss to relevant staff, suppliers and clients as necessary.

9. Switch to alternate communications methods as appropriate.

*In the event of an intruder alarm our Keyholders are Sector Security 01772 794 728. They will attend the property, inspect and if necessary i.e. if there has been an incident, contact the police and Esther Brooks].

of 49


Internal phone resolution

1. Assess possibility of using alternate handset hardware within the local office.

2. Request replacement handset from Octagon (03456 787878).

3. Check replacement handset works with the underlying phone number.

4. Recheck previous configurations on new handset, such as speed dial.

Peripheral and routing hardware fault resolution

1. Conduct diagnosis to locate the faulty component.

2. Does a unit of the replacement component exist locally on site? If so, replace and re-order to replenish under warranty, or as a purchased consumable.

3. If component cannot easily be replaced, consider rerouting workload, or traffic, or other similar technical workarounds.

4. Notify any staff, clients, or suppliers likely to be materially affected.

5. Ensure replacement of item and restoration of normal operations after installation.

6. Consider cost-benefit of buying spare units of the failing component, or implementing alternative, more resilient technical solution.

Supplier communications

1. Identify list of suppliers materially affected.

2. Determine the nature, frequency and content of the communication, defaulting to email on an ‘as needs’ basis.

3. Specify clearly the way in which the supplier relationship is likely to be affected.

4. Specify any increased services required, or any changes needed in procedures between organizations.

5. Keep suppliers informed regarding likely resumption of normal operations and when it is actually achieved.

Applications recovery to server

1. Power server down if necessary.

2. Un-install any previous versions of the application as required, to permit clean install.

3. Back up associated data, as required.

4. Install fresh version of application, following installation instructions to achieve desired configuration.

5. Check access to the application across the network and locally.

6. Check relevant users can access both the application and any associated data as appropriate.

of 49


TECHNICAL OPERATIONS - DATA RECOVERY TO SERVER

Data recovery to server

1. If relevant, back up data files that can be identified.

2. Identify most recent version of stored data required, from various storage media.

3. Deploy data files into correct location, where they can be properly accessed by the user’s application.

4. Notify user when the operation is complete.

5. Check with user that they can access both application and data as expected.

Data access validation procedure

1. Confirm if same data can be accessed from another workstation.

2. Confirm if same data can be accessed using another valid password access code.

3. Check if there are error messages linked to the data source in the relevant system monitoring logs.

4. Check with IT whether there have been any recent configuration changes, since the last time the user recalls having full access.

5. Check what the user recalls doing immediately prior to the loss of access to the data.

of 49


Procedures - infrastructure operations

Staff communications

1. In each communication, ensure inclusion of relevant elements of whether there is denial of access, duration of any interruption to normal operations, IT, telephony, other service issues, any casualties and wider considerations of feedback, welfare and staff morale.

2. During office hours:

a. Ensure any staff known to be present, or associated with the affected premises, are advised regarding what action they should take.

b. Initiate emergency call-out/broadcast to notify staff according to agreed, scripted message.

c. If the incident occurs before [4pm] contact all absent staff members to advise them of action to take.

d. Record whether contact was reached, or whether just a message was left.

e. After 5pm, consider contacting remaining staff on their home phone numbers.

f. If any affected staff are on holiday, or away from their home, contact them by phone if possible, otherwise by email and post as a last resort.

3. Outside office hours:

a. If the incident occurs before 8am, consider waiting until after 8am to notify them at home. Otherwise, always default to primary contact on their mobile phone.

b. Give guidance on how long incident is likely to continue.

c. Record whether person has been contacted, or just a message was left.

d. Advise staff on how they will be kept updated on latest developments regarding the incident.

e. Confirm when normal operation has been resumed.

Press communications

1. Unless specifically authorised by the BCMT, no comment should be made to the press. If approached, staff response should be "no comment" and enquiries should be referred to the BCMT.

2. The default spokesperson in incidents will be John Stevenson. When John Stevenson is unavailable, the BCMT shall nominate the most appropriate alternative, which will be Mark Wilson unless otherwise specified.

3. The BCMT shall agree on the content of what shall be communicated, via what channels and to whom, in what order. Prior to briefing the press, a decision should be made as to whether to provide an interview, conference, or merely issue a read press statement. The latter is the preferred method for most foreseeable circumstances.

4. Wherever possible, staff should be notified first, clients second, suppliers third and press last of all. Our business has no specific obligations with respect to notifying the public concerning incidents at its locations. Third parties are responsible for their respective premises.

5. Our policy is to stick to communicating facts and expressing sorrow at any personal loss, or injury suffered as a consequence of the incident.

Fire and evacuation

of 49


1. This procedure is to be used in the event of a fire at our offices.

2. If you discover a fire:

a. Operate the fire alarm immediately by breaking the seal on the nearest relevant unit.

b. Attack the fire if possible with the equipment provided, but do not take any personal risks. Leave immediately if the fire cannot be brought quickly under control.

3. On hearing the fire alarm:

a. The alert signal is a continuous ring on a bell alarm.

b. Unless having received prior warning that the alarm is a planned exercise, staff and visiting personnel should proceed immediately to the nearest muster point, the defaults being at the gates to the park on Byrom Street, at the bottom of St John Street

c. Do not use lifts (except where special arrangements exist for the disabled.

d. Do not stop to collect belongings.

e. Do not re-enter the building until instructed to do so by an authorised person e.g. Fire Marshall, member of the Fire Service or by another authorised person.

f. Upon receiving notification of when staff will be able to return to their workspace, the most senior member of staff present in the group should notify a member of the BCMT.

g. Upon returning to the workspace, the most senior member of staff present should assess the workspace for damage and inform the BCMT of the need to invoke damage assessment and salvage procedures, if necessary.

Business continuity management team communications

1. The following should be used for contact between members of the BCMT in connection with business continuity Incidents.

2. Regardless of time, contact BCMT members by the following means, in order, until successful:

a. Mobile telephone

b. Home telephone

c. Work email, instant-mail, home e-mail

d. Travel to home address (unless it is known that the contact is away from home)

3. Members of the BCMT and their contact details appear in the contacts section of this BCP.

4. The primary purpose of initially contacting all members of the BCMT is to arrange the first BCMT meeting (see procedure on Business Continuity Management Team Meetings)

of 49


Damage assessment and salvage

1. In the event of a physical incident where losses and/or damage are likely, call Mark Wilson (04534 751931) or Kerry Wilson (07871 231291) or Esther Brooks (Laytons - 07786 518 116/07787 856 736)

2. Provide information requested and the above will liaise with insurers & loss adjuster, and expedite the recovery process.

3. Given the small amount of material involved, any damaged items should be transported by hired vehicles as necessary.

Business Continuity Management Team meetings

1. The first BCMT meeting will be held at the nominated location agreed by the BCMT, depending on the scale of the emergency. Choices shall include, but not be limited to:

a. 59 Church Street, Farnworth, Bolton. Bl4 8AQ

b. [Alternative Site 2]

c. [Alternative Site 3]

2. The objectives and standing agenda for the meetings will be:

a. Casualties, injuries and fatalities, to be recorded

b. Nature/duration of denial of access - likelihood of regaining access to premises - implementation of emergency workplaces

c. Losses, damage and salvage

d. Client communications

e. Impact on clients and services

f. Supplier communications

g. Stakeholders

h. Insurance and finance

i. Prioritise workload and roles within BCMT

j. Staff communications

k. Date/time/venue of next meeting

Invoke business continuity management centre

1. BCMT to discuss options from list of business continuity management centre locations.

2. BCMT to select one location and notify staff from contact list.

3. BCMT to arrange purchase of emergency equipment and facilities for the business continuity management centre.

4. Quantify impact of incident and likely duration of need for the business continuity management centre.

5. Notify staff, suppliers and clients affected and procedure for obtaining latest information.

6. Advise all of likely resumption of normal operations.

of 49


Diversion of telephones

1. The main company phone number is 0161 956 2328.

2. The main support number is (Octagon) 03456 787878.

3. Once normal operations is restored, divert the relevant support number back to the default.

Interim recruitment

1. For recruiting senior or key account managers, obtain authority from John Stevenson or Mark Wilson for new position or interim position and determine length of contract.

2. Approach above or Kerry Wilson, or look to use appropriate external recruitment agency to discuss job specification.

3. Obtain approval for and agree contract with appropriate external recruitment agency (none specified).

4. Interview candidates.

5. Make job offer to selected candidate in accordance with standard terms & conditions of employment.

6. Take new employee through induction, as part of their probation period in the company.

Recruitment

1. Obtain authority for new position, including detailed job specification and business case.

2. Approach relevant external recruitment agency to discuss job specification.

3. Obtain approval for and agree contract with appropriate external recruitment agency

4. Interview and shortlist candidates.

5. Make offer to selected candidate.

6. Take candidate through induction procedure.

Reallocate resource letter

This letter is held as a word file on the company shared drive.

Dear

Due to the unforeseen consequences of {reason for problem} we are allocating you different members of the {name} department to work with you and your people. {Contact name} will be in contact in the very near future to arrange a mutually convenient time and location for a review meeting.

If you would like to discuss this situation personally, please call me on [number] and I will answer any questions you may have. We hope to count on your support in these unusual circumstances and are very confident of continuing to deliver the high standard of service that you expect from us.

Yours Sincerely,

[Name]

of 49


[Title]

New employee induction

1. Ensure employee's details are registered in the business HR files, including signed contract of employment.

2. Notify payroll of employee's details, having obtained employee's last P45 if relevant.

3. Set up person with own e-mail account.

4. Obtain access to necessary systems to enable the employee to perform their tasks.

5. Allocate supervisor responsible for guiding them through the early weeks.

6. Set review date with senior manager as a mentor, to ensure any issues are raised with a mentor.

7. Cover the relevant items on the technical, client services, or infrastructure induction syllabus.

Staff protection procedure

1. Confirm details of threat of, or actual harm, to which individual member or group of staff.

2. Identify if the individual or group is aware of the potential harm.

3. Seek to communicate with the individual or group to direct them away from the threat, and towards safety, with respect to their location.

4. Seek to educate the individual or group concerning the nature of the threat, to avoid, or minimise it in future.

5. Where relevant, notify the authorities: police, fire, ambulance, coast guard.

6. Direct staff towards counselling services relevant to the nature of harm they may have suffered.

7. Notify wider staff community regarding the nature of action taken and any changes to procedure required, where appropriate.

of 49


Procedures - general

Identify alternatives for workload

1. Assess the nature, quantity and expected timescales of the workload and the skills necessary to perform it, by referring to available paperwork, electronic files and co-workers of the person(s) not available.

2. Represent the workload as a set of deliverables with target dates and associated status summaries, or starting positions.

3. Prioritise the workload in terms of the value of the deliverables to the business unit concerned.

4. Evaluate the relative cost/benefits of achieving the deliverables with existing in-house labour with spare capacity, versus subcontracted resources.

5. Formulate a plan identifying all deliverables identified, new deliverable owners, timescales agreed and method of updating progress against the plan.

6. Circulate the plan to all new actioners.

7. Actioners are responsible for notifying their own management and colleagues, and managing their workload to incorporate the newly allocated deliverables, as required.

Assess and prioritise current workload

Procedure for reviewing the activities of owners of the relevant functional areas.

1. Co-ordinator (defaults to most senior team member, unless otherwise agreed) to initiate contact with all relevant representatives of the affected work areas and collate prioritised, bullet-point list of all activities of relevant staff and key third parties

2. Invite contributions and discuss key perceived issues or activities by project, with all relevant contributors meeting together, or conferenced in

3. Co-ordinator to summarise consolidated view of contributors to assess collective impact of various courses of action and resource prioritisation on business as a whole

4. Gain agreement and commitment to proposed consolidated course of action, with action owners identified and completion timescales agreed.

5. Invite any final comments from contributors and integrate comments, or deal with the issues before proceeding.

6. Agree time/manner to review progress against agreed action plan.

7. Document and distribute agreed action plan, by e-mail, or other agreed mechanism, if e-mail cannot be relied upon.

8. Review progress at the set time/manner, unless rescheduled in the intervening time.

9. Repeat process until workload issues are resolved, and normal operations is resumed.

of 49


Key contact details

Category Name Telephone Email

BCMT Kerry Wilson 0161 956 2328 [email protected]

Mark Wilson 0161 956 2328 / 07834751931

[email protected]

Greg Harrison 07587 133 940 [email protected]

Lee Douthwaite (Pareto-IT)

0161 819 1311 / 07917 220918

Function managers

As above

Response team(s)

As Above

of 49


APPENDICES

VERSION LAST UPDATED

Appendix 1: Full Client Contact List 1.0 03/04/2017

Appendix 2: Risk Assessments 1.0 03/04/2017

Appendix 3: Business process objectives

and recovery times 1.0 03/04/2017

Appendix 4: T & Cs of Employment 1.0 03/04/2017

Appendix 5: Software T & Cs of Sale 1.0 03/04/2017

Appendix 6: Internal IT Configuration Diagram 1.0 03/04/2017

Appendix 7: Company Key Details Sheet 1.0 03/04/2017

Appendix 8: Insurance Certificate Copy 1.0 03/04/2017

Appendix 9: Crisis Forms 1.0 03/04/2017

Appendix 10: Business Impact Assessment 1.0 03/04/2017

Appendix 11: Emergency Pack 1.0 03/04/2017

Appendix 12: Threat Vulnerability Matrix 1.0 03/04/2017

of 49


Appendix 1: Full client contact listInternal

Extension Name Mobile Number

N/A John Stevenson 0161 819 1311 / 07780 991 882N/AN/A Graeme Fountain 07799 348038

329 Vincent Jeffers N/A362 Tim Burge N/A339 Steve Lorenzelli N/A360 Rachel Holden N/A361 Mike Lennox N/A350 Mike Jordan N/A332 Mark Gallagher N/A359 Marcus Barclay N/A324 Kerry Peters N/A371 Kate Jayden N/A367 Kate Barrett N/A331 Joe Turner N/A328 Geoff Ohemeng N/A364 Emilia Buczynska N/A349 Elly Bradshaw N/A345 Elliot Wood-Meynell N/A366 David Boardman N/A351 Darren Hardy-Dearness N/A363 Barry Westbrook N/A357 Claire Hammond N/A341 Alex Langton N/A342 George Agan N/A337 Jake Waterfield N/A347 James Mistiades N/A348 Jenny Dalton N/A355 Jill Lees N/A354 Lottie Wicks N/A322 Kathryn Cosgrove N/A327 Katie Rivett N/A325 Kerry Wilson N/A326 Mark Wilson 07834 751931356 Matt Amesbury N/A344 Reception N/A330 Ryan Crockart N/A340 Sam Bowman N/A327 Sarah Lane N/A

of 49


353 Stuart Grant N/A369 Ania Szylar N/A370 Greg Harrison 07587133940

Remote Worker Jamie Standish 07544 328714Remote Worker Mark Barker 07592 246353Remote Worker Peter Rhodes 07926 736444Remote Adviser John Webber 07729 076158

of 49


Appendix 2: Risk assessment

Version 1.0

Last Reviewed/Updated 04/02/2019

Next Review Scheduled April 2019

of 49


Appendix 3: Business process objectives and recovery times

Version 1.0


Next Review Scheduled 03/04/2018

of 49


Appendix 4: T & Cs of employment

Version 1.0



of 49


Appendix 5: Software T & Cs of sale

Version 1.0



of 49


Appendix 6: Internal IT configuration diagram

Version 1.0



of 49


Appendix 7: Company key details sheet

Version 1.0



of 49


Appendix 8: See Insurance certificate copy on file

of 49


Appendix 9: Crisis forms

IMPACT ASSESSMENT FORM

Manager: Tel/work location:

IMPACT SUMMARY

Date and time of impact: SITE:

Impact on personnel: Loss of life (Y/N) Injuries (level):

Impact on site access: No access Partial access

Controlled access Normal access

Emergency services at site: Fire Police

Ambulance Other:

Critical processes affected:

ASSESSMENT

Considerations Comments

Health & safety

Impact Summary Total Loss Partial loss Minimal loss

Access to building

Use of affected area

Recoverability from effected area of:

Equipment

Work in progress

Vital records

Electricity

Water

Computer data

Voice

Other services

Conclusions

Manager’s signature: Date/time of report:

of 49


of 49


Appendix 10: Business impact assessment

Clients / Suppliers

Who are your key clients (internal and external)? What services does the business provide to them? If the service was unavailable, what length of time would the client tolerate before impacts

(tangible and intangible) are felt? What requirements (contractual, legal, regulatory etc.) must be adhered to for the delivery /

performance of this service?

Tangible Impacts

What losses would be experienced in the following areas:o Financial revenueo Fines and/or penaltieso Backlog processing costs

Intangible Impacts

What losses could be experienced in the following areas:o Loss of clients as a result of dissatisfactiono Missed opportunityo Loss of market shareo Loss of stakeholder or investor confidenceo Loss of employee morale leading to higher staff turnover

Internal Environment

How high is the turnover of staff within the business? Does any particular member of staff possess a unique skill set? Are management succession plans in place? What systems (IT or otherwise) does the business rely upon? What critical information is required in order to perform the businesses processes or

activities? Where is this information stored? Is the information secure? Is the information backed up? Who has access to the information? Which other businesses are relied upon in order to carry out the processes or activities?

External Suppliers

Who are your key suppliers? What services or products do they provide to you? How long could your business tolerate non-supply before it impacted the ability to perform

processes or activities? What requirements (contractual etc.) must your supplier adhere to for the delivery /

performance of their service or product? Could any alternatives be identified and, if so, has this been done?

of 49


Type of impact and its effects

Impact descriptors and event categorisation

Catastrophic High Medium Low

FINANCIAL

Loss of revenue e.g. <£10m for large business Loss of revenue e.g. <£10m for

large business Loss of revenue

Loss of shareholder value

Penalties

Bad debts

Additional operating cost(s)

NON-FINANCIAL

Reputational loss

E.g. Adverse and sustained national media campaign and/or loss of confidence/trust by market, public and/or damage to brand image and trust.

E.g. Adverse comment in national media and/or loss of confidence in a range of service and/or products or several parts of the organisation.

E.g. Adverse comment in national media and/or loss of confidence in specific service and/or product or part of organisation.

E.g. Adverse comment in local media only and/or confined to a limited number of localised clients.

Loss of operational capacity

Client service

Regulatory/ legal

Loss of market share

Loss of quality

Brand tarnish

Environmental

Contractual

Staff moral

Political

of 49


Appendix 11: Emergency pack

Documents:

Business continuity plan – your plan to recover your business or organisation. List of employees with contact details – include home and mobile numbers, and e-mail

addresses. You may also wish to include next-of-kin contact details. Lists of client and supplier details. Contact details for emergency glaziers and building contractors. Contact details for utility companies. Building site plan (this could help in a salvage effort), including location of gas, electricity and

water shut off points. Latest stock and equipment inventory. Insurance company details. Financial and banking information. Product lists and specifications. Formulas and trade secrets. Local authority contact details. Headed stationery and company seals and documents.

Equipment:

Computer back up tapes / disks / USB memory sticks or flash drives. Spare keys / security codes. Torch and spare batteries. Hazard and cordon tape. Message pads and flip chart. Marker pens (for temporary signs). General stationery (pens, paper, etc.). Mobile telephone with credit available, plus charger. Dust and toxic fume masks. Disposable camera (useful for recording evidence in an insurance claim).

Ensure you are able to repair or replace any equipment vital to your business at short notice. If you are able to, consider storing spare parts off-site.

Notes:

Make sure this pack is stored safely and securely off-site (in another location). Ensure items in the pack are checked regularly, are kept up to date, and are working. Remember that cash / credit cards may be needed for emergency expenditure. This list is not exhaustive, and there may be other documents or equipment that should be

included for your business or organisation.

of 49


Appendix 12: Threat vulnerability matrix

Type of threat Likelihood of occurrence (probability or frequency)

High Medium Low Minimal

Fire X

Power failure X

Flood X

Bomb X

Lost data X

Security breach X

Telecoms failure X

Terrorist attack X

Industrial action X

Key

High: high risk occurring at least once a week.

Medium: medium risk occurring once a quarter.

Low: low risk occurring annually\bi annually.

Minimal: very low risk – may never occur.

of 49