Business Continuity Plan V2/2019
Business Continuity Plan
Address: 22 St John Street, Manchester, M3 4EB
Tel: 0161 956 2328
Email: [email protected]
Web Site: www.pensionhelp.co.uk
Version: 2.0
Date of Issue: 04/04/2018
Approved By:
Plan Owner: K Wilson
Next Review: 03/04/2019
Contents
Introduction
Policy statement
  Summary
  Distribution
  Associated/related documents
Communication and escalation route
Business continuity plan – role definitions
Risk mitigation
Action plans
  Telecommunications infrastructure failure
  Key systems infrastructure failure
  Loss of data
  Threat to wellbeing of staff
  Denial of workplace access - short term
  Denial of workplace access - long term
  Loss of key clients
Procedures – technical operations
  Faulty workstation evaluation
  Replace hardware device
  Physical recovery
  Invoke emergency call routing
  Disable key application server
  Communications fault resolution
  Internal phone resolution
  Peripheral and routing hardware fault resolution
  Supplier communications
  Applications recovery to server
  Data recovery to server
  Data access validation procedure
Procedures - infrastructure operations
  Staff communications
  Press communications
  Fire and evacuation
  Business continuity management team communications
  Damage assessment and salvage
  Business Continuity Management Team meetings
  Invoke business continuity management centre
  Diversion of telephones
  Interim recruitment
  Recruitment
  Reallocate resource letter
  New employee induction
  Staff protection procedure
Procedures - general
  Identify alternatives for workload
  Assess and prioritise current workload
Key contact details
APPENDICES
  Appendix 1: Full client contact list
  Appendix 2: Risk assessment
  Appendix 3: Business process objectives and recovery times
  Appendix 4: T & Cs of employment
  Appendix 5: Software T & Cs of sale
  Appendix 6: Internal IT configuration diagram
  Appendix 7: Company key details sheet
  Appendix 8: See Insurance certificate copy on file
  Appendix 9: Crisis forms
  Appendix 10: Business impact assessment
  Appendix 11: Emergency pack
  Appendix 12: Threat vulnerability matrix
Glossary
BCM: Business Continuity Management
BIA: Business Impact Assessment
RTO: Recovery Time Objectives
BCMT: Business Continuity Management Team
DR: Disaster Recovery
BC: Business Continuity
BCMC: Business Continuity Management Centre
Introduction
The purpose of this document is to define the business continuity plan (BCP) within Pensionhelp Limited.
Policy statement
Pensionhelp Limited gives the highest priority to ensuring the continual delivery of services to our clients. Business continuity is seen as the activities that maintain and recover business operational effectiveness against any untoward or adverse circumstances.
Threats to the survival and growth of the business can come in many different forms and the purpose of this document is to set out an understanding of those threats and the prescribed responses to them. Each threat is evaluated by means of a risk assessment (refer to Appendix 2: Risk Assessment).
The scale of each perceived potential impact on the business can be worked out as part of a business impact assessment (BIA), given parameters such as the degree and duration of the disruption and the potential financial consequences. The goal of our business is for all services to continue normally for the duration of any disruption.
The key business processes and their respective objectives are listed in Appendix 3 of this document. In each case, the objective specifies the maximum desirable time it should take for the business to be able to provide services in response to any given threat materialising. The objective is set based on the expected severity of the overall business impact of different interruptions, as detailed in Appendix 10: Business Impact Assessment. The relevant disaster recovery action plans and procedures within this document detail how our business will respond in the event of so-called disasters, while the wider BCP sets out how we seek to avoid or mitigate against the impact of such potential events.
Both the disaster recovery plan (DR) and BCP depend centrally on key people and effective communication to restore normal services.
If services fall below pre-defined levels, for more than a pre-defined minimum acceptable duration, this constitutes what is commonly referred to as a crisis or disaster. This plan adopts the use of the word “incident” to reflect the differing levels of seriousness of these events.
Disaster recovery is taken to mean those activities recovering IT and other infrastructure from interruptions. In this plan, an interruption to services is deemed to be anything which degrades, or halts altogether, those activities and services necessary to maintain delivery of services, whether that is in client service operations, or infrastructure operations.
Client service operations and Infrastructure are two of the high-level logical divisions of the business that will be referred to generically as Functional Areas. Our aim is to plan to avoid altogether, or mitigate potential threats, to the extent that it is deemed reasonable, practical and commercially viable by senior management, out of a duty of care to both our owners and staff alike.
Where threats materialise into inconveniences, interruptions and then incidents, the plan sets out the steps needed to be taken by management to recover and/or resume normal services, possibly through identifiable recovery phases. The relevant business continuity procedures contained within this BCP will be invoked by a member of the business continuity management team (BCMT).
Summary
This BCP sets out the major perceived threats to the business. It lists the action plans and procedures to respond to those threats, should they materialise as Incidents to be managed. The BCP document is itself tested with live tests and subsequently reviewed.
Distribution
This document is intended for the recipients listed below, for the sole purpose of informing relevant staff and third parties of the necessary actions and procedures to be adhered to if a given incident occurs.
| Holder | Name | Date issued |
|---|---|---|
| Compliance officer | | |
| Managing Director | Mark Wilson | |
| Director | John Stevenson | |
| Plan owner | | |

Associated/related documents

| Title | Version |
|---|---|
| Disaster Recovery - Overview | 1.0 |
| Disaster Recovery - IT Recovery Plan | 1.0 |
| Disaster Recovery - Telecoms Recovery Plan | 1.0 |
Communication and escalation route
A member of the Business Continuity Management Team (BCMT) must be notified in the event of an incident, crisis or disaster to decide upon further action.
The diagram below indicates a typical escalation route (within the essential function) with timescales for the Business Continuity Management Centre (BCMC):
1st Contact – Operations Director
Kerry Wilson
2nd Contact – Compliance Manager
Darren Hardy Dearness
3rd Contact – Director in order
Mark Wilson
John Stevenson
Business continuity plan – role definitions
This section identifies the groups, or individuals having specific roles with respect to this Business Continuity Plan.
Role: Plan owner
Definition:
Responsible for controlling input to, review and circulation of the Business Continuity Plan in a timely manner, to meet the requirements of the business and its stakeholders.
Defines the list of people authorised to hold and maintain printed copies of the versions of the BCP and its constituent sections as they are updated and published from time to time, as listed in Section 2 of this plan.

Role: Infrastructure / technical operations owner
Definition:
Responsible for conducting adequate risk assessments to the infrastructure operations of the business and establishing effective business continuity so as to reduce, or remove the impact and/or duration of potential threats.
Also responsible for defining and executing policy regarding crisis management of incidents impacting infrastructure operations.
Ownership of all policy, plans and activities to ensure the staff can follow required processes using suitable technology and infrastructure to maintain and recover services for the business.
Minimise potential threats and impact of those threats to the business through technical operations, including those arising from infrastructure, staff and suppliers, as well as other external threats.
Responsible for providing all necessary technical facilities to allow staff to be productively employed as soon as possible, in the event of an Incident.
Responsible for ensuring all necessary plans, processes and technology are in place to minimise the likelihood of a threat to the business, through loss, or underperformance of a supplier to technical operations.
Responsible for ensuring effective and timely communications with key suppliers before, during and after incidents.
Engage necessary support from suppliers before, during and after incidents to minimize their impact and duration.

Role: Health and safety operations owner
Definition:
Responsible for ensuring all reasonable precautions are in place to protect the staff in accordance with prevailing health and safety legislation and published best practice.

Role: Client service operations owner
Definition:
Overall ownership and responsibility for ensuring that client services are maintained at the normal level in the face of threats.
Responsible for conducting adequate risk assessments to the services of the business and establishing effective business continuity planning to combat threats to these services, so as to reduce, or remove the impact and/or duration of such threats.
Responsible for defining and executing policy of managed communication with clients, in the event of a threat or incident deemed to require it.

Role: Functional area owner
Definition:
Overall ownership and co-ordination of crisis management and business operational recovery for the relevant functional area, defined by the business.
Responsible for plan maintenance, policy, review and testing activities relevant to the functional area.
Responsible for activating the relevant portions of the plan in response to threats or incidents affecting the functional area.
Responsible for ensuring all relevant personnel within the functional area are able to discharge their individual responsibilities to normal target levels.

Role: Information and communications technology owner
Definition:
Overall responsibility for defining, communicating and implementing policy to ensure resilience of information and communications technology (ICT) activities against potential threats.
Responsible for defining the operational response to an incident in this area.
Overall responsibility for minimising the impact and duration of an incident affecting this functional area.
Responsible for ensuring effective operational practices are in place and well-rehearsed to ensure swift restoration following all anticipated business disruptions.

Role: Human resources owner
Definition:
Overall responsibility for defining, communicating and implementing policy to ensure the resilience of human resources activities against potential incidents.
Responsible for defining the operational response to an incident in this area.
Overall responsibility for minimizing impact and duration of an incident affecting this functional area.
Responsible for ensuring effective operational practices are in place and well-rehearsed to ensure swift restoration following all anticipated business disruptions.
Ensuring that the welfare needs of staff are met during an incident.
Sourcing interim or replacement staff as appropriate.

Role: Client communications owner
Definition:
Responsible for ensuring clients are informed of issues, as directed by the Incident Management Team (BCMT).
Responsible for scripting corporate messages for clients.
Notifying clients when services will be/has been restored and what (if anything) will be done to avoid the same scenario happening in the future.

Role: Supplier communications owner
Definition:
Responsible for ensuring that relevant suppliers are informed of an issue, to the extent required, as directed by the BCMT.
Responsible for defining key messages for suppliers and sourcing alternative suppliers where supply issues are contributing to the severity, or duration of the incident.

Role: Finance owner
Definition:
Overall responsibility for defining, communicating and implementing policy to ensure resilience of finance activities against potential threats.
Responsible for defining the operational response to an incident in this area.
Overall responsibility for minimising impact and duration of an incident affecting this functional area.
Responsible for ensuring effective operational practices are in place and well-rehearsed to ensure swift restoration following all anticipated business disruptions.
Responsible for establishing and maintaining necessary arrangements to enable financial commitments to be met in an incident.
Renegotiating financial facilities and arrangements as necessary to minimise the effects of the incident on the business.
Managing all exceptional financial transactions during an incident, including all insurance and banking matters arising.

Role: Media handling owner
Definition:
Responsible for nominating spokespersons and approving press releases, statements and stories to be used in media handling.

Role: Third parties’ owner
Definition:
Responsible for defining the Member list of third party contacts within organizations on which this BCP has some dependency for execution.
Defines the list of people authorised to hold and maintain printed copies of the versions of the BCP and its constituent sections as they are updated and published from time to time, as listed in Section 2 of this plan.
Risk mitigation
This section identifies the risks to the day-to-day operation of the business, along with a summary of how the business mitigates against those risks. Please also see the following section on action plans.
Each risk below is listed with its impact, mitigation, initial response and additional procedures.

Potential risk: Loss of internet access and systems (including email)
Impact: Critically dependent upon email and internet access for business
Mitigation: Immediate response required to threats to prevent loss of service or long term system unavailability
Initial response:
- Shut down and restart system
- Contact suppliers e.g. IT support if restart fails
- Assess impact and duration on systems availability
- Shutdown if necessary
- Invoke IT Recovery Plan for individual systems as required
- If part of wider system failure invoke Business Continuity Plan
- Communicate impact to senior management
Additional procedures: IT Recovery Plan; Business Continuity Plan

Potential risk: Loss of telephones
Impact: Moderate; Clients and key contacts unable to contact firm via telephone. Some mobile phones available until services are restored.
Mitigation: Telephone communication critical to business
Initial response:
- Investigate fault with service providers and re-establish connectivity asap
- Divert phones to alternative numbers
- May require temporary use of mobiles
- If appropriate, update clients and key contacts of temporary contact details e.g. via website and or email
- Invoke Telecoms Recovery Plan for individual systems if required
- If part of wider system failure invoke Business Continuity Plan
Additional procedures: Telecoms Recovery Plan

Potential risk: Loss of servers / database
Impact: Critical; access to databases, client documents and internet
Mitigation:
- Servers backed up daily
- Service contract in place with Lee Douthwaite / Paul Hartley
Initial response:
- Investigate fault with supplier / IT support and re-establish access to server asap
- Once issue resolved, assess any loss of data, and apply back up as needed to recover information
- If part of wider system failure invoke relevant IT Recovery Plan
- Communicate impact to senior management
Additional procedures: IT Recovery Plan

Potential risk: Cyber-attack e.g. hacking, virus or spyware
Impact: Critical; Systems could be used to commit financial crime. Client data and other records may be compromised
Mitigation:
- Install protection software on all relevant electronic equipment.
- Monitor network activity regularly.
- On site IT Support.
- Additional IT Service contract for when on-site IT support is not available.
Initial response:
- Contact IT support to establish extent of issue and next actions
- Where appropriate, inform clients of potential risk to them
- Where the incident has resulted in loss of client data, the FCA and Information Commissioner should be notified
- Communicate impact to senior management
Additional procedures: IT Recovery Plan

Potential risk: Loss of IT support
Impact: Low; Dependent on hardware and software support in event of failure
Mitigation: Have two different IT Support functions.
Initial response:
- Assess duration and impact of problem
- Source and approve alternative suppliers for required support
- Prioritise client services if some unavailable
- Invoke IT Recovery Plan
Additional procedures: IT Recovery Plan

Potential risk: Power/utilities failure
Impact: Critical; impact on voice and data communications, and operability of office through heating and water supply
Mitigation:
- On site IT Support.
- Additional IT Service contract for when on-site IT support is not available.
- Alternative office available in event of long term failure
Initial response:
- Assess situation
- Call out service contractors
- Liaise with utilities providers if appropriate
- Consider impact and duration on hygiene
- If prolonged, investigate buying in water
- Hire boilers and temporary heaters if necessary
- Prepare engineering solution and if appropriate hire temporary equipment and plug into building systems
- Communicate impact to senior management
- Invoke Business Continuity Plan
Additional procedures: Business Continuity Plan

Potential risk: Fire/smoke
Impact: Critical; Fire can damage systems. Smoke damage can render premises unsuitable. Possible injury/death to staff
Mitigation:
- Buildings have automatic detection
- Tested once a week/month
- Key staff trained in use of fire extinguishers
Initial response:
- Activate fire alarm if not automatically activated
- Treat small and large fires the same way
- Exercise extreme caution
- If safe to do so attempt to locate source of fire and use fire extinguishers if trained to do so
- Implement evacuation process using the nearest and safest exit path
- Conduct head count and assist visitors and contractors if involved
- Only re-enter the premises when informed it is safe to do so
- Follow advice of fire services
- Communicate impact to senior management
Additional procedures: Evacuation Procedure

Potential risk: Flood
Impact: Critical; Flood can damage IT systems, paper records and render office unsuitable. Possible injury/death to staff
Mitigation:
- On site IT Support.
- Additional IT Service contract for when on-site IT support is not available.
- Alternative office available if required
Initial response:
- Implement evacuation process using the nearest and safest exit path
- Conduct head count and assist visitors and contractors
- Contact service provider and/or utility provider
- If appropriate, organise move to alternative premises ensuring that main building is secure
- Communicate impact to senior management
Additional procedures: Evacuation Procedure

Potential risk: Break-in/ vandalism/ sabotage/ fraud
Impact: Critical; Property or equipment may be rendered unusable. Confidential client and other records may be compromised
Mitigation:
- Building alarmed and serviced by Pointer (0141 564 2600)
- Full inventory of assets maintained
- All computers password protected.
- Data backed up off site
- Building Insurance policy with Oddfellows; office equipment and public/employee liability is with Allianz
Initial response:
- Involve police at earliest opportunity
- If party still on premises do not enter
- Exercise extreme caution and preserve any available evidence
- Investigate and assess situation
- Call out contractors to secure premises (e.g. broken windows) if necessary
- Determine extent of damage, theft and impact on business
- Notify insurers
- Engage contractors to repair and replace damaged, stolen assets
- Communicate impact to senior management
- Invoke IT Recovery Plan
Additional procedures: IT Recovery Plan

Potential risk: Threats made to safety of business, staff or premises
Impact: Moderate; Could require evacuation of premises and interruption of business indefinitely until resolved
Mitigation: Assess seriousness and involve police if necessary
Initial response:
- Identify seriousness of threat to determine if a hoax
- Evacuate premises if necessary
- Notify police if appropriate
- Decide in consultation with police if re-entering premises is advisable
- Communicate impact to senior management
- Invoke Business Continuity Plan if needed
Additional procedures: Business Continuity Plan

Potential risk: Prolonged denied access to premises
Impact: Moderate; Catch all category to include major safety incident, environmental, civil unrest. Denial of access to critical systems
Mitigation: Remote/home offices available with full recovery process in place
Initial response:
- Decide safest course of action in consultation with emergency services at remote muster point or other place as advised by emergency services
- Liaise with other senior management, emergency services etc. to assess situation
- Agree on whether to implement Business Continuity Plan and advise staff on plan of action
Additional procedures: Business Continuity Plan

Potential risk: Loss of key staff
Impact: Low; Dependent upon key skills in specialist areas. Possible loss of business/clients
Mitigation:
- Some protection from Terms of Employment
- Regular staff reviews
- Succession planning and deputies in place
- Shareholder / key person protection
Initial response:
- Resignation / employment issues to be reported immediately to senior management
- Assess scale of problem
- Liaise with staff member if appropriate
- Advise insurers/PI insurers if claim to be made
- Instruct solicitors if appropriate
Additional procedures: HR & grievance procedures/staff handbook

Potential risk: Loss of key clients
Impact: Critical; Potential significant loss of income to business
Mitigation: Review process in place to ensure services provided to all clients to agreed standards
Initial response:
- Appropriate manager made aware and client contacted to discuss any concerns
- Advise staff on relevant course of action
- Communicate impact to senior management
Action plans
The following action plans have been developed in response to identified potential threats to the business and the risk assessments made in connection with those identified threats. Each action plan is designed to achieve our business’s intended recovery time objective (RTO), arising from the Business Impact Analysis.
Telecommunications infrastructure failure
This defines the procedures to be followed, or steps to be taken in the event of critical degradation, or outright loss of telecommunications services, affecting voice (telephone), or data (email/web browsing/remote access), such that normal operations are threatened, or actually interrupted.
Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.
Trigger: Initial report of symptom(s)
Action:
1. Investigate fault
Procedure:
1. Locate root cause

Trigger: Failure of external link identified
Action:
1. Contact service provider for fault resolution
2. Establish time frame
Procedure:
1. Service providers fault resolution
2. Switch inbound numbers to a mobile phone if time frame exceeded.

Trigger: Failure of telephone switch identified
Action:
1. Establish interim function of answering system/service
2. Implement system fault resolution
3. Establish time frame
Procedure:
1. Internal system fault resolution
2. Internal system fault resolution
3. Switch inbound numbers to a mobile phone if time frame exceeded.

Trigger: Failure of routing, or own network hardware identified
Action:
1. Implement fault resolution
Procedure:
1. Internal system fault resolution

Trigger: Recovery phase achieved / normal operations resumed
Action:
1. Decide on the extent of the need to inform clients of the situation
2. Inform staff of incident status
Procedure:
1. Client communications
2. Staff communications
Key systems infrastructure failure
This defines the procedures to be followed, or steps to be taken in the event of a threat, or actual incident of loss of key computer systems & services.
Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.
Trigger: Problem reported
Action:
1. Determine whether the problem is local to a server, or with the network
Procedure:
1. Locate and resolve

Trigger: Established that a network server has failed and cannot be used
Action:
1. Determine whether the failed item can be replaced under warranty
Procedure:
1. Replace hardware device & re-install from backup

Trigger: Failed hardware repaired or replaced and functioning correctly
Action:
1. Review age, condition and suitability of all hardware assets and the extent of the business's critical dependence upon each item
Procedure:
1. Replace hardware device
Loss of data
This defines the procedures to be followed, or steps to be taken in the event of a lack of access to correct data usually accessible to a user under conditions.
Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.
Trigger: User cannot access data
Action:
1. Determine whether the lack of access is due to password access failure
2. Check if loss is due to corrupt data
3. Check if loss is due to system configuration change
4. Check if loss is due to faulty workstation
5. Check if loss is due to key systems infrastructure failure
6. Check if loss is due to network, or peripheral routing hardware failure
7. Check if loss is due to failure of telecommunications infrastructure
Procedure:
1. Data access validation
2. Data access validation
3. Data access validation
4. Faulty workstation evaluation
5. Peripheral and routing hardware fault resolution
6. Peripheral and routing hardware fault resolution
7. Data communications service fault resolution
Threat to wellbeing of staff
This defines the procedures to be followed, or steps to be taken in the event of tangible threats to the wellbeing of staff, through the likes of fire, flood, explosions & violence.
Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.
Trigger: Individual, or group is identified as under threat
Action:
1. Alert staff to take action to remove, or avoid threat
2. Invoke staff protection procedures
3. Alert at least one member of the BCMT
4. Inform staff as appropriate
Procedure:
1. Staff communications
2. Staff protection procedure
3. BCMT communications
4. Staff communications

Trigger: Individual, or group is identified as suffering actual harm
Action:
1. Invoke staff protection procedures
2. Alert at least one member of the BCMT
3. Inform staff as appropriate
Procedure:
1. Staff protection procedure
2. BCMT communications
3. Staff communications
Denial of workplace access - short term
This defines the procedures to be followed, or steps to be taken in the event of a threat, or actual loss of access to the workplace for up to 4 hours during office hours.
Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.
Trigger Action Procedure
Trigger: During business hours - premises evacuated
Action:
1. Ensure at least one BCMT member is aware
2. Establish reason for evacuation and confirm premises is unaffected
3. Implement emergency evacuation procedure as appropriate
Procedure:
1. BCMT communications
2. Damage assessment and salvage
3. Fire and evacuation

Trigger: Outside business hours - call received advising denial of access
Action:
1. Establish that business facilities within the premises are unaffected
2. Ensure BCMT leaders are aware
Procedure:
1. BCMT communications
2. Damage assessment and salvage

Trigger: Confirmed that premises is unaffected
Action:
1. Establish expected duration of denial of access
Procedure:
1. Damage assessment and salvage

Trigger: Expected duration of denial of access is established
Action:
1. Decide whether to implement emergency workplaces
Procedure:
1. BCMT meetings

Trigger: Decision not to implement emergency workplaces
Action:
1. Instruct all staff to go home and return to the workplace next working day, or another specified date, or to await further instructions as appropriate
Procedure:
1. Staff communications

Trigger: Decision to implement emergency workplaces
Action:
1. Assess probable impact on clients
2. Divert telephones as appropriate
3. Disable key applications server as required
4. Ensure all staff are advised of where to report and operate from
Procedure:
1. Workload and services assessment
2. Diversion of telephony
3. Disable key application server
4. Staff communications

Trigger: All reports received – emergency operations stable
Action:
1. Advise all affected clients of the situation
2. Advise all relevant suppliers of the situation
3. Confirm expected date/time to return to premises
Procedure:
1. Client communications
2. Supplier communications
3. Staff communications and supplier communications
Trigger: Advised of date of return to premises
Action:
1. Develop plan to return all functional areas affected to normal operation levels
2. Inform all staff of planned date to return to premises
3. Inform all clients of expected date of return to normal operation levels
4. Inform all suppliers of expected date to return to normal operation levels
Procedure:
1. Physical recovery
2. Staff communications
3. Client communications
4. Supplier communications
Denial of workplace access - long term
This defines the procedures to be followed, or steps to be taken in the event of a threat, or actual loss of access to the workplace for more than a 4-hour period during office hours. Refer to the Risk Assessment for Loss of Infrastructure in Appendix 2.
Trigger Action Procedure
Trigger: During business hours - premises evacuated
Action:
1. Ensure at least one BCMT member is aware
2. Establish reason for evacuation and confirm premises are unaffected
3. Implement emergency evacuation procedure as appropriate
Procedure:
1. BCMT communications
2. Damage assessment and salvage
3. Fire and evacuation

Trigger: Outside business hours - call received advising denial of access
Action:
1. Establish that business facilities within the premises are unaffected
2. Ensure BCMT leaders are aware
Procedure:
1. Damage assessment and salvage
2. Situation management team communications

Trigger: Confirmed that premises are unaffected
Action:
1. Establish expected duration of denial of access
Procedure:
1. Damage assessment and salvage

Trigger: Expected duration of denial of access is established
Action:
1. Decide whether to implement emergency workplaces
Procedure:
1. BCMT meetings

Trigger: Decision not to implement emergency workplaces
Action:
1. Instruct all staff to go home and return to the workplace next working day, or another specified date, or to await further instructions as appropriate
Procedure:
1. Staff communications

Trigger: Decision to implement emergency workplaces
Action:
1. Invoke business continuity management centre plans
2. Assess probable impact on clients
3. Divert telephones as appropriate
4. Disable key applications server as required
5. Ensure all staff are advised of where to report and operate from
Procedure:
1. Invoke business continuity management centre
2. Workload and services assessment
3. Diversion of telephony
4. Disable key application server
5. Staff communications

Trigger: All reports received – emergency operations stable
Action:
1. Advise all affected clients of the incident
2. Advise all relevant suppliers of the incident
3. Confirm expected date/time to return to premises
Procedure:
1. Client communications
2. Supplier communications
3. Staff communications & supplier communications

Trigger: Advised of date of return to premises
Action:
1. Develop plan to return all functional areas affected to normal operation levels
2. Inform all staff of planned date to return to premises
3. Inform all clients of expected date of return to normal operation levels
4. Inform all suppliers of expected date to return to normal operation levels
Procedure:
1. Physical recovery
2. Staff communications
3. Client communications
4. Supplier communications
Key suppliers & equipment
This section lists the suppliers who provide a unique and/or critical service. Any loss or disruption of these services would have a disproportionately high negative impact on the business.
Which other businesses are relied upon in order to carry out the processes or activities?
Who are your key suppliers?
Name Risk Risk mitigation Notes
Broadband supplier
Firm reliant on internet access for services, key functions out of action whilst service is down.
Redundancy provided by second broadband line into office, using a different ISP e.g. not reliant on BT backbone
Dial up modems also available
Staff able to work from home
Disaster recovery process covers required action
Additional service level is paid for on Zest 4 (Richard Sheldon) service to ensure reported faults are responded to within 1 hour
An account manager has been established
Office Equipment
Theft would have major financial impact on the firm
All new purchases notified to insurer immediately.
Amount of cover reviewed annually
Staff told not to leave equipment in car
Disaster recovery process covers required action
Insurance with Allianz is on a like-for-like basis
Loss of key personnel resources
This section lists the key personnel who hold or provide a unique and/or critical skill set to the business, whose loss would have a disproportionately high negative impact on the business.
Does any particular member of staff possess a unique skill set?
Name Risk Risk mitigation Notes
Directors / Partners
Difficult to replace income short term on death, and costs of finding a replacement
Keyman insurance in place for £250,000 for each director/partner to replace income and cover costs whilst a replacement is found
Appropriateness of level of cover reviewed annually
Terms of insurance include directors/partners not all travelling together
Travel policy reflects this
Insurance with Life, written in trust for the benefit of the business
IT developer
All code for key IT service is written by one developer
All source code is saved incrementally
Technical notes drafted with each new release
External company used periodically to ensure they have working knowledge of code
Staff contracts state that the business owns all inventions
Notice period is 6 months
Adviser / investment manager
Loss of clients and renewal streams on leaving the business
Incentive scheme locks advisers into business
Clients have regular contact from desk based account manager not just the adviser / investment manager, to encourage loyalty to firm
Contracts have non-solicitation clause for 12 months post exit
This action plan identifies procedures to be followed or steps to be taken in the event of key individuals, or a critical percentage of staff being absent long term, or permanently.
Refer to the Risk Assessment for Loss of Key Personnel Resources in Appendix 2.
Trigger Action Procedure
Trigger: Key account handler: long term
Action:
1. Identify alternates to take on workload
2. Advise clients of interim and/or permanent changes
3. Consider re-assignment of specific account responsibilities to other account handlers
4. Assess current/imminent activity and projects
5. Consider re-assignment of specific account responsibilities to senior managers
6. Advise staff
Procedure:
1. Identify alternate for workload
2. Change of account manager letter
3. Key account review
4. Key account review
5. Key account review
6. Staff communications

Trigger: Key account handler: permanent
Action:
1. Advise clients of interim, or permanent changes
2. Assess current/imminent activity and projects
3. Consider re-assignment of specific account responsibilities to other account handlers
4. Consider re-assignment of specific account responsibilities to senior managers
5. Decide whether to restructure the account-handling team, or to recruit replacement(s)
6. Recruit replacement if appropriate
7. Consider competitive threat/loss of clients
8. Advise staff
Procedure:
1. Change of account manager letter
2. Key account review
3. Key account review
4. Key account review
5. Identify alternate for workload
6. Recruitment
7. Key account review
8. Staff communication

Trigger: Senior manager: long term
Action:
1. Assess current/imminent activity and projects
2. Consider responsibilities that can be delegated to other senior managers
3. Consider interim management resources
4. Advise clients as appropriate
5. Advise suppliers as appropriate
6. Advise staff
Procedure:
1. Assess and prioritise current workload
2. Assess and prioritise current workload
3. Identify alternate for workload
4. Change of account manager letter
5. Supplier communications
6. Staff communications

Trigger: Senior manager: permanent
Action:
1. Consider competitive threat
2. Recruit replacement as appropriate
3. Assess forward workload and responsibilities
4. Consider re-assignment of workload and/or responsibilities to other senior managers
5. Assess requirement for interim management, pending recruitment of replacement
6. Advise clients as appropriate
7. Advise suppliers as appropriate
8. Advise staff
Procedure:
1. Key account review
2. Interim recruitment
3. Assess and prioritise current workload
4. Assess and prioritise current workload
5. Identify alternate for workload
6. Change of account manager letter
7. Supplier communications
8. Staff communications

Trigger: Functional area: critical percentage reduction – long term
Action:
1. Assess & prioritise current workload
2. Decide whether clients will be materially affected and advise as appropriate
3. Review cause and recruit replacement staff as appropriate
4. Engage additional resources from suppliers
Procedure:
1. Assess/prioritise current workload
2. Reallocation of resource letter
3. Recruitment
4. Supplier communications

Trigger: Functional area: critical percentage reduction – permanent
Action:
1. Assess & prioritise current workload
2. Decide whether clients will be materially affected and advise as appropriate
3. Review cause and recruit replacement staff as appropriate
4. Engage additional resources from suppliers
Procedure:
1. Assess/prioritise current workload
2. Reallocation of resource letter
3. Recruitment
4. Supplier communications

Trigger: Key worker: unavailable long term
Action:
1. Evaluate options for workload
2. Notify any clients materially affected
3. Notify any suppliers materially affected
4. Notify staff
Procedure:
1. Identify alternate for workload
2. Client communications
3. Supplier communications
4. Staff communications
Loss of key clients
This section lists any key clients whose loss would have a major impact on the business, or any threats posed by undertaking work for those clients.
Who are your key clients (internal and external)?
What services does the business provide to them?
Name Risk Risk mitigation Notes
All clients
Litigation for poor advice
Professional indemnity insurance provided through Liberty Mutual at £2million
Key conditions are: -
£20k main, 30K on excess layer – see schedule for Endorsements
Procedures – technical operations
Faulty server evaluation
1. Confirm whether issue is loss of access to data and if so, follow the set procedure for this issue.
2. Confirm that the fault can be replicated by the users.
3. Carry out system self-test diagnostics.
4. Identify if fault is a known software problem that can be remedied by applying a patch, or upgrade. If so, apply the patch or upgrade.
5. If reinstallation attempts generate multiple error conditions, schedule the workstation for software rebuild.
6. If the root cause is hardware, schedule the workstation for repair, or replacement accordingly.
Replace hardware device
1. Assess if faulty device can be fixed by replacing or repairing faulty component e.g. screen, cartridge, etc. If so, replace component as an expense item.
2. If not, confirm if replacement devices are available from a local supplier, with sufficient similarities in terms of features.
3. If not, assess cost/benefit of sourcing replacements from remote locations, versus local purchase from local sources, factoring in lead time considerations.
4. Reroute user services to secondary platforms, subject to cost/benefit assessment in terms of time estimated to recover normal operations for user.
5. Purchase replacement device as necessary.
6. Purchase additional replacement devices as necessary, as contingency, if considered beneficial to shorten future recovery to normal operations.
Physical recovery
1. Replacement of IT equipment and systems
The IT and telecommunications systems are to be restored to their previous standard, specification and configuration. A schedule of necessary hardware and software purchases, plus services to achieve this, must be drawn up and submitted to the relevant budget holder for approval.
Where relevant, a schedule of confirmed damage and losses from the salvage contractor, as agreed by the loss adjuster, must accompany this schedule.
2. Replacement of fixtures and fittings
Fixtures and fittings, including furniture, must be reinstated to their pre-incident standard. Approval for all such replacements must be obtained from the loss adjuster. A schedule of all original assets may be obtained from the relevant finance section.
3. Repairs and refurbishment of buildings and infrastructure
If physical damage occurs to the business address, Laytons Solicitors are responsible for effecting such repairs and providing alternative temporary premises in the local area in the interim.
Invoke emergency call routing
1. Confirm main workplace and its facilities will not be available for an extended period (over 1 hour).
2. Reroute telephone lines to designated alternate numbers, as specified by any member of the BCMT.
3. Revert to original routing number when normal operating conditions are resumed.
Disable key application server
1. Notify affected users informing them of relevant server shut down at specified time.
2. Send warning messages to logged on users 30 minutes, 10 minutes and 1 minute prior to shut down.
3. Check that all users are logged off at shut down time.
4. Contact any users still logged on after shut down time and instruct them to log off, or lose work.
5. Issue server shut down command at operating system level.
6. Power system off, if required.
7. If down time is known, include this in the messages to users.
8. Notify user community, or key contacts within it, that services have been recovered, with broadcast email, and/or other notification method.
Communications fault resolution
1. Identify that there appears to be an external communications service fault into the building, such that the phone service is unusable.
2. Contact on-site facilities and inform them of the fault, for escalation to their own service provider, during office hours.
3. Outside of office hours, notify Mark Wilson (04534 751931) or Kerry Wilson (07871 231291) or Esther Brooks (Laytons - 07786 518 116/07787 856 736) *
4. If necessary, contact service provider, advising them of the fault.
5. If the service provider can identify a fault on the line, request an estimated time to resolution.
6. Request the diverting of the line to an alternate number, such as a BCMT-designated mobile phone.
7. Ask service provider to place a message on the relevant line advising callers of the fault, if necessary.
8. Report expected duration of function loss to relevant staff, suppliers and clients as necessary.
9. Switch to alternate communications methods as appropriate.
*In the event of an intruder alarm our Keyholders are Sector Security 01772 794 728. They will attend the property, inspect and, if necessary (i.e. if there has been an incident), contact the police and Esther Brooks.
Internal phone resolution
1. Assess possibility of using alternate handset hardware within the local office.
2. Request replacement handset from Octagon (03456 787878).
3. Check replacement handset works with the underlying phone number.
4. Recheck previous configurations on new handset, such as speed dial.
Peripheral and routing hardware fault resolution
1. Conduct diagnosis to locate the faulty component.
2. Does a unit of the replacement component exist locally on site? If so, replace and re-order to replenish under warranty, or as a purchased consumable.
3. If component cannot easily be replaced, consider rerouting workload, or traffic, or other similar technical workarounds.
4. Notify any staff, clients, or suppliers likely to be materially affected.
5. Ensure replacement of item and restoration of normal operations after installation.
6. Consider cost-benefit of buying spare units of the failing component, or implementing alternative, more resilient technical solution.
Supplier communications
1. Identify list of suppliers materially affected.
2. Determine the nature, frequency and content of the communication, defaulting to email on an ‘as needs’ basis.
3. Specify clearly the way in which the supplier relationship is likely to be affected.
4. Specify any increased services required, or any changes needed in procedures between organizations.
5. Keep suppliers informed regarding likely resumption of normal operations and when it is actually achieved.
Applications recovery to server
1. Power server down if necessary.
2. Un-install any previous versions of the application as required, to permit clean install.
3. Back up associated data, as required.
4. Install fresh version of application, following installation instructions to achieve desired configuration.
5. Check access to the application across the network and locally.
6. Check relevant users can access both the application and any associated data as appropriate.
TECHNICAL OPERATIONS - DATA RECOVERY TO SERVER
Data recovery to server
1. If relevant, back up data files that can be identified.
2. Identify most recent version of stored data required, from various storage media.
3. Deploy data files into correct location, where they can be properly accessed by the user’s application.
4. Notify user when the operation is complete.
5. Check with user that they can access both application and data as expected.
Data access validation procedure
1. Confirm if same data can be accessed from another workstation.
2. Confirm if same data can be accessed using another valid password access code.
3. Check if there are error messages linked to the data source in the relevant system monitoring logs.
4. Check with IT whether there have been any recent configuration changes, since the last time the user recalls having full access.
5. Check what the user recalls doing immediately prior to the loss of access to the data.
Procedures - infrastructure operations
Staff communications
1. In each communication, ensure inclusion of relevant elements of whether there is denial of access, duration of any interruption to normal operations, IT, telephony, other service issues, any casualties and wider considerations of feedback, welfare and staff morale.
2. During office hours:
a. Ensure any staff known to be present, or associated with the affected premises, are advised regarding what action they should take.
b. Initiate emergency call-out/broadcast to notify staff according to agreed, scripted message.
c. If the incident occurs before [4pm] contact all absent staff members to advise them of action to take.
d. Record whether contact was reached, or whether just a message was left.
e. After 5pm, consider contacting remaining staff on their home phone numbers.
f. If any affected staff are on holiday, or away from their home, contact them by phone if possible, otherwise by email and post as a last resort.
3. Outside office hours:
a. If the incident occurs before 8am, consider waiting until after 8am to notify them at home. Otherwise, always default to primary contact on their mobile phone.
b. Give guidance on how long incident is likely to continue.
c. Record whether person has been contacted, or just a message was left.
d. Advise staff on how they will be kept updated on latest developments regarding the incident.
e. Confirm when normal operation has been resumed.
Press communications
1. Unless specifically authorised by the BCMT, no comment should be made to the press. If approached, staff response should be "no comment" and enquiries should be referred to the BCMT.
2. The default spokesperson in incidents will be John Stevenson. When John Stevenson is unavailable, the BCMT shall nominate the most appropriate alternative, which will be Mark Wilson unless otherwise specified.
3. The BCMT shall agree on the content of what shall be communicated, via what channels and to whom, in what order. Prior to briefing the press, a decision should be made as to whether to provide an interview, conference, or merely issue a read press statement. The latter is the preferred method for most foreseeable circumstances.
4. Wherever possible, staff should be notified first, clients second, suppliers third and press last of all. Our business has no specific obligations with respect to notifying the public concerning incidents at its locations. Third parties are responsible for their respective premises.
5. Our policy is to stick to communicating facts and expressing sorrow at any personal loss, or injury suffered as a consequence of the incident.
Fire and evacuation
1. This procedure is to be used in the event of a fire at our offices.
2. If you discover a fire:
a. Operate the fire alarm immediately by breaking the seal on the nearest relevant unit.
b. Attack the fire if possible with the equipment provided, but do not take any personal risks. Leave immediately if the fire cannot be brought quickly under control.
3. On hearing the fire alarm:
a. The alert signal is a continuous ring on a bell alarm.
b. Unless having received prior warning that the alarm is a planned exercise, staff and visiting personnel should proceed immediately to the nearest muster point, the defaults being at the gates to the park on Byrom Street, at the bottom of St John Street.
c. Do not use lifts (except where special arrangements exist for the disabled).
d. Do not stop to collect belongings.
e. Do not re-enter the building until instructed to do so by an authorised person, e.g. a Fire Marshal, a member of the Fire Service or another authorised person.
f. Upon receiving notification of when staff will be able to return to their workspace, the most senior member of staff present in the group should notify a member of the BCMT.
g. Upon returning to the workspace, the most senior member of staff present should assess the workspace for damage and inform the BCMT of the need to invoke damage assessment and salvage procedures, if necessary.
Business continuity management team communications
1. The following should be used for contact between members of the BCMT in connection with business continuity incidents.
2. Regardless of time, contact BCMT members by the following means, in order, until successful:
a. Mobile telephone
b. Home telephone
c. Work email, instant-mail, home e-mail
d. Travel to home address (unless it is known that the contact is away from home)
3. Members of the BCMT and their contact details appear in the contacts section of this BCP.
4. The primary purpose of initially contacting all members of the BCMT is to arrange the first BCMT meeting (see procedure on Business Continuity Management Team meetings).
Damage assessment and salvage
1. In the event of a physical incident where losses and/or damage are likely, call Mark Wilson (04534 751931) or Kerry Wilson (07871 231291) or Esther Brooks (Laytons - 07786 518 116/07787 856 736).
2. Provide information requested and the above will liaise with insurers & loss adjuster, and expedite the recovery process.
3. Given the small amount of material involved, any damaged items should be transported by hired vehicles as necessary.
Business Continuity Management Team meetings
1. The first BCMT meeting will be held at the nominated location agreed by the BCMT, depending on the scale of the emergency. Choices shall include, but not be limited to:
a. 59 Church Street, Farnworth, Bolton, BL4 8AQ
b. [Alternative Site 2]
c. [Alternative Site 3]
2. The objectives and standing agenda for the meetings will be:
a. Casualties, injuries and fatalities, to be recorded
b. Nature/duration of denial of access - likelihood of regaining access to premises - implementation of emergency workplaces
c. Losses, damage and salvage
d. Client communications
e. Impact on clients and services
f. Supplier communications
g. Stakeholders
h. Insurance and finance
i. Prioritise workload and roles within BCMT
j. Staff communications
k. Date/time/venue of next meeting
Invoke business continuity management centre
1. BCMT to discuss options from list of business continuity management centre locations.
2. BCMT to select one location and notify staff from contact list.
3. BCMT to arrange purchase of emergency equipment and facilities for the business continuity management centre.
4. Quantify impact of incident and likely duration of need for the business continuity management centre.
5. Notify staff, suppliers and clients affected and procedure for obtaining latest information.
6. Advise all of likely resumption of normal operations.
Diversion of telephones
1. The main company phone number is 0161 956 2328.
2. The main support number is (Octagon) 03456 787878.
3. Once normal operations are restored, divert the relevant support number back to the default.
Interim recruitment
1. For recruiting senior or key account managers, obtain authority from John Stevenson or Mark Wilson for new position or interim position and determine length of contract.
2. Approach above or Kerry Wilson, or look to use appropriate external recruitment agency to discuss job specification.
3. Obtain approval for and agree contract with appropriate external recruitment agency (none specified).
4. Interview candidates.
5. Make job offer to selected candidate in accordance with standard terms & conditions of employment.
6. Take new employee through induction, as part of their probation period in the company.
Recruitment
1. Obtain authority for new position, including detailed job specification and business case.
2. Approach relevant external recruitment agency to discuss job specification.
3. Obtain approval for and agree contract with appropriate external recruitment agency.
4. Interview and shortlist candidates.
5. Make offer to selected candidate.
6. Take candidate through induction procedure.
Reallocate resource letter
This letter is held as a Word file on the company shared drive.
Dear
Due to the unforeseen consequences of {reason for problem} we are allocating you different members of the {name} department to work with you and your people. {Contact name} will be in contact in the very near future to arrange a mutually convenient time and location for a review meeting.
If you would like to discuss this situation personally, please call me on [number] and I will answer any questions you may have. We hope to count on your support in these unusual circumstances and are very confident of continuing to deliver the high standard of service that you expect from us.
Yours Sincerely,
[Name]
[Title]
New employee induction
1. Ensure employee's details are registered in the business HR files, including signed contract of employment.
2. Notify payroll of employee's details, having obtained employee's last P45 if relevant.
3. Set up person with own e-mail account.
4. Obtain access to necessary systems to enable the employee to perform their tasks.
5. Allocate supervisor responsible for guiding them through the early weeks.
6. Set review date with senior manager as a mentor, to ensure any issues are raised with a mentor.
7. Cover the relevant items on the technical, client services, or infrastructure induction syllabus.
Staff protection procedure
1. Confirm details of the threat of, or actual, harm and which individual member or group of staff is affected.
2. Identify if the individual or group is aware of the potential harm.
3. Seek to communicate with the individual or group to direct them away from the threat, and towards safety, with respect to their location.
4. Seek to educate the individual or group concerning the nature of the threat, to avoid, or minimise it in future.
5. Where relevant, notify the authorities: police, fire, ambulance, coast guard.
6. Direct staff towards counselling services relevant to the nature of harm they may have suffered.
7. Notify wider staff community regarding the nature of action taken and any changes to procedure required, where appropriate.
Procedures - general
Identify alternatives for workload
1. Assess the nature, quantity and expected timescales of the workload and the skills necessary to perform it, by referring to available paperwork, electronic files and co-workers of the person(s) not available.
2. Represent the workload as a set of deliverables with target dates and associated status summaries, or starting positions.
3. Prioritise the workload in terms of the value of the deliverables to the business unit concerned.
4. Evaluate the relative cost/benefits of achieving the deliverables with existing in-house labour with spare capacity, versus subcontracted resources.
5. Formulate a plan identifying all deliverables identified, new deliverable owners, timescales agreed and method of updating progress against the plan.
6. Circulate the plan to all new actioners.
7. Actioners are responsible for notifying their own management and colleagues, and managing their workload to incorporate the newly allocated deliverables, as required.
Assess and prioritise current workload
Procedure for reviewing the activities of owners of the relevant functional areas.
1. Co-ordinator (defaults to most senior team member, unless otherwise agreed) to initiate contact with all relevant representatives of the affected work areas and collate prioritised, bullet-point list of all activities of relevant staff and key third parties.
2. Invite contributions and discuss key perceived issues or activities by project, with all relevant contributors meeting together, or conferenced in.
3. Co-ordinator to summarise consolidated view of contributors to assess collective impact of various courses of action and resource prioritisation on business as a whole.
4. Gain agreement and commitment to proposed consolidated course of action, with action owners identified and completion timescales agreed.
5. Invite any final comments from contributors and integrate comments, or deal with the issues before proceeding.
6. Agree time/manner to review progress against agreed action plan.
7. Document and distribute agreed action plan, by e-mail, or other agreed mechanism, if e-mail cannot be relied upon.
8. Review progress at the set time/manner, unless rescheduled in the intervening time.
9. Repeat the process until workload issues are resolved and normal operations are resumed.
Key contact details
Category Name Telephone Email
BCMT Kerry Wilson 0161 956 2328 [email protected]
Mark Wilson 0161 956 2328 / 07834751931
Greg Harrison 07587 133 940 [email protected]
Lee Douthwaite (Pareto-IT) 0161 819 1311 / 07917 220918
Function managers As above
Response team(s) As above
APPENDICES
VERSION LAST UPDATED
Appendix 1: Full Client Contact List 1.0 03/04/2017
Appendix 2: Risk Assessments 1.0 03/04/2017
Appendix 3: Business process objectives and recovery times 1.0 03/04/2017
Appendix 4: T & Cs of Employment 1.0 03/04/2017
Appendix 5: Software T & Cs of Sale 1.0 03/04/2017
Appendix 6: Internal IT Configuration Diagram 1.0 03/04/2017
Appendix 7: Company Key Details Sheet 1.0 03/04/2017
Appendix 8: Insurance Certificate Copy 1.0 03/04/2017
Appendix 9: Crisis Forms 1.0 03/04/2017
Appendix 10: Business Impact Assessment 1.0 03/04/2017
Appendix 11: Emergency Pack 1.0 03/04/2017
Appendix 12: Threat Vulnerability Matrix 1.0 03/04/2017
Appendix 1: Full client contact list
Internal
Extension Name Mobile Number
N/A John Stevenson 0161 819 1311 / 07780 991 882 N/A
N/A Graeme Fountain 07799 348038
329 Vincent Jeffers N/A
362 Tim Burge N/A
339 Steve Lorenzelli N/A
360 Rachel Holden N/A
361 Mike Lennox N/A
350 Mike Jordan N/A
332 Mark Gallagher N/A
359 Marcus Barclay N/A
324 Kerry Peters N/A
371 Kate Jayden N/A
367 Kate Barrett N/A
331 Joe Turner N/A
328 Geoff Ohemeng N/A
364 Emilia Buczynska N/A
349 Elly Bradshaw N/A
345 Elliot Wood-Meynell N/A
366 David Boardman N/A
351 Darren Hardy-Dearness N/A
363 Barry Westbrook N/A
357 Claire Hammond N/A
341 Alex Langton N/A
342 George Agan N/A
337 Jake Waterfield N/A
347 James Mistiades N/A
348 Jenny Dalton N/A
355 Jill Lees N/A
354 Lottie Wicks N/A
322 Kathryn Cosgrove N/A
327 Katie Rivett N/A
325 Kerry Wilson N/A
326 Mark Wilson 07834 751931
356 Matt Amesbury N/A
344 Reception N/A
330 Ryan Crockart N/A
340 Sam Bowman N/A
327 Sarah Lane N/A
353 Stuart Grant N/A
369 Ania Szylar N/A
370 Greg Harrison 07587133940
Remote Worker Jamie Standish 07544 328714
Remote Worker Mark Barker 07592 246353
Remote Worker Peter Rhodes 07926 736444
Remote Adviser John Webber 07729 076158
Appendix 2: Risk assessment
Version 1.0
Last Reviewed/Updated 04/02/2019
Next Review Scheduled April 2019
Appendix 3: Business process objectives and recovery times
Version 1.0
Last Reviewed/Updated 03/04/2017
Next Review Scheduled 03/04/2018
Appendix 4: T & Cs of employment
Version 1.0
Last Reviewed/Updated 03/04/2017
Next Review Scheduled 03/04/2018
Appendix 5: Software T & Cs of sale
Version 1.0
Last Reviewed/Updated 03/04/2017
Next Review Scheduled 03/04/2018
Appendix 6: Internal IT configuration diagram
Version 1.0
Last Reviewed/Updated 03/04/2017
Next Review Scheduled 03/04/2018
Appendix 7: Company key details sheet
Version 1.0
Last Reviewed/Updated 15/08/2017
Next Review Scheduled 15/08/2018
Appendix 8: See Insurance certificate copy on file
Appendix 9: Crisis forms
IMPACT ASSESSMENT FORM
Manager: Tel/work location:
IMPACT SUMMARY
Date and time of impact: SITE:
Impact on personnel: Loss of life (Y/N) Injuries (level):
Impact on site access: No access Partial access
Controlled access Normal access
Emergency services at site: Fire Police
Ambulance Other:
Critical processes affected:
ASSESSMENT
Considerations Comments
Health & safety
Impact Summary Total Loss Partial loss Minimal loss
Access to building
Use of affected area
Recoverability from affected area of:
Equipment
Work in progress
Vital records
Electricity
Water
Computer data
Voice
Other services
Conclusions
Manager’s signature: Date/time of report:
Appendix 10: Business impact assessment
Clients / Suppliers
Who are your key clients (internal and external)?
What services does the business provide to them?
If the service was unavailable, what length of time would the client tolerate before impacts (tangible and intangible) are felt?
What requirements (contractual, legal, regulatory etc.) must be adhered to for the delivery / performance of this service?
Tangible Impacts
What losses would be experienced in the following areas:
o Financial revenue
o Fines and/or penalties
o Backlog processing costs
Intangible Impacts
What losses could be experienced in the following areas:
o Loss of clients as a result of dissatisfaction
o Missed opportunity
o Loss of market share
o Loss of stakeholder or investor confidence
o Loss of employee morale leading to higher staff turnover
Internal Environment
How high is the turnover of staff within the business?
Does any particular member of staff possess a unique skill set?
Are management succession plans in place?
What systems (IT or otherwise) does the business rely upon?
What critical information is required in order to perform the business's processes or activities?
Where is this information stored?
Is the information secure?
Is the information backed up?
Who has access to the information?
Which other businesses are relied upon in order to carry out the processes or activities?
External Suppliers
Who are your key suppliers?
What services or products do they provide to you?
How long could your business tolerate non-supply before it impacted the ability to perform processes or activities?
What requirements (contractual etc.) must your supplier adhere to for the delivery / performance of their service or product?
Could any alternatives be identified and, if so, has this been done?
Type of impact and its effects
Impact descriptors and event categorisation
Catastrophic High Medium Low
FINANCIAL
Loss of revenue e.g. <£10m for large business Loss of revenue e.g. <£10m for
large business Loss of revenue
Loss of shareholder value
Penalties
Bad debts
Additional operating cost(s)
NON-FINANCIAL
Reputational loss
Catastrophic: E.g. Adverse and sustained national media campaign and/or loss of confidence/trust by market, public and/or damage to brand image and trust.
High: E.g. Adverse comment in national media and/or loss of confidence in a range of service and/or products or several parts of the organisation.
Medium: E.g. Adverse comment in national media and/or loss of confidence in specific service and/or product or part of organisation.
Low: E.g. Adverse comment in local media only and/or confined to a limited number of localised clients.
Loss of operational capacity
Client service
Regulatory/ legal
Loss of market share
Loss of quality
Brand tarnish
Environmental
Contractual
Staff morale
Political
Appendix 11: Emergency pack
Documents:
Business continuity plan – your plan to recover your business or organisation.
List of employees with contact details – include home and mobile numbers, and e-mail addresses. You may also wish to include next-of-kin contact details.
Lists of client and supplier details.
Contact details for emergency glaziers and building contractors.
Contact details for utility companies.
Building site plan (this could help in a salvage effort), including location of gas, electricity and water shut off points.
Latest stock and equipment inventory.
Insurance company details.
Financial and banking information.
Product lists and specifications.
Formulas and trade secrets.
Local authority contact details.
Headed stationery and company seals and documents.
Equipment:
Computer back up tapes / disks / USB memory sticks or flash drives.
Spare keys / security codes.
Torch and spare batteries.
Hazard and cordon tape.
Message pads and flip chart.
Marker pens (for temporary signs).
General stationery (pens, paper, etc.).
Mobile telephone with credit available, plus charger.
Dust and toxic fume masks.
Disposable camera (useful for recording evidence in an insurance claim).
Ensure you are able to repair or replace any equipment vital to your business at short notice. If you are able to, consider storing spare parts off-site.
Notes:
Make sure this pack is stored safely and securely off-site (in another location).
Ensure items in the pack are checked regularly, are kept up to date, and are working.
Remember that cash / credit cards may be needed for emergency expenditure.
This list is not exhaustive, and there may be other documents or equipment that should be included for your business or organisation.
Appendix 12: Threat vulnerability matrix
Type of threat Likelihood of occurrence (probability or frequency)
High Medium Low Minimal
Fire X
Power failure X
Flood X
Bomb X
Lost data X
Security breach X
Telecoms failure X
Terrorist attack X
Industrial action X
Key
High: high risk occurring at least once a week.
Medium: medium risk occurring once a quarter.
Low: low risk occurring annually/bi-annually.
Minimal: very low risk – may never occur.