APPENDIX 1: A BCM POLICY

Business continuity policy

Policy statement

The Board of International Services recognises that the changing nature of the environment in which we operate means that our ability to continue operation uninterrupted can no longer be assured. Whilst we may not have experienced a significant interruptive incident in the past, we know from the experiences of others that International Services also could be seriously affected by an unforeseen incident.

Our customers are entitled to expect that we do everything possible to ensure minimum disruption to our operations, and the delivery of services upon which they rely. To this end, International Services (the company) has embarked upon a business continuity management (BCM) programme which will result in a set of interlocking plans and arrangements that will ensure the best response to a major incident.

The company must be as resilient as possible, so that many incidents outside our control will have little or no effect on our operations, and so that, when a major incident occurs, our ability to recover is founded on a planned and well-thought-out approach, utilising contingency resources that we maintain for such eventualities.

In the event of a major incident, priority will be placed upon the safety and welfare of our staff and visitors, above the restoration of business activities. Whilst the two are not mutually exclusive, management focus and resources will be diverted, where necessary, from business activity recovery, to ensuring safety and welfare.

Scope

In order to optimise the application of resources to the BCM programme, the scope defines areas of the company that are subject to its measures and that benefit from its additional protection. These areas are set out in the following table.

Areas of the company falling within the scope of the BCM system

| Area | Within scope |
|---|---|
| Locations | Entire head office site, Southampton; Port operations office, Harwich; APAC headquarters, Singapore; Americas headquarters, San Diego |
| Business units | All business units |
| Activities | All activities conducted by business units and at locations within this scope |
| Supply chain | All Level 1 suppliers (ref: approved supplier’s list) |
| Resources | Telecommunications and information systems, including all data in use; Office buildings and facilities; Service facilities, plant and equipment; People |
| Stakeholders | Group board; Non-executive directors; Shareholders; Customers – Groups A and B only |
| Incidents and scenarios | Any incident leading directly to the prolonged evacuation of the group’s facilities; Inability to access the International Services corporate IT network; Absence due to illness, including pandemic influenza, of significant numbers of staff; Political or other prevention of the delivery of services worldwide |
| Timeline and phases | The assessment of impact, and planning of response and contingencies, will be based upon elapsed time following the interruption of operational activities, constituting the ‘timeline’. The earliest point on the timeline is one day. The latest point on the timeline is 12 months. The timeline features three phases: 1 Incident response – measured in days; 2 Operational continuity – measured in weeks; 3 Full recovery – measured in months. Plans and contingencies will cover the first two phases: Incident Response and Operational Continuity. |

The requirements of this policy relate only to the areas of the company listed in the table above.

Business continuity management objectives

The BCM objectives are as follows:

  • To ensure the safety and welfare of the company’s staff and directors, and of any visitors who are in the company’s premises at the time of an incident.
  • To minimise the impact on the company of any interruption to normal activities, to a level which is below the impact tolerance level stated in this policy.
  • To contain any financial costs associated with interruptions or incidents to levels that will be covered by the company’s insurances.
  • To protect the company’s reputation as a reliable and resilient supplier of products and services, and to ensure that business, following any interruption, is not adversely affected by reduced levels of activity during an interruption.
  • To protect the company’s brand and image in all media, during and following any interruption, so that its ability to secure new business in the future is not prejudiced by the interruption, or the company’s response to it.

Business continuity management principles

The BCM system is based upon the principles of ISO 22301 (the international standard for business continuity management systems) and includes the following components:

| BCM component | Practical requirement(s) |
|---|---|
| Business impact analysis | Assessment and analysis of the company’s operational activities and services, and their relative criticality |
| Disaster recovery | Arrangements for the restoration or provision of alternative enabling resources, and procedures for the invocation of those resources |
| BC planning | Documented plans at group, company, division and service levels, setting out key actions to be taken in response to a variety of scenarios, and showing how activities will be restored |
| Culture | An ongoing programme of activities aimed at maximising the awareness of BCM amongst all staff and stakeholders, and securing collaborative ‘buy-in’, so as to ensure the continued operability and maintenance of the BCM system |
| Testing | An ongoing programme of activities that test all aspects of the BCM system, thereby proving its adequacy and operability and providing assurance to the Board |

Business impact analysis

The key objective of the BCM programme is the limitation of impacts arising from an incident. However, it is recognised that the company must be prepared to accept a certain level of impact in the event of an interruption, not least so as to limit the level of expenditure on risk controls and resilience measures.

The Board will, from time to time, publish criteria for the assessment of impact. These criteria will include, but not be limited to, impacts whose nature is:

  • Financial
  • Reputational
  • Customer service/satisfaction.

The following table defines the levels of impact that are used in making assessments.

| Level | Impact |
|---|---|
| Very high | Impact that is likely to terminate the group’s existence |
| High | Impact that exceeds the group’s tolerance, but from which it would expect to eventually recover |
| Medium | Major loss of business value |
| Low | Significant loss of business value |
| Very low | Minor loss of business value |

The company’s tolerance level for impact is as follows:

Impact tolerance: Low

Maximum tolerable period of disruption

Generally, the impact sustained following an interruptive incident will continue to increase with time, until the service is resumed. The priority and resource resilience given to each activity is established on an objective basis, so the Maximum Tolerable Period of Disruption (MTPD) is a function of the rate of increase of impact, and the impact tolerance stated above.

For each activity, the MTPD is the point on the timeline at or before which the activity must be resumed, so that the resulting impact will be within the stated impact tolerance.

The recovery time objective (RTO) for each activity is a time period shorter than the MTPD, allowing for the gradual recovery of activities and where the activity can, in any event, be recovered much more quickly. The Board may vary MTPD and RTO at its discretion.

Business continuity plans

In the event of the business continuity plan (BCP) being activated, the command team will use the BCP, and its associated documents, to guide their decisions on response and recovery actions. The structure of plans is as follows:

  • Group plan
  • Business unit (location) plans.

All plans set out their scope of applicability, so that it is always clear which plans should be activated, and the response and recovery activities that they cover.

Contingencies

The BCM system includes, and relies upon, a range of contingency resources that may be invoked as required, depending upon the nature of any incident.

The arrangements for each contingency resource include a specification for invocation and availability, embodied within the relevant plans and procedures.

Expenditure on contingency resources is based upon the criticality of the activity in question and upon its RTO, and is approved by the Board.

For information and any other rapidly changing resources, a recovery point objective (RPO) will also be established, to ensure that the restored resource provides the appropriate level of operational capability.

Responsibilities

The Chief Executive is responsible and accountable to the Board for the proper development and maintenance of the BCM system.

The risk subcommittee of the Board is responsible for overseeing development, implementation and maintenance of the BCM system, under the day-to-day control of the Group Head of Risk.

All heads of business units are responsible and accountable to the Chief Executive for executing the actions required of them by the BCM Committee and Group Head of Risk.

Any and all material changes to any part of the BCM system will be approved by the Board(s).

Response organisation

The response organisation comprises the following teams:

Group

The group team is responsible for overall leadership and direction of response activities in more serious cases, and will normally be mobilised in situations where:

  • There is a requirement for media handling or public relations
  • There are casualties
  • More than one site or business unit is directly affected by the incident
  • Southampton site is directly affected by the incident.

Business unit

Business unit teams are responsible for leadership of response and recovery activities, and the recovery of activities within specified RTOs.

They are always mobilised when an incident directly affects their operational activities, and they may be mobilised in certain cases when inter-location or inter-unit collaboration or support is required.

Testing and maintenance

The BCM system will be tested on a regular basis, including:

  • Desktop rehearsal of business unit business plans at least every 12 months.
  • Exercise at business unit level, including testing of in-house and outsourced contingency arrangements at least every 18 months.
  • Group-level exercise involving some activation of all business unit plans and testing of in-house and outsourced contingency arrangements at least every 24 months.

A detailed testing plan will be subject to approval annually by the Board, and will be maintained and implemented by the Group Head of Risk.

Awareness and culture

The company recognises that the BCM system will be most effective when all employees and stakeholders have an appropriate level of awareness of resilience, contingencies and response plans.

An awareness and education programme will be developed and implemented by the Group Head of Risk, and the completion of relevant training and execution of actions required to maintain the BCM system, will be treated as objectives within the company’s performance management system.

Reporting

The Group Head of Risk will report to the Board on a regular basis that, through appropriate testing of the BCM system and fulfilment of all maintenance actions in respect of plans and contingencies, the company’s business interruption risks are being appropriately and effectively managed.
