INTRODUCTION
Hirett (hereinafter referred to as the “Company”) business continuity plan will be distributed to the relevant staff members of the business continuity and management teams / nominated representative.
A master copy of this BCP document will always be maintained by the directors and shall be located in a secure place off-site.
For further risk mitigation, an electronic copy of this plan will be stored on a secure USB flash drive for printing on demand.
WHY THIS POLICY EXISTS
Disaster Recovery (or Business Continuity Planning), is the processes, controls, measures, policies and procedures that together, enable a company to recovery and/or continue to trade following a natural or human-induced disaster or situation. All businesses should have some form of recovery program, however those in consumer credit and financial services industries are expected to have fully documented, robust and tested plans to protect consumer interests and safeguard assets.
Vital technology infrastructure and systems are susceptible to disruptions when dealing with potential threats and disaster recovery plans form an extensive program from documenting systems, assets and information flows, through to stress-testing, back-ups and continuity plans. Any event that compromises or negatively impacts standard operations within the business are documented, with mitigating actions or alternative solutions included in the plan should a threat occur.
A plan will usually include a range of threats, risks and disasters that could happen; internal and external; natural or human-based, enabling Directors and Senior Management to assess each scenario and implement measures and controls before the issue arises. It is essential in any Disaster Recovery Plan, to include all possible threats and risks and not just focus on the obvious ones such as fire, electricity outage or network virus. For example, if an illness or virus affected 80% of a business’s workforce, to would be difficult to continue operating as normal or if the office location became uninhabitable, plans for back-up sites should be included.
PURPOSE
The purpose of this policy is to provide a flexible and documented response so that the Company can respond to a disruptive incident, maintain delivery of critical activities and services during any such incidents and resume ‘Business as usual’ in the shortest time, with the least disruption.
This plan acts as a guidance and support document in the event of any threat scenario occurring and its development has included key stakeholder and prominent employees and suppliers.
POLICY SCOPE
The policy relates to all the Company staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
OBJECTIVES
The Company is dedicated to restoring standard operating procedures as soon as is possible after any threat has occurred, and this recovery plan documents each aspect of the processes, measures and requirements to do that. We have several objectives for our recovery plan: –
- To develop, retain and maintain a detailed and up-to-date Disaster Recovery Plan (DRP)
- Understand the critical functions and activities of the business
- Identify, analyse, assess and document risks to the Company and continued operation
- Identify the key roles, responsibilities and contacts to respond to an emergency
- Maintain effective running of the business in the event of a crisis or emergency
- To ensure that all staff are aware of the DRP/BCP and their role in complying with its processes
- To minimise disruptions to the Company’s normal business operations
- To limit the extent and impact of any such disruption and/or damage
- To minimise the economic, client, customer and employee impact of any disruption
- To ensure that an alternative, adequate and appropriate means of operating is in place
- To ensure that employees and associated DRP/BCP suppliers are fully trained as to their part in any emergency procedure
- To provide a safe, swift and effective restoration to normal service
DISASTER RECOVERY PLAN
Distribution List
The below distribution list contains the names, contact details and DRP role of any employee, locums or 3rd party who has a copy of the DRP and who are fully aware of the procedures to be followed in the event of a crisis, threat or emergency.
This plan has been distributed to the relevant staff members of the business continuity and management teams and a master copy is maintained by the company Director and is in a secure place off-site. For further risk mitigation, an electronic copy of this plan is stored on a secure USB flash drive for printing on demand.
BUSINESS IMPACT ANALYSIS
The Company has completed a full Business Impact Analysis (BIA) and a risk assessment to enable us to understand our critical functions, risks to the continued operation of the business and plan for recovery.
There are several key functions (referred to in this document as Critical Functions) that are essential to the normal operation of the Company and as such, require immediate restoration after an emergency incident.
The BIA enables the Company to differentiate the critical (urgent) and non-critical (non-urgent) functions of the business, this providing us with a priority order in which to allocate resources and start restoration actions and measures. Critical functions are then given a priority describe in which order of priority the critical functions are to be completed.
When carrying out a business impact and risk assessment on each area, we aim to assign a Recovery Time Objective (RTO) to each function. This is the maximum length of time that the Company can manage a disruption to this critical function before it threatens the Company’s viability or ability to operate normally.
EMERGENCY PACK
As part of the Company’s recovery plan, we retain copies of back-up’s, key documents, spare keys, insurance documents, records and equipment in a secure, off-site in a readily available and up-to-date emergency pack. This pack is only accessible by the Director/IT Manager and can be retrieved in the event of an emergency to aid in the recovery process.
UPDATES & ANNUAL REVIEW
The Company updates this plan whenever we have a material change to our operations, structure, business or location or to those of our clearing firm. In addition, we review and test this DRP annually, to modify any changes in our operations, structure, business or location or those of our clearing firm and to ensure that all steps, processes and functions are appropriate, functioning and effective.
ACTIONS AND EXPENSES LOG
This table is used to record decisions, actions and expenses incurred in the recovery process and is used to provide information for the post-recovery debriefing, and to help provide evidence of costs incurred for any claim under an insurance policy.
Date/Time | Decision / action taken | Responsible person | Cost(s) incurred |