Business Continuity Management BCM Procedures | Operating Principles and Framework | Business Impact Analysis BIA Overview and Threshold | Authorised Payment Institution API | Electronic Money Institution E-money EMI | Small Payment Institution SPI

Figure 3- BIA Maximum Disruption Time Periods

The standard approach also adopts a threshold approach, where thresholds are set for each of the impact areas and the impact questions determine how quickly these thresholds are reached. Section 5.1.2 BIA Thresholds describes the threshold in more detail.

5.1.1 BIA Overview

The BIA compromises the following sections:

1. General Information

1.1. BIA Information- provides summary information on the business area and the assignees/approvers for the BIA
1.2. Department/ Team Overview- provides an overview of the team including location, description of activities and operating hours
1.3. Processes and functions- list the processes/functions performed by the department, with the summary FTE information.

2. Impacts

2.1. Business Impact: Profile Over Time- assessment of how the impact of a business interruption develops over the Maximum Disruption Time Periods (Figure 3 above) in the following areas: Regulatory, Financial, Customer Service, Reputational and Operational
2.2. Regulatory Deadlines- summarises any regulatory requirements the department must comply with.

3. Priorities

3.1. Business Impact: Threshold Analysis- displays the time periods for which the impact threshold has been breached, indicating an unacceptable level of impact
3.2. Department Recovery Requirements – captures the Maximum Disruption Time for the department, with a recommendation based on the threshold analysis
3.3. Process/Function Recovery Requirements -captures the Maximum Disruption Time(s) for the department Process(es).

4. Dependencies

4.1. Internal Dependencies – Upstream- captures information on any internal departments upon which the department completing the BIA is dependent
4.2. Internal Dependencies – Downstream-captures information on any internal departments which are dependent on the department completing the BIA
4.3. External Third-Party Dependencies-captures the information on any external third parties (e.g. service providers or other companies) upon which the department completing the BIA is dependent.
4.4. IT Service Dependencies- captures information on any IT Service upon which the department completing the BIA is dependent
4.5. End User Computing (EUC) Dependencies- captures information on any End User Computing applications upon which the department completing the BIA is dependent.

5.1.2 BIA Thresholds

The key output of the BIA is the Maximum Disruption Time for the department. This is based on answers given for each of the impact areas shown out in Figure 4 below:

The key steps are as follows:

1. Threshold for all BIAs – the impact threshold for each impact area has been set as “C. MEDIUM” for all BIAS across the Company.
2. Use answers to Impact questions to determine first threshold breach – since the impact questions capture the impact over the standard interruption time periods, this information can be used to determine if and how quickly the “C. MEDIUM” impact threshold in any of the impact areas is reached
3. Set Maximum Disruption Time for department and underlying processes/functions – the interruption time period where the first impact area threshold is reached is then suggested as the Maximum Disruption Time for the department. The department completing the BIA then selects Maximum Disruption Time for the department. This may be different to the suggested Maximum Disruption Time, although justification must be provided. The department completing the BIA then must specify the maximum downtime for each of the processes/functions identified in the BIA. This process-level Maximum Disruption Time can be different to the department Maximum Disruption Time, but cannot be shorter, so if for example the department-level Maximum Disruption Time of “SAME DAY (1-5HRS)” or longer, but cannot be “IMMEDIATE (<1 HR).” Also, at least one process must have the same Maximum Disruption Time as the department Maximum Disruption Time.

5.1.3 BIA Weighting and Scoring
Since the Maximum Disruption Time for a department is based on when thresholds are reached, it is not an absolute definition of criticality. An absolute value of the criticality of a department, which

will allow comparison across different businesses, can be determined from a consistent weighting/scoring approach.
The standard approach to BIA provides an overall “score” for each BIA, based on the responses to the impact questions. This allows departments to be compared against one another so that (e.g.) a priority order can be determined for a location as an input into any Major Incident Management decisions. The scoring is flexible enough to allow different weightings to be applied to different impact area questions, answers and interruption time periods, as shown in Figure 5 below:

Figure 5 – BIA Weighting Definition

6. BCM Framework – Develop the Strategy

Having identified the most critical processes and set a timeframe for their continuation, the BCM strategy for the department should now be developed. In the context of department-level planning, the BCM Strategy comprises one or more BCM Responses, which allow the department to recover from a range of Interruption Scenarios.
The Interruption Scenarios to be planned for are described in 6.1 BCM Interruption Scenarios. The BCM Responses to these scenarios are described in section 6.2 BCM Responses. There are numerous BCM Responses available to a department, each offering a different level of resilience and associated cost. Departments must plan for an interruption lasting up to one month or longer.
There are important organisational & technology factors to consider in the definition of BCM strategies (see sections 6.4 General Considerations and 6.5 Technology Considerations). Also, there may be local Regulatory and Compliance requirements that must be met.
Business areas may choose to define a “joined-up” BCM Strategy that applies across a number of departments or locations. For the purpose of this BCM Procedures document, we shall consider BCM Strategy and BCM Responses as they apply to a single department.

6.1 BCM Interruption Scenarios
The common list of interruption scenarios to be considered for all BCM planning activities is referred to as the Master Interruption Scenario List. This represents the minimum standard of scenarios that must be considered, although it is possible for departments to add Interruption Scenarios based on specific business need or regulatory requirement. The table below shows the Master Interruption

Scenario List, along with example causes. Note, these interruption scenarios are not mutually exclusive, and a single threat scenario (e.g. Terrorist bomb) may result in more than one interruption scenario being realised (e.g. Unavailability of Premises, Unavailability of Staff, etc.).

Optional Interruption Scenario (see Notes)

NOTES:

1. Optional scenario, applicable for locations identified as requiring partial-loss planning (e.g. iconic buildings, large call centres, etc.)
2. Applicable subject to requirement and agreement with BCM Governance
3. Standard telephony will be considered as an IT Service – the “Loss of Telephony” interruption scenario should consider the impact on telephony (e.g. Customer Service)

Figure 6 – Master Interruption Scenario List

6.2 BCM Responses
The BCM Strategy for a department comprises one or more BCM Responses – a department will typically have a range of BCM Responses available to it:

• Workload Resilience – where workload is either balanced across locations in BAU, or can be transferred to alternative locations during an interruption. This does not involve relocation of any staff.
• Staff Relocation – where staff are relocated to an alternate site (e.g. a Work Area Recovery site), typically within easy travelling distance of the main location.
• Home Working – where staff use remote access infrastructure to work from home
• Key Dependency Responses – where responses specific to a loss of a key dependency are invoked (e.g. alternate Supplier strategy, IT Service manual workaround, etc.)

The Generic BCM Response List does not include response strategies/plans for specific, high- likelihood threats that must also be planned for where appropriate (e.g. Hurricane Preparedness Plans, Earthquake Response Plans, Pandemic Readiness Plans, etc.). The Generic BCM Response List is shown in Figure 7 below.

Figure 7 – Generic BCM Response List

6.3 BCM Responses and Activation Times

The BCM Responses available to allow a department to recover from specific Interruption Scenarios are shown in Figure 9 below. This also sets out the appropriate Minimum BCM Response Activation Times for each response.
The Response Activation Time is the timeframe within which a BCM Response selected by a department must be available during an incident. GBRT calculates the Response Activation Time as the shortest Maximum Disruption Time for all the processes using that BCM Response.
The table Figure 8 in shows “Home Working” as a BCM Response suitable for all Response Activation
Times. However, the following conditions apply:

Figure 8 – Home Working Responses

Selection of Home Working as a BCM Response will of course depend also on the ability of a department to conduct work from home (often there are technology limitations) and whether home work is permitted from a regulatory/compliance perspective.
Once BCM Responses have been selected, requirements specific to that response (e.g. number of seats in a Work Area Recovery location, anticipated volumes for a Workload Shifting response, etc.) must be gathered.

6.4 General Considerations

6.4.1 Staff Relocation – Work Area Recovery Sites and Displacement Locations

A Work Area Recovery site or Displacement Location is key to support many of the Staff Relocation BCM Responses. Whilst there are many local factors that should be considered, key considerations include that a Work Area Recovery site or a Displacement Location should:

• Be located as far away as possible from the primary location, whilst allowing resumption of activities within Maximum Disruption Times;
• Ideally situated outside the metro-area where transportation & parking is adequate for extended (e.g. one month) use
• Be located on separate utility and telecom grids to the primary location
• Not share the same environmental risks (e.g. not on the same flood plain)
• Have sufficient seating capacity to allow continuity of business activities for an impacted location within Maximum Disruption Times
• Have ‘call redirection’ phone arrangements from the primary site where available/appropriate (e.g. personal extensions for critical areas, where services available, or limited to 800/main listed numbers, again where services exist and are cost-effective)
• Provide access to all critical IT services and market data
• Be as inconspicuous as possible without office branding where feasible
• Support dual-site working between primary and business resumption sites (e.g. pre-emptive measure for critical departments during or transportation disruption, severe weather, etc.)
• Utilise Virtual Desktop Infrastructure (VDI) where possible to simplify provision of user desktops which, if not utilised in BAU operations, should be verified at least quarterly
• Provide solutions to address any risks identified with control of information (e.g. Chinese Walls).

6.4.2 Workload Resilience

The majority of BCM Strategies in place today are of the Staff Relocation type and utilise BCM Responses depending on business resumption sites. Opportunities to utilise Workload Resilience BCM Responses, where workload – not staff – is moved between locations, should be actively considered and become an increasingly significant part of the BCM Strategies utilised by businesses.
There are different types of Workload Resilience BCM Response that can be considered:

• BAU active – active split across one or more locations (WR1, WR2, WR3) or workload shifting during an interruption (WR4, WR5, WR6)
• Distance between locations e.g. Same City (WR1, WR4), Different Cities (WR2, WR5) or Same Country/Regions (WR3, WR6)

For these responses to work when needed, the two locations would need the same business process/products, use standardised technology.
It is also important to note that any Workload Resilience solution will always involve business trade- offs because few locations would have the bandwidth to support another site and continue its own business at pre-interruption levels. Careful capacity and prioritisation planning are required in for such solutions.
Care should also be taken to ensure the Legal, Regulatory Compliance and Tax issues inherent in any cross-border solutions are considered appropriately.

6.4.3 Split-site operating models

Where offshoring is not practical, it may still be possible to decentralise staff to reduce concentration risks. For example, opportunities to move Support & IT staff to back-up sites or other in-country locations or establish split-site support services are realistic alternatives to consider.

6.4.4 Home Working

Working from home is a viable BCM response to consider for some departments, however it is not typically appropriate for many critical or customer -facing (e.g., customer service, IT Support) functions because of the problem it poses for remote business supervision and control.
The BCM Strategy cannot rely solely on Home Working BCM Responses and must also consider either Staff Relocation or Workload.

6.5 Technology Considerations

The technology that supports the vast majority of our business must be available at all times and accessible from any location.

6.6 Third Party management and BCM

Where a business/function is dependent on a Third Party for the supply of critical services, then care must be taken to ensure that the Third Party has satisfactory BCM strategies in place to support the business. The contractual arrangements with the suppliers should clearly address our BCM requirements. Hirett will be utilizing AWS Database and Cloud Services. Hirett entire infrastructure will be hosted on AWS, no other third-party services will be utilised. Hirett AWS instance will be hosted across multiple AWS regions to ensure resilience and business continuity.
AWS relationships will be managed and governed by AWS terms and policy. See link for details. https://aws.amazon.com/agreement/

6.7 Pandemic Response Strategies

Globally countries continue to be exposed to the risk of an influenza virus which is typically H1N1 for seasonal flu and H5N1 for avian flu. We continue to see very same cases in humans of avian flu and any potential pandemic here is very small, however there remains a risk of pandemic outbreaks.
Existing planning covers a severe pandemic and this would progressively be confirmed by the World Health Organisation leading potentially to a level 6 outbreak. As with the 2009 swine flu attack this could be relatively mild in its direct impact on humans and our operations and as such the three responses set out in Figure 9 below should be followed.

Figure 9 – Pandemic Response Phases

6.1  Records Management

Essential Records are business records without which the business would be unable to operate. They are either irreplaceable, time consuming or costly to replace. Depending on operational requirements, Essential Records can be both Primary and Secondary Records. Once Essential Records are identified, appropriate actions should be taken to ensure their availability in the event of major incident.

Essential Records must be detailed in the Business Continuity Plan. Details must be recorded of what these records are, how they are managed, (whether in paper or electronic), how they can be obtained and the timeframe that they are required during an incident.

7. BCM Framework

7.1  Plan Review and Update

All Business Impact Analysis and Business Continuity Plans must be reviewed and updated at least annually and within the last twelve calendar months or follows significant business change. Plans for critical areas may be reviewed more regularly (e.g. contacts section for a large plan may be reviewed quarterly), particularly where there is a large turn-over of staff.

Where new departments are created in the business or new strategies are adopted for existing departments, the following time-scales for the initial creation of plans and exercising of responses must be followed.

New Departments:

• Business Impact Analysis completed and approved within 3 months of creation of the department
• BC Plan completed and approved within 3 months of approval of the BIA for departments with a MDT of Immediate (<1HR), Same Day (1-5HRS) or Next Day (5-24HRS)
• BC Plan completed and approved within 6 months of approval of the BIA for departments with a MDT of Same Week (1-6 days) or longer
• BCM Responses, all responses must be exercised within 3 months of approval of the BC Plan New BCM Responses for existing BC Plans:
• All new BCM Responses must be exercised within 3 months of approval of the BC Plan

7.2  Training & Awareness

All staff should be familiar with their BC Plans. To ensure this, training & awareness programs should be provided when staff first join Hirett Online and at least annually thereafter and within the last twelve calendar months. Mandatory on-line BCM Training has also been developed in conjunction with Learning & Development and is mandatory for all staff on an annual basis. All new joiners will have to undergo this mandatory training as part of the “Discovery” programme.

Other recommendations to promote training and awareness include:

• Ensuring that BCM materials and, where possible, plans are viewable on the intranet
• Providing relevant staff with “wallet” cards of key contact numbers to use in case of plan invocation
• Establishing ‘Business Continuity’ emergency phone lines as an alternative method of communicating important messages should an event occur
• Ensuring that all relevant staff visit the Work Area Recovery or Displacement site periodically so that they are familiar with the location and seating arrangements
• Conducting individual briefing/induction and regular awareness training for business continuity co-ordinators.

Appendix A – Business Continuity Management (BCM) Definitions

1. Business Continuity Management

A strategic and tactical capability of the organisation to plan for and respond to incidents and/or business disruptions in order to continue business operations at an acceptable predefined level.

2. Business Continuity Planning

The process of developing prior arrangements and procedures that enable an organisation, businesses or departments to respond to an incident in a manner that critical business activities can continue within planned levels of disruption resulting in the creation of a Business Continuity Plan (BCP).

3. Business Impact Analysis (BIA)

The process of analysing the activities of business functions and the effect that a business disruption might have upon them. This should identify key dependencies and recovery time frames to minimise financial loss and any reputational damage.

4. Business Resilience

The combination of planning whether by businesses, IT, Corporate Real Estate, Human Resources or Service Delivery in ensuring the ability exists to maintain operations in the face of man-made or natural disaster events. This represents a collective effort against a wide range of threats.

5 Business Continuity Plan (BC Plan)

A plan to deal with a specific set of adverse circumstances. The plans need to be flexible in their creation given the variety and complexity of events which could impact a business(s).

6. Major Incident

A major incident is any disruptive event that is likely to have a significant effect on the organisation, locally, regionally where it is likely to result in significant financial loss, regulatory impact, adverse publicity, resource impact (people, buildings or systems), or any combination of the former.

7. Maximum Disruption Time

The duration after which the viability of a business will be significantly threatened because a product, service or operation cannot be resumed.

8. Recovery Time Objective (RTO)

A target set for the status and availability of data (electronic and paper) at the start of a recovery process. It is a point on time at which data or capacity of a process is in a known valid state and can be safely restored from.

9. Exercising

An activity that is performed to evaluate the effectiveness or capability of a, business continuity or incident management plan, or a service relative to specified time frames, measurements or scenarios in recovering impacted functions.