Business Continuity Plan BCP | Internal and External Communications | Change Management and Testing | Template for FCA Applications and Authorised Firms

1 Purpose and Scope

The purpose of this Business Continuity Plan (BCP) document is to ensure [Your Company] Payments is able to continue operating in the event of a critical issue or disaster that disrupts normal activity.

The scope of this document is to identify the critical situations which would cause [Your Company] to invoke the BCP as well as the mitigating actions and recovery plans to ensure business continues to perform as near to normal as possible.

The scenarios in scope for this document include but are not limited to:

• Natural disasters (flooding, extreme weather, epidemics)
• Wilful damage (terrorism, civil disorder, internal/external strike action or work stoppage, computer crimes and arson)
• Accidental damage (power failure, gas leaks, fire, impact by vehicle/aircraft, heating/ventilation/air conditioning failure)

2 Responsibilities

The [Title], [Your Name], is responsible overall for the BCP and is responsible for ensuring that business continuity is given full consideration for all aspects of the business that could be impacted by the scenarios in scope.

3 Plan Invocation

Over time the list of team members who are authorised to invoke the plan and documented scenarios wherein the plan should be invoked will be expanded upon and the BCP will be updated.

The initial BCP plan will be invoked by the CEO in agreement with the board in the case of one or more of the scenarios defined as in scope for the BCP occurring and causing:

• The services provided by [Your Company] to its customers are significantly impacted or unavailable
• The [Your Company] premises are significantly impacted due to being wholly or partially unavailable
• [Your Company] staff are significantly impacted by not having access to IT systems and/or telephony
• One or more 3^rd party supplier is impacted and can not provide their service to agreed levels
• Access to the [Your Company] premises to be difficult or personally hazardous due to external factors
• A significant issue at 3^rd party with whom [Your Company] does not have a direct relationship having an outage which indirectly affects [Your Company] and/or its customers significantly

4 Developing the BCP

The BCP is a living document and will be reviewed quarterly throughout the year to ensure it is current.

In addition, the BCP will be assessed for any new service or operation is introduced or an amendment is made to an existing service or operation, as part of the Change Management process.

Note: this includes changes by 3^rd party suppliers, to ensure that the BCP is still accurate and applicable.

5 Communications

The BCP plan is designed to ensure communication is maintained to the highest possible standard throughout any scenario, based on the best channels available.

For each critical 3rd party supplier:

• A list of key contact phone/email details will be maintained in an appendix of the BCP, including who at [Your Company] is authorised to contact the 3^rd party in order to notify them of a scenario occurring and the BCP being invoked. This will include mobile numbers for all key contacts to ensure communication is available if either party suffers a loss of landline telephony.
• The same appendix will also contain the current business continuity documentation from the supplier, so [Your Company] are clear on how to engage with the supplier if it is the 3^rd party that has a major issue which then impacts [Your Company]. This will then form a subset of [Your Company] own BCP document.
• At the time of writing, the critical supplier identified is [Your Company] – a specialist white label systems provider that will provide an end to end solution for almost all of the services that [Your Company] requires, except for the in house telephony and networked PCs (deemed critical) for the [Your Company] call centre and the [Your Company] company website (deemed not critical).

Internal communications:

• [Your Company] will use a Zoom conference call facility for all stakeholders to be able to provide internal updates on the scenario and confirm the steps taken so far as per the BCP to mitigate the scenario that is happening. If the [Your Company] premises are still operational, then the stakeholders based there will meet in person and the remainder will join via Zoom.
• These stakeholders are then responsible for cascading the information internally to their own teams via email or in person as appropriate and depending on the scenario
• Where landline telephony is not available, mobile phones or web access will be used to join the Zoom call.
• If telephony and email is unavailable, then communications to [Your Company] team members will be made via SMS text messages or closed Whatsapp group.

External communications:

• If telephony is still available, it is assumed that a high volume of inbound calls will be received creating longer than normal call wait times, so whilst trying to answer as many calls as possible, the inbound automated prompts will be updated with a brief recorded message to explain the latest update of what the impact is and what [Your Company] is doing about it, as well as when the impact is expected to have ceased.
• In addition, updates will be added frequently to the [Your Company] Payments website, providing the latest guidance to our customers of what services are impacted, expected time to resolution and any other related information.
• Where subscribed for electronic communication, customers will receive notifications of the situation through the [Your Company] mobile app and SMS messages to their phone.
• Regular updates will be posted via social media, including Twitter and Facebook, to extend the communication further.

6 Document Owner, Approver and Change History Record

The BCP is owned by the Chief Executive Officer and approved by the board.  Other stakeholders within [Your Company] will be added over time and they will be able to update the BCP as needed, adding a new version number, author name and a brief note of changes made to the log on the first page.  All new versions of the BCP will not be live until approved by the board.

7 Change management

[Your Company] change management process is enabled via a Change Board which meets monthly and is chaired by the Chief Executive Officer.  Any change, to processes, operations, technology or other aspect of [Your Company] business is raised via the Change Board and assessed by all stakeholders within the business to determine impacts, assess costs and timelines.  As part of the Change Board process, any changes raised are also assessed against the BCP, with the following possible outcomes:

• The proposed change has no impact to the BCP, no action needed.
• The proposed change does have an impact to the BCP, in which case the CEO will ensure that a full impact assessment is carried out and additional steps required are documented in the BCP. As per the process, the updated BCP will then go before the board for approval before it is accepted as the active version of the BCP.

8 Business Continuity Plan Testing

The BCP will be tested at least annually, or more often if there has been a significant change to the operation or new additions/amendments to the BCP.  This will be predominantly a rehearsal of the entire process of invoking the BCP for a specific scenario, including working through internal procedures and external 3^rd party procedures with suppliers, as a desktop exercise to ensure all participants are very familiar with all activities required.

Some physical tests will also take place as part of the testing exercise, including ensuring that procedures used when the main [Your Company] office is not accessible are operating as expected.  This includes switching part of the team to the alternate site and ensuring that all functions work correctly in terms of telephony and software systems access and testing of remote access from home for the same, as well.

By going through this exercise, improvements can be identified and added to a supplementary detailed [Your Company] workbook, which will go down to the level of specific checklists.

Following the completion of the test exercise, a summary report will be recorded to show which test activities were carried out, what the result was and a lessons learned section to ensure further improvements can be made to the BCP.

Appendix 1

[Your Company] has been identified as the critical supplier proving a white labelled product, branded as [Your Company] Payments.  The agreement with [Your Company] is being negotiated and once a contract is in place then all details of [Your Company] continuity plans will be added here.

[Your Company] will supply the following key components of the solution, under their existing licences and from hosted within their own PCI compliant data centres:

• Core account management
• Segregated / ringfenced customer bank account held at Clear Bank, fully protecting the customer funds and held completely separately to [Your Company] Payments own funds.
• Visa/Mastercard membership and compliance
• Card issuing and processing
• Mobile app and internet account servicing
• Customer messaging
• System compliance
• Physical and computer security for stored customer data and transactions
• Fraud handling
• Chargeback / disputes handling
• Online access to CRM system to be used by [Your Company] call centre staff at [Your Company] premises
• Customer due diligence / KYC processing for both individuals and businesses
• Connectivity to all payment types (direct debit, FPS, standing orders, BACS, CHAPS, international payments)
• Data backup including off site storage