Business Continuity Plan | Disaster Recovery Plan | Template for FCA Applications and Authorised Firms

1 Plan & Distribution Access

[Your Company Name]’s (hereinafter referred to as the “Company”) business continuity plan will be distributed to the relevant staff members of the business continuity and management teams*/locum or 3rd party firm*/nominated representative* [*DELETE AS APPLICABLE].

A master copy of this BCP document will always be maintained by the business continuity team leader or company owner and shall be located in a secure place off-site. For further risk mitigation, an electronic copy of this plan will be stored on a secure USB flash drive for printing on demand.

[br]

2 Introduction

Disaster Recovery (or Business Continuity Planning), is the processes, controls, measures, policies and procedures that together, enable a company to recovery and/or continue to trade following a natural or human-induced disaster or situation. All businesses should have some form of recovery program, however those in consumer credit and financial services industries are expected to have fully documented, robust and tested plans to protect consumer interests and safeguard assets.

Vital technology infrastructure and systems are susceptible to disruptions when dealing with potential threats and disaster recovery plans form an extensive program from documenting systems, assets and information flows, through to stress-testing, back-ups and continuity plans. Any event that compromises or negatively impacts standard operations within the business are documented, with mitigating actions or alternative solutions included in the plan should a threat occur.

A plan will usually include a range of threats, risks and disasters that could happen; internal and external; natural or human-based, enabling Directors and Senior Management to assess each scenario and implement measures and controls before the issue arises. It is essential in any Disaster Recovery Plan, to include all possible threats and risks and not just focus on the obvious ones such as fire, electricity outage or network virus. For example, if an illness or virus affected 80% of a business’s workforce, to would be difficult to continue operating as normal or if the office location became uninhabitable, plans for back-up sites should be included.

[br]

3 Policy Statement

The Company’s policy is to respond to any business disruption, emergency or crisis by safeguarding employees’ lives and firm property, mitigating risks to customers, continuing to comply with regulatory requirements whilst making financial and operational assessments and quickly recovering and resuming normal business operations.

We are prepared for both internal and external disruptions in our BCP provision and will take every measure and precaution to ensure that any disruptions to our normal business function is mitigated against and prepared for. It is our aim that no customer is caused undue harm or inconvenience by any disruption that we may incur. Our recovery plan considers all possible threat and risk scenarios and details the appropriate measures and actions the Company has in place should they occur.

[br]

4 Purpose

The purpose of this policy is to provide a flexible and documented response so that the Company can respond to a disruptive incident, maintain delivery of critical activities and services during any such incidents and resume ‘business as usual’ in the shortest time, with the least disruption.

This plan acts as a guidance and support document in the event of any threat scenario occurring and its development has included key stakeholder and prominent employees and suppliers.

[br]

5 Scope

The policy relates to all the Company staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.

[br]

6 Objectives

The Company is dedicated to restoring standard operating procedures as soon as is possible after any threat has occurred, and this recovery plan documents each aspect of the processes, measures and requirements to do that. We have several objectives for our recovery plan: –

• To develop, retain and maintain a detailed and up-to-date Disaster Recovery Plan (DRP)
• Understand the critical functions and activities of the business
• Identify, analyse, assess and document risks to the Company and continued operation
• Identify the key roles, responsibilities and contacts to respond to an emergency
• Maintain effective running of the business in the event of a crisis or emergency
• To ensure that all staff are aware of the DRP/BCP and their role in complying with its processes
• To minimise disruptions to the Company’s normal business operations
• To limit the extent and impact of any such disruption and/or damage
• To minimise the economic, client, customer and employee impact of any disruption
• To ensure that an alternative, adequate and appropriate means of operating is in place
• To ensure that employees and associated DRP/BCP suppliers are fully trained as to their part in any emergency procedure
• To provide a safe, swift and effective restoration to normal service

[br]

7 Disaster Recovery Plan

7.1 Distribution List

The below distribution list contains the names, contact details and DRP role of any employee, locums or 3rd party who has a copy of the DRP and who are fully aware of the procedures to be followed in the event of a crisis, threat or emergency.

This plan has been distributed to the relevant staff members of the business continuity and management teams and a master copy is maintained by the company Director and is in a secure place off-site. For further risk mitigation, an electronic copy of this plan is stored on a secure USB flash drive for printing on demand.

7.2 Business Impact Analysis

The Company has completed a full Business Impact Analysis (BIA) and a risk assessment to enable us to understand our critical functions, risks to the continued operation of the business and plan for recovery.

There are several key functions (referred to in this document as Critical Functions) that are essential to the normal operation of the Company and as such, require immediate restoration after an emergency incident.

The BIA enables the Company to differentiate the critical (urgent) and non-critical (non-urgent) functions of the business, this providing us with a priority order in which to allocate resources and start restoration actions and measures. Critical functions are then given a priority describe in which order of priority the critical functions are to be completed.

When carrying out a business impact and risk assessment on each area, we aim to assign a Recovery Time Objective (RTO) to each function. This is the maximum length of time that the Company can manage a disruption to this critical function before it threatens the Company’s viability or ability to operate normally.

ALL business functions must be assessed and added to the BIA. Use the below impact/probability matrix to assign a risk rating to each item on your BIA.

Completing the above BIA will provide all functions for the recovery plan and will differentiate critical from non-critical. Each company has their own definition of critical functions; however, they are usually those that must be restored within a maximum of 2-hours after the disaster and/or be mission critical in their impact and risk. All critical functions should now be added to the Critical Functions Checklist in order of restoration priority.

7.3 Critical Functions & Processes Checklist

Most areas of a business are essential to its overall functioning and operation; however, some are critical and should be afforded priority to resources, space and time in the event of an emergency. These functions and processes are known as ‘Critical Functions’ and should be operational within the shortest time possible.

Without such critical functions (technological, operational or supportive), the Company would be unable to achieve its objectives or meet regulatory and/or legal requirements. Critical functions include making/restoring back-ups, telephony system, internet, network security/access etc.

7.3.1 Critical Function Assessment & Recovery Process

The below assessment is completed for each critical function to ensure that it has a documented plan, recovery process, owner and timeframe.

7.4 Non-Critical Functions

What are the essential, but non-critical functions of the business that must be restored within the first 4-8 hours?

What are the essential, but non-critical functions of the business that must be restored within the first 8-24 hours?

What are the essential, but non-critical functions of the business that must be restored within the first 24-48 hours?

7.5 Specific Disaster Scenarios

When the BIA and Critical Function tables are completed, this will provide nearly all the actions, processes and resources required to get the Company functional after any form of crisis or emergency. However, some disasters require additional actions and requirements, which are detailed below.

In addition to the existing critical and non-critical functions that the Company have documented in this plan, below are additional requirements for specific emergencies: –

Fire

Earthquake

Site Evacuation

Employee Pandemic

Cyber-Attack

Bomb-Threat

7.6 Recovery Contact Lists

Only key staff and/or third parties are provided with a physical copy of the full Disaster Recovery Plan due to the sensitive and confidential nature of the content. However, should an emergency result in loss of communications, access to IT systems and/or access to business premises, it will be necessary to contact employees, suppliers, service providers and other third parties. The below lists provide the current contact details for all associates of the Company.

7.6.1 Employee Contact List

7.6.2 Key Suppliers Contact List

7.6.3 Key Customers Contact List

7.6.4 Utility Company Contact List

7.7 Office & Alternate Physical Locations

List the locations of any offices (registered and unregistered) and any ability to work from home should the need arise. It is a legal requirement to have an alternate site/option for recovering business as usual in the event of an emergency or business disruption and this site/option should be located in a different place to your usual business site to account for disaster recovery situations

[br]

8 Emergency Pack

As part of the Company’s recovery plan, we retain copies of back-up’s, key documents, spare keys, insurance documents, records and equipment in a secure, off-site at [insert location] in a readily available and up-to-date emergency pack. This pack is only accessible by the Director/IT Manager and [named employee/contact] and can be retrieved in the event of an emergency to aid in the recovery process.

[br]

9 Updates & Annual Review

The Company updates this plan whenever we have a material change to our operations, structure, business or location or to those of our clearing firm. In addition, we review and test this DRP annually, on [date], to modify any changes in our operations, structure, business or location or those of our clearing firm and to ensure that all steps, processes and functions are appropriate, functioning and effective.

[br]

10 Actions And Expenses Log

This table is used to record decisions, actions and expenses incurred in the recovery process and is used to provide information for the post-recovery debriefing, and to help provide evidence of costs incurred for any claim under an insurance policy.