1. Introduction
The company carries out frequent risk assessments and gap analysis reports to ensure that our compliance processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary. Should any compliance breach occur, we are fully prepared to identify, investigate, manage and mitigate it with immediate effect, reducing risk and impact.
2. Policy Framework
The Company has the below objectives with regards to Breach Management:
● To maintain a robust set of compliance procedures which aim to mitigate against any risk to business activities.
● To develop and implement strict compliance breach and risk assessment procedures that all staff are aware of and can follow.
● To ensure that any compliance breaches are reported to the correct regulatory bodies within the timeframes.
● To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from recurring.
● To use the Compliance Breach Incident Form for all breaches, regardless of severity so that any patterns in causes can be identified and corrected.
● To comply with regulating bodies and laws on compliance breach methods, procedures and controls.
● To protect consumers, clients and staff – including their data, information and identity.
3. Scope
The policy relates to all the Company staff (permanent and temporary) and contracted vendors engaged with the Company. The policy has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
4. Service Availability
Service availability is monitored in the production (live) environment, with alerts generated via the system and email/SMS notifications sent in the event of system downtime or service disruptions.
The L1 Support team will identify service availability issues and escalate to relevant internal teams by raising an incident ticket in Jira. An incident is prioritised as follows:
Severity | Scenario | Response Time | Resolution Time |
P1 – High | Critical incident where the service is down and application functions are unavailable to more than 50% of customers. | 1 hour | 4 hours |
P2 – Medium | One or more functions of the application have failed and/or are not functioning correctly, but there is no direct impact on customers. A temporary workaround is available. | 24 hours | 4 days |
P3 – Low | There is no impact on any functionality of the application. The incident is in the form of customer queries or support. | 3 days | 10 days |
The above-mentioned resolution times apply only on weekdays between 08:00 and 17:30 GMT. All out-of-hours incidents will be received and queued via our general automated email for resolution during office hours.
4.1. Incident Classification
The following types of incidents will be classified as High. The impact, resolution and root-cause analysis report will be communicated to affected customers and the FCA.
• Denial of Service
• Unauthorised Access or Use
• Malicious Code
• Unplanned Downtime
4.2. Incident Ticket Workflow
When the company receives or raises an incident, the following depicts the flow of the incident ticket and resolution.
The creator and key stakeholders are updated on progress via comments in the ticket. Where required, a telephone conversation can be scheduled.
4.3. Incident Management Approach
The L1 Support team will normally be the first point of contact for identifying and triaging an incident. The steps involved include (but are not limited to) the following:
• Review file/facts.
• Speak to relevant individual.
• Record outcome/recommendation in writing.
• If changes/improvements to procedures are required, flag for action.
• Confirmation of requirement to respond to complaints in line with FCA rules (all deadlines apply from the date the original complaint was received).
• Further holding letter or final response within four weeks.
• Final or other response within eight weeks.
• Requirement to inform customers of their right to refer the complaint to the Financial Ombudsman Scheme (FOS) if they are unhappy with the final response or if they do not get a response within eight weeks.
• The need to inform customers of the six-month deadline for contacting the FCA from the date of the final response.
• Staff will be trained on calls to keep customers informed of progress/delays – and, where possible, to record the conversations.
• Confirmation that copies of correspondence and notes from telephone conversations must be kept on file for each complaint.
• Outline procedure for systematic logging of complaints by date, nature, name, whether or not considered justified and confirmation of response dates/outcome.
• Confirmation of how/when/to whom the complaint handler should report complaints internally and make recommendations for revised practice where appropriate.
• Confirmation to ensure the details of the internal complaint handling procedures are published, and that a copy is supplied to a customer on request, or in response to a complaint not resolved by the end of the next business day of being received.
• Policy supporting the use of FCA’s standard Complaints Form and electronic reporting procedure via the Firms Online service.
4.4. Roles and Responsibilities
HirettOnline L1/L2 Support team | Customer Support Team | · Triage new incident tickets and manage incidents from active status to completion. · Communicate with the user for a better understanding of the issue. · Interface with the L2 support team for resolution. · Update internal and external stakeholders with regular updates on resolution via Jira. |
HirettOnline /L2 Support team | Technical Support Team | · Interface with Operations and other internal teams to resolve. · Update internal and external stakeholders with regular updates on resolution via Jira. · Provide resolution to incidents escalated by the L1 team and/or escalate to the L3 support team. |
HirettOnline L3 Support team | Application and Infrastructure Team | · Technical resolution (bug fixes). · Manage issues escalated by L2 support teams. · Manage the relationship with the vendor to support resolution of incidents. |
5. System Maintenance
The company will carry out system maintenance activities periodically to ensure effectiveness and efficiency.
These maintenance activities will be communicated in advance to customers and are scheduled outside normal working hours to mitigate service disruption and customer impact.
6. Support Contact Details
The company customer support team can be contacted using:
For HirettOnline L1/L2 Support team and Escalations
• Jira Service Desk.
For General Enquiries
• Info@hirett.co.uk
7. Evaluation
Following resolution of an incident, the company will undertake an internal and external assessment of how well the incident was managed. The assessment, by way of surveys and interviews, will include (but is not limited to) assessing:
• How well the company support teams responded to an incident.
• How well documented procedures were followed and whether they were adequate.
• Any steps or actions taken that could have delayed resolution.
• What the company support teams could do differently the next time.
• The corrective actions taken by the company to prevent a similar incident occurring again.
• How quickly the incident was identified and reported, and the timeline for resolution.
• Recommendations for service and process improvement to improve the identification, analysis and mitigation of future incidents.