BUSINESS CONTINUITY PLAN

 

PRINTED VERSIONS OF THIS DOCUMENT ARE NOT CONTROLLED

Policy Owner	Business Operations
Document Owner	Business Continuity Manager
Policy Custodian	The Concept Group Business Operations and Human Resources Departments
Preview Review Date	September 2024
Next Review Date	April 2026

DOCUMENT CONTROL AND INFORMATION

 

VERSION HISTORY

CONFIDENTIALITY CLAUSE & DISCLAIMER

COPYRIGHT (C) 2024 BY THE CONCEPT GROUP

Copyright © The Concept Group. This content is confidential and exclusively owned by The Concept Group. No portion of this material may be duplicated, disseminated in any format, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, nor disclosed to third parties without the direct written consent of The Concept Group beforehand. 

TABLE OF CONTENTS
 
1.0    INTRODUCTION............................................................................................................................................................................6
1.1    OBJECTIVE........................................................................................................................................................................................6
1.2    SCOPE................................................................................................................................................................................................6
1.3    ASSUMPTIONS...............................................................................................................................................................................6
1.4    BCP REVIEW AND UPDATE........................................................................................................................................................7
1.6    BCP EXERCISE AND TRAINING PROGRAM..........................................................................................................................7
1.7    INVOKING THE PLAN...................................................................................................................................................................8
2.0    DISASTER DEFINITION................................................................................................................................................................8
2.1    DISASTER DECLARATION...........................................................................................................................................................9
2.2    NOTIFICATION................................................................................................................................................................................9
3.0    BUSINESS CONTINUITY INCIDENTS & SCENARIOS........................................................................................................9
3.1    NOTIFICATION OF INCIDENT AFFECTING THE SITE......................................................................................................13
4.0    BUSINESS RECOVERY PHASE..................................................................................................................................................18
4.1    TRANSPORTATION OF STAFF FROM PRIMARY SITES TO RECOVERY SITE.............................................................19
4.2    RETURN TO PRIMARY SITE.......................................................................................................................................................19
4.3    CRITICAL SERVICES TO BE RECOVERED..............................................................................................................................19
5.0    BCP ROLES & RESPONSIBILITIES...........................................................................................................................................19
5.1    CRISIS MANAGEMENT TEAM (CMT)....................................................................................................................................19
5.2    INCIDENT RESPONSE TEAM (IRT)..........................................................................................................................................21
5.3    LOCAL RESPONSE TEAM (LRT)...............................................................................................................................................22
5.4    BUSINESS FUNCTION HEAD/MANAGER............................................................................................................................24
5.5    BUSINESS CONTINUITY MANAGER (BCM)........................................................................................................................24
5.6    IT TECHNICAL SUPPORT...........................................................................................................................................................25
6.0    COMMUNICATION PROCEDURES........................................................................................................................................25
6.1    INTERNAL COMMUNICATION...............................................................................................................................................26
6.2    EXTERNAL COMMUNICATION..............................................................................................................................................26
7.0    APPENDICES.................................................................................................................................................................................26

 

 

1.0    INTRODUCTION
Acknowledging the essential need to preserve uninterrupted business functions and safeguard the well-being of our employees, clientele, and assets, The Concept Group (TCG) is dedicated to enacting an all-encompassing Business Continuity Plan (BCP). This policy delineates our strategy for readiness, response, and recuperation in the face of incidents that could disrupt our standard operations.

1.1    OBJECTIVES
The objective of this Business Continuity Plan (BCP) is to:

•    Reduce Operational Interruptions: Aim to keep essential business functions running smoothly with as little pause as possible during and following a crisis.
•    Guard Company Resources: Protect both the tangible and intangible assets of the company, such as buildings, technology, data, and intellectual rights, from potential damage or loss.
•    Prioritize Staff Welfare: Ensure the health and safety of employees with definitive emergency protocols for evacuation and crisis management.
•    Preserve Customer Relations: Maintain the capacity to serve clients and fulfill their requirements, thus retaining their confidence and loyalty even in challenging times.
•    Limit Economic Impact: Diminish the adverse financial effects caused by unexpected disruptions, aiming to prevent revenue loss, control unforeseen expenses, and evade legal issues.
•    

1.2    SCOPE
The scope of this plan is limited to the recovery of this business function, following a major incident/crisis.

 

1.3    ASSUMPTIONS
•    Availability of Key Personnel: It is presumed that essential personnel, such as team leaders or their designated substitutes, will be reachable and able to assume their responsibilities after a disaster or crisis occurs.
 •    Document and Record Safety: It is assumed that this plan, alongside all critical records, is securely stored at a location away from the primary site and can be retrieved without issues in the aftermath of a crisis.
•    Technology and Infrastructure Readiness: An assumption is made that necessary technological tools and infrastructure will be operational at a backup location, ensuring continuity of critical business functions.
•    Individualized Support Plans: It is expected that each support department or unit will maintain its own continuity strategy, which includes specialized recovery tactics, essential resource listings, and procedural guidelines.
•    Financial Resilience: Financial resources, including emergency funds, are readily accessible to cover unexpected expenses related to the crisis and recovery efforts, ensuring the organization's financial stability.
•    Regulatory Compliance: The organization remains compliant with all relevant laws, regulations, and industry standards throughout the duration of the crisis, mitigating legal and compliance risks.

1.4    BCP REVIEW AND UPDATE
This policy will be reviewed bi-annually or following significant changes to our operations or business environment. Revisions will be made as necessary to ensure the ongoing effectiveness of the business continuity program.

1.6    BCP EXERCISE AND TRAINING PROGRAM
The implementation of this plan will include at least an annual exercise or training session. The primary goals of conducting these exercises and training sessions are to:
•    Guarantee that all members of the organization clearly understand their specific duties and responsibilities within the context of the plan.
•    Provide comprehensive information regarding potential threats and hazards, along with the appropriate protective measures to be taken.
•    Review and reinforce the procedures for office notifications, warnings, and the established communication systems to ensure they are understood and can be effectively executed.
 •    Emphasize the correct protocols to be followed in response to a crisis, ensuring that all team members are prepared to act swiftly and efficiently.
•    Familiarize staff with the locations of alternate facilities and the deployment of backup strategies, ensuring operational continuity when primary systems are compromised.
•    Conduct rigorous tests of our preparedness strategies and continuity plans to identify areas of strength and potential improvement, enhancing overall resilience.
•    Additionally, these training sessions will serve to reinforce the organization's commitment to maintaining a state of readiness, fostering a culture of preparedness and continuous improvement. By regularly updating and practicing our Business Continuity Plan, we aim to minimize the impact of any disruption and safeguard the interests of our stakeholders.

1.7    INVOKING THE PLAN
This plan becomes effective when a disaster occurs. Normal problem management procedures will initiate the plan, and remain in effect until operations are resumed at the original location and control is returned to the appropriate functional management.

2.0    DISASTER DEFINITION
Any loss of utility service (power, water), connectivity (system sites), or catastrophic event (weather, natural disaster, vandalism), fire, civil disturbances, labour union strikes that causes an interruption in the service provided by TCG. The plan identifies vulnerabilities and recommends measures to prevent extended service outages.

2.1    DISASTER DECLARATION
The Crisis Management Team (CMT) and Location Response Coordinator (LRT) are responsible for declaring a disaster for technical services and activating the various recovery teams as outlined in this plan.
In a major disaster situation affecting multiple business units, the decisions to declare a disaster will be determined by the CMT Chairman. The CMT and LRT will respond based on the directives specified by the chairman. 

2.2    NOTIFICATION
Regardless of the circumstances or the identity of the person(s) first made aware of the disaster, the Crisis Management Team (CMT) must be activated immediately in the following cases:
•    One (1) or more critical systems is down concurrently for three (3) or more hours
•    One (1) or more sites is down concurrently for three (3) or more hours
•    Any problem at any system or network facility that would cause either of the above conditions to be present or there is certain indication that either of the conditions are about to occur.
The CMT should have a group mail for easy communication and possibly a WhatsApp group.

3.0    BUSINESS CONTINUITY INCIDENTS & SCENARIOS
Business Continuity Recovery is based on the worst-case scenario. This therefore means that for any strategy adopted, the response will be scalable dependent on how severe the disaster is. The main scenarios however that are planned for are:

 

 

Outage Scenarios	Causes	Business Process Continuity Strategy/Response
Loss of Utilities	Electrical outages Water outages, PHCN, Fire outbreaks	•      Immediate Action: Activate emergency power sources like generators for critical operations. Use backup water supplies if available. Put alternate recovery site on standby. Implement water rationing if the outage is prolonged, prioritizing critical areas such as restrooms and kitchens. •      Communication: Notify utility providers and all affected stakeholders about the outage. •      Alternative Arrangements: If prolonged, relocate critical operations to another site with utilities. •      Restoration: Coordinate with utility companies for timely restoration. Review and adjust operations as utilities are restored. •      Fire Outbreaks: Provide fire alarm system, firefighting equipment and immediate evacuation procedures in the event of fire incidents.
Denial        of                     Building	Strikes, health & safety, fire	•      Inform all staff and relevant parties (e.g. regulators,

Access		partners and suppliers). •      Select and prepare the designated staff to move to Business Recovery site. •      Activate business recovery site (access, platform start-up and data restore). •      Move key processes to the business recovery site. •      Inform     inter-dependencies     of     the     process                   change (contacting details). •      Implement remote work policies for all employees who can perform their duties offsite. •      Activate the alternate site for critical •      operations that require physical presence. •      Coordinate with property management and emergency services to regain access as soon as it is safe. •      Incident Management procedures will also be initiated and captured via the HRIS Portal. •      Continued assessment of situation.
Technology Failure	Fire, server damage, loss of application/telecommunica tion /network/ data	•      Immediate Diagnosis: Quickly diagnose the issue to understand the extent of the failure and inform all parties •      Activate Redundancies: Switch to backup systems or use alternate internet service providers if available and move to recovery site. •      Vendor Coordination: Work with IT support and internet service providers to resolve the issue. •      Manual Processes:  Temporarily revert to manual operations if feasible and secure.
Technology-Related Breaches	Data and System Breaches, and Cyber Attacks	•      Identify potential threats: Data breaches, ransomware attacks, phishing attempts, DDoS attacks, insider threats. •      Identify critical systems and data breached: Customer databases, financial transactions, operational platforms •      Evaluate impact: impact on IT infrastructure, software, data and any breach of employee cybersecurity. •      Assess likelihood and potential impact of each threat on

							business operations, reputation, and regulatory compliance. •      Isolate affected systems or networks to prevent further spread of the incident. •      Deploy cybersecurity tools to remove malicious code and restore affected data from backups. •      Restore critical systems and data from backups when affected with consideration to desired Recovery Time Objective (maximum tolerable duration) and Recovery Point Objective (data loss tolerance). •      Verify integrity of restored data and systems before resuming normal operations. •      Conduct a thorough review after each cyber incident to assess response effectiveness and identify areas for improvement.
Unavailability                                            of Personnel			Pandemic				•      Inform all staff and relevant parties (e.g. regulators, partners and suppliers). •      Follow instructions stated by the national health body which includes measures to minimize risk of contamination. •      Prepare processes for key staff to work from alternative location. •      Customer re-direct when travelling into location. •      Inform inter-dependencies of the process change (contacting details). •      Continued assessment of situation.
			Riot, elections, civil unrest, kidnap, issues affecting life & TCG’s strategic objectives				•      Prepare processes for key staff to work from alternative location. •      Customer re-direct when travelling into location. •      Inform inter-dependencies of the process change. •      Move key processes to the business recovery site.
							•      Continued assessment of situation. For employees: •      Cross-Training: Ensure employees are cross-trained to handle essential tasks of absent colleagues. •      Remote Work: Enable remote work capabilities to keep operations running. •      Temporary Staffing: Engage temporary staff or redistribute tasks among available employees. •      Employee Support: Provide necessary support to employees preventing their availability, aiming for a swift return.
Unavailability Vendors	of	Key	Unavailability of vendor, late supply of service.				•      Alternate Vendors: Identify and activate relationships with alternate vendors. •      Inventory Management: Increase stock of critical supplies or seek local alternatives. •      Vendor Communication: Maintain open lines of communication for updates on vendor status and potential resolution timelines. •      Follow instructions stated in the procurement policy.
Disruption to Transport			Civil riot	unrest,	fuel	scarcity,	•      Remote Work: Encourage or mandate remote work to avoid transportation issues. •      Flexible Hours: Implement flexible working hours or staggered shifts to accommodate disrupted transport schedules. •      Local Accommodation: Arrange for local accommodations for critical staff if needed. •      Communication: Keep employees informed about transport disruptions and the company’s response.

 

3.1    NOTIFICATION OF INCIDENT AFFECTING THE SITE

On-duty personnel responsibilities

During work hours	Upon observation or notification of a potentially serious situation during working hours at a system/facility, ensure that personnel on site have enacted standard emergency and evacuation procedures if appropriate and notify the Location Response Coordinator.
Out-of-work hours	Technical Services personnel should contact the Local Response Coordinator.

 

The process flow below details the approach for the Crisis Management Team (CMT) to activate and implement the Business Continuity Plan (BCP), ensuring effective incident management and minimal operational impact.
1.    Identify and Assess Incident

The process starts with detecting a potential operational disruption, followed by a swift evaluation to gauge its severity and impact. This is done by the Local Response Coordinator (LRC) who in turn informs the CMT of the result of the assessment. The LRC will contact (CMT) when any of the following conditions exist:
•    One or more facilities are down concurrently for five or more hours.
•    Any problem at any system or location that would cause the above condition to be present or there is a certain indication that the above condition is about to occur.

The LRC will provide the following information:
•    Location of disaster
•    Type of disaster (e.g., fire, hurricane, flood)
•    Summarize the damage (e.g., minimal, heavy, total destruction)
•    Emergency Command Centre location and phone contact number; a meeting location that is close to the situation, but away from the disaster scene
•    An estimated timeframe of when a damage assessment group can enter the facility (if possible).
The LRC will document assessment results using Assessment and Evaluation Forms contained in the appendix.

2.    Activate BCP

Based on the information obtained, the CMT decides (with the LRC) how to respond to the event: mobilize IRT, repair/rebuild existing site(s) with location staff, or relocate to a new facility. The decision to activate the Business Continuity Plan is made by the Crisis Management Team (CMT) chairman. The CMT is then mobilized to tackle the incident.
•    If a disaster is not declared, the Location Response Team will continue to address and manage the situation through its resolution and provide periodic status updates to the CMT.
•    If a disaster is declared, the Location Response Coordinator will notify the Incident Response Team members immediately for deployment.
•    Declare a disaster if the situation is not likely to be resolved within predefined time frames. The person who is authorized to declare a disaster must also have at least one (1) backup who is authorized to declare a disaster in the event the primary person is unavailable.

3.    Communicate with Stakeholders
Once a disaster is declared, the Incident Response Team (IRT) is mobilized. The CMT informs all relevant stakeholders, including employees, customers and vendors about the incident and the activation of the Business Continuity Plan, executing the communication strategy.

4.    Implement Recovery Strategy

The IRT will initiate and coordinate the appropriate recovery actions. IRT members assemble at the command centre (as determined by the CMT) as quickly as possible. Where there is no command centre, employees are allowed to go any convenient location of their choice within the state. Critical business functions are identified and prioritized. On arrival, the IRT will:
•    Conduct an on-site inspection of affected areas to assess damage to essential hardcopy records (files, manuals, contracts, documentation, etc.) and electronic data
•    Obtain information regarding damage to the facility (s) (e.g., environmental conditions, physical structure integrity, furniture, and fixtures) from the LRC/LRT.
•    Develop a Restoration Priority List, identifying facilities, vital records and equipment needed for resumption activities that could be operationally restored and retrieved quickly.
•    Develop a Salvage Priority List, identifying sites and records which could eventually be salvaged.
•    Contact the CMT and decide whether the situation requires the initiation of business recovery plans (long-term disaster i.e., greater than 60 days) or if work can return to the primary location (short-term i.e., less than 60 days)..
Based on the information obtained from the LRT/IRT, the CMT decides whether to continue to the business recovery phase of this plan. If the situation does not warrant this action, the LRT/IRT will continue to address the situation at the affected site(s). The IRT will provide periodic status updates to the CMT Chairman.
NOTE: The business recovery phase of this plan will be implemented when resources are required to support full restoration of system and/or facility functionality at an alternate recovery site (e.g., another company office, vendor hot site, cold site) that would be used for an extended period of time.

5.    Distribute Resources

Essential resources and personnel are allocated for recovery, with external support secured if necessary.

6.    Monitor and Adjust Recovery

The CMT oversees recovery efforts, making necessary adjustments based on ongoing assessments and provides stakeholder updates.

7.    Normalize Business Operations

Efforts shift towards restoring regular business operations, beginning with the most crucial functions.

8.    Evaluate and Learn

A thorough review of the incident and response is conducted to evaluate the BCP's effectiveness, documenting lessons learned for future improvements.

9.    Communicate Findings
Outcomes from the evaluation are shared with stakeholders, with action taken to enhance the organization’s future resilience and response.

NOTE: During the Initial Response Phase, service may be shifted to alternate sites to allow operations to begin functioning and provide service to customers. Initially reduced service may be provided until sites can be fully restored. Within 60 days the system and facilities should be functional at 100%.