03 Resolver Company Business Continuity Policy by ISO 22301

1. Purpose, scope, and users

The purpose of this Policy is to define the objective, scope, and basic rules for business continuity management.
This Policy is applied to the entire Business Continuity Management System (BCMS).
Users of this document are all employees of Resolver, as well as all suppliers and outsourcing partners who have a role in the BCMS.

2. Reference documents

  • ISO 22301 standard, clauses 4.1, 4.3, 5.3, 6.2, and control 9.1.1
  • ISO/IEC 27001 standard, clause 3.2.1, 3.2.2, .3.2.3
  • Project Plan for Implementation of the Business Continuity Management System
  • List of statutory, regulatory, contractual, and other requirements
  • Risk Treatment Plan
  • Preparation Plan for Business Continuity
  • Procedure for Corrective Action
  • Resolver Standard SLA

3. Business Continuity Management

3.1 Purpose of business continuity management

The purpose of business continuity management is to identify potential threats to an organization and the impacts to business operations those threats might cause and to provide a framework for building organizational resilience with the capability of an effective response.

3.2 Links to general objectives and other documents

With the implementation of business continuity, Resolver wants to fulfill its strategic objectives:

  • Resolver is an Amazing place to work
  • Deliver an exceptional customer experience
  • Be the leader of the Integrated Security, Risk and Compliance space in selected markets
  • Extend our reach and influence
  • Build a financially sustainable and scalable business

More information about department-specific business objectives please see at “Enterprise Risk Management” Application at Resolver Core: https://core.resolver.com

Business continuity management is implemented compliant to requirements listed in the List of statutory, regulatory, contractual, and other requirements, and within the framework defined by the following documents:

3.3 Setting business continuity objectives

CEO in conjunction with the rest of Top management is responsible for setting the objectives for the whole BCMS and the method for measuring the achievement of those objectives – those objectives and methods are documented in Enterprise Risk Management” Application at Resolver Core. CEO is responsible for reviewing those objectives at least once a year.

Objectives for individual elements of the BCMS are proposed and documented by BC Coordinator and approved by CEO, CFO, and CISO – these objectives must be reviewed at least once a year by the same persons who have proposed them.

Actions to achieve these objectives will be determined in the Risk Treatment Plan, Preparation Plan for Business Continuity, corrective actions according to Procedure for Corrective Action, and Management Review.

3.4 Scope

Business Continuity Management System is implemented for the entire organization Resolver with special attention paid to activities identified during Business Impact Analysis.

The organization’s business locations included in the scope:

  • Resolver Inc. Headquarter. 111 Peter Street, Suite 804, Toronto, ON, M5V 2H1, Canada
  • 1200-10025 102A Avenue, Suite 1200, Edmonton, AB, T5J 2Z2, Canada
  • Unit 6, Level 1, 112 High Street, Rangiora 7400, New Zealand
  • 707 Virginia Street East, Suite 1000, Charleston, WV 25301, United States of America
  • 1250 Borregas Ave, Suite 138, Sunnyvale, CA, 94089-1309, United States of America
  • #606-608, Wing 1, Level 6, “D” Block, Cyber Gateway, Madhapur Hyderabad, Telangana State, 500081, India

Organizational units included in the scope:

  • Customer Support Department
  • DevOps Department
  • IT Department
  • Professional Service
  • Legal Department
  • Customer Success Department
  • Development/Engineering Department
  • QA Department
  • Financial Department
  • HR Department
  • Executive Department
  • Product Management Department
  • Sales Department
  • Marketing Department

3.5 Key products and services

The following key products and services are provided by Resolver Inc. within the scope defined in the previous section:

  • Core
  • Perspective
  • RiskVision
  • GAL
  • GRC Cloud
  • WRM
  • Ballot

Business continuity management must ensure that the above-mentioned products and services will recover to a pre-defined level.

All activities related to these products and services are listed in the Business Continuity Strategy.

3.6 Responsibilities for business continuity management

General responsibilities:

  • BC Coordinator is responsible for ensuring that business continuity management is established and implemented according to this Policy, and for providing all necessary resources
  • BC Manager is responsible for operational implementation and maintenance of the Business Continuity Management System (BCMS)
  • BC Coordinator must review the BCMS at least once a year or each time a significant change occurs and prepare a review report. The purpose of management review is to establish the suitability, adequacy, and effectiveness of the BCMS

Specific responsibilities:

  • Business Continuity (BC) Coordinator is responsible for adopting and implementing the Training and Awareness Plan which applies to all persons who have a role in business continuity management
  • Arrangements related to business continuity must be exercised and tested at least once a year using various methods in order to assess whether they can protect organizations’ activities – for this purpose BC Coordinator must write an Exercising and Testing Plan which must be approved by top management; after each exercising and testing, BC Coordinator must prepare an Exercising and Testing Report
  • BC Coordinator is responsible for adopting and implementing the BCMS Maintenance and Review Plan so that all BCMS elements are functional and up-to-date
  • Each time a Business Continuity Plan, Recovery Plan or Incident Response Plan is activated, the BC Coordinator is responsible for reviewing the effectiveness of business continuity management
  • BC Coordinator is responsible for monitoring nonconformities, false alarms, actual incidents, etc., and for raising preventive actions as required

3.7 Measurement

Resolver will measure the following:

  1. Whether the objectives set according to this Policy are fulfilled – at least once a year, normally before the Management Review
  2. Effectiveness and adequacy of business continuity plans – at a frequency set in the Business Continuity Plan itself

BC Coordinator will prepare a report of measurement results, while analysis and evaluation of the results will be done at the Management Review.

3.8 Policy communication

BC coordinator in coordination with the CEO, CFO, and CISO have to ensure that all employees of Resolver, as well as suppliers and outsourcing partners who have a role in the BCMS, are familiar with this Policy.

3.9 Support for BCMS implementation

Hereby the CEO, CFO, and CISO declare that all elements of BCMS implementation will be supported with adequate resources in order to achieve all goals and objectives set according to this Policy, as well as satisfy all identified requirements.

4. Validity and document management

This document is valid as of July 2020.

The owner of this document is an Information Security Analyst, who must check and if necessary update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • number of employees and suppliers/outsourcing partners who are not familiar with this document
  • nonconformity of business continuity management with legislation and regulations, contractual obligations, and other internal documents of the organization
  • ineffectiveness of BCMS implementation and maintenance
  • unclear responsibilities for BCMS implementation

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.