06 Resolver Company Business Continuity Strategy by ISO 22301

1. Purpose, scope, and users

The purpose of this document is to define how Resolver will ensure that all conditions for the resumption of business activities in the case of a disaster or other disruptive incidents are met. It forms the basis for preparing the Business Continuity Plan and recovery plans.
This document is applied to the entire BCMS scope as defined in the Business Continuity Management Policy.
Users of this document are members of top management and persons implementing the business continuity management project.

2. Reference documents

  • ISO 22301 standard, clauses 8.3 and 8.4.2
  • Business Continuity Policy
  • Business Impact Analysis questionnaires
  • Risk assessment report (Core ERM app)

3. Strategy input

The BC Coordinator is responsible for coordinating the creation of a BCP plan by BC team leads, ensuring the plan is updated on a regular basis, and enacting the plan in case of a crisis event.

3.1. Business Impact Analysis

The Business Impact Analysis established that 12 activities support key products and services – please see Appendix 1 for a list of such activities.
The maximum tolerable period of disruption (maximum acceptable outage) for each activity has been determined in the Business Impact Analysis Questionnaire – please see Appendix 2.
Appendix 3 determines recovery time objectives for each activity, taking into account dependencies on other activities.

3.2. Risk management

Assessment of risks that could affect business continuity is described in the Risk Assessment report. The highest risks identified during risk assessment that could lead to a disruptive incident (i.e., business disruption) are the following:

  • Fire
  • Earthquake
  • Flood
  • Snowstorm
  • Internet connection breakdown
  • Interruption of power supply
  • Pandemic

For all the mentioned risks/incidents it is necessary:

  • to apply preventive action to reduce the probability of such incidents – the actions are described in the Risk Treatment Plan
  • to apply preventive action in order to minimize possible consequences of such incidents – these actions are also described in the Risk Treatment Plan
  • to prepare event scenarios which describe how such incidents could affect the organization’s operations; scenarios are provided in Appendix 4 of this Strategy and must be used at a later point for testing plans
  • to define in the Incident Response Plan the appropriate way to respond to each of the incidents

4. Strategy input

4.1. Crisis Management Team and Crisis Management Support Team

4.1.1. Crisis Management Team

If business continuity plans are activated, a working body called Crisis Management Team is formed which is authorized to make any decisions to resolve the situation. Members of the Crisis Management Team are:

  • CFO – Business Continuity Coordinator (BC Coordinator)
  • CISO
  • CEO
  • PR Manager – Marketing Director, public relations coordinator.
  • HR – Resource planning
  • Legal Counsel
  • VP Services
  • DevOps Director
  • Business Continuity (BC) Manager (Primary: Corporate Controller. Backup: Information Security Analyst)

The Crisis Management Team is managed by the Crisis Manager / BC Coordinator. The CFO will perform the function of Crisis Manager; in his/her absence, the function will be performed by the CEO / CISO and so on, according to the Crisis Management Team structure and decision.
The Crisis Management Team manages the disruptive incident from a facility called the Command Centre, the location of which is specified in item 5.1 of this Strategy.

4.1.2. Crisis Management Support Team

The Crisis Management Support Team has the function of relieving the Crisis Management Team from administrative and other operational activities, in order to focus on managing the disruptive incident.

Members of the Crisis Management Support Team are:

  • DevOps team members
  • Development team members
  • HR team members
  • IT team members
  • Finance team members
  • Support team members
  • Marketing team members

The Crisis Management Support Team shall work at locations specified by the Crisis Management Team.

4.1.3. Command Centre Equipment

To serve the Crisis Management Team and Crisis Management Support Team the Command Centre must be equipped as follows:

| Name of resource | Description | Amount | When the resource is necessary |
|---|---|---|---|
| Applications / databases: | | | |
| Box | | | immediately |
| Office 365 | | | immediately |
| Slack | | | immediately |
| RingCentral | | | immediately |
| ZenDesk | | | within 2 hours |
| Jira | | | within 2 hours |
| Data stored in electronic form: | | | |
| Business Continuity Strategy and plans for all activities | | | within 2 hours |
| Data stored on paper: | | | |
| Business Continuity Strategy and plans for all activities | | | immediately |
| IT and communications equipment: | | | |
| Workstations | | | within 2 hours |
| Telephones RingCentral | | | immediately |
| Mobile phones | | | immediately |
| Communication channels: | | | |
| Internet access | | | immediately |
| Telephone: RingCentral | | | immediately |
| Slack | | | immediately |
| e-mail service (Office 365) | | | immediately |
| Zoom or equivalent alternative; Teams, WebEx | | | within 2 hours |
| Facilities and infrastructure: | | | |
| Computer network | | | within 2 hours |
| Furniture | | | immediately |
| External services: | | | |
| Electricity | | | immediately |
| HVAC | | | within 2 hours |

Depending on the number of members in the Crisis Management Team and, if necessary, in the Crisis Management Support Team.

BC Manager is responsible for preparing the Crisis Management Team and the Crisis Management Support Team for their role during a disruptive incident. BC Manager is responsible for equipping the Command Centre.

4.2. Reporting and decision making

Incidents are reported in the following way:

  • all incidents related to IT and communications technology are reported to the IT department over Slack channel, direct e-mail to it@resolver.com, Helpdesk ticket, or phone call.
  • all other incidents are reported to BC Coordinator

If the persons mentioned are unable to resolve the incident, they must inform the Crisis Manager who decides whether to activate recovery plans.

Authorizations for making decisions are the following:

| Type of decision | Who is authorized |
|---|---|
| How small incidents related to IT and communications technology are resolved | Employees in the IT Department |
| How all other small incidents are resolved | BC Manager |
| Making a decision about activating recovery plans | Crisis Manager |
| Implementing all tasks necessary for the recovery of individual activities | Recovery Manager for individual activities |
| Selecting information to be provided to the public media during a disruptive incident | PR Manager |
| Purchases during the disruptive incident – up to $100,000 | BC Co-ordinator |
| Purchases during the disruptive incident – over $100,000 | CFO or CEO |
| Urgent purchases up to $100k beyond the IT team's spend limit and without C-level approval, allowed ONLY when both of the following apply: (1) appropriate C-Level management team members can't be reached due to the outage, and (2) the purchase is needed to restore critical systems whose disruption may cause the company to suffer significant penalties, or reputational damage which may possibly lead to full business disruption | IT Manager |

BC Manager is responsible for preparing employees in Resolver Inc. to recognize and react to incidents related to IT and communications technology. BC Manager is also responsible for preparing employees in Resolver Inc. to handle other incidents.

4.3. Cooperation with authorities

The following persons are in charge of coordination with state authorities and emergency services:

| Authority | Who is in charge |
|---|---|
| Police | BC Manager |
| Ambulance | BC Manager |
| Fire service | BC Manager |

The mentioned persons must implement all preliminary activities to ensure interoperability with authorities during a disruptive incident is at a satisfactory level. Preliminary activities may include obtaining instruction from authorities regarding the type of information required in the case of a disruptive incident and how the organization is expected to react.

4.4. Building evacuation and assembly points

Each building is evacuated as specified in the building evacuation plan in the case of fire.

After evacuating the building employees must gather at the following assembly points:

| Location | Assembly Point 1 | Assembly Point 2 |
|---|---|---|
| 111 Peter Street, Suite 804, Toronto | North-East corner of Peter and Richmond | |
| 1200-10025 102A Avenue, Suite 1200, Edmonton | In front of the building at the main entrance | |
| Unit 6, Level 1, 112 High Street, Rangiora | In front of the building at the main entrance | |
| 707 Virginia Street East, Suite 1000, Charleston | In front of the building at the main entrance | |
| 1250 Borregas Ave, Suite 138, Sunnyvale | In front of the building at the main entrance | |
| 606-608, Wing 1, Level 6, “D” Block, Cyber Gateway, Madhapur Hyderabad | In front of the building at the main entrance | |

Note: if Assembly Point 1 is unavailable, employees must gather at Assembly Point 2.

The Business Continuity Coordinator is responsible for preparing and maintaining evacuation plans in the case of fire.

4.5. Means of communication

The following means of communication will be used in the case of a disruptive incident. Those at the top of the list are to be used first; those near the bottom are used only if the former are out of order:

  1. mobile phones (business and private)
  2. telephones (business and private)
  3. E-mail (sent from business or private computers)
  4. Messaging services – e.g.: Zoom, Slack, Skype

IT Manager is responsible for acquiring/preparing and when necessary maintaining the mentioned means of communication to ensure they are available during a disruptive incident.

4.6. Transportation to alternative sites

Employees of the organization will be transported from the primary to the alternative site in the following ways:

| Activity | Means of transport |
|---|---|
| Crisis Management Team and Crisis Management Support Team | Public transportation, on foot, by private car, by business car, by rented bus |
| All the other activities | Public transportation |

The Business Continuity Coordinator is responsible for providing all means of transportation.

4.7. Transportation to alternative sites

Resolver will handle relations with interested parties by designating persons to communicate with them in the case of a disruptive incident by the following means of communication:

| Interested party | Telephone | Meetings | E-mail | Press Conference | Public Media |
|---|---|---|---|---|---|
| Employees | HR team | VP of Talent and Culture | VP of Talent and | N/A | N/A |
| Owners / shareholders | CEO and CFO | CEO, CFO, and CISO | CEO and CFO | CEO | CEO |
| Employees’ relatives | HR Team | VP of Talent and Culture with CEO with CISO | VP of Talent and Culture | N/A | N/A |
| Clients | Account Managers (Smaller Clients) after consulting with General Counsel | CISO or/and CEO for the larger clients in collaboration with General Counsel | CEO in collaboration with General Counsel | Marketing Director, CEO, CISO, and General Counsel | Marketing Director, CEO, CISO, and General Counsel |
| Public media | Marketing Director in collaboration with General Counsel | Marketing Director in collaboration with General Counsel | Marketing Director in collaboration with General Counsel | Marketing Director, CEO, CISO, and General Counsel | Marketing Director, CEO, CISO, and General Counsel |
| Associations | Marketing team | Marketing Director | Marketing Director | | |
| Emergency services | Operations Coordinator in Legal | CEO, CFO, CISO, and General Counsel | CISO in collaboration with General Counsel | Marketing Director, CEO, CISO, and General Counsel | Marketing Director, CEO, CISO, and General Counsel |
| Various state authorities | Operations Coordinator in Legal | Marketing Director, CEO, CFO, CISO, and General Counsel | Marketing Director in collaboration with General Counsel | Marketing Director, CEO, CISO, and General Counsel | Marketing Director, CEO, CISO, and General Counsel |

PR Manager is responsible for preparing all the above-mentioned persons for communicating during the disruptive incident.

PR Manager is responsible for preparing templates for the media statements, which would cover all disruptive incidents related to the above-mentioned highest risks.

5. Resource Strategy

5.1. Sites and infrastructure

Resolver’s General approach for resource strategy

Recovery sites of Resolver are the following:

| Name | Primary site | Alternative Site Strategy | Min. number of workplaces | Equipment* | Alternative site – close | Alternative site – remote |
|---|---|---|---|---|---|---|
| Command Centre | 111 Peter St. Toronto | Working at home or some other remote location. Command Center activities do not require access to company physical facilities. All critical documentation is available online through Share BOX folders or Microsoft OneDrive or stored locally on the Crisis Management Team member computers. | | All Resolver employees are provided with mobile workstations | N/A | Edmonton |
| Legal Department | 111 Peter St. Toronto | Working from Home | 2 | Same as above | N/A | N/A |
| IT Department | 111 Peter St. Toronto | Rent a Disaster recovery center from a specialized organization | 7 | Same as above | | |

*Terms used in this column have the following meaning:

a)  cold – a site with no infrastructure or equipment

b)  warm – a site with pre-installed basic infrastructure (network, etc.), links, and equipment for which the procurement periods are long

c)   hot – a site with pre-installed infrastructure, all equipment, links, and software

d)  mirrored – a site with previously installed infrastructure, all equipment, links and software, and real-time data

5.2. Suppliers and outsourcing partners

Relations with suppliers and outsourcing partners must be managed in the following way:

Possible strategies:

a) services are contracted from several suppliers or outsourcing partners simultaneously (if one partner is unavailable, the services of another can be used)
b) obliging the suppliers/outsourcing partners by contract to deliver the product or service regardless of the disruptive incident, and defining penalties (in this way suppliers/outsourcing partners are obliged to introduce business continuity, and a part of the financial risk is transferred to them)
c) alternative suppliers or outsourcing partners should be defined (in this way the transfer of business can be prepared, although the business relationship does not start until a disruptive incident occurs)
d) return of activities back to the organization (preparing the organization to take over activities that have been outsourced)

| Name of supplier/outsourcing partner | Strategy |
|---|---|
| Telecom (Internet provider) | |
| IT Maintenance | |

IT Managers are responsible for managing relations with suppliers and outsourcing partners to ensure interoperability during a disruptive incident is at a satisfactory level.

5.3. Applications/databases

All the necessary applications and databases will be installed at the alternative site if they are required within 24 hours from the disruptive incident; for those applications and databases which are not required within 24 hours, the installation media will be stored at the alternative site.

IT Manager is responsible for application/database installation and/or for the preparation of installation media.

5.4. Data

Backup copies of data shared by several activities must be made at the following intervals:

Backup procedures:

a) applications/databases – automated server-based backup procedure;
b) electronic documents – storage in intranet folders for which backup copies are created automatically;
c) paper documents – receiving all fax documents by electronic means, or scanning the documents, or copying them and storing at two separate locations

| Name of the application, database, folder, document | Frequency of creating backup copies | Backup procedure |
|---|---|---|
| Office 365 | Every 12 hours | Automated |
| Zendesk | Every 12 hours | Automated |
| BambooHR | Every 12 hours | Automated |
| Salesforce | Every 12 hours | Automated |
| Intact | Every 12 hours | Automated |

Note: the frequency for creating backup copies of data used only by a single activity is defined in the strategy for the said activity.

IT Department is responsible for creating backup copies of the above-mentioned data.

5.5. Avoiding a single point of failure

The following strategies are used to avoid a single point of failure which can cause a disruption of an activity:

| Single point of failure | The activity where it occurs | Avoidance Strategy |
|---|---|---|
| System administrators | IT Department | Write process descriptions, Internal Articles, Knowledge Base. |

CISO is responsible for implementing the single point of failure avoidance strategy.

5.6. Providing financial resources

Resolver needs to maintain a cash balance of $1.5 M CAD for ongoing working capital activities.

In the case of a disruptive incident, financial resources will be provided in the following way:

(a) a stand-by arrangement with Scotiabank.

CFO is responsible for making all necessary arrangements concerning the provision of financial resources.

6. Recovery strategy for individual activities

The recovery strategy for individual activities is defined in Appendices 6 to [number] to this Strategy.

The person specified as Recovery Manager for an individual activity is responsible for writing Recovery Plans for this activity. BC Manager is responsible for preparing all resources necessary for individual activities.

7. Implementing all necessary preparations

Appendix 5 lists all necessary preparations for the implementation of this Strategy. BC Manager must define necessary financial and other resources, and set deadlines for the implementation of each preparation; BC Manager is in charge of monitoring coordination and execution of all preparatory actions, as well as of reporting about their implementation.

8. Managing records kept on the basis of this document

| Record name | Storage location | The person responsible for the storage | Control for record protection | Retention time |
|---|---|---|---|---|
| Business Continuity Plan (in electronic form) | The computer of BC Manager and shared box folder | BC Coordinator | Only Top Management and BC Managers have the right to make entries and changes to Plan data. | The Plan is stored for a period of 3 years |

9. Validity and document management

This document is valid as of August 2020.

The owner of this document is BC Manager, who must check and if necessary update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • whether the organization succeeded in recovering activities within the recovery time objective
  • whether all necessary preparations for business continuity have been implemented

10. Appendices

  • Appendix 1_2and3 ISO 22301 (List of Activities, Recovery Priorities for Activities, Recovery Time Objectives for Activities)
  • Appendix 4 – Examples of Disruptive Incident Scenarios
  • Appendix 6+ – Activity Recovery Strategy for [name of activity]

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.