The purpose of this document is to define how Resolver will ensure that all conditions for the resumption of business activities in the case of a disaster or other disruptive incidents are met. It forms the basis for preparing the Business Continuity Plan and recovery plans.
This document is applied to the entire BCMS scope as defined in the Business Continuity Management Policy.
Users of this document are members of top management and persons implementing the business continuity management project.
BC Coordinator is responsible for coordinating the creation of a BCP plan by BC team leads, ensuring the plan is updated in a regular base and enacting the plan in case of a crisis event.
The Business Impact Analysis established that 12 activities support key products and services – please see Appendix 1 for a list of such activities.
The maximum tolerable period of disruption (maximum acceptable outage) for each activity has been determined in the Business Impact Analysis Questionnaire – please see Appendix 2.
Appendix 3 determines recovery time objectives for each activity, taking into account dependencies on other activities.
Assessment of risks that could affect business continuity is described in the Risk Assessment report. The highest risks which could lead to a disruptive incident, i.e., business disruption identified during risk assessment are the following:
For all the mentioned risks/incidents it is necessary:
If business continuity plans are activated, a working body called Crisis Management Team is formed which is authorized to make any decisions to resolve the situation. Members of the Crisis Management Team are:
The Crisis Management Team is managed by the Crisis Manager/ BC Coordinator. CFO will perform the function of Crisis Manager, and in the case of his/her absence the function will be performed by CEO / CISO and so on according to the Crisis Management Team structure and decision.
The Crisis Management Team manages the disruptive incident from a facility called the Command Centre, the location of which is specified in item 5.1 of this Strategy.
The Crisis Management Support Team has the function of relieving the Crisis Management Team from administrative and other operational activities, in order to focus on managing the disruptive incident.
Members of the Crisis Management Support Team are:
The Crisis Management Support Team shall work on locations specified by the Crisis Management Team.
To serve the Crisis Management Team and Crisis Management Support Team the Command Centre must be equipped as follows:
|Name of resource||Description||Amount||When the resource is necessary|
|Applications / databases:|
|ZenDesk||within 2 hours|
|Jira||within 2 hours|
|Data stored in electronic form:|
|Business Continuity Strategy and plans for all activities||within 2 hours|
|Data stored on paper:|
|Business Continuity Strategy and plans for all activities||immediately|
|IT and communications equipment:|
|Workstations||within 2 hours|
|e-mail service (Office 365)||immediately|
|Zoom or equivalent alternative; Teams, WebEx||within 2 hours|
|Facilities and infrastructure:|
|Computer network||within 2 hours|
|HVAC||within 2 hours|
[27A1] [27A1]Depending on the number of members in the Crisis Management Team and if necessary in Crisis Management Support Team.
BC Manager is responsible for preparing the Crisis Management Team and the Crisis Management Support Team for their role during a disruptive incident. BC Manager is responsible for equipping the Command Centre.
Incidents are reported in the following way:
If the persons mentioned are unable to resolve the incident, they must inform the Crisis Manager who decides whether to activate recovery plans.
Authorizations for making decisions are the following:
|Type of decision||Who is authorized|
|How small incidents related to IT and communications technology are resolved||Employees in the IT Department|
|How all other small incidents are resolved||BC Manager|
|Making a decision about activating recovery plans||Crisis Manager|
|Implementing all tasks necessary for the recovery of individual activities||Recovery Manager for individual activities|
|Selecting information to be provided to the public media during a disruptive incident||PR Manager|
|Purchases during the disruptive incident – up to $100,000||BC Co-ordinator|
|Purchases during the disruptive incident – over $100,000||CFO or CEO|
|IT team is allowed to make an urgent purchase beyond their spend and without getting C-level approval up to $100k in ONLY the following circumstances:||IT Manager.|
BC Manager is responsible for preparing employees in Resolver Inc. to recognize and react to incidents related to IT and communications technology BC Manager is responsible for preparing employees in Resolver Inc. to handle other incidents.
The following persons are in charge of coordination with state authorities and emergency services:
|Authority||Who is in charge|
|Fire service||BC Manager|
The mentioned persons must implement all preliminary activities to ensure interoperability with authorities during a disruptive incident is at a satisfactory level. Preliminary activities may include obtaining instruction from authorities regarding the type of information required in the case of a disruptive incident and how the organization is expected to react.
Each building is evacuated as specified in the building evacuation plan in the case of fire.
After evacuating the building employees must gather at the following assembly points:
|Location||Assembly Point 1||Assembly Point 2|
|111 Peter Street, Suite 804, Toronto,||North-East corner of Peter and Richmond|
|1200-10025 102A Avenue, Suite 1200, Edmonton||In front of the building at the main entrance|
|Unit 6, Level 1, 112 High Street, Rangiora||In front of the building at the main entrance|
|707 Virginia Street East, Suite 1000, Charleston||In front of the building at the main entrance|
|1250 Borregas Ave, Suite 138, Sunnyvale||In front of the building at the main entrance|
|606-608, Wing 1, Level 6, “D” Block, Cyber Gateway, Madhapur Hyderabad||In front of the building at the main entrance|
Note: if Assembly Point 1 is unavailable, employees must gather at Assembly Point 2.
The business Continuity Coordinator is responsible for preparing and maintaining evacuation plans in the case of fire.
The following means of communication will be used in the case of a disruptive incident – those at the top of the list are to be used first, those near the bottom are used only if the former is out of order:
IT Manager is responsible for acquiring/preparing and when necessary maintaining the mentioned means of communication to ensure they are available during a disruptive incident.
Employees of the organization will be transported from the primary to the alternative site in the following ways:
|Activity||Means of transport|
|Crisis Management Team and Crisis Management Support Team||using public transportation, on foot, by private car, by business car; by rented bus;|
|All the other activities||Public transportation|
The business Continuity Coordinator is responsible for providing for all means of transportation.
Resolver will handle relations with interested parties by designating persons to communicate with them in the case of the disruptive incident by the following means of communication:
|[Telephone]||[Meetings]||[E-mail]||[Press Conference]||[Public Media]|
|[Employees]||HR team||VP of Talent and Culture||VP of Talent and||N/A||N/A|
|[Owners /shareholders]||CEO and CFO||CEO, CFO, and CISO||CEO and CFO||CEO||CEO|
|[Employees’ relatives]||HR Team||VP of Talent and Culture with CEO with CISO||VP of Talent and Culture||N/A||N/A|
|[Clients]||Account Managers (Smaller Clients) after consulting with General Counsel||CISO or/and CEO for the larger clients in collaboration with General Counsel||CEO in collaboration with General Counsel||Marketing Director, CEO, CISO, and General Counsel||Marketing Director, CEO, CISO, and General Counsel|
|[Public media]||Marketing Director in collaboration with General Counsel||Marketing Director in collaboration with General Counsel||Marketing Director in collaboration with General Counsel||Marketing Director, CEO, CISO, and General Counsel||Marketing Director, CEO, CISO, and General Counsel|
|[Associations]||Marketing team||Marketing Director||Marketing Director|
|[Emergency services]||Operations Coordinator in Legal||CEO, CFO, CISO, and General Counsel||CISO in collaboration with General Counsel||Marketing Director, CEO, CISO, and General Counsel||Marketing Director, CEO, CISO, and General Counsel|
|[various state authorities]||Operations Coordinator in Legal||Marketing Director, CEO, CFO, CISO, and General Counsel||Marketing Director in collaboration with General Counsel||Marketing Director, CEO, CISO, and General Counsel||Marketing Director, CEO, CISO, and General Counsel|
PR Manager is responsible for preparing all the above-mentioned persons for communicating during the disruptive incident.
PR Manager is responsible for preparing templates for the media statements, which would cover all disruptive incidents related to the above-mentioned highest risks.
Resolver’s General approach for resource strategy
Recovery sites of Resolver are the following:
|Name||Primary site||Alternative Site Strategy||Min. number of workplaces||Equipment*||Alternative site – close||Alternative site – remote|
|Command Centre||111 Peter St. Toronto||Working at home or some other remote location. Command Center activities do not require access to company physical facilities.|
All critical documentation is available online through Share BOX folders or Microsoft OneDrive or stored locally on the Crisis Management Team member computers
|All Resolver employees are provided with mobile workstations||N/A||Edmonton|
|Legal Department||111 Peter St. Toronto||Working from Home||2||Same as above||N/A||N/A|
|IT Department||111 Peter St. Toronto||Rent a Disaster recovery center from a specialized organization||7||Same as above|
*Terms used in this column have the following meaning:
a) cold – a site with no infrastructure or equipment
b) warm – a site with pre-installed basic infrastructure (network, etc.), links, and equipment for which the procurement periods are long
c) hot – a site with pre-installed infrastructure, all equipment, links, and software
d) mirrored – a site with previously installed infrastructure, all equipment, links and software, and real-time data
Relations with suppliers and outsourcing partners must be managed in the following way:
|Name of supplier/outsourcing partner||Strategy|
|[a) services are contracted from several suppliers or outsourcing partners simultaneously – if one partner is unavailable, the services of another can be used)|
|b) obliging the suppliers/outsourcing partners by contract to deliver the product or service regardless of the disruptive incident and define penalties (in this way suppliers/outsourcing partners are obliged to introduce business continuity, and transferring a part of the financial risk to them)|
|c) alternative suppliers or outsourcing partners should be defined (in this way the transfer of business can be prepared, although the business relationship does not start until a disruptive incident occurs)|
|d) return of activities back to the organization (preparing the organization to take over activities that have been outsourced)]|
|Telcom (Internet provider)|
IT Managers are responsible for managing relations with suppliers and outsourcing partners to ensure interoperability during a disruptive incident is at a satisfactory level.
All the necessary applications and databases will be installed at the alternative site if they are required within 24 hours from the disruptive incident; for those applications and databases which are not required within 24 hours, the installation media will be stored at the alternative site.
IT Manager is responsible for application/database installation and/or for the preparation of installation media.
Backup copies of data shared by several activities must be made at following intervals:
|Name of the application, database, folder, document:||Frequency of creating backup copies||Backup procedure|
|[a) applications/databases – automated server-based backup procedure;|
b) electronic documents – storage in intranet folders for which backup copies are created automatically;
c) paper documents – receiving all fax documents by electronic means, or scanning the documents, or copying them and storing at two separate locations]
|Office 365||Every 12 hours||Automated|
|Zendesk||Every 12 hours||Automated|
|BambooHR||Every 12 hours||Automated|
|Salesforce||Every 12 hours||Automated|
|Intact||Every 12 hours||Automated|
Note: the frequency for creating backup copies of data used only by a single activity is defined in the strategy for the said activity.
IT Department is responsible for creating backup copies of the above-mentioned data
The following strategies are used to avoid a single point of failure which can cause a disruption of an activity:
|Single point of failure||The activity where it occurs||Avoidance Strategy|
|System administrators||IT Department||Write process descriptions, Internal Articles, Knowledge Base.|
CISO is responsible for implementing the single point of failure avoidance strategy.
The resolver needs to maintain a cash balance of $1.5 M CAD for ongoing working capital activities.
In the case of a disruptive incident, financial resources will be provided in the following way:
(a) a stand-by arrangement with Scotiabank.
CFO is responsible for making all necessary arrangements concerning the provision of financial resources.
The recovery strategy for individual activities is defined in Appendices 6 to [number] to this Strategy.
The person specified as Recovery Manager for an individual activity is responsible for writing Recovery Plans for this activity. BC Manager is responsible for preparing all resources necessary for individual activities.
Appendix 5 lists all necessary preparations for the implementation of this Strategy. BC Manager must define necessary financial and other resources, and set deadlines for the implementation of each preparation; BC Manager is in charge of monitoring coordination and execution of all preparatory actions, as well as of reporting about their implementation.
|Record name||Storage location||The person responsible for the storage||Control for record protection||Retention time|
|Business Continuity Plan (in electronic form)||The computer of BC Manager and shared box folder||BC Coordinator||Only Top Management and BC Managers have the right to make entries and changes to Plan data.||The Plan is stored for a period of 3 years|
This document is valid as of August 2020.
The owner of this document is BC Manager, who must check and if necessary update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: Annual at least and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.