07 Resolver Business Continuity Plan ISO 22301

1. Purpose, scope, and users

The purpose of the Business Continuity Plan is to define precisely how Resolver Inc. will manage incidents in the case of a disaster or other disruptive incident, and how it will recover its activities within set deadlines. The objective of this plan is to keep the damage from a disruptive incident at an acceptable level.

This plan is applied to all critical activities inside the scope of the Business Continuity Management System (BCMS).

Users of this document are all staff members, both inside and outside the organization, who have a role in business continuity.

2. Reference documents

  • ISO 22301 standard, clause 8.4
  • List of statutory, regulatory, contractual, and other requirements
  • Business Continuity Policy
  • Business Impact Analysis questionnaires
  • Business Continuity Strategy

3. Business Continuity Plan

3.1. Plan Content

The Business Continuity Plan consists of these major parts:

  • Business Continuity Plan – defines top-level rules for business continuity
  • Incident Response Plan – Appendix 1 – a plan that defines the direct response to the occurrence of various types of incidents
  • Disaster Recovery Plan – a plan that defines the recovery of IT infrastructure and IT services
  • Recovery plans for individual activities – Appendix 7 onward – prepared separately for each activity; these plans deal with the recovery of the resources necessary for each activity

Each of these plans defines its activation procedure.

3.2. Assumptions

For this plan to be effective, at least 50% of the resources and arrangements specified in the Business Continuity Strategy need to be prepared.

3.3. Appointment and Authorities

The following bodies are formed when a disruptive incident occurs:

Crisis Management Team

| Members | Substitutes | Role |
|---|---|---|
| CFO | | Business Continuity (BC) Coordinator |
| CISO | COO | Crisis Management Team member |
| CEO | | Crisis Management Team member |
| DevOps Director | | Crisis Management Team member |
| HR Director | | Crisis Team member |
| Corporate controller | | BC Manager |
| IT Directors | | |
| Information Security Analyst | | BC Manager (backup) |

Crisis Management Support Team

| Members | Substitutes | Role |
|---|---|---|
| IT team | | |
| DevOps Team | | |
| Support team | | |
| HR Team | | |
| Marketing Team | | |

The purpose of the Crisis Management Team is to make all key decisions and coordinate actions during the disruptive incident. The purpose of the Crisis Management Support Team is to relieve the Crisis Management Team of administrative and other operational activities, so that it can focus on managing the disruptive incident. Members of the Crisis Management Support Team are directly responsible to the Crisis Management Team.

Recovery managers for individual activities are appointed in the recovery plans for the said activities.

Authorizations for action during the disruptive incident are the following:

| Type of decision | Who is authorized |
|---|---|
| How small incidents related to IT and communications technology are resolved | Employees in the IT Department |
| How all other small incidents are resolved | Employees in the Information Security Department |
| Making a decision about invoking recovery plans | BC Coordinator |
| Making a decision about the selection of an alternative site (use of the close or remote alternative site) | BC Coordinator |
| Informing employees about the invocation of recovery plans | BC Coordinator; if he/she is unable to do it, then the recovery manager for individual activity |
| Implementing all tasks necessary for the recovery of individual activities | Recovery Manager for individual activity |
| Content of the communication for different interested parties | VP Customer Success |
| Selecting information to be provided to the public media during the disruptive incident | VP Customer Success |
| Purchases during the disruptive incident – over CAD$100000 | CEO and CFO |
| Purchases during the disruptive incident – up to CAD$100000 | BC Coordinator |

3.4. Plan activation; plan deactivation

The Incident Response Plan is activated automatically when an incident occurs or a potential incident threatens the organization's activities. The Incident Response Plan is deactivated after an incident has been contained or eradicated.

The Disaster Recovery Plan and recovery plans for particular activities are activated exclusively by the BC Coordinator’s decision if he/she assesses that a particular activity will be interrupted for a period longer than the recovery time objective for that activity. The decision of the BC Coordinator may be written or oral.

The Disaster Recovery Plan and recovery plans may be deactivated by recovery managers for individual activities when they establish that all conditions for the resumption of business activities have been met. The Disaster Recovery Plan and recovery plans are deactivated by resuming normal business activities.

3.5. Communication

The following means will be used for communication between the Crisis Management Team and activities, and between activities themselves – they are ordered according to priority (the first one from the list is to be used first; in case it is not available, the next one is used):

  1. Mobile phones (business and private)
  2. Telephones (business and private)
  3. E-mail (sent from business or private computers)
  4. Messaging services – e.g., Zoom, Slack, Skype

The BC Coordinator in the Crisis Management Team is responsible for coordinating communication with all activities.

Responsibilities for communicating with particularly interested parties are specified in the Incident Response Plan.

3.6. Site and Transportation

The BC Coordinator is responsible for ensuring access to each provided alternative site. Appendix 3 specifies all provided alternative sites.

Responsibilities for transportation to alternative sites are specified in Appendix 4 – Transportation Plan.

3.7. Order of recovery for activities

Activities must be recovered in the following order:

| No. | Name of activity | Recovery time objective |
|---|---|---|
| #1 | Customer Support Department | 1 hour |
| #2 | DevOps Department | 1 hour |
| #3 | IT Department | 4 hours |
| #4 | Professional Services | 4 hours |
| #5 | Information Security Department | 4 hours |
| #6 | Legal Department | 8 hours |
| #7 | Development/Engineering Department | 8 hours |
| #8 | QA Department | 8 hours |
| #9 | Finance Department | 24 hours |
| #10 | HR Department | 48 hours |
| #11 | Executive Department | 48 hours |
| #12 | Product Management Department | 72 hours |
| #13 | Sales Department | 72 hours |
| #14 | Marketing Department | 96 hours |

3.8. Interdependencies and interactions

The dependencies and interactions between activities, as well as with suppliers and external parties, are detailed in the Incident Response Plan, the Disaster Recovery Plan, and individual recovery plans for activities.

3.9. Required resources

Resources that are required for the recovery of the activities are listed in their recovery plans; the resources required for the recovery of IT infrastructure and IT services are listed in the Disaster Recovery Plan.

3.10. Regular review of business impact analysis

The BC Manager must conduct a review of the Business Impact Analysis Questionnaires and update the Business Continuity Strategy accordingly. The review is conducted at least once a year, or more frequently in case of significant organizational changes, a significant change in technology, change of business objectives, changes in the business environment, etc.

The Command Centre, which serves the Crisis Management Team and Crisis Management Support Team, is equipped as follows:

| Name of resource | Description | Amount | When the resource is necessary | The person responsible for obtaining the resource |
|---|---|---|---|---|
| Applications / databases: | | | | |
| Office 365 | Online SaaS service | | immediately | IT manager |
| Slack | Online SaaS service | | 1 hour | |
| Salesforce | Online SaaS service | | 4 hours | |
| Data stored in electronic form: | | | | |
| Business Continuity Strategy and plans for all activities | All documentation stored online in the Shared Box folder and One Drive and local machines | | immediately | |
| Data stored on paper: | | | | |
| Business Continuity Strategy and plans for all activities | | | immediately | |
| IT and communications equipment: | | | | |
| Workstations | | | immediately | |
| Mobile or landline phones | | | immediately | |
| Printer / Fax Machine | | | within 2 hours | |
| Communication channels: | | | | |
| Telephone landlines | RingCentral | | immediately | |
| Internet access | | | immediately | |
| Facilities and infrastructure: | | | | |
| Computer network | | | immediately | |
| Furniture | | | immediately | |
| External services: | | | | |
| Electricity | | | immediately | |

4. Restoring and resuming business activities from temporary measures

The purpose of restoring and resuming business activities from temporary measures is to bring business operations back to business-as-usual, that is, to the normal state as it was prior to the disruptive incident.

The steps described in this section are not time-critical – they are to be performed in proportion to the impact of the disruptive incident and in accordance with available resources. The decision to activate each of the following steps is made by the BC Coordinator.

The following steps need to be performed, in this order:

  1. Preservation of the damaged assets and evaluation of damage
  2. Assessment of the situation and determining options and responsibilities
  3. Developing an action plan – determining the steps needed to return activities to the normal state

4.1. Preservation of damaged assets and evaluation of damage

The BC Coordinator will nominate the team for preserving the damaged assets – the focus of this team is to prevent the damage from spreading.

The BC Coordinator will nominate the team for evaluation of the damage. The evaluation must consist of the following: name of the asset, location of the asset, type of damage, and cost of damage.

4.2. Assessment of the situation & determining options and responsibilities

Depending on the extent of the damage, the BC Coordinator needs to decide the following: (1) whether to move back to the primary location or look for a new location, (2) whether to purchase new equipment or repair the existing, (3) when and where the operations of activities that do not support key products and services (activities with lower priority) will be recovered/resumed, and (4) whether there are enough human resources to support normal operations, etc.

Based on these decisions, the BC Coordinator must nominate responsible persons for the following:

a) Making claims against insurance policies

b) Restoring facilities

c) Acquiring new facilities

d) Logistics for moving to other locations

e) Repairing the equipment

f) Purchasing new equipment

g) Hiring new personnel

h) Recovering lower priority activities

4.3. Developing action plans

Each responsible person must develop an action plan for his/her area of responsibility, which will – amongst other information – contain the following:

(1) steps to be taken,

(2) required human resources,

(3) required financial resources, and

(4) deadlines.

The BC Coordinator must define:

(1) how to provide the necessary funding,

(2) procurement process and authorizations,

(3) which reports will be sent to the Crisis Management Team, and

(4) who will review the steps once they are complete.

5. Validity and document management

This document is valid as of August 2020.

This document is stored in the following way:

  • the electronic form of the document is stored in the following way: shared folder in Box: Link should be provided

The owner of this document is an Information Security Analyst, who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • Did activities recover within the required time?
  • Are recovery plans and Incident Response Plan synchronized?
  • Did exercising and testing achieve objectives?

6. Appendices

  • Appendix 1 – Incident Response Plan
  • Appendix 6 – Disaster Recovery Plan

EFFECTIVE ON: September 2020

REVIEW CYCLE: Annual at least and as needed

REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.