The purpose of the Business Continuity Plan is to define precisely how Resolver Inc. will manage incidents in the case of a disaster or other disruptive incident, and how it will recover its activities within set deadlines. The objective of this plan is to keep the damage from a disruptive incident at an acceptable level.
This plan is applied to all critical activities inside the scope of the Business Continuity Management System (BCMS).
Users of this document are all staff members, both inside and outside the organization, who have a role in business continuity.
The Business Continuity Plan consists of these major parts:
Each of these plans defines its activation procedure.
For this plan to be effective, at least 50% of the resources and arrangements specified in the Business Continuity Strategy need to be prepared.
The following bodies are formed when a disruptive incident occurs:
|Crisis Management Team|
|CFO||Business Continuity (BC) Coordinator|
|CISO||Crisis Management Team member|
|CEO||Crisis Management Team member|
|DevOps Director||Crisis Management Team member|
|HR Director||Crisis Team member|
|Corporate controller||BC Manager|
|Information Security Analyst||BC Manager (backup)|
|Crisis Management Support Team|
The purpose of the Crisis Management Team is to make all key decisions and coordinate actions during the disruptive incident. The purpose of the Crisis Management Support Team is to relieve the Crisis Management Team of administrative and other operational activities so that it can focus on managing the disruptive incident. Members of the Crisis Management Support Team are directly responsible for the Crisis Management Team.
Recovery managers for individual activities are appointed in the recovery plans for the said activities.
Authorizations for action during the disruptive incident are the following:
| Type of decision | Who is authorized |
|---|---|
| How small incidents related to IT and communications technology are resolved | Employees in the IT Department |
| How all other small incidents are resolved | Employees in the Information Security Department |
| Making a decision about invoking recovery plans | BC Coordinator |
| Making a decision about the selection of an alternative site (use of the close or remote alternative site) | BC Coordinator |
| Informing employees about the invocation of recovery plans | BC Coordinator; if he/she is unable to do it, then the recovery manager for individual activity |
| Implementing all tasks necessary for the recovery of individual activities | Recovery Manager for individual activity |
| Content of the communication for different interested parties | VP Customer Success |
| Selecting information to be provided to the public media during the disruptive incident | VP Customer Success |
| Purchases during the disruptive incident – over CAD$100000 | CEO and CFO |
| Purchases during the disruptive incident – up to CAD$100000 | BC Coordinator |
The Incident Response Plan will be activated automatically in case an incident occurs, or a potential incident is threatening its activities. The Incident Response Plan is deactivated after an incident has been contained or eradicated.
The Disaster Recovery Plan and recovery plans for particular activities are activated exclusively by the BC Coordinator’s decision if he/she assesses that a particular activity will be interrupted for a period longer than the recovery time objective for that activity. The decision of the BC Coordinator may be written or oral.
The Disaster Recovery Plan and recovery plans may be deactivated by recovery managers for individual activities when they establish that all conditions for the resumption of business activities have been met. The Disaster Recovery Plan and recovery plans are deactivated by resuming normal business activities.
The following means will be used for communication between the Crisis Management Team and activities, and between activities themselves – they are ordered according to priority (the first one from the list is to be used first; in case it is not available, the next one is used):
The BC Coordinator in the Crisis Management Team is responsible for coordinating communication with all activities.
Responsibilities for communicating with particular interested parties are specified in the Incident Response Plan.
The BC Coordinator is responsible for ensuring access to each provided alternative site. Appendix 3 specifies all provided alternative sites.
Responsibilities for transportation to alternative sites are specified in Appendix 4 – Transportation Plan.
Activities must be recovered in the following order:
| No. | Name of activity | Recovery time objective |
|---|---|---|
| #1 | Customer Support Department | 1 hour |
| #2 | DevOps Department | 1 hour |
| #3 | IT Department | 4 hours |
| #4 | Professional Services | 4 hours |
| #5 | Information Security Department | 4 hours |
| #6 | Legal Department | 8 hours |
| #7 | Development/Engineering Department | 8 hours |
| #8 | QA Department | 8 hours |
| #9 | Finance Department | 24 hours |
| #10 | HR Department | 48 hours |
| #11 | Executive Department | 48 hours |
| #12 | Product Management Department | 72 hours |
| #13 | Sales Department | 72 hours |
| #14 | Marketing Department | 96 hours |
The dependencies and interactions between activities, as well as with suppliers and external parties, are detailed in the Incident Response Plan, the Disaster Recovery Plan, and individual recovery plans for activities.
Resources that are required for the recovery of the activities are listed in their recovery plans; the resources required for the recovery of IT infrastructure and IT services are listed in the Disaster Recovery Plan.
The BC Manager must conduct a review of the Business Impact Analysis Questionnaires and update the Business Continuity Strategy accordingly. The review is conducted at least once a year, or more frequently in case of significant organizational changes, a significant change in technology, change of business objectives, changes in the business environment, etc.
The Command Centre, which serves the Crisis Management Team and Crisis Management Support Team, is equipped as follows:
| Name of resource | Description | Amount | When the resource is necessary | The person responsible for obtaining the resource |
|---|---|---|---|---|
| Applications / databases: | | | | |
| Office 365 | Online SaaS service | | immediately | IT manager |
| Slack | Online SaaS service | | 1 hour | |
| Salesforce | Online SaaS service | | 4 hours | |
| Data stored in electronic form: | | | | |
| Business Continuity Strategy and plans for all activities | All documentation stored online in the Shared Box folder and One Drive and local machines | | immediately | |
| Data stored on paper: | | | | |
| Business Continuity Strategy and plans for all activities | | | immediately | |
| IT and communications equipment: | | | | |
| Mobile or landline phones | | | immediately | |
| Printer / Fax Machine | | | within 2 hours | |
| Facilities and infrastructure: | | | | |
The purpose of restoration and resuming the business activities from temporary measures is to bring the business operations back to business-as-usual – to the normal state as it was prior to the disruptive incident.
The steps described in this section are not time-critical – they are to be performed in proportion to the impact of the disruptive incident and in accordance with available resources. The decision to activate each of the following steps is made by the BC Coordinator.
The following steps need to be performed, in this order:
BC Coordinator will nominate the team for preserving the damaged assets – the focus of this team is to prevent the damage from spreading.
BC Coordinator will nominate the team for evaluation of the damage. The evaluation must consist of the following: name of the asset, location of the asset, type of damage, and cost of damage.
Depending on the extent of the damage, the BC Coordinator needs to decide the following: (1) whether to move back to the primary location or look for a new location, (2) whether to purchase new equipment or repair the existing, (3) when and where the operations of activities that do not support key products and services (activities with lower priority) will be recovered/resumed, and (4) whether there are enough human resources to support normal operations, etc.
Based on these decisions the BC Coordinator must nominate responsible persons for the following:
a) Making claims against insurance policies
b) Restoring facilities
c) Acquiring new facilities
d) Logistics for moving to other locations
e) Repairing the equipment
f) Purchasing new equipment
g) Hiring new personnel
h) Recovering lower priority activities
Each responsible person must develop an action plan for his/her area of responsibility, which will – amongst other information – contain the following:
(1) steps to be taken,
(2) required human resources,
(3) required financial resources, and
The BC Coordinator must define:
(1) how to provide the necessary funding,
(2) procurement process and authorizations,
(3) which reports will be sent to the Crisis Management Team, and
(4) who will review the steps once they are complete.
This document is valid as of August 2020.
This document is stored in the following way:
The owner of this document is an Information Security Analyst, who must check and, if necessary, update the document at least once a year.
When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:
EFFECTIVE ON: September 2020
REVIEW CYCLE: Annual at least and as needed
REVIEW, APPROVAL & CHANGE HISTORY: Last time reviewed and approved in August 2020 by Resolver’s Information Technology Security team.