FundApps' platform's technical resilience is built to address multiple adverse scenarios and relies on high availability and disaster recovery capabilities.

Adverse Scenarios

These scenarios are:

• Single or multiple data centres (but not all data centres) fail within an AWS region;

• Data loss or database corruption;

• Breaking changes;

• Insufficient capacity;

• Misconfigurations.

High Availability

High availability is achieved through:

• Highly redundant networking;

• Compute and data storage distributed across availability zones (*) within an AWS region(Europe (Ireland)).

Furthermore, the user interface, the API, the compute, and the data storage for client positions use a multi-site active/active strategy. The data storage for client results uses a warm standby strategy.

This architecture allows an automated response to outage scenarios affecting one or more data centres within an AWS region (Europe (Ireland)).

Availability Zones(*) consist of one or more discrete data centres, each with redundant power, networking, and connectivity, housed in separate facilities.

Disaster Recovery

Disaster recovery is achieved through the use of one or several of these capabilities:

• Automated backups stored in multiple data centres across two different AWS regions (Europe (Ireland) and Europe (Frankfurt));

• Restoring data from backup to a database in the same or a different data centre within an AWS region (Europe (Ireland));

• Redeploying the last known good version of the platform's software

Our disaster recovery process is intended to meet a 4-hour RTO (Recovery Time Objective) and a 30-minute RPO (Recovery Point Objective).

These capabilities are tested every 12 months to ensure RTO and RPO can be met, and reports are available on our policy portal.

FundApps' platform's disaster recovery capabilities

Continual Improvement

The existing technical environment is designed to be resilient, but there are always risks that could impact the availability of our service. These known risks are recorded on a risk register in accordance with our risk management framework and monitored for change in status. Opportunities for improvement are sought as part of the ongoing risk management process and the strategic development of the business.

Overview

Our clients include high profile companies with high availability and service expectations. It is therefore vital that FundApps maintain service and in the event of disruption, are able to effectively manage the incident and communicate with all key interested parties.

Any loss of service from the data centres or our key services will impact the reputation of FundApps, result in loss of revenue through service credits and other compensations, and potentially damage FundApps irreparably in the marketplace.

NOTE: This document describes the management systems framework intended for compliance with ISO 22301. It is designed to provide some documentation that is needed by ISO 22301, with pointers to the other key documents, and is aligned in structure to ISO 22301 for ease of assessing compliance.

Scope

The scope of the Business Continuity Management System includes:

• The following locations:

  • FundApps offices (London, GB; New York, USA; Singapore, Singapore)

  • Amazon data centres in:

    • Dublin

    • Frankfurt

• Included in the scope are all FundApps staff and any key contractors working on behalf of FundApps

All data centre provision and hardware operations are outsourced to Amazon Web Services. FundApps do not have cause to visit these locations. All data centre staff and operations are outside the scope. All of FundApps’ products and services are within scope.

Leadership

Top management commitment

Top management commitment is demonstrated through the policy endorsed by the management team including Andrew White, CEO, Toby O'Rourke, CTO, and the participation of the top management team in the Crisis Management Team and their active involvement in the associated exercising alongside operational teams.

Management commitment

Management commitment is shown by:

• Policy and objectives endorsed by the CEO;

• Integration of business continuity into the FundApps process model;

• Promoting the improvement of the existing business continuity provisions to meet good practice as now recognized in ISO 22301;

• Committing all business areas to supporting business continuity development;

• Participation of management in BIA process and encouraging relevant team members to contribute too;

• Participation of management, deputies and team members in exercising at business unit level.

As part of establishing the BCMS the following has been undertaken:

• Establishing roles, responsibilities and competencies and associated training programme;

• Defining acceptable risk;

• Establishing internal audit procedures and programme;

• Establishing management review processes that monitor the effectiveness of the BCMS;

• Demonstrating continual improvement.

Staff welfare

Following a disruptive incident, our highest priority is staff welfare, so they are safe and able to address the other matters arising from the incident.

This includes ensuring safe evacuation from affected premises, safe containment within affected premises, ensuring that staff are paid in a timely manner, and managing all issues arising from disruptive incidents that directly impact on staff.

Awareness of the BCMS

FundApps’s management team have experience from other organisations that promoted an awareness of the need for business continuity and consequently the resilience of the service has always been a key consideration. This has been re-enforced by some planned activities such as moving office, recent transport strikes and planned maintenance in the data centre requiring a planned failover to the alternate data centre. All such events are recorded within the BCMS.

Needs and expectations of interested parties

FundApps considered all potential interested parties and referred to Figure 2 to ensure comprehensive coverage.

FundApps’s key interested parties include:

• FundApps’ shareholders – FundApps is a privately held company and not quoted on the LSE or elsewhere;

• FundApps’ staff;

• FundApps’ clients;

• Financial Services regulators who preside over the activities of FundApps’ clients.

Media handling

Media handling is undertaken directly by the CEO. Further media handling during an incident is undertaken within the Crisis Management process, with specific guidance in the Crisis Management Plan.

Neighbours

Neighbours activities have been considered as part of the risk assessment, in order to identify any areas where neighbours’ activities may pose risks to FundApps operations. FundApps have liaised with the landlord’s agents and other building occupants regarding business continuity issues, in particular rehearsing evacuation procedures, sharing information and liaising with the emergency services.

Emergency services

Emergency Services will in most circumstances deal with the landlords – i.e. the hosting provider at the data centres and the landlord’s agents at FundApps office. In some circumstances, FundApps may specifically be contacted and one such circumstance was explored during the 2014 Crisis Management exercise which required working with the Ambulance, Police and HPA.

FundApps Staff

FundApps’s staff have expectations that FundApps will continue to employ them and treat them fairly with due care in the event of a disruptive incident.

All staff are required to provide emergency contact details and these are held in our internal portal, providing a means of contacting staff outside of the normal channels and allowing FundApps to provide information to the emergency services should the need arise.

Pressure groups

FundApps have not been specifically targeted by pressure groups but are aware that they and their clients may be targeted due to the general discontent with financial services firms following the financial crisis. This is specifically reviewed as part of the business continuity risk assessment and is under constant review as part of the maintenance and enhancement of the ISMS.

Compliance with relevant laws & regulations

FundApps complies with all applicable UK Laws including Health and Safety at Work Act 1974 and these are detailed in the ISMS. FundApps have no specific legal and regulatory obligations to implement business continuity management. This is reviewed annually as part of the overall BCMS review. This review is a simple process:

1. Identify any key changes to legislation that may apply to FundApps;

2. Review new clients or changes to existing clients’ business to determine if there are any legal and regulatory requirements on them that may imply new or changed requirements on FundApps;

3. Any issues that arise are included as non-conformities within the BCMS where they will be assigned ownership and resolved.

FundApps Clients

New clients’ legal and regulatory requirements are always considered during the sales process.

FundApps’ target clients are Financial Services Firms who have advanced business continuity programmes including There is an expectation in clients that FundApps will have business continuity management in place, this forming an implicit or explicit part of the contractual relationship with the clients.

Clients are responsible for the IT DR relating to their services. FundApps offer and will build resilient services with appropriate IT DR. A plan has been lodged with FundApps within its BCMS. FundApps are therefore contractually obligated to enact these when a major incident occurs. Clients therefore have a reasonable expectation that FundApps have the capacity and capability to do this.

Shareholders

FundApps’s shareholders have a reasonable expectation that the company will continue to operate and make returns on capital. Consequently ensuring that unexpected and difficult incidents are managed effectively is an implied requirement on FundApps of their financial backers.

The Business Continuity Policy is maintained by the security team and is endorsed by:

• Andrew White, CEO,

• Toby O'Rourke, CTO.

It is an open document and available to all employees through our internal portal and on request to any interested party.

Roles, responsibilities and authorities

The Business Continuity Management System (BCMS) is the responsibility of the security team. It is his responsibility to ensure that the BCMS is established, implemented, operated and maintained.

The BCMS defines the incident response structure and what supporting business continuity plans are required. The BCMS defines the Exercise Programme which is agreed for each coming calendar year and approved by management through the business continuity management forum. Each plan has a designated owner.

Each business continuity plan owner and they are responsible for:

• Defining impacts to their business area that may arise following a disruptive incident

• Identifying risks to their business

• Defining their requirements following any disruptive incident

• Populating a standard FundApps business continuity plan and maintaining this plan

• Reviewing their business continuity plan on a 6 monthly basis and when significant changes occur to ensure details are current

• Undertaking basic exercises as required in the Exercise Programme according to the guidelines provided

• Participating in other exercises as agreed in the annual Exercise Programme

• Notifying the Head of Information Security of issues arising from reviews, exercises or any other pertinent matters.

Risks and opportunities

FundApps currently has three offices in London, New York and Singapore. The team work from home and away from the office on a regular basis and no data is uniquely held in the office or on the laptops with which they access the systems. Consequently, there is little direct dependence on the office and the team are able to work away from this location with little difficulty.

Business continuity objectives

FundApps’ business continuity objectives are:

• Ensure the safety of staff and other occupants for which they are responsible within the buildings;

• Minimize disruption to clients and hence protect reputation and standing;

• Enable a return to normal operations in the shortest practical time with the minimum of disruption;

• Establish, implement and maintain a BCMS compliant with ISO22301.

Awareness and Communication

FundApps raise awareness about Business Continuity needs to staff during induction and through regularly planned BCP tests.

This is to ensure staff:

• Are aware of their role in business continuity and what will be expected of them following a disruptive incident

• Understand their role in maintaining and improving the BCMS.

Staff who hold specific roles receive training and take part in exercising to ensure that they are ready to fulfil those roles. Any enquiries from staff requiring further details are passed to the security team or CTO.

External communication includes existing and prospective clients and suppliers:

• Existing and prospective clients will be informed of FundApps’ business continuity arrangements in outline and will receive a copy of the policy on request.

• Suppliers are asked to provide information on their business continuity arrangements during the procurement process.

Client enquiries are initially dealt with by the business teams. Where additional detail is required, these are referred to the security team or CTO.

Any communication with the local community would be by the landlord or the emergency services. Media communications are dealt with by the CEO.

The Environment Agency and the Met Office provide information on flooding and weather, and these have been identified as the only regional or national threat advisory systems. FundApps monitor these when necessary, i.e. when a warning is issued that is pertinent to FundApps. As no direct flood risk has been identified, the focus of the monitoring is on the effect it may have on staff and travel disruptions. This is considered business as usual activity and is incorporated into the incident response when necessary, and is included in the exercising programme too.

FundApps have recognised that communication following a disruptive incident can be challenging and that normal means of communication may not suffice. In order to address this, FundApps have sought to ensure that many communication channels are available including but not limited to:

• Slack which enables rapid communication through a messaging system and details of who is available.

• Mobile phones. Mobile phone numbers are the main point of contact for clients to senior management, for sales and technical staff.

• Email (both personal and FundApps) can be used to communicate to all staff and to clients and suppliers.

• SMS Text messaging to provide short messages.

• Landline numbers where possible for staff.

It is recognised that in extreme circumstances all of these channels can become unavailable. Communication methods are exercised as part of the exercise programme and reviewed following incidents.

Incident Detection

Incidents which can lead to a crisis can be detected in several ways as described hereafter:

• Incidents within the data centres are detected by:

  • FundApps own monitoring detects the external availability of our service and the internal availability and correct functioning of our internal services. Alerts will be raised through our monitoring software and dealt with through the incident management process.

  • Data centre staff and automated monitoring also notify FundApps of underlying issues with infrastructure via a public status page.

• Incidents at the FundApps office are detected by:

  • The landlords’ agents follow their procedure to notify occupants of the building, specifically via FundApps facilities

  • Directly by FundApps staff who raise this with FundApps facilities or the MMC out of hours.

• Incidents externally are detected by:

  • Media coverage

  • Directly by contact with the Emergency Services.

  • Once notified, the relevant personnel assess whether the incident is managed through normal business-as-usual procedures or whether further escalation is required. This is based on both experience and knowledge of the individuals and by reference to the impact criteria table in the Crisis Management Plan where necessary.

• When the Crisis Management Team (as defined in the Business Continuity Plan) is activated, the initial incident details are recorded on the Incident Report Form and subsequent updates are recorded on the “Status Report Form”. The Crisis Management Team (CMT) keep a record of issues, actions and communications and log all activity as part of the process.

• The Business Continuity Plan provides supporting information for the CMT to Assemble, Meet and Manage the incident including monitoring the situation and developments. It also explicitly requires consideration of closing the incident and reviewing what has been learned. Further details can be found in the Business Continuity Plan.

• The CMT have received training and have responded to several challenging incidents. Post-incident reports are available.

• Ongoing exercising is designed to ensure that the CMT are well equipped to deal with incidents of all sorts and this includes relevant deputies. Similarly, every business area has undertaken basic training and exercising, has had to respond to real incidents and ongoing exercising is aimed at ensuring that the whole incident response structure operates effectively.

Maintenance of staff contact details

In the event of an incident which requires the full or partial invocation of the Business Continuity Plan, it is vital that the Company is able to contact all of its personnel quickly and efficiently.

In preparation for this, a number of actions take place:

• Employee contact information is stored in the Google Drive which is externally hosted.

• In addition, each employee has contact numbers already stored in their mobile phones.

FundApps Documentation

In order to maintain consistency, legibility and accessibility all BCMS documentation is held as an electronic copy within FundApps’s document management system GitHub.

A summary of the main documents and its owner can be found in this document. Each document will be approved by the owner prior to issue, as will any subsequent updates. The approval process will typically be conducted via email.

GitHub has built-in version control which allows anyone with sufficient access to view previous versions and therefore facilitates comparison between versions. Unwanted documents are removed from the repository but are retrievable by IT. Documents can only be checked out for updates by those with appropriate access. Each document has an assigned Owner and GitHub tracks whether documents have been appropriately approved.

Risk and Impact Assessment

Please see our risk management section for information about how we assess risks, their likelihood impact and our risk appetite.

Establish and implement business continuity procedures

These are documented as a set of documents which together support the incident response. There is a Business Continuity Plan to support the Crisis Management Team (CMT) and plans to support IT Recovery in the event of a data centre failure. A short plan for the management of the immediate response has also been developed.

Exercising and testing

An annual programme of exercising is documented and agreed. This is then executed by the security team and the relevant business areas. Audit processes ensure that business exercises are completed and are effective. Actions arising are captured by the security team and ownership is assigned for execution.

The team undertake regular tests of the IT recovery and these are recorded in Google Drive. Any issues arising are tracked through the raising of tickets as part of business-as-usual fault resolution.

Monitoring and management of risks

Identified Business Continuity risks and associated action plans are discussed during the monthly security meetings. These meetings have the following attendees:

• CTO

• Security team

BCMS Review

The security team reviews the FundApps Business Continuity Management System and submits changes to the management forum for validation, at a minimum, on an annual basis.

FundApps has performed a business impact analysis and maintains a risk register as part of our business continuity management system. The full risk register is maintained here [Restricted to FundApps staff]. We do not include the full details here, but below is a summary of the risks that we have analysed.