Business Continuity Policy

The Business Continuity Policy is maintained by the security team and is endorsed by:

  • Andrew White, CEO,

  • Toby O'Rourke, CTO.

It is an open document and available to all employees through our internal portal and on request to any interested party.

Roles, responsibilities and authorities

The Business Continuity Management System (BCMS) is the responsibility of the security team. It is the team's responsibility to ensure that the BCMS is established, implemented, operated and maintained.

The BCMS defines the incident response structure and what supporting business continuity plans are required. The BCMS also defines the Exercise Programme, which is agreed for each coming calendar year and approved by management through the business continuity management forum. Each plan has a designated owner.

Each business continuity plan owner is responsible for:

  • Defining impacts to their business area that may arise following a disruptive incident

  • Identifying risks to their business

  • Defining their requirements following any disruptive incident

  • Populating a standard FundApps business continuity plan and maintaining this plan

  • Reviewing their business continuity plan on a 6 monthly basis and when significant changes occur to ensure details are current

  • Undertaking basic exercises as required in the Exercise Programme according to the guidelines provided

  • Participating in other exercises as agreed in the annual Exercise Programme

  • Notifying the Head of Information Security of issues arising from reviews, exercises or any other pertinent matters.

Risks and opportunities

FundApps currently has three offices in London, New York and Singapore. The team work from home and away from the office on a regular basis and no data is uniquely held in the office or on the laptops with which they access the systems. Consequently, there is little direct dependence on the office and the team are able to work away from this location with little difficulty.

Business continuity objectives

FundApps’ business continuity objectives are:

  • Ensure the safety of staff and other occupants for which they are responsible within the buildings;

  • Minimize disruption to clients and hence protect reputation and standing;

  • Enable a return to normal operations in the shortest practical time with the minimum of disruption;

  • Establish, implement and maintain a BCMS compliant with ISO 22301.

Awareness and Communication

FundApps raise staff awareness of Business Continuity needs during induction and through regularly planned BCP tests.

This is to ensure staff:

  • Are aware of their role in business continuity and what will be expected of them following a disruptive incident

  • Understand their role in maintaining and improving the BCMS.

Staff who hold specific roles receive training and take part in exercising to ensure that they are ready to fulfil those roles. Any enquiries from staff requiring further details are passed to the security team or CTO.

External communication includes existing and prospective clients and suppliers:

  • Existing and prospective clients will be informed of FundApps’ business continuity arrangements in outline and will receive a copy of the policy on request.

  • Suppliers are asked to provide information on their business continuity arrangements during the procurement process.

Client enquiries are initially dealt with by the business teams. Where additional detail is required, these are referred to the security team or CTO.

Any communication with the local community would be by the landlord or the emergency services. Media communications are dealt with by the CEO.

The Environment Agency and the Met Office provide information on flooding and weather, and these have been identified as the only regional or national threat advisory systems. FundApps monitor these when necessary, i.e. when a warning is issued that is pertinent to FundApps. As no direct flood risk has been identified, the focus of the monitoring is on the effect it may have on staff and travel disruptions. This is considered business as usual activity and is incorporated into the incident response when necessary, and is included in the exercising programme too.

FundApps have recognised that communication following a disruptive incident can be challenging and that normal means of communication may not suffice. In order to address this, FundApps have sought to ensure that many communication channels are available including but not limited to:

  • Slack, which enables rapid communication through a messaging system and provides details of who is available.

  • Mobile phones. Mobile phone numbers are the main point of contact for clients to reach senior management, sales and technical staff.

  • Email (both personal and FundApps) can be used to communicate to all staff and to clients and suppliers.

  • SMS Text messaging to provide short messages.

  • Landline numbers where possible for staff.

It is recognised that in extreme circumstances all of these channels can become unavailable. Communication methods are exercised as part of the exercise programme and reviewed following incidents.

Incident Detection

Incidents which can lead to a crisis can be detected in several ways as described hereafter:

  • Incidents within the data centres are detected by:

    • FundApps' own monitoring, which checks the external availability of our service and the internal availability and correct functioning of our internal services. Alerts will be raised through our monitoring software and dealt with through the incident management process.

    • Data centre staff and automated monitoring also notify FundApps of underlying issues with infrastructure via a public status page.

  • Incidents at the FundApps office are detected by:

    • The landlords’ agents follow their procedure to notify occupants of the building, specifically via FundApps facilities

    • Directly by FundApps staff who raise this with FundApps facilities or the MMC out of hours.

  • Incidents externally are detected by:

    • Media coverage

    • Directly by contact with the Emergency Services.

Once notified, the relevant personnel assess whether the incident is managed through normal business-as-usual procedures or whether further escalation is required. This is based both on the experience and knowledge of the individuals and, where necessary, on reference to the impact criteria table in the Crisis Management Plan.

The CMT have received training and have responded to several challenging incidents. Post-incident reports are available.

Ongoing exercising is designed to ensure that the CMT, including relevant deputies, are well equipped to deal with incidents of all sorts. Similarly, every business area has undertaken basic training and exercising and has had to respond to real incidents; ongoing exercising is aimed at ensuring that the whole incident response structure operates effectively.

Maintenance of staff contact details

In preparation for this, a number of actions take place:

  • Employee contact information is stored in Google Drive, which is externally hosted.

  • In addition, each employee has contact numbers already stored in their mobile phones.

FundApps Documentation

In order to maintain consistency, legibility and accessibility, all BCMS documentation is held as an electronic copy within FundApps' document management system, GitHub.

A summary of the main documents and their owners can be found in this document. Each document will be approved by the owner prior to issue, as will any subsequent updates. The approval process will typically be conducted via email.

GitHub has built-in version control which allows anyone with sufficient access to view previous versions and therefore facilitates comparison between versions. Unwanted documents are removed from the repository but are retrievable by IT. Documents can only be checked out for updates by those with appropriate access. Each document has an assigned Owner and GitHub tracks whether documents have been appropriately approved.

Risk and Impact Assessment

Establish and implement business continuity procedures

Exercising and testing

An annual programme of exercising is documented and agreed. This is then executed by the security team and the relevant business areas. Audit processes ensure that business exercises are completed and are effective. Actions arising are captured by the security team and ownership is assigned for execution.

The team undertake regular tests of the IT recovery and these are recorded in Google Drive. Any issues arising are tracked through the raising of tickets as part of business-as-usual fault resolution.

Monitoring and management of risks

Identified Business Continuity risks and associated action plans are discussed during the monthly security meetings. These meetings have the following attendees:

  • CTO

  • Security team

BCMS Review

The security team reviews the FundApps Business Continuity Management System and submits changes to the management forum for validation, at a minimum, on an annual basis.


Last updated 1 year ago

When the Crisis Management Team (as defined in the Business Continuity Plan) is activated, the initial incident details are recorded on the Incident Report Form and subsequent updates are recorded on the “Status Report Form”. The Crisis Management Team (CMT) keep a record of issues, actions and communications and log all activity as part of the process.

The Business Continuity Plan provides supporting information for the CMT to Assemble, Meet and Manage the incident, including monitoring the situation and developments. It also explicitly requires consideration of closing the incident and reviewing what has been learned. Further details can be found in the Business Continuity Plan.

In the event of an incident which requires the full or partial invocation of the Business Continuity Plan, it is vital that the Company is able to contact all of its personnel quickly and efficiently.

Please see our risk management section for information about how we assess risks, their likelihood, impact and our risk appetite.

These are documented as a set of documents which together support the incident response. There is a Business Continuity Plan to support the Crisis Management Team (CMT) and plans to support IT Recovery in the event of a data centre failure. A short plan for the management of the immediate response has also been developed.