Business Continuity Framework
Overview
Our customers include high profile companies with high availability and service expectations. It is therefore vital that FundApps maintain service and, in the event of disruption, are able to effectively manage the incident and communicate with all key interested parties.
Any loss of service from the data centres or our key services will impact the reputation of FundApps, result in loss of revenue through service credits and other compensations, and potentially damage FundApps irreparably in the marketplace.
NOTE: This document describes the management systems framework intended for compliance with ISO 22301. It is designed to provide some documentation that is needed by ISO 22301, with pointers to the other key documents, and is aligned in structure to ISO 22301 for ease of assessing compliance.
Staff welfare
Following a disruptive incident, our highest priority is staff welfare, so they are safe and able to address the other matters arising from the incident.
This includes ensuring safe evacuation from affected premises, safe containment within affected premises, ensuring that staff are paid in a timely manner, and managing all issues arising from disruptive incidents that directly impact on staff.
Technical resilience
The existing technical environment is designed to be resilient but there are always risks that could impact the availability of our service. These known risks are recorded on a risk register in accordance with our risk management framework and monitored for change in status. Opportunities for improvement are sought as part of the ongoing risk management process and the strategic development of the business.
Awareness
FundApps’ management team have experience from other organisations that promoted an awareness of the need for business continuity, and consequently the resilience of the service has always been a key consideration. This has been reinforced by planned activities such as moving office, recent transport strikes and planned maintenance in the data centre requiring a planned failover to the alternate data centre. All such events are recorded within the BCMS.
Needs and expectations of interested parties
FundApps considered all potential interested parties and referred to Figure 2 to ensure comprehensive coverage.
Figure 2: Potential interested parties (from ISO 22313)
FundApps’s key interested parties include:
FundApps’ shareholders – FundApps is a privately held company and not quoted on the LSE or elsewhere;
FundApps’ staff;
FundApps’ customers;
Financial Services regulators who preside over the activities of FundApps’ customers.
Media handling
Media handling is undertaken directly by the CEO. Further media handling during an incident is undertaken within the Crisis Management process, with specific guidance in the Crisis Management Plan.
Neighbours
Neighbours’ activities have been considered as part of the risk assessment, in order to identify any areas where neighbours’ activities may pose risks to FundApps operations. FundApps have liaised with the landlord’s agents and other building occupants regarding business continuity issues, in particular rehearsing evacuation procedures, sharing information and liaising with the emergency services.
Emergency services
Emergency Services will in most circumstances deal with the landlords – i.e. the hosting provider at the data centres and the landlord’s agents at FundApps office. In some circumstances, FundApps may specifically be contacted and one such circumstance was explored during the 2014 Crisis Management exercise which required working with the Ambulance, Police and HPA.
FundApps Staff
FundApps’s staff have expectations that FundApps will continue to employ them and treat them fairly with due care in the event of a disruptive incident.
All staff are required to provide emergency contact details and these are held in our internal portal, providing a means of contacting staff outside of the normal channels and allowing FundApps to provide information to the emergency services should the need arise.
Pressure groups
FundApps have not been specifically targeted by pressure groups but are aware that they and their customers may be targeted due to the general discontent with financial services firms following the financial crisis. This is specifically reviewed as part of the business continuity risk assessment and is under constant review as part of the maintenance and enhancement of the ISMS.
Compliance with relevant laws & regulations
FundApps complies with all applicable UK Laws including Health and Safety at Work Act 1974 and these are detailed in the ISMS maintained for compliance with ISO 27001. FundApps have no specific legal and regulatory obligations to implement business continuity management. This is reviewed annually as part of the overall BCMS review. This review is a simple process:
Identify any key changes to legislation that may apply to FundApps;
Review new customers or changes to existing customers’ business to determine if there are any legal and regulatory requirements on them that may imply new or changed requirements on FundApps;
Any issues that arise are included as non-conformities within the BCMS where they will be assigned ownership and resolved.
FundApps Customers
New customers’ legal and regulatory requirements are always considered during the sales process.
FundApps’ target customers are Financial Services Firms who have advanced business continuity programmes. There is an expectation among customers that FundApps will have business continuity management in place, this forming an implicit or explicit part of the contractual relationship with the customers.
Customers are responsible for the IT DR relating to their own services. FundApps offer and will build resilient services with appropriate IT DR. A plan has been lodged with FundApps within its BCMS, and FundApps are therefore contractually obligated to enact it when a major incident occurs. Customers therefore have a reasonable expectation that FundApps have the capacity and capability to do this.
Shareholders
FundApps’s shareholders have a reasonable expectation that the company will continue to operate and make returns on capital. Consequently ensuring that unexpected and difficult incidents are managed effectively is an implied requirement on FundApps of their financial backers.
Scope of the BCMS
The BCMS scope includes:
The following locations:
FundApps offices (London, GB; New York, USA; Singapore, Singapore)
Amazon data centres in:
Dublin
Frankfurt
Included in the scope are all FundApps staff and any key contractors working on behalf of FundApps.
All data centre provision and hardware operations are outsourced to Amazon Web Services. FundApps do not have cause to visit these locations. All data centre staff and operations are outside the scope. All of FundApps’ products and services are within scope.
Leadership
Top management commitment
Top management commitment is demonstrated through the policy endorsed by the management team including Andrew White, CEO, Toby O'Rourke, CTO, and the participation of the top management team in the Crisis Management Team and their active involvement in the associated exercising alongside operational teams.
Management commitment
Management commitment is shown by:
Minuted agreement to develop a BCMS compliant with ISO 22301;
Policy and objectives endorsed by the CEO;
Integration of business continuity into the FundApps process model;
Commissioning of Oprel to provide expertise and resources to develop and establish the BCMS;
Appointing the CTO to be responsible for implementing business continuity and supporting the CTO in doing so (e.g. through the provision of budget);
Promoting the improvement of the existing business continuity provisions to meet good practice as now recognized in ISO 22301;
Committing all business areas to supporting business continuity development;
Participation of management in BIA process and encouraging relevant team members to contribute too;
Participation of management, deputies and team members in exercising at business unit level.
As part of establishing the BCMS the following has been undertaken:
Establishing roles, responsibilities and competencies and associated training programme;
Defining acceptable risk;
Establishing internal audit procedures and programme;
Establishing management review processes that monitor the effectiveness of the BCMS;
Demonstrating continual improvement.
Policy
The Business Continuity Policy is maintained by the CTO and is endorsed by:
Andrew White, CEO,
Toby O'Rourke, CTO.
It is an open document and available to all employees through our internal portal, and on request to any interested party.
Roles, responsibilities and authorities
The Business Continuity Management System (BCMS) is the responsibility of the CTO. It is his responsibility to ensure that the BCMS is established, implemented, operated and maintained to meet the needs of FundApps and to comply with ISO 22301. It is his responsibility to ensure that accredited certification is obtained and maintained for the BCMS.
The BCMS defines the incident response structure, and what supporting business continuity plans are required. The BCMS defines the Exercise Programme which is agreed for each coming calendar year and approved by management through the business continuity management forum. Each plan has a designated owner.
Each business continuity plan owner is responsible for:
Defining impacts to their business area that may arise following a disruptive incident
Identifying risks to their business
Defining their requirements following any disruptive incident
Populating a standard FundApps business continuity plan and maintaining this plan
Reviewing their business continuity plan on a 6 monthly basis and when significant changes occur to ensure details are current
Undertaking basic exercises as required in the Exercise Programme according to the guidelines provided
Participating in other exercises as agreed in the annual Exercise Programme
Notifying the CTO of issues arising from reviews, exercises or any other pertinent matters.
Planning
Risks and opportunities
FundApps currently has three offices in London, New York and Singapore. The team work from home and away from the office on a regular basis and no data is uniquely held in the office or on the laptops with which they access the systems. Consequently there is little direct dependence on the office and the team are able to work away from this location with little difficulty.
Oprel were engaged to provide the necessary expertise in business continuity as it was recognised that FundApps did not have the necessary in-house expertise. FundApps will take on the ongoing support and maintenance of the BCMS following hand-over and assessed training if required. In addition, specific training may be undertaken to enable auditing of compliance with ISO 22301.
Business continuity objectives
FundApps’ business continuity objectives are:
Ensure that FundApps have competent and confident people who can deal with disruptive incidents howsoever caused, in a timely and controlled manner.
Ensure the safety of staff and other occupants for which they are responsible, within the buildings;
Minimize disruption to clients and hence protect reputation and standing;
Enable a return to normal operations in the shortest practical time with the minimum of disruption;
Establish, implement and maintain a BCMS compliant with ISO 22301, demonstrated through accredited certification.
FundApps’ legal obligations are to be found in our information security policy.
Planning implementation
Toby O'Rourke, CTO, is charged with implementing business continuity management to meet the requirements of ISO 22301 in his capacity as CTO, FundApps.
Expertise will be provided by Operational Resilience Ltd, specifically led by Dave Austin, who will lead FundApps through the implementation and check that this is compliant with the needs of ISO 22301.
The work to establish the BCMS began in June 2014 and is anticipated to complete by the end of 2014, with accredited certification to follow depending on the availability of auditors. All areas of the business will need to take part, including in the BIA, plan development and exercising. The CTO will assist in the facilitation of the risk assessment, and in ensuring that the documentation is stored in the FundApps document repository and in FundApps document formats.
The success of the implementation will be judged by the achievement and maintenance of accredited certification.
Awareness
The business continuity policy is published on the FundApps Web site and within the FundApps Intranet and is freely available to all staff. Their attention is drawn to it at induction and on regular occasions at least annually as part of the online tool used by Security and Compliance. The tool allows for the dissemination of key messages, tracks that all staff have undertaken the necessary modules and checks that they have understood the key points. Security and Compliance monitor these results and take action where issues are identified. See also 5.4.
Communication
FundApps communicate to staff:
At induction
Regularly in accordance with the Awareness Plan
This communication will ensure that all staff:
Are aware of FundApps’ ISO 22301 certification and the importance of this in assuring customers, both existing and potential
Are aware of their role in business continuity and what will be expected of them following a disruptive incident
Understand their role in maintaining and improving the BCMS.
Staff who hold specific roles receive training and take part in exercising to ensure that they are ready to fulfil those roles. Any enquiries from staff requiring further details are passed to the CTO.
External communication includes existing and prospective customers and suppliers:
Existing customers will be informed of FundApps’ business continuity arrangements in outline and will receive a copy of the policy on request. A standard Customer Statement originated by the CTO is provided for this purpose.
Prospective customers will be informed of ISO accreditation as part of the assurance provided to them.
Suppliers are asked to provide information on their business continuity arrangements during the procurement process and this is updated annually.
Customer enquiries are initially dealt with by the business teams based on the Customer Statement originated by the CTO. Where additional detail is required, enquiries are referred to the CTO.
In addition, shareholders and customers will be informed of the achievement of ISO 22301 certification.
Any communication with the local community would be by the landlord or the emergency services. Media communications are dealt with by the CEO.
The Environment Agency and the Met Office provide information on flooding and weather, and these have been identified as the only regional or national threat advisory systems. FundApps monitor these when necessary, i.e. when a warning is issued that is pertinent to FundApps. As no direct flood risk has been identified, the focus on the monitoring is on the effect it may have on staff and travel disruptions. This is considered business as usual activity and is incorporated into the incident response when necessary, and is included in the exercising programme too.
FundApps have recognised that communication following a disruptive incident can be challenging and that normal means of communication may not suffice. In order to address this, FundApps have sought to ensure that many communication channels are available including but not limited to:
Slack which enables rapid communication through a messaging system and details of who is available.
Mobile phones. Mobile phone numbers are the main point of contact for customers to senior management, for sales and technical staff.
Email (both personal and FundApps) can be used to communicate to all staff and to customers and suppliers.
SMS Text messaging to provide short messages.
Landline numbers where possible for staff.
It is recognised that in extreme circumstances all of these channels can become unavailable. Communication methods are exercised as part of the exercise programme and reviewed following incidents.
All communications processes relating to management of disruptive incidents are documented in the incident response structure and the related plans. In summary:
Detection:
Incidents within the data centres are detected by:
FundApps’ own monitoring, which detects the external availability of our service and the internal availability and correct functioning of our internal services. Alerts are raised through our monitoring software and dealt with through the incident management process.
Data centre staff and automated monitoring also notify FundApps of underlying issues with infrastructure via a public status page.
Incidents at FundApps office are detected by:
The landlords’ agents, who follow their procedure to notify occupants of the building, specifically via FundApps facilities.
Directly by FundApps staff who raise this with FundApps facilities or the MMC out of hours.
Incidents externally are detected by:
Media coverage
Directly by contact with the Emergency Services.
Once notified, the relevant personnel assess whether the incident is managed through normal business as usual procedures or whether further escalation is required. This is based on both experience and knowledge of the individuals and by reference to the impact criteria table in the Crisis Management Plan where necessary.
When the Crisis Management Team (as defined in the Crisis Management Plan) is activated, the initial incident details are recorded on the Incident Report Form and subsequent updates are recorded on the “Status Report Form”. The Crisis Management Team (CMT) keep a record of issues, actions and communications and log all activity as part of the process.
The Crisis Management Plan (CMP) provides supporting information for the CMT to Assemble, Meet and Manage the incident including monitoring the situation and developments. It also explicitly requires consideration of closing the incident and reviewing what has been learned. Further details can be found in the CMP.
The CMT have received training and have responded to several challenging incidents. Post incident reports are available.
Ongoing exercising is designed to ensure that the CMT are well equipped to deal with incidents of all sorts and this includes relevant deputies. Similarly every business area has undertaken basic training and exercising, has had to respond to real incidents and ongoing exercising is aimed at ensuring that the whole incident response structure operates effectively.
Maintenance of staff contact details
In the event of an incident which requires the full or partial invocation of the Business Continuity Plan, it is vital that the Company is able to contact all of its personnel quickly and efficiently.
In preparation for this, a number of actions take place:
Employee contact information is stored in the Google Drive which is externally hosted.
In addition, each employee has contact numbers already stored in their mobile phones.
FundApps Documentation
In order to maintain consistency, legibility and accessibility, all BCMS documentation is held as an electronic copy within FundApps’ document management system, GitHub.
A summary of the principal documents and their owners can be found in this document. Each document will be approved by its owner prior to issue, as will any subsequent updates. The approval process will typically be conducted via email.
GitHub has built-in version control which allows anyone with sufficient access to view previous versions and therefore facilitates comparison between versions. Unwanted documents are removed from the repository but are retrievable by IT. Documents can only be checked out for update by those with appropriate access. Each document has an assigned Owner and GitHub tracks whether documents have been appropriately approved.
Operation
Operational planning and Control
The completion of the BCMS will define the successful outcome of the implementation; the BCMS will contain all supporting documentation required. A project plan was agreed between Oprel and FundApps to outline overall timescales, and ISO 22301 is used as the benchmark for completeness.
Known planned changes include the take-on of more staff and the transfer from the existing data centres to a new provider in new locations. The transition and change in the business will require the BIA to be under review throughout this period, and any steps arising to be taken.
The key outsource relationship is with Amazon AWS, who manage the data centres, and this is strictly controlled. Contracts with these organisations are available on the FundApps online document store [1].
Risk and Impact assessment
Please see our [risk management framework](../risk-management/) for information about how we assess risks, their likelihood and impact, and our risk appetite.
Business Continuity Strategy
The BC Strategy is detailed in the BC Strategy section of the BIA report in the BCMS.
Supplier evaluation is undertaken by FundApps as part of both the procurement and ongoing management of suppliers. This is documented in the ITSN process, although it is also recognised that some suppliers fall outside of this process at present. These are still checked by FundApps where necessary, are also identified as part of the BIA process, and further steps are taken where necessary.
Establish and implement business continuity procedures
These are documented as a set of documents which together support the incident response. There is a Crisis Management Plan (CMP) to support the Crisis Management Team (CMT) and plans to support IT Recovery in the event of a data centre failure. A short plan for management of the immediate response has also been developed.
Exercising and testing
An annual programme of exercising is documented and agreed. This is then executed by the CTO and the relevant business areas. Audit processes ensure that business exercises are completed and are effective. Actions arising are captured by the CTO and ownership assigned for execution.
The team undertake regular tests of the IT recovery and these are recorded in Google Drive. Any issues arising are tracked through the raising of tickets as part of business as usual fault resolution.
Performance evaluation
Monitoring, measurement, analysis and evaluation
FundApps will monitor the progress of the BCMS implementation and will measure this by completion, ensuring that all documentation is accessible on Google Drive.
Management Review
The FundApps Business Continuity & Security Management Forum is the forum through which the management review of business continuity is undertaken. This corresponds to the Monitor and Review (Check) stage of the BCMS. The Management Forum reviews FundApps’ BCMS quarterly to ensure its continuing suitability, adequacy and effectiveness, and seeks opportunities for improvement where appropriate. The FundApps CTO is responsible for ensuring that these meetings are documented and that records are maintained for inspection.
The FundApps Business Continuity & Security Management Forum is chaired by the CHAIR and consists of:
• Plan owners;
• Representation from HR & Facilities, Finance, Enterprise Architecture, Operations, CEO;
• CTO.
FundApps’s BC Management Forum undertakes a formal review of business continuity through regular meetings. The agenda for these meetings includes, during the course of 12 months:
Results of BCMS audits;
Reports on BCM arising from internal review, including self-assessment;
Reports on key supplier capability, in particular DC PROVIDER;
Any relevant feedback from external parties such as customers and regulators;
Techniques, products and procedures that could improve FundApps’s BCMS performance and effectiveness;
The status of corrective actions previously agreed and authorised;
The contents of the risk register and in particular, outstanding unmanaged risks, threats and vulnerabilities not fully addressed and newly identified risks. Particular account will be taken of the National Risk Register;
Any changes to FundApps or externally that may impact on the effectiveness and efficiency of the BCMS;
Recommendations for improvement;
Results from exercises and the status of the exercise programme;
Lessons from incidents;
Emerging good practice and guidance;
Results from the education, training and awareness programme;
The FundApps business impact analysis, business requirements and overall arrangements.
The minutes of these meetings document where these items are discussed and the actions arising. These are tracked through a spreadsheet that is discussed as a standing item on the Management Forum’s agenda. The outcomes generally are decisions and actions relating to:
a) vary the scope of the BCMS;
b) improve the effectiveness of the BCMS;
c) modify BCM strategy and procedures, as necessary, to respond to internal and external events that could impact on the BCMS, including changes to:
a. business requirements;
b. resilience requirements;
c. business processes affecting the existing business requirements;
d. statutory, regulatory and contractual requirements; and
e. levels of risk and/or levels of risk acceptance;
f. key suppliers;
d) meet resource needs; and
e) ensure relevant funding and budget requirements are met.
The management review is formally recorded by the minutes of each meeting and determines and authorizes the preventive and corrective actions (see below). The overall process is described by figure 1.
Improvement
Nonconformity and corrective action
When deviations from the policy are identified, these are raised with the CTO and logged on the nonconformities spreadsheet. Ownership is assigned to the appropriate responsible business area and acted upon. The nonconformities are then tracked by the Compliance and Security team for completion of appropriate actions to resolve the issues, and status is reported through the business continuity management forum.
Continual improvement
The overall operation of the BCMS is designed to ensure that FundApps continue to maintain and enhance their business continuity capability and effectiveness over time. The periodic review of policy and objectives, together with the management review process encompassing audit results, responses to actual incidents, preventive and corrective actions, and changes to the FundApps organization and environment, ensures that continual improvement is inherent in the operation of the system.