The FundApps business continuity plan (BCP) is available
Our customers include high profile companies with high availability and service expectations. It is therefore vital that FundApps maintain service and in the event of disruption, are able to effectively manage the incident and communicate with all key interested parties.
Any loss of service from the data centres or our key services will impact the reputation of FundApps, result in loss of revenue through service credits and other compensations, and potentially damage FundApps irreparably in the marketplace.
NOTE: This document describes the management systems framework intended for compliance with ISO 22301. It is designed to provide some documentation that is needed by ISO 22301, with pointers to the other key documents, and is aligned in structure to ISO 22301 for ease of assessing compliance.
Following a disruptive incident, our highest priority is staff welfare, so they are safe and able to address the other matters arising from the incident.
This includes ensuring safe evacuation from affected premises, safe containment within affected premises, ensuring that staff are paid in a timely manner, and managing all issues arising from disruptive incidents that directly impact on staff.
FundApps’s management team have experience from other organisations that promoted an awareness of the need for business continuity and consequently the resilience of the service has always been a key consideration. This has been re-enforced by some planned activities such as moving office, recent transport strikes and planned maintenance in the data centre requiring a planned failover to the alternate data centre. All such events are recorded within the BCMS.
FundApps considered all potential interested parties and referred to Figure 2 to ensure comprehensive coverage.
Figure 2: Potential interested parties (from ISO 22313)
FundApps’s key interested parties include:
FundApps’ shareholders – FundApps is a privately held company and not quoted on the LSE or elsewhere;
FundApps’ staff;
FundApps’ customers;
Financial Services regulators who preside over the activities of FundApps’ customers.
Media handling is undertaken directly by the CEO. Further media handling during an incident is undertaken within the Crisis Management process, with specific guidance in the Crisis Management Plan.
Emergency Services will in most circumstances deal with the landlords – i.e. the hosting provider at the data centres and the landlord’s agents at FundApps office. In some circumstances, FundApps may specifically be contacted and one such circumstance was explored during the 2014 Crisis Management exercise which required working with the Ambulance, Police and HPA.
FundApps’s staff have expectations that FundApps will continue to employ them and treat them fairly with due care in the event of a disruptive incident.
All staff are required to provide emergency contact details and these are held in our internal portal, providing a means of contacting staff outside of the normal channels and allowing FundApps to provide information to the emergency services should the need arise.
FundApps have not been specifically targeted by pressure groups but are aware that they and their customers may be targeted due to the general discontent with financial services firms following the financial crisis. This is specifically reviewed as part of the business continuity risk assessment and is under constant review as part of the maintenance and enhancement of the ISMS.
FundApps complies with all applicable UK Laws including Health and Safety at Work Act 1974 and these are detailed in the ISMS maintained for compliance with ISO 27001. FundApps have no specific legal and regulatory obligations to implement business continuity management. This is reviewed annually as part of the overall BCMS review. This review is a simple process:
Identify any key changes to legislation that may apply to FundApps;
Review new customers or changes to existing customers’ business to determine if there are any legal and regulatory requirements on them that may imply new or changed requirements on FundApps;
Any issues that arise are included as non-conformities within the BCMS where they will be assigned ownership and resolved.
New customers’ legal and regulatory requirements are always considered during the sales process.
FundApps’ target customers are Financial Services Firms who have advanced business continuity programmes including There is an expectation in customers that FundApps will have business continuity management in place, this forming an implicit or explicit part of the contractual relationship with the customers.
Customers are responsible for the IT DR relating to their services. FundApps offer and will build resilient services with appropriate IT DR. A plan has been lodged with FundApps within its BCMS. FundApps are therefore contractually obligated to enact these when a major incident occurs. Customers therefore have a reasonable expectation that FundApps have the capacity and capability to do this.
FundApps’s shareholders have a reasonable expectation that the company will continue to operate and make returns on capital. Consequently ensuring that unexpected and difficult incidents are managed effectively is an implied requirement on FundApps of their financial backers.
The BCMS scope includes:
The following locations:
FundApps offices (London, GB; New York, USA; Singapore, Singapore)
Amazon data centres in:
Dublin
Frankfurt
Included in the scope are all FundApps staff and any key contractors working on behalf of FundApps
All data centre provision and hardware operations are outsourced to Amazon Web Services. FundApps do not have cause to visit these locations. All data centre staff and operations are outside the scope. All of FundApps’ products and services are within scope.
Top management commitment is demonstrated through the policy endorsed by the management team including Andrew White, CEO, Toby O'Rourke, CTO, and the participation of the top management team in the Crisis Management Team and their active involvement in the associated exercising alongside operational teams.
Management commitment is shown by:
Minuted agreement to develop a BCMS compliant with ISO 22301;
Policy and objectives endorsed by the CEO;
Integration of business continuity into the FundApps process model;
Commissioning of Oprel to provide expertise and resources to develop and establish the BCMS;
Appointing the CTO to be responsible for to implement business continuity and supporting the CTO to do so (e.g. through the provision of budget);
Promoting the improvement of the existing business continuity provisions to meet good practice as now recognized in ISO 22301;
Committing all business areas to supporting business continuity development;
Participation of management in BIA process and encouraging relevant team members to contribute too;
Participation of management, deputies and team members in exercising at business unit level.
As part of establishing the BCMS the following has been undertaken:
Establishing roles, responsibilities and competencies and associated training programme;
Defining acceptable risk;
Establishing internal audit procedures and programme;
Establishing management review processes that monitor the effectiveness of the BCMS;
Demonstrating continual improvement.
The Business Continuity Policy is maintained by the CTO and is endorsed by:
Andrew White, CEO,
Toby O'Rourke, CTO.
It is an open document and available to all employees through our internal portal, and on request to any interested party.
The Business Continuity Management System (BCMS) is the responsibility of the CTO. It is his responsibility to ensure that the BCMS is established, implemented, operated and maintained to meet the needs of FundApps and to comply with ISO 22301. It is his responsibility to ensure that accredited certification is obtained and maintained for the BCMS.
The BCMS defines the incident response structure, and what supporting business continuity plans are required. The BCMS defines the Exercise Programme which is agreed for each coming calendar year and approved by management through the business continuity management forum. Each plan has a designated owner.
Each business continuity plan owner and they are responsible for:
Defining impacts to their business area that may arise following a disruptive incident
Identifying risks to their business
Defining their requirements following any disruptive incident
Populating a standard FundApps business continuity plan and maintaining this plan
Reviewing their business continuity plan on a 6 monthly basis and when significant changes occur to ensure details are current
Undertaking basic exercises as required in the Exercise Programme according to the guidelines provided
Participating in other exercises as agreed in the annual Exercise Programme
Notifying the CTO of issues arising from reviews, exercises or any other pertinent matters.
FundApps currently has three offices in London, New York and Singapore. The team work from home and away from the office on a regular basis and no data is uniquely held in the office or on the laptops with which they access the systems. Consequently there is little direct dependence on the office and the team are able to work away from this location with little difficulty.
Oprel were engaged to provide the necessary expertise in business continuity as it was recognised that FundApps did not have the necessary in-house expertise. FundApps will take on FundApps ongoing support and maintenance of the BCMS FundApps, following hand-over and assessed training if required. In addition, specific training may be undertaken to enable auditing of compliance with ISO 22301.
FundApps’ business continuity objectives are:
Ensure that FundApps have competent and confident people who can deal with disruptive incidents howsoever caused, in a timely and controlled manner.
Ensure the safety of staff and other occupants for which they are responsible, within the buildings;
Minimize disruption to clients and hence protect reputation and standing;
Enable a return to normal operations in the shortest practical time with the minimum of disruption;
Establish, implement and maintain a BCMS compliant with ISO22301 demonstrated through accredited certification.
FundApps’ legal obligations are to be found in our information security policy.
Toby O'Rourke, CTO, is charged with implementing business continuity management to meet the requirements of ISO 22301 in his capacity as CTO, FundApps.
Expertise will be provided by Operational Resilience Ltd, specifically led by Dave Austin, who will lead FundApps through the implementation and check that this is compliant with the needs of ISO 22301.
The work to establish the BCMS began in June 2014 and is anticipated to complete by the end of 2014, with accredited certification to follow depending on the availability of auditors. All areas of the business will need to take part including in the BIA, plan development and exercising. CTO will assist in the facilitation of the risk assessment, in ensuring that the documentation is stored in the FundApps document repository and in FundApps document formats.
The success of the implementation will be judged by the achievement and maintenance of accredited certification.
The business continuity policy is published on the FundApps Web site and within the FundApps Intranet and is freely available to all staff. Their attention is drawn to it at induction and on regular occasions at least annually as part of the online tool used by Security and Compliance. The tool allows for the dissemination of key messages, tracks that all staff have undertaken the necessary modules and checks that they have understood the key points. Security and Compliance monitor these results and take action where issues are identified. See also 5.4.
FundApps communicate to staff:
At induction
Regularly in accordance with the Awareness Plan
This communication will ensure that all staff:
Are aware of FundApps’s ISO 22301 certification and the importance of this in assuring customers, both existing and potential
Are aware of their role in business continuity and what will be expected of them following a disruptive incident
Understand their role in maintaining and improving the BCMS.
Staff who hold specific roles receive training and take part in exercising to ensure that they are ready to fulfil those roles. Any enquiries from staff requiring further details are passed to the CTO.
External communication includes existing and prospective customers and suppliers:
Existing customers will be informed of FundApps’ business continuity arrangements in outline and will receive a copy of the policy on request. A standard Customer Statement originated by the CTO is provided for this purpose.
Prospective customers will be informed of ISO accreditation as part of assurance to them
Suppliers are asked to provide information on their business continuity arrangements during the procurement process and this is updated annually.
Customer enquiries are initially deal with by the business teams based on the Customer Statement originated by the CTO. Where additional detail is required, these are referred to the CTO.
In addition, shareholders and customers will be informed of the achievement of ISO 22301 certification.
Any communication with the local community would be by the landlord or the emergency services. Media communications are dealt with by the CEO.
The Environment Agency and the Met Office provide information on flooding and weather, and these have been identified as the only regional or national threat advisory systems. FundApps monitor these when necessary, i.e. when a warning is issued that is pertinent to FundApps. As no direct flood risk has been identified, the focus on the monitoring is on the effect it may have on staff and travel disruptions. This is considered business as usual activity and is incorporated into the incident response when necessary, and is included in the exercising programme too.
FundApps have recognised that communication following a disruptive incident can be challenging and that normal means of communication may not suffice. In order to address this, FundApps have sought to ensure that many communication channels are available including but not limited to:
Slack which enables rapid communication through a messaging system and details of who is available.
Mobile phones. Mobile phone numbers are the main point of contact for customers to senior management, for sales and technical staff.
Email (both personal and FundApps) can be used to communicate to all staff and to customers and suppliers.
SMS Text messaging to provide short messages.
Landline numbers where possible for staff.
It is recognised that in extreme circumstances all of these channels can become unavailable. Communication methods are exercised as part of the exercise programme and reviewed following incidents.
All communications processes relating to management of disruptive incidents are documented in the incident response structure and the related plans. In summary:
Detection:
Incidents within the data centres are detected by:
FundApps own monitoring detects the external availability of our service, and the internal availability and correct functioning of our internal services. Alerts will be raised through our monitoring software and dealt with through the incident management process.
Data centre staff and automated monitoring also notify FundApps of underlying issues with infrastructure via a public status page.
Incidents at FundApps office are detected by:
The landlords’ agents who follow their procedure to notify occupants of the building, specifically via FundApps facilities
Directly by FundApps staff who raise this with FundApps facilities or the MMC out of hours.
Incidents externally are detected by:
Media coverage
Directly by contact with the Emergency Services.
Once notified, the relevant personnel assess whether the incident is managed through normal business as usual procedures or whether further escalation is required. This is based on both experience and knowledge of the individuals and by reference to the impact criteria table in the Crisis Management Plan where necessary.
The CMT have received training and have responded to several challenging incidents. Post incident reports are available.
Ongoing exercising is designed to ensure that the CMT are well equipped to deal with incidents of all sorts and this includes relevant deputies. Similarly every business area has undertaken basic training and exercising, has had to respond to real incidents and ongoing exercising is aimed at ensuring that the whole incident response structure operates effectively.
In the event of an incident which requires the full or partial invocation of the Business Continuity Plan, it is vital that the Company is able to contact all of its personnel quickly and efficiently.
In preparation for this, a number of actions take place:
Employee contact information is stored in the Google Drive which is externally hosted.
In addition, each employee has contact numbers already stored in their mobile phones.
In order to maintain consistency, legibility and accessibility all BCMS documentation is held as an electronic copy within FundApps’s document management system GitHub.
A summary of the principle documents and its owner can be found in this document. Each document will be approved by the owner prior to issue, as will any subsequent updates. The approval process will typically be conducted via email.
GitHub has built-in version control which allows anyone with sufficient access to view previous versions and therefore facilitates comparison between versions. Unwanted documents are removed from the repository but are retrievable by IT. Documents can only be checked out for update by those with appropriate access. Each document has an assigned Owner and GitHub tracks whether documents have been appropriately approved.
Known planned changes include the take-on of more staff and the transfer from the existing data centres to a new provider in new locations. The transition and change in the business will require the BIA to be under review throughout this period, and any steps arising to be taken.
Please see our (risk management framework)[../risk-management/] for information about how we assess risks, their likelihood impact and our risk appetite.
The BC Strategy is detailed in the BC Strategy section of the BIA report in the BCMS.
An annual programme of exercising is documented and agreed. This is then executed by the CTO and the relevant business areas. Audit processes ensure that business exercises are completed and are effective. Actions arising are captured by the CTO and ownership assigned for execution.
The team undertake regular tests of the IT recovery and these are recorded in Google Drive. Any issues arising are tracked through the raising of tickets as part of business as usual fault resolution.
FundApps will monitor the progress of the BCMS implementation and will measure this by completion, ensuring that all documentation is accessible on Google Drive.
The FundApps Business Continuity & Security Management Forum is the forum through which the management review of business continuity is undertaken. This corresponds to the Monitor and Review (Check) stage of the BCMS. The Management Forum reviews the FundApps’s BCMS quarterly to ensure its continuing suitability, adequacy and effectiveness and seek opportunities for improvement where appropriate. The FundApps CTO is responsible for ensuring that these meetings are documented and that records are maintained for inspection.
• Plan owners;
• CTO.
FundApps’s BC Management Forum undertakes a formal review of business continuity through regular meetings. The agenda for these meetings includes, during the course of 12 months:
Results of BCMS audits;
Reports on BCM arising from internal review, including self-assessment;
Reports on key supplier capability, in particular DC PROVIDER;
Any relevant feedback from external parties such as customers and regulators;
Techniques, products and procedures that could improve FundApps’s BCMS performance and effectiveness;
The status of corrective actions previously agreed and authorised;
The contents of the risk register and in particular, outstanding unmanaged risks, threats and vulnerabilities not fully addressed and newly identified risks. Particular account will be taken of the National Risk Register;
Any changes to FundApps or externally that may impact on the effectiveness and efficiency of the BCMS;
Recommendations for improvement;
Results from exercises and the status of the exercise programme;
Lessons from incidents;
Emerging good practice and guidance;
Results from the education, training and awareness programme;
The FundApps business impact analysis, business requirements and overall arrangements.
The minutes of these meetings document where these items are discussed and the actions arising. These are tracked through a spreadsheet that is discussed as a standing item on the Management Forum’s agenda. The outcomes generally are decisions and actions relating to:
a) vary the scope of the BCMS;
b) improve the effectiveness of the BCMS;
c) modify BCM strategy and procedures, as necessary, to respond to internal and external events that could impact on the BCMS, including changes to:
a. business requirements;
b. resilience requirements;
c. business processes affecting the existing business requirements;
d. statutory, regulatory and contractual requirements; and
e. levels of risk and/or levels of risk acceptance;
f. key suppliers;
d) meet resource needs; and
e) ensure relevant funding and budget requirements are met.
The management review is formally recorded by the minutes of each meeting and determines and authorizes the preventive and corrective actions (see below). The overall process is described by figure 1.
When deviations from the policy are identified, these are raised with the CTO and logged on the nonconformities spreadsheet. Ownership is assigned according to appropriate responsible business area and acted upon. The nonconformities are then tracked for completion of appropriate actions to resolve the issues by the Compliance and Security team, and status is reported through the business continuity management forum.
The overall operation of the BCMS is designed to ensure that FundApps continue to maintain and enhance their business continuity capability and effectiveness over time. The periodic review of policy and objectives, the management review process encompassing audit results, responses to actual incidents, preventive and corrective actions and changes to the FundApps organization and environment ensures that continual improvement is inherent in the operation of the system.
The existing technical environment is designed to be resilient but there are always risks that could impact the availability of our service. These known risks are recorded on a risk register in accordance with our and monitored for change in status. Opportunities for improvement are sought as part of the ongoing risk management process and the strategic development of the business.
Neighbours activities have been considered as part of the risk assessment, in order to identify any areas where neighbours’ activities may pose risks to FundApps operations. FundApps have liaised with the landlord’s agents and other building occupants regarding business continuity issues, in particular rehearsing evacuation procedures, sharing information and liaising with the emergency services.
When the Crisis Management Team (as defined in the ) is activated, the initial incident details are recorded on the Incident Report Form and subsequent updates are recorded on the “Status Report Form”. The Crisis Management Team (CMT) keep a record of issues, actions and communications and log all activity as part of the process.
The Crisis Management Plan () provides supporting information for the CMT to Assemble, Meet and Manage the incident including monitoring the situation and developments. It also explicitly requires consideration of closing the incident and reviewing what has been learned. Further details can be found in the .
The completion of the BCMS will define the successful outcome of the implementation, the BCMS will contain all supporting documentation required. A project plan was agreed between Oprel and FundApps to outline overall timescales and ISO 22301 is used as the benchmark for completeness.
The key outsource relationship is with Amazon AWS who manage the data centres and this is strictly controlled. Contracts with these organisations are available on the FundApps online document store
Supplier evaluation is undertaken by FundApps as part of both the procurement and ongoing management of suppliers. This is documented in the ITSN process although it is also recognised that some suppliers fall outside of this process at present. These are still checked by FundApps where necessary and are also identified as part of the BIA process and further steps taken where necessary.
These are documented as a set of documents which together support the incident response. There is a Crisis Management Plan () to support the Crisis Management Team (CMT) and plans to support IT Recovery in the event of a data centre failure. A short plan for management of the immediate response has also been developed.
The FundApps Business Continuity & Security Management Forum is chaired by the CHAIR and consists of:
• Representation from HR & Facilities, Finance, Enterprise Architecture, Operations, CEO;
Ref
Risk Identified
Guidance notes
Risk type
1
Pandemic (flu like infection)
Widespread flu
National
2
Terrorist attack against UK generally
Dealt with under location risks
National
3
Regional or national power failure
National
4
Fuel supply crisis
Political instability at home or abroad makes petrol/diesel difficult to acquire
National
5
Solar weather
Major flares from the Sun can disrupt networks, electricity grids and infrastructure in unpredicatble ways
National
6
Criminal activity aimed specifically against Fund Apps
Organizations someitmes targeted to move funds or act as a trusted party fronting for criminal activity
Organisational
7
Espionage against Fund Apps for high profile clients
Organizations are sometimes targetted for espionage in order to gain insight into confidential information in client
Organisational
8
Malicious damage by member of staff
Staff who are being disciplined or recently dismissed or suffering mental illness
Organisational
9
Loss of key individuals
Staff may be ill, have accidents or leave for other work
Organisational
10
Earthquake
Location - Natural
11
Volcano
Identified as a National Risk too
Location - Natural
12
Fluvial flooding
Flooding from rivers
Location - Natural
13
Flash (pluvial) flooding
Flash floods follow intense rain
Location - Natural
14
Severe weather (snow)
Snow fall over large part of the area and remaining for 1 week
Location - Natural
15
Severe weather (prolonged low temperatures)
Persistent low temperatures
Location - Natural
16
Severe weather (Heat Wave)
Temperatures exceeding 32C and minimum overnight exceeding 15C over 5 days
Location - Natural
17
Severe weather (drought)
Prolonged shortage of rainfall or failure in water supply
Location - Natural
18
Outbreak of severe illness or communicable disease
May arise from local transmission of disease or collective exposure to food pathogens or legionella et al
Location - Health
19
Impact to building from road traffic accident
Location - traffic
20
Road traffic accident blocking access roads
Road intersection few LGVs
Location - traffic
21
Road traffic incident with hazardous chemicals
Construction traffic may pass, petrol station opposite office
Location - traffic
22
Road traffic incident or fire with gas/gas cylinders
Construction traffic with gas cylinders almost certainly passes office
Location - traffic
23
Rail accident
Old Street Tube Station only nearby line
Location - traffic
24
Air accident
Aircraft directly impacting site
Location - traffic
25
Neighbouring businesses
Activities of neighbours may expose Fund Apps to risks
Location
26
Criminal activity against site
Opportunistic or directed activity
Location
27
Terrorist action in vicinity
Fund Apps not targeted but impacted by nearby attack
Location
28
Terrorist action against site
Fund Apps not target per se, but site attacked for some perceived connections
Location
29
Effectiveness of Physical security
Criminals, terrorists, demonstrators can all be discouraged and prevented by effective perimeter security
Perimeter
30
Utility supply to site - Electricity
Liable to localised mains failure, substation fire and disturbance through ground works
Perimeter
31
Utility supply to site - Gas
Liable to disturbance through ground works
Perimeter
32
Utility supply to site - Water
Liable to disturbance through ground works. Loss through systemic failures in distribution system.
Perimeter
33
Utility supply to site - Sewerage
Liable to disturbance through ground works
Perimeter
34
Utility supply to site - Telecomms
Liable to disturbance through ground works and loss of local exchange
Perimeter
35
Building roof
Roofs may leak giving rise to structural damage or flooding
Building
36
Building structure
Overall structure must be sound to withstand severe weather, tremors etc.
Building
37
Building structure
Asbestos - danger to health and needs controlled operations for works
Building
38
Building basement areas
May be liable to flood from above or groundwater
Building
39
Building - internal water supplies
Pipes and tanks must be in good condition and not positioned where they will cause significant damage
Building
40
Building - M&E
M&E provides the air handling, chillers, boilers and electrical infrastructure for the operation of the premises
Building
41
Fire within building
Rare but highly disruptive and damaging with a risk to life
Building
42
Loss or disruption to key supplier
Suppliers, distributors and others are key to any business operation
3rd parties
43
Loss of local IT infrastructure services
Office IT loss
IT
44
Loss of IT applications
Servers or storage failures in DCs
IT
45
Cyber attack
Fund Apps targetted or simply collateral damage to other attack(s)
IT
FundApps has performed a business impact analysis and maintains a risk register as part of our business continuity management system. The full risk register is . We do not include the full details here, but below is a summary of the risks that we have analysed.
