Business Continuity Strategy
Purpose
This document sets out the strategy adopted by Ultima Business Solutions Limited (‘Ultima’) for developing and implementing an appropriate business continuity framework, to ensure the company’s continuing ability to deliver services to its customers.
Aims
Business continuity management has two fundamental aims:
Building resilience to disruption.
Developing the capability for an effective response that safeguards the interests of its interested parties, reputation, brand and value-creating activities.
Assumptions
In designing this strategy, Ultima has made the assumptions that:
By adopting a cloud strategy with trusted vendors, with a robust history of up-time, the risk of Ultima’s key systems being unavailable for more than a 12-hour period will be minimal.
No disruptive situation will simultaneously disable the cloud-based systems, the Ultima computer systems based at Gainsborough House, Manor Park, Reading, RG2 0NA, and the nominated alternative datacentre to be used by network operations.
Sufficient staff are available to provide a basic level of functionality.
Principles
The following principles support the delivery of the objective and strategic aims of business continuity management for Ultima operations:
A Policy has been developed which shall be maintained to provide management direction and support business continuity, in accordance with business requirements and relevant laws and regulations;
The business continuity response shall be focused on the identified business requirements for the recovery of prioritised activities;
Strategic responses shall be designed to deal with identified disruptive situations;
Identified risks shall be assessed and either accepted or action taken to reduce or remove the risk. These shall be managed within the Risk Register;
Plans shall be developed and maintained for:
The management of the response to disruption;
Each of the prioritised business activities deemed critical.
All Ultima staff able to work remotely (due to the nature of their work) already have laptop computers and can maintain an acceptable and uninterrupted level of service without corporate office facilities.
Ultima’s CRM and Finance systems are cloud based, with a very minimal level of HR and warehousing information retained on an on-premise platform deployed on high availability infrastructure. Key business and customer data shall be stored in an appropriate cloud-based CRM and/or ITSM solution.
All third parties providing systems or services that support the identified critical activities shall have service level agreements and adequate business continuity arrangements in place, to ensure continuity of operation.
Scope
Ultima has defined a Business Continuity Strategy and Business Continuity Plan relevant to the business in general and to support service delivery to Ultima’s Managed Service customers. The Ultima strategy and plan may not meet the recovery time objectives or recovery point objectives of a specific customer system.
Where identified by the customer, Ultima will work with customers to architect redundancy in their systems to meet their RTO/RPO specifications.
The scope of this Business Continuity Strategy shall extend to all employees and teams, unless the employee works permanently at a customer site, and they agree that their business continuity arrangements shall take precedence.
This Business Continuity Strategy shall work in conjunction with Ultima’s Business Continuity Plan.
Responsibilities
The Chief Executive Officer has overall responsibility for ensuring that all parts of the company have appropriate business continuity arrangements in place and for approving this strategy.
The Board is responsible for this document and shall provide staff with appropriate education and training thereon.
The Board is responsible for ensuring that appropriate service level agreements, resilience, recovery and response mechanisms are in place in respect of the third-party services.
Departmental managers, in conjunction with the Board, shall be responsible for implementing and communicating this document and the associated processes.
Are responsible for maintaining awareness of this document and the associated processes.
No. | Situation | Risk assessment (based on Ultima risk methodology, doc ref 026FR) | Potential impact | Strategic approach |
---|---|---|---|---|
1 | Cyber-attack, including, but not limited to, ransomware, phishing emails, man-in-the-middle attacks | Likelihood – remote; impact – high; RTO/RPO dependent on specific situation | Unable to access information, possible breach of data, inability to provide services and operations. | |
2 | ITSM cloud-based solution fails | Likelihood – remote; impact – medium; RTO 2 hrs; RPO 1 hr | Unable to receive or deal with some customer service requests. Possible breach of contractual SLAs. | Short term (up to 1 day) – manual call recording and sharing of information via shared portal. Short term (up to 1 week) – reconstruction of KnowledgeBase records and continued manual call recording. Additional considerations for long term (over 1 week) – identification of alternative provider. |
3 | Finance and/or CRM cloud-based solution fails | Likelihood – remote; impact – medium; RTO 10 hrs; RPO < 5 seconds | Unable to provide quotes to customers through formal mechanisms. Unable to transact through formal mechanisms. Unable to record activities in compliance with stakeholder requirements / expectations. | IT team to engage with support provider, if relevant, to remediate. Vendor relationship manager to engage with relevant solution provider. Short term (up to 1 day) – manual quotes and processes. Short term (up to 1 week) – reconstruction of records using on-premise systems and continued manual processes. Additional considerations for long term (over 1 week) – identification of alternative provider. |
4 | Not all staff are available to work (e.g., pandemic) | Likelihood – remote; impact – low | Staff unavailability resulting in an inability to receive or deal with some client enquiries in accordance with normal expectations. | |
5 | Cloud-based solution (excluding ITSM, CRM and Finance systems) and/or datacentre / cloud storage fails | Likelihood – remote; impact – dependent on solution | Dependent on solution. | |
6 | The Reading building and all facilities have been rendered unusable AND not all staff are available to work | Likelihood – remote; impact – low | Staff unavailability resulting in an inability to receive or deal with some client enquiries in accordance with normal expectations. Unable to access inventory in warehouse. Internal IT configuration support will need to be relocated. Cloud-based systems (key operational systems) unaffected. | Short term (up to 1 week): Additional considerations for long term (over 1 week): |
7 | Hardware, telephony or facilities failure (whilst the third-party cloud services and associated datacentres remain fully functional) | Likelihood – remote; impact – none | Internal IT and/or warehouse are possibly unable to connect to on-premise systems. Cloud-based systems (key operational systems) unaffected. Majority of staff unaffected. | |
8 | Access to building not permitted | Likelihood – remote; impact – none | Unable to access inventory in warehouse. Internal IT configuration support will need to be relocated. Majority of staff unaffected. Cloud-based (key operational systems) and on-premise systems unaffected. | |
9 | The Reading building and all facilities have been rendered unusable | Likelihood – remote; impact – none | Unable to access inventory in warehouse. No phone system. Internal IT configuration support will need to be relocated. Majority of staff unaffected. Cloud-based systems (key operational systems) unaffected. On-premise systems inaccessible (minimal impact on contractual obligations). | Ultima IT and/or TSC to recover on-premise systems using appropriate supplier. Short term (up to 1 week): Additional considerations for long term (over 1 week): |
This policy has been executively signed off and approved by Scott Dodds, Chief Executive Officer, 5th July 2024