Business Continuity Strategy

Purpose

This document provides the strategy of the approach taken by Ultima Business Solutions Limited (‘Ultima’), to the development and implementation of an appropriate business continuity framework, to ensure the company’s continuing ability to deliver services to its customers.

Aims

Business continuity management has two fundamental aims:

Building resilience to disruption.

Developing the capability for an effective response that safeguards the interests of its interested parties, reputation, brand and value-creating activities.

Assumptions

In designing this strategy, Ultima has made the assumptions that:

By adopting a cloud strategy with trusted vendors, with a robust history of up-time, the risk of Ultima’s key systems being unavailable for more than a 12-hour period will be minimal.

No disruptive situation will simultaneously disable the cloud-based systems, the Ultima computer systems based at Gainsborough House, Manor Park, Reading, RG2 0NA and the nominated alternative datacentre to be used by network operations.

Sufficient staffing levels are available to be able to fulfil the needs of providing a basic level of functionality.

Principles

The following principles support the delivery of the objective and strategic aims of business continuity management for Ultima operations:

A Policy has been developed which shall be maintained to provide management direction and support business continuity, in accordance with business requirements and relevant laws and regulations;

The business continuity response shall be focused on the identified business requirements for the recovery of prioritised activities;

Strategic responses shall be designed to deal with identified disruptive situations

Identified risks shall be assessed and either accepted or action taken to reduce or remove the risk. These shall be managed within the Risk Register; Plans shall be developed and maintained for:

The management of the response to disruption;
Each of the prioritised business activities deemed critical.

All Ultima staff able to work remotely (due to the nature of their work) already have laptop computers and can maintain an acceptable and uninterrupted level of service without corporate office facilities.

Ultima’s CRM and Finance systems are cloud based, with a very minimal level of HR and warehousing information retained on an on-premise platform, deployed on high availability infrastructure. Key business and customer data shall be stored in an appropriate CRM and or ITSM solution which shall be cloud based.

All third parties providing systems or services that support the identified critical activities shall have service level agreements and adequate business continuity arrangements in place, to ensure continuity of operation.

Scope

Ultima has defined a Business Continuity Strategy and Business Continuity Plan relevant to the business in general and to support service delivery to Ultima’s Managed Service customers. The Ultima strategy and plan may not meet the recovery time objectives or recovery point objectives of a specific customer system.

Where identified by the customer, Ultima will work with customers to architect redundancy in their systems to meet their RTO/RPO specifications.
The scope of this Business Continuity Strategy shall extend to all employees and teams, unless the employee works permanently at a customer site, and they agree that their business continuity arrangements shall take precedence.
This Business Continuity Strategy shall work in conjunction with Ultima’s Business Continuity plan.

Responsibilities

The Chief Executive Officer has overall responsibility for ensuring that all parts of the company have appropriate business continuity arrangements in place and for approving this strategy.

The Board is responsible for this document and shall provide staff with appropriate education and training thereon.

The Board is responsible for ensuring that appropriate service level agreements, resilience, recovery and response mechanisms are in place in respect of the third-party services.

Departmental managers, in conjunction with the Board, shall be responsible for implementing and communicating this document and the associated processes.

Are responsible for maintaining awareness of this document and the associated processes.

No. Situation Risk assessment (based on
Ultima risk methodology,
doc ref 026FR
Potential impact Strategic approach
1 Cyber-attack, including, but not
limited to, Ransomware, phishing
emails, man in the middle attacks
likelihood – remote
impact – high
RTO/RPO dependent on specific
situation
Unable to access information,
possible breach of data, inability
to provide services and
operations.
  • IT and Professional Services staff to resolve. Insurance
    company to be contacted. Contact made with relevant
    experts to assist, remediate and identify information
    breached. Report in line with the law and relevant
    contractual obligations.
  • Continued education of staff following incident in relation
    to identification scenarios leading to an attack along with
    examples of best practice and risky behaviours
2 ITSM Cloud based solution fails likelihood – remote
impact – medium
RTO 2hrs
RPO 1 hr
Unable to receive or deal with
some customer service requests.
Possible breach of contractual
SLAs.
Short term (up to 1 day) Manual call recording and sharing
of information via shared portal.
Short term (up to 1 week) – reconstruction of
KnowledgeBase records and continued manual call
recording.
Additional considerations for long term (over 1 week) –
identification of alternative provider.
3 Finance and or CRM Cloud based
solution fails
likelihood – remote
impact – medium
RTO 10 hrs
RPO < 5 seconds
Unable to provide quotes to
customers through formal
mechanisms.
Unable to transact through
formal mechanisms.
Unable to record activities in
compliance with stakeholder
requirements / expectations.
IT team to engage with support provider, if relevant, to
remediate.
Vendor relationship manager to engage with relevant
solution provider.
Short term (up to 1 day) – Manual quotes and processes
Short term (up to 1 week) – reconstruction of records using
on premise systems and continued manual processes.
Additional considerations for long term (over 1 week) –
identification of alternative provider.
4 Not all staff are available to work
(e.g., pandemic)
likelihood – remote
impact – low
Staff unavailability resulting in
an inability to receive or deal
with some client enquiries in
accordance with normal
expectations.
  • Redeploy staff to key areas based on Impact Analysis.
  • Key areas to be identified by the BCM and continually
    reviewed during the BC Event for appropriateness.
5 Cloud based solution (excluding
ITSM, CRM and Finance systems) and
or datacentre / cloud storage fails
likelihood – remote
impact – dependent on solution
Dependent on solution.
  • Supplier manager to liaise with provider to assess the
    duration of outage.
  • Plan for alternative supplier if outage extends beyond an
    acceptable time frame.
6 The Reading building and all facilities
have been rendered unusable.
AND
not all staff are available to work
likelihood – remote
impact – low
Staff unavailability resulting in
an inability to receive or deal
with some client enquiries in
accordance with normal
expectations.
Unable to access inventory in
warehouse.
Internal IT configuration support
will need to be relocated.
Cloud based (key operational
systems) systems unaffected.
  • Redeploy staff to key areas based on Impact Analysis.
  • Key areas to be identified by the BCM and continually
    reviewed during the BC Event for appropriateness.
  • Building to be secured, depending on nature of failure,
    and appropriate third-party supplier to be contacted to
    resolve.

Short term (up to 1 week):

  • All goods to be delivered direct to customers or via
    approved configuration site;
  • Internal IT team to relocate IT infrastructure support;
  • Invoke phone system problem and remote working
    procedure;
  • Consider reinstatement of on-premise systems using back
    up tapes.

Additional considerations for long term (over 1 week):

  • Reinstate on-premise systems using back up tapes
    (should data have been lost);
  • Liaise with customers in relation to specific contractual
    arrangements
7 hardware, telephony or facilities
failure (whilst the third-party cloud
services and associated datacentres
remain fully functional).
likelihood – remote
impact – none
Internal IT and or warehouse are
possibly unable to connect to on
premise systems.
Cloud based (key operational
systems) systems unaffected.
Majority of staff unaffected.
  • Building to be secured, depending on nature of failure,
    and appropriate third-party supplier to be contacted to
    resolve.
  • Ultima IT work to recover failure.
  • Use of on-premise systems to be manually recorded and
    or limited until such time as access is resolved.
  • Internal IT team to relocate specific IT infrastructure
    support, as appropriate.
  • Invoke phone system problem and remote working
    procedure;
  • Reinstate on-premise systems using back up tapes
    (should data have been lost).
8 Access to building not permitted likelihood – remote
impact – none
Unable to access inventory in
warehouse.
Internal IT configuration support
will need to be relocated.
Majority of staff unaffected.
Cloud based (key operational
systems) and on-premise
systems unaffected.
  • All goods to be delivered direct to customers or via
    approved configuration site;
  • Internal IT team to relocate IT infrastructure support;
  • Invoke phone system problem and remote working
    procedure;
  • Liaise with landlord to get emergency access to building
    as and when necessary.
9 The Reading building and all facilities
have been rendered unusable
likelihood – remote
impact – none
Unable to access inventory in
warehouse.
No phone system.
Internal IT configuration support
will need to be relocated.
Majority of staff unaffected.
Cloud based systems (key
operational systems) unaffected.
On-premise systems inaccessible
(minimal impact on contractual
obligations).
Ultima IT and or TSC to recover on-premise systems using
appropriate supplier.Short term (up to 1 week):

  • All goods to be delivered direct to customers or via
    approved configuration site;
  • Internal IT team to relocate IT infrastructure support;
  • Invoke phone system problem and remote working
    procedure;
  • Consider reinstatement of any on-premise systems using
    back up tapes.

Additional considerations for long term (over 1 week):

  • Obtain serviced office accommodation for staff who
    would face difficulty with remote working, if any, and if
    conditions permit such relocation;
  • Reinstate any on-premise systems using back up tapes
    (should data have been lost).
Ultima-Logo-footer

© 2022 Ultima Business Solutions Limited. All rights reserved. | Registered Address: Gainsborough House, Manor Farm Road, Reading, England, RG2 0NA | Company Registration 02521249 Registered in England & Wales