Business Continuity Policy Statement
Introduction
Automedi Limited (“the Company”) is committed to providing the best possible experience to its customers and the best possible relationships with employees, shareholders and suppliers. To ensure the consistent availability and delivery of its products and services, The Company has developed the following business continuity and disaster recovery (BCP/DR) policy in support of a comprehensive program for BC, DR and overall business survivability.
The Company, like any other, is exposed to potential risks that could disrupt or destroy critical business functions and/or the production and delivery of Company goods and services. Our strategy for continuing business in the event of an incident is to ensure the safety and security of all employees; and to continue critical business functions, production and delivery of products and services from predefined alternative sites. Where digital services are employed, this includes multivendor strategies for Cloud services.
Purpose and Scope
The purpose of the BCP/DR policy is to ensure that all Company business activities continue at normal or near-normal performance following any incident with the potential to disrupt or destroy the Company.
The scope of this policy is the entire Company, its subsidiaries, offices and employees in the United Kingdom.
Statement of Policy
Each department in the Company is responsible for preparing current and comprehensive business continuity plans (BCP) for its operations. Certain departments, such as Information Technology (IT) are also responsible for disaster recovery plans (DRP) to ensure that any damage or disruptions to critical assets is minimized and these assets restored to normal or near-normal operation as quickly as possible.
When a plan is completed, approved and implemented, each plan will include procedures and support agreements ensuring on-time availability and delivery of products and services. Each plan is certified annually for compliance with the BCP/DR policy.
The Company recognizes the importance of an active and fully supported BCP/DR program to ensure the safety, health and continued availability of employment of its employees and the production and delivery of quality goods and services for customers and other stakeholders. The Company requires the commitment of each employee, department and vendor in support of the activities required to protect Company assets, mission and survivability.
Policy Leadership
The Managing Director is designated as the corporate management liaison responsible for the BCP/DR program. Resolution of issues in the development of, or support of, all BCP/DR plans and associated activities should first be coordinated with the BCP/DR Team and appropriate internal or external organizations before submitting to the corporate management liaison. The issue resolution process is defined in the following section.
Verification of Policy Compliance
BCP/DR compliance verification is managed by the BCP/DR Team with support from other relevant internal departments. Each plan must define appropriate procedures, staffing, tools and workplace planning activities necessary to meet compliance requirements. Plan templates have been developed to facilitate the plan development process, and these templates shall be used for all plans. Detailed policy compliance verification activities are defined by the BCP/DR Team and are included in the Appendix at the end of this policy.
BCP/DR Compliance Verification is required annually and facilitated by the BCP/DR team. Temporary verification is only approved by the BCP/DR team with good reason. The maximum delay for compliance is 1 year from the original date of compliance.
Penalties for Non-Compliance
In situations where a Company department does not comply with the BCP/DR policy, the BCP/DR Team will prepare a brief stating the case for non-compliance and present it to the BCP/DR corporate management liaison for resolution. Failure to comply with BCP/DR policies within the allotted time for resolution may result in verbal reprimands, notes in personnel files, termination and other remedies as deemed appropriate.
Appendix A: Additional Policy Schedule
The Company is responsible for business continuity (and, where appropriate, disaster recovery) for each area and is required to have a documented BC plan, signed and countersigned by the BCP/DR corporate management liaison.
Each department must have a BCP/DR coordinator to assist in the implementation and maintenance of BCP/DR plans, as well as readiness reporting for that department.
BCP/DR readiness within the Company must be reported on a quarterly basis to the BCP/DR corporate management liaison.
Deviations from this policy must be approved by the BCP/DR corporate management liaison and others he/she shall designate. The internal audit department will review policy compliance. In order to facilitate appropriate continuity of service, all platforms must be built with the aim of securing 99.95% uptime. In order of increasing precedence, this includes, but is not limited to:
- Engineering fully scalable systems
- Eradicating a single point of failure
- Load balancing traffic across availability zones (two separate datacenters as a minimum)
- Multi-regional deployments where appropriate
- Multi-vendor deployments where appropriate
- All production platforms must aim to service markets closest to them, as much as practicable, without exposing information to jurisdictions upon which the organization has little control. This is particularly important in the case of data protection and the upcoming GDPR where entry into US Jurisdiction risks access to EU data and this, positioning the organization at risk of a data protection breach.
- Unless otherwise required, all jurisdictions and accounts for those jurisdictions, will be wholly disparate and separate from other accounts. ICT will consider all transit of information from one data jurisdiction to another.
Authorisation & Signed Declaration
This Policy has been approved & authorised by the board