Business Continuity Plan Policy
For those involved in re-establishing the operational delivery of services following a major incident.
Introduction
Intrepid Ltd's Business Continuity Plan (BCP) has been written for those who will be involved in re-establishing the operational delivery of services following a major incident.
The purpose of the plan is to provide a flexible response so that Intrepid Ltd can:
Respond to a disruptive incident (incident management)
Maintain delivery of critical activities/services during an incident (business continuity)
Return to ‘business as usual’ (resumption and recovery)
Alexander Preston, CTO, is this Plan’s Owner and responsible for ensuring that it is maintained, exercised and updated in accordance with internal requirements for business continuity.
Definitions
An emergency is any event which causes, or has the potential to cause injury, loss of life, damage to property or significant business disruption.
A disaster is the escalation of an emergency to the point where normal conditions are not expected to be recovered for at least 24 hours.
General Information
Intrepid Ltd has adopted the ‘’Plan-Do—Check-Act’’ PDCA model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of the organisation’s Business Continuity Management system (aligned to ISO22301)
Review and Training
This document will be reviewed, evaluated and updated by the Senior Management team every year as well, as whenever there are significant changes in personnel, equipment, operating software or recovery strategies.
Mechanisms for raising awareness include:
involving staff in the development of the strategy;
written and oral briefings;
learning from internal and external incidents; and
discussion based exercises
All new staff are made aware of the organisations BCP arrangements on joining and have access to the plan at any time.
Characteristics of the Business Continuity Plan will be monitored and analysed where appropriate. Monitored information includes:
Reports on business continuity incidents that have invoked a formal response.
Ensuring all staff are able to perform all aspects of their work remotely
Ensuring access controls are in place, appropriate and centrally managed (remote access possible)
Annual review of all measures in place, with actions taken where weaknesses are found.
Communication of BCP plan to all staff on at least an annual basis.
Associated Documents/information
The Business Continuity Plan should be read in conjunction with:
Fire evacuation plan (the operation of which does not necessarily activate the BCP)
As we are in a shared office, the Fire Safety and evacuation procedures are determined by the shared office owner.
Details of these are available in the Intrepid office space, on the back door of the office.
Health & Safety Policy including the Intrepid Office Risk Assessment - updated March 2024
Emergency Contact Information
An emergency information pack is kept on Intrepid’s company Confluence pages and includes:
Emergency contacts list (securely held in the HR database)
Contact with all staff is also available through other electronic means (teams, email) which is accessible by all staff.
Confluence is a secure and cloud based platform therefore enables remote access with an Internet connection and cuts out many of the on-site potential disaster risks (fire, flood, loss and damage of physical storage media).
A paper copy of the emergency contacts is also kept securely in the registered office in case access to the online database is not available.
Strategy and Plan Activation
A business continuity incident is an event or occurrence that disrupts, or might disrupt, normal service delivery below acceptable predefined levels, where special arrangements need to be implemented until services can return to an acceptable level.
The purpose of this Business Continuity Plan (BCP) is to provide the internal framework to prepare for, respond to and recover from business and service disruption irrespective of the cause.
This Plan will be activated in response to an incident causing significant disruption to normal service delivery/business, particularly the delivery of key/critical activities. Examples of circumstances triggering activation of this Plan include:
Loss of key staff or skills e.g. above normal levels of absenteeism due to illness
Loss of critical systems e.g. ICT failure
Denial of access, or damage to, facilities e.g. loss of a building through fire
Loss of a key resource e.g. a major supplier vital to the delivery of a key service
Notification of a Pandemic or national incident
Staff communication will be via email and Microsoft Teams if operable, or by use of the telephone lists if not.
The following organisations may need to be advised of the implementation of the Business Continuity Plan as soon as possible:
Sub-Contractors
Key client contacts
Insurance Advisors
Roles and Responsibilities
Managing Director
The MD is responsible for the implementation and co-ordination of the BCP, including:
Co-ordination of status reports/communication for the benefit of all audiences (including staff, temporary workers, contract stakeholders, framework providers and subcontractors)
Maintaining the BCP in an up-to-date format by delegating responsibility to the Operations Lead for updates.
Incident Management Team (IMT)
Lead by the MD, the Incident Management Team includes all members of the Senior Management Team / Heads of Departments, and the Office Manager. Additional members of the team will be recruited to match the specific needs of the incident.
The IMT is responsible for acting under the direction of the MD (or their Deputy) to restore normal conditions as soon as possible.
Purpose of the Incident Management Phase
Protect the safety of staff, visitors and the wider community
Protect vital assets e.g. equipment, data, reputation etc
Ensure necessary communication takes place
Support the Business Continuity phase
Support the Recovery and Resumption phase
Ensuring the Insurance company is updated as appropriate
Staff
Staff are required to co-operate with the IMT in support of the BCP.
In the event that staff are sent home, they should remain available during normal working hours to assist with necessary tasks.
Evacuation of Office Premises and Safeguarding of Staff
Designated Fire Warden’s (Halkin office) - Joni Duncan
Actions
Action | Details |
|---|---|
Evacuate the building if necessary | Use normal evacuation procedures for the building |
Fire Warden / Senior person onsite (if no Fire Warden in the office) to ensure the following: | Upon evacuation of the building you are responsible for the following:
|
Call emergency services (if outside of normal Halkin reception hours - 8:30am - 6pm, Mon-Fri) | TEL: 999 The Fire Warden / most Senior person onsite at the time of the emergency is responsible for completing this action |
Person on-site to notify manager & Intrepid Fie Warden (if the latter not on site) | Do not enter the building |
Fire Warden / Senior person onsite (if no Fire Warden in the office) to ensure the following: | Upon evacuation of the building you are responsible for the following:
|
Check that all staff, contractors and any visitors have been evacuated from the building and are present. Consider safety of all staff, contactors and visitors as a priority | Use of office calendar to confirm who was in the office on any day. The Fire Warden (or the most Senior person onsite if no Fire Warden that day) is responsible for completing this action. |
Alert staff | Alert any staff due to arrive on-site soon of the incident, and tell them to await further instructions |
Ensure log of incident is started and maintained throughout the incident phase | The log template can be found in the Incident Management Log |
Record names and details of any staff, contractors or visitors who may have been injured or distressed in the incident. | The Incident Management Team is responsible for completing this action |
Forward details of any fatalities or injuries in the incident to HR (depending on scale of incident) and agree action that will be taken. | The Incident Management Team is responsible for completing this action The HR contact to forward this information to is Joni Duncan. |
Assess impact | Senior team meet to assess the scale of the incident & decide next steps |
Consider whether the involvement of other teams, services or organisations are required to support the management of the incident | Depending on the incident the following may be approached to assist with incident management:
|
Closure during a Business Day
Evacuation of the office should not constitute closure of the Business during the day. The Company uses remote working and therefore all staff are not in the office at the same time.
In the event that a Delivery team has to evacuate the office, then the Delivery Lead is responsible for considering the relevant project deadlines, and if considered necessary, informing the relevant Client.
Immediate Places of Safety
In the event of a major incident on site requiring the Halkin office to be closed, staff will assemble at the primary assembly point.
Off-Site Place of Safety
If it becomes necessary to evacuate the site completely, staff and workers will be escorted to the identified place of safety in accordance with local procedures.
Business Recovery if an incident occurs
Loss of Office Space
In the event that the Office space is unusable then staff will be informed through the communication channels and instructed to work remotely until further notice.
Replacement site facilities ae not considered necessary. If an incident occurs then staff will be directed to work from home. All staff are set up to work from home.
Lockdown Procedure - Office
It is now possible to envisage circumstances where the business may wish to lock itself in, to secure staff and workers from an outside threat. This circumstance is described as a ‘lockdown’.
If a lockdown is declared:
The most Senior person onsite at the time of the incident will be responsible and will implement the lockdown via word-of-mouth or by using the company’s electronic communication means (teams, email, SMS).
All staff will remain indoors and will keep away from windows.
Infrastructure incident
An infrastructure incident can include the loss of computer / telephony systems, internet access, or power.
Step 1: Understand the extent of the loss
Infrastructure | Details | Responsible Person(s) |
|---|---|---|
Microsoft services (teams / office phone lines) | Contact phone provider to ascertain extent of outage. | IT team |
Internet | Contact internet provider to ascertain extent of outage. | IT team & Office Manager (to speak to Halkin) |
Mains power | Contact power provider to ascertain extent of outage. | Office Manager (to speak to Halkin) |
Home working infrastructure | Infrastructure at an individual’s home is taken out. In this instance, the affected person(s) will be instructed to work from the office / find other suitable working location while the infrastructure is restored. | Relevant individual. |
If outage is temporary, inform staff to stay put and await further instructions. If the outage is ongoing:
Step 2: Business continuity
Critical activity | Details | Responsible Person(s) |
|---|---|---|
Phones (Office) | Staff to use personal mobile phones. Contact telephone provider to forward office lines to staff mobiles | IT team |
Internet (Office) | Staff to use home internet connections. If home connection unavailable IT team to provide 5G modems or instruct staff to work from an alternative location where wifi is available. | IT team |
Mains power (Office) | Staff to work from home until power is restored. If power outage is widespread and staff homes are also affected contact local shared office providers to rent desk space. | Office Manager |
Staff incident
A staff incident can include a sudden family emergency, injury or other event which renders a key member of staff suddenly unable to work.
Step 1: Ensure no service interruption
Critical activity | Details | Responsible Person(s) |
|---|---|---|
| All members of staff should have team members who can perform their roles, even if it is in a reduced capacity. Identify the relevant person and support them in carrying out business-critical activities | All staff |
2. Assess extent of loss | Identify whether the affected staff member’s absence is likely to be temporary, longer-term, or permanent. Keep in mind this may be a difficult period for the staff member and / or their family. | Line manager |
If the staff loss is temporary, support the member of staff who will be filling the gap until the absent member of staff returns. If the absence is long-term or permanent:
Step 2: Business continuity
Critical activity | Details | Responsible Person(s) |
|---|---|---|
| Follow the standard recruitment procedure to find a full-time, part-time or fixed-term contract (as appropriate) replacement. | Line Manager & HR |
Recovery phase
The purpose of the recovery phase is to resume normal working practices for the entire organisation. Where the impact of the incident is prolonged, normal operations may need to be delivered under new circumstances e.g. from a different building.
Action | Details | Responsible Person(s) |
|---|---|---|
Agree and plan the actions required to enable recovery of normal working practices | Agreed actions will be detailed in an action plan and set against time scales with responsibility for completion clearly indicated. | Senior Management Team |
Respond to any long term support needs of staff | Depending on the nature of the incident, we may need to consider providing support services | Senior Management Team |
Publicise that there is now ‘business as usual’ | Inform customers through normal channels that our business is operating as normal | Senior Management Team |
Carry out a debrief of the incident and complete report to document opportunities for improvement and any lessons identified | This should be reviewed to ensure key actions resulting from the incident are implemented within designated time scales. | Senior Management Team |
Review this Continuity Plan in light of lessons learned from incident and the response to it | Implement recommendations for improvement and update this plan. Ensure a revised version of the plan is read by all members of staff. | Senior Management Team |
Pandemic Threat / Mass Staff Unavailability
Loss of staff is considered a generic threat to operations. The spread of a virus capable of impacting on operational service delivery is now considered genuine and serious.
In the event of mass staff illness, the Senior Management Team will shut the office to all staff, visitors and temporary workers.
If required by law, all control measures will be put in place according to the government requirements/guidance in place at that time.
Other Threats Incident and Threat Types
The following Other Threats have been considered
Finance Process Breakdown – payments to staff & suppliers fail. Backup of finance systems occur on a regular basis and the company has two bank accounts so if one bank is down, payments can be made from another bank.
Failure of key software services - this has been considered as part of the company’s cyber essentials certification and backups are in place where relevant/possible. Appropriate security controls are in place and are reviewed at least quarterly.
Evacuation due to Nearby Incident
Bad Weather prolonged
Strikes