Business Continuity Plan · This Business Continuity Plan (BCP) is applicable to the business functions, employees, ... who are responsible for managing the rapid and orderly resumption

Classification: PUBLIC

© Quadient

Business Continuity Plan

Author: Allan Morrison

Valid from: 17-03-2020

Version No.: V2.0

Approved by: Warren Tait


Document name: Business Continuity Plan

© Quadient Page 2/50

Distribution List

Distribution Type Public – for distribution as required

To: (must know)

CC: (for information)

Change Control

Modification Notice Author Date Version Changes Highlight

Issue 1.0 Allan Morrison 12/03/20 V1.0 Approved for issue W Tait

Issue 2.0 Allan Morrison 17/03/20 V2.0 Minor Text changes




Table of contents

1 Activate the Plan ............................................................................................................................................ 5

1.1 Authority to Activate this Plan ................................................................................................................ 5

1.2 The Media ............................................................................................................................................... 5

1.3 Document References ............................................................................................................................. 5

2 Overview ........................................................................................................................................................ 6

2.1 Scope ....................................................................................................................................................... 6

2.2 Approach ................................................................................................................................................. 6

2.3 Objectives ................................................................................................................................................ 7

2.4 Recovery Time Requirements ................................................................................................................. 7

3 Organisation ................................................................................................................................................... 9

3.1 Recovery Teams – Head Office and Regional Offices .............................................................................. 9

3.2 Recovery Teams – DCS, Slough ............................................................................................................. 14

4 Roles and Responsibilities ............................................................................................................................ 17

4.1 Management Team ............................................................................................................................... 17

4.2 First Responder Team ........................................................................................................................... 18

4.3 IT Team .................................................................................................................................................. 19

4.4 Facilities Team ....................................................................................................................................... 20

4.5 Managed Services Team – DCS ............................................................................................................. 21

5 Processes ...................................................................................................................................................... 22

5.1 Activation .............................................................................................................................................. 22

5.2 Developing Situations ........................................................................................................................... 23

5.3 Business Resumption ............................................................................................................................ 23

6 Procedures ................................................................................................................................................... 27

6.1 Management Team ............................................................................................................................... 27

6.2 First Responder Team ........................................................................................................................... 30

6.3 IT Team .................................................................................................................................................. 33

6.4 Facilities Teams ..................................................................................................................................... 37

6.5 Managed Services Team - DCS .............................................................................................................. 41

6.6 Other (Agile) Employees ....................................................................................................................... 43

7 Maintenance and Testing ............................................................................................................................. 44

7.1 Maintenance of BCP Documentation .................................................................................................... 44

7.2 DCS Managed Services Disaster Recovery Testing ................................................................................ 44

7.3 BCP Testing ............................................................................................................................................ 45




APPENDIX D – Media Management ...................................................................................................................... 47

Procedures for Dealing with the Media ............................................................................................................ 47

APPENDIX E – Event Log ........................................................................................................................................ 48

Glossary ................................................................................................................................................................. 49

List of Figures

Figure 1: Outage and Recovery Times..................................................................................................................... 8

Figure 2: Quadient UK Ltd Recovery Team Structure ............................................................................................. 9

Figure 3: Management Team ................................................................................................................................ 10

Figure 4: First Responder Team ............................................................................................................................ 11

Figure 5: IT Team ................................................................................................................................................... 12

Figure 6: Facilities Team ........................................................................................................................................ 13

Figure 7: DCS Recovery Team Structure ............................................................................................................... 14

Figure 8: Management Team - DCS....................................................................................................................... 15

Figure 9: Managed Services Team – DCS .............................................................................................................. 16

Figure 10: Facility Team - DCS ............................................................................................................................... 16

Figure 11: BCP Activation Stages ........................................................................................................................... 22

Figure 12: Business Resumption Process .............................................................................................................. 25




1 Activate the Plan

To activate this plan in the event of a serious disruptive incident, refer to: Section 6, Procedures

1.1 Authority to Activate this Plan

The Chief Operating officer (COO) has the authority to activate actions within this plan. If he is unavailable, another Exec Director or the Director QMS and Transformation may also activate the plan.

The COO will assume the role, and the associated responsibilities, of Management Team Leader. The COO may delegate the Management Team Leader role, or if he is unavailable, another Executive Director may assume the Management Team Leader Role. This will normally revert to the VP/Director of Operations. See section 3, Organisation.

1.2 The Media

Members of staff must follow the Media Management Procedure for Dealing with the Media. – See Appendix D.

1.3 Document References

Relevant documents which may need to be referred to when the plan is activated include:

Description Location

Recovery Team Call Trees Microsoft Teams – Project Picard

IT Risk Assessment Microsoft Teams – Project Picard

BCP Risk Assessment Microsoft Teams -Project Picard

Acceptable Use Policy Quadient Sharepoint – Form Farm

http://sharepoint.ad.neopost.com/departments/Pages/FormsAndPolicies.aspx

Homeworking Policy Quadient Sharepoint – Form Farm


Emergency Evacuation Process Sharepoint - QHSE

http://sharepoint.ad.neopost.com/departments/qhse/Shared Documents/HS06-Fire Emergency Evacuation.docx





http://sharepoint.ad.neopost.com/departments/qhse/Shared%20Documents/HS06-Fire%20Emergency%20Evacuation.docx






2 Overview

2.1 Scope

This Business Continuity Plan (BCP) is applicable to the business functions, employees, premises and assets of the Quadient UK Ltd organisation including Data Capture Solutions (DCS); a Quadient company. This group comprises the businesses previously known as Neopost Ltd, Quadient UK and Data Capture Solutions (DCS).

These business units operate from various premises within the United Kingdom, with offices and production units located in London, Slough, Bristol, Birmingham, Wakefield and Livingston.

2.1.1 Exclusions

• This BCP does not address the recovery of any Quadient UK Ltd’s business operations or processes not identified as critical.

• A disruptive incident of such a magnitude that there are insufficient personnel to resource the recovery in order to meet Quadient UK Ltd’s objectives is also excluded.

2.2 Approach

This document may be released to selected customers and other interested parties as required. It has been copied from the internal BCP document but any confidential information has been redacted to allow distribution to a wider audience.

For each of the above business units a Business Impact Analysis (BIA) was conducted which identified those processes regarded as critical, together with the physical and virtual resources required to support them.

The BIA determines the maximum time that each critical process, its resources and infrastructure could be disrupted for, without causing unacceptable damage to the business or its customers. The likelihood and severity of each potential disruption is then analysed using a risk assessment process.

A disruptive incident is defined as an event that interrupts a critical business process hence reducing Quadient UK Ltd’s ability to provide normal service to its customers. The Maximum Allowable Outage (MAO) for the businesses as a whole has been defined as 3 working days. A disruptive incident causing an outage exceeding, or likely to exceed, this period is defined as significant. A declaration that such an incident has occurred, and that the BCP has been activated, begins the recovery process described in this document.

The BCP details the communications structure, roles and responsibilities of the Recovery Teams, and other personnel, who are responsible for managing the rapid and orderly resumption of critical processes.

The BCP may be activated where a significant disruptive incident affects one of the following areas:

Premises: An unplanned event that causes any site to be inaccessible, or unusable for a period exceeding, or likely to exceed, the MAO

People: An incident that prevents employees from carrying out their normal activities, for example pandemic illness or major travel breakdown

IT: A major breakdown or loss of IT infrastructure, hardware or application which cannot be recovered within the MAO

Depending on the nature and severity of the incident, the activation of the BCP can be modified so that, for example, specific groups of staff may work remotely, or changes can be made to working time or location for staff who will work in one of the offices or other locations.




At every stage of activation of this plan, from initial reporting of a disruptive incident, through to return to business as usual, preserving the security of Quadient UK Ltd information and assets will be given appropriate consideration. The level of security afforded during the activation shall be at least as high as that in place prior to the incident occurring.

2.3 Objectives

The objectives of the BCP are to continue to serve customers; minimize financial loss to the organisation; and mitigate the negative effects disruptions can have on strategic plans, reputation, operations, credit quality, market position, and compliance with contractual obligations, applicable laws and regulations.

The primary objective is to provide for restoration and continuation of those processes the organisation has defined as critical through Business Impact Analysis. This is accomplished by developing and maintaining a detailed plan that will organise and govern recovery operations following a significant disruptive event. The BCP must:

• provide the information and procedures necessary to respond to an incident, notify personnel and recovery teams, recover data and resume processing as soon as possible after a disruptive incident.

• create a recovery structure strong enough to provide guidance to all interrelated groups, yet flexible enough to allow Quadient UK Ltd personnel to respond to whatever type of disruptive incident may occur.

• provide specific action plans for each relevant functional area.

• identify those activities necessary to resume full services.

• establish a return to a business as usual (BAU).

2.4 Recovery Time Requirements

The following requirements are a result of the Business Impact Analysis process, which forms part of the Quadient UK Ltd BCP:

• Maximum Acceptable Outage (MAO). The maximum allowable outage is the amount of time Quadient UK Ltd’s critical processes may be unavailable before business operations are severely impacted. The MAO encompasses all activities from point of impact to point of resumption of critical processes as described in Section 5.1, Activation. The overall MAO for Quadient UK Ltd is 3 working days.

• Recovery Time Objective (RTO). The Recovery Time Objective is the time taken to recover the in-scope services from BCP activation to the point where the Recovery Teams are able to provide the critical business processes. The overall RTO for Quadient UK Ltd is 2 working days. However, where a customer has specifically requested a shorter period we shall endeavour to comply and keep the customer informed.

• Recovery Point Objective (RPO). The recovery point objective is the worst data loss that the Quadient UK Ltd is willing to accept. This is the point from which recovery of lost data must take place if applicable. The RPO is defined as 1 working day.




RTO

MAO

Service Interruption

Time

RPO

Resumption of Critical Processes BCP Activation

Figure 1: Outage and Recovery Times




3 Organisation

3.1 Recovery Teams – Head Office and Regional Offices

A Recovery Team strategy has been employed for the BCP. For the Head Office and UK Regional Offices, the Recovery Team, figure 2, comprises a management team made up of senior management staff and three sub-teams responsible for the successful execution of the BCP. The team titles are given below:

• The Management Team (MT)

• The First Responder Team (FRT)

• The IT Team (ITT)

• The Facilities Team (FT)

Figure 2: Quadient UK Ltd Recovery Team Structure




3.1.1 Management Team

The Management Team, figure 3, comprises the Executive Directors and is led by the COO. It is responsible for deciding on the correct action to take following a disruptive incident and coordinating and directing all activities during the recovery period. The team will decide if the incident is significant and damaging enough to activate the BCP.

Following BCP activation, this team begins the communication process, with the other recovery teams providing sufficient information to allow them to take the necessary action.

The team is also responsible for communications with the media, key vendors, key clients, stakeholders and other Quadient entities as necessary. This team is responsible for the on-going recovery program and for keeping this plan current during its activation.

Figure 3: Management Team




3.1.2 First Responder Team

The First Responder Team, figure 4, comprises staff from the Cashiers, Customer Experience (CX), Installation and Onboarding departments.

The purpose of the First Responder Team is to operate the established BCP processes and procedures in line with their training and this plan. Their aim is to continue to provide critical business processes to the minimum acceptable level, until a return to business as usual.

Figure 4: First Responder Team




3.1.3 IT Team

The IT Team, figure 5, comprises staff from Group IT Infrastructure, Applications and Desktop Support.

The purpose of the IT Team is to provide IT support to any business unit before, during, and after, a BCP activation. Its primary responsibility is to ensure that the First Responder Team, and other staff involved in maintaining critical business processes, have the necessary hardware, IT infrastructure and access to software applications to be able to operate effectively. This team is also responsible for restoring computing services at the existing or alternative facilities as appropriate.

Figure 5: IT Team




3.1.4 Facilities Team

The Facilities Team, figure 6, comprises senior management and other facilities staff. However, a small team also exists in the DCS site in Slough, Berkshire, see section 3.2.3.

The primary purpose of this team, following a disruptive incident, is to take all necessary actions to provide for the safety of staff or other persons affected by the incident.

Subsequently, the team is responsible for securing the site against unauthorised access and then conducting an in-depth damage assessment with recommendations to management for the required repair or restoration activities.

When the recovery plan is provided by the Management Team, the Facilities Team takes responsibility for salvage and restoration of the primary site to operational status as quickly as possible. In extreme circumstances, the team may be needed to prepare an alternative facility for occupation.

Figure 6: Facilities Team




3.2 Recovery Teams – DCS, Slough

The DCS business unit, in Slough, Berkshire, operates in a more autonomous manner and therefore employs its own Recovery Team, figure 7, which works closely with the head office team and includes the IT Team (see section 3.1.3 above) as necessary. The DCS Recovery Team comprises a management team made up of senior management staff and two sub-teams, plus the IT Team. The team titles are given below:

• The Management Team (MT)

• The Managed Services Team (MST)

• The Facility Team (FT)

• The IT Team (ITT) – as required

In the event of a significant disruptive incident, it is fundamentally important that all Recovery Teams liaise at the earliest possible point and, subsequently, throughout the activation of the BCP.

Figure 7: DCS Recovery Team Structure




3.2.1 Management Team - DCS

The DCS Management Team, figure 8, is led by the COO, and comprises the senior management responsible for the DCS business unit.

Following BCP activation, this team begins the communication process. Other recovery teams will provide sufficient information to allow them to take the necessary action.

The team is also responsible for communications with the media, key vendors, key clients, stakeholders and other Quadient entities as necessary. This team is responsible for the on-going recovery program and for keeping this plan current during its activation.

Figure 8: Management Team - DCS




3.2.2 Managed Services Team – DCS

The DCS Managed Services Team, figure 9, comprises the management and key staff of the operational functions of the unit.

Following BCP activation, this team will ensure that customer scanning and workflow services are maintained in accordance with specific sales contracts.

If the primary site in Slough, Berkshire, is unavailable, the MST will work with local and Head Office functions to set up operations at an alternative facility, the Disaster Recovery (DR) Site.

Figure 9: Managed Services Team – DCS

3.2.3 Facility Team - DCS

The DCS Facility Team, figure 10, will work closely with the Quadient UK Ltd IT Facilities Team, during a BCP activation, to assess and report any damage, damage mitigation, salvage, and physical restoration of the office environment.

The primary purpose of this team, following a disruptive incident, is to take all necessary actions to provide for the safety of staff or other persons affected by the incident. Subsequently, the team is responsible for securing the site against unauthorised access.

When the recovery plan is provided by the Management Team, both Facilities Teams will take responsibility for salvage and restoration of the primary site to operational status as quickly as possible. In extreme circumstances, the team may be needed to assist with the preparation of the DR Site for occupation.

Figure 10: Facility Team - DCS




4 Roles and Responsibilities

4.1 Management Team

Management Team roles and responsibilities, for all Quadient UK Ltd business units, are summarised in Error! Reference source not found..

Team Role Owner Responsibility

Management Team Leader

Chief Operating Officer Activate the BCP. Senior manager to oversee recovery.

Alternative Mgmt. Team Leader

Nominated member of the Exec or senior Management

Full authority to act if Team Leader is not available.

Recovery operations VP Director of Operations Communications with Facilities and IT teams. Oversight of recovery activities.

Finance Management Finance Director UK & Ireland

VP Director of Operations

Communications with First Responder team.

Authority to purchase goods and services, and to release funds required to achieve recovery.

Legal and Corporate COO

VP Director of Operations

Legal and contractual decisions and actions.

Human Resources Management

HR Director All Human Resources decisions and actions.

Communications Management

HR Director

Office Manager - DCS

Authority to speak for the organisation. Provides written text to IT and Communications Manager for onward communication to employees and others.

Customer Communications

VP & MD Mail Related Solutions

Ensures key customers are contacted and informed of the situation on a regular basis

Customer Communications

VP & Marketing Director UK & Ireland

Ensures that appropriate information is delivered to customers through all available marketing channels

Table 1: Management Team Roles and Responsibilities




4.2 First Responder Team

First Responder Team roles and responsibilities are summarised in Table 2.


FRT Team Leader Cashiers Manager Communications with team members through functional team leaders. Coordinating the team’s activities to ensure all in-scope processes are managed effectively.

Alternative FRT Team Leader

Nominated team member Full authority to act if Team Leader is not available.

Recrediting processes Team members Ensure all key recrediting processes, identified during BIA, are carried out effectively

Customer Contact Management

CX Team Leader

Installation & Onboarding Team Leader

Receiving contacts from customers and ensuring that the correct action is taken to resolve any reported issues.

Team communication Communications Representative

Nominated team member to hold contact details, devise team communication plan and ensure that the team and key stakeholders have an effective method of communicating.

Table 2: First Responder Team Roles and Responsibilities




4.3 IT Team

The IT Team roles and responsibilities, for all Quadient UK Ltd business units, are summarised in Table 3.


IT Team Leader IT Service Manager

Head of Global Infrastructure

Technical Director - DCS

Communication with team members. Coordinating the team’s activities to ensure all in-scope processes are effectively supported.

Liaison with Facilities and Management teams to help understand the nature and extent of a disruptive incident.

Advise if the IT systems can be recovered and provide expected timescale and cost.

If the primary site cannot be recovered, work with Facilities and Management teams to locate and equip an alternative site.

Alternative Team Leader

Nominated team member Full authority to act if team leader is not available.

Network Services Recovery

Team members Recovery of data network infrastructure. Includes recovery of hardware equipment, connectivity, applications and data.

Server Recovery Team members Recovery of critical servers.

Support to Credifon FRT

Team members Ensure that recrediting, and other in-scope Credifon processes, are effectively supported with IT applications and systems.

Support to Managed Services - DCS

Team members Ensure all IT applications and systems are available to Managed Services, DCS, so that they can deliver contractual requirements.

Process support Team members Ensure that all critical, in-scope processes, are effectively supported with IT hardware, applications and systems.



Table 3: IT Team Roles and Responsibilities




4.4 Facilities Team

Facilities Team roles and responsibilities, for all Quadient UK Ltd business units, are summarised in Table 4


Facility Team Leader Director of QMS & Transformation

Communications with team members.

Oversee facilities functions, safety and security.

Carry out and manage; damage assessment, damage mitigation, salvage, reconstruction and alternative site setup as required.

Liaison with Management, IT and Managed Services teams to help understand the nature and extent of a disruptive incident.

Advise if the primary site building and infrastructure can be recovered, together with expected timescale and cost.



Security Team members Ensure security of the primary site during and following a disruptive incident. Liaise with site agents, security and management to ensure that the best available methods are employed.

Source alternative premises

Nominated team member If the primary site cannot be recovered, work with all Recovery teams to locate and equip an alternative site.

Building and Utilities Nominated team member Plan, arrange and manage recovery of primary site and utilities as required.

Building and Utilities - DCS

Office Manager -DCS

Supplies and services Nominated team member Manage the logistics of pausing and restarting the supply of materials and services to the primary or alternative site.

Supplies and services - DCS

Office Manager -DCS

Incoming post Nominated team member Arrange collection of incoming post from a local sorting office.

Manage the sorting and delivery of mail, especially:

• to ensure that cheques and other Credifon documents are passed to Cashiers

• secure delivery of incoming customer documents, via a courier to the DR site if applicable.

Table 4: Facilities Team Roles and Responsibilities




4.5 Managed Services Team – DCS

Managed Services Team roles and responsibilities, for the DCS business unit, are summarised in Table 5


Team Leader Managed Services Director Communications with team members.

Oversee effective resumption of Managed Services processes.

Manage relocation to DR site if required.



Transfer to DR site Team members Liaise with Facilities teams at Slough and Stratford to prepare the Birmingham DR site.

Organise team attendance rotas, including travel and accommodation if necessary.

Incoming post and customers’ documents

Team members Arrange collection of mail from local sorting office.

Arrange collection of customers’ hardcopy documents and delivery, by courier, to DR site.



Table 5: managed Services Team - DCS Roles and Responsibilities




5 Processes

This section describes, at a high-level, the processes that will be followed after a significant disruptive incident has occurred. For further information on the actions that will be taken, refer to Section 6, Procedures.

5.1 Activation

Following the occurrence of a disruptive incident, there are three processes that will take place prior to the activation of the BCP:

• Incident Alert – from notification of an incident, the Recovery Team members are contacted and appraised of the situation.

• Investigation and Report – to ascertain whether a disruptive incident is significant, assess the nature and extent of the effect and to report to the recovery team.

• Activation Assessment – to ascertain if the predetermined MAO is likely to be compromised and decide to activate the BCP.

RTO ≤2 days

MAO ≤ 3 days

Service Interruption

Time*

RPO ≤1 day

Resumption of Critical Processes

BCP Activation

Incident Alert

≤2 hours

Investigate & Report

≤6 hours

Activation Assessment

≤2 hours

*Times specified are working hours or working days

Figure 11: BCP Activation Stages

The existing issue management processes may successfully control, mitigate or correct the effects of an incident, within the above timeframe, without the need to activate the BCP. However, if it is clear that the incident will, or is likely to, result in a failure to achieve the MAO, the BCP should be activated as soon as possible.




5.2 Developing Situations

Exceptions to the above activation processes exist where there has not been one specific disruptive incident

but where a situation is developing and requires a flexible response.

Epidemic or pandemic diseases are a case in point, where service interruption occurs over a period of time and

is constantly changing. In this case the Corporate Committee for Business Continuity will form a Corporate

Crisis Team who will issue guidance for the whole of the Quadient business, worldwide. A local Crisis Team will

also be formed in the UK to review and distribute this guidance and implement any specific measures which are

contained within it.

Response plans and processes in such situations must be flexible and reactive to the situation as it develops. In

the case of infectious disease this will involve the introduction of prevention processes such as issuing hygiene

advice to staff, deep cleaning premises and avoiding large gatherings.

The discovery of the disease within premises occupied by Quadient UK Ltd will normally result in the

evacuation of the premises to prevent further spread, and to allow deep cleaning to take place.

By making best use of current technology and accessing data and systems through the cloud, most of the

identified critical processes can be operated simply by arranging for employees to work from home. This can be

achieved quickly and effectively and will achieve resumption of the key processes with the minimum of

disruption.

Where the infection is discovered in premises occupied by a customer, processes that require staff to travel to

those premises will be reviewed to assess the risk and take appropriate action.

Advice and information will be taken from official websites in such a situation. For example:

https://www.gov.uk/

https://www.nhs.uk/

When a developing disruptive situation arises, such as epidemic or pandemic disease, Quadient UK Ltd will

prepare and distribute a specific policy to provide customers, employees and other interested parties with all

the relevant information about how we will respond to the situation and how we plan to continue to provide

our critical business processes.

This document will be reviewed and updated as the situation develops. The response plan to the Novel

Coronavirus (COVID-19), in March 2020, is an example of this type of plan.

5.3 Business Resumption

Quadient UK Ltd actively employs agile working practices and uses the latest infrastructure technology which means that the reaction to many disruptive incidents will be to arrange for employees to work from home and continue to provide the identified critical processes. This will result in the minimum, or even zero disruption to these processes.

However, this cannot be used as a permanent solution and this section provides the approach to restoring the primary site or establishing an alternative site if required.

The extent and timing of the recovery activities will vary depending upon the nature of the disruptive incident. Actions taken must be planned and coordinated to occur in parallel in order to establish stable operations within the minimum timescale. Detailed activities are contained in Section 6: Procedures.

https://www.gov.uk/

https://www.nhs.uk/




If it the decision is made to relocate the DCS Managed Services operation to the DR site in Birmingham for the duration of the incident, this decision must be communicated as soon as possible so that the DR site can be made ready. Key Managed Services employees will then be relocated and the data and applications accessed from the new location.

A decision to either re-establish the primary site or occupy an alternative site should also be made as soon as practically possible after a disruptive incident occurs. This allows all the affected areas to adapt their procedures and staffing according to the expected length of the outage. This may, however, not fall within the predetermined MAO because a situation can develop and a site, initially reported as usable, may be declared unsafe following further investigations or occurrences.

The alternatives to be considered are:

1. Whether the primary site is to be restored to original operating status. This may require the repair, rebuild of IT infrastructure or the establishment of new IT infrastructure.

2. If the decision is made to source a new primary site is chosen, this will require:

• Locating suitable premises

• Analysis and risk assessment of the new site for suitability, taking all requirements of the business into account

• Drawing up of lease agreements

• Fit-out of the new premises

• New arrangements with suppliers and service providers to be established

• Establishment of new IT infrastructure in accordance with current requirements and specifications

An undertaking of this magnitude will not be achieved in a short timescale. Therefore the Management Team, with the assistance of the other recovery teams, will continually review the situation and make the necessary interim decisions to relocate employees to other regional offices or to work from home. A short-term lease, or leases, may be established for office and/or production facilities to cover the period until the new primary site is available.




Figure 12: Business Resumption Process




5.3.1 Debriefing

Prior to closure of the BCP activation and standing down of the Recovery Teams, a debriefing of all participants should be conducted. A debriefing will ensure that:

• all required recovery and normal business resumption tasks have been performed

• ongoing system, business and client impacts are being addressed

• Quadient UK Ltd can ascertain and understand the cause, nature and impact of the disruptive incident on the organisation

• financial impacts are clearly identified and documented for insurance claims

• lessons learned are clearly identified and incorporated into a knowledge database for future BCP development and incident management

• deficiencies in the current process are clearly identified in such a way that projects can be established to rectify them or mitigate them.

A report should be produced covering the above-mentioned aspects. This should be contained in a central knowledge register with lessons learned incorporated into a new BCP.




6 Procedures

Note: throughout this section of this document, ‘Time Elapsed’ refers to the time, in working hours and days, from the first report of a significant disruptive incident to the Management team.

6.1 Management Team

The applicable management team - Head Office and Regional Offices or DCS - is responsible for the entire incident recovery process; from when the team is brought together until the all in-scope services have been returned to the primary site or a new location. The Management Team Leader or delegate, with input from other relevant personnel, has the exclusive authority to activate the BCP. See Section 1.1; Authority to Activate this Plan.

The Management Team will make strategic and tactical decisions, ensure adherence to legal requirements and provide any necessary funding to assist the recovery process.

This team decides on the communication process with the other recovery teams and ensures that the process is followed.




6.1.1 Management Team Actions

Item Action Responsible Time Elapsed

Comments

1 Following a reported incident, gather known information and convene a meeting with the Recovery Teams to appraise them of the situation.

Management Team leader

≤2 hours This may be a physical, phone or Microsoft Teams® meeting for example.

2 Obtain a full report of the nature and extent of the disruptive incident and any injuries that may have occurred.


≤6 hours Obtain as much information as possible about the event and its potential effects. If the event relates to the premises, establish the usability of the building: safety of staff and others.

3 Make initial assessment to establish if the MAO will be breached, the usability of the premises and the required actions.

Decide whether, and how, to activate BCP.


Director QMS & Transformation

≤8 hours This can be full activation with Recovery Teams working remotely or partial activation as necessary.

4 On BCP activation, communicate details of the incident and decision to activate BCP to all Recovery Teams and applicable managers.

VP & Operations Director

Finance Director

≤8 hours Includes extent of activation and the actions to be initially carried out by each of the Recovery Teams and other key employees required to deliver the critical business processes. See contact details in Appendix A.

5 Create and deliver incident and resumption communication for employees

HR Director 1 day This should provide information on the incident and the actions to be taken by employee groups. Managers of critical processes will be made aware separately and will provide further details as necessary.

Content should be provided to IT, for emailing to all employees and placed on the Quadient Hub or other media, as appropriate. This will require regular updates as the situation develops and returns to Business As Usual.

6 Create and deliver incident and resumption communication for all other recipients, e.g.:

• Other Quadient entities

• Management of building and surroundings

• Customers

• Suppliers

• The media

HR Director 1 day This communication is likely to be necessarily brief given the timescale it is delivered within. Further bulletins will be required to update applicable parties as the situation develops and returns to Business As Usual.





Comments

7 Set meeting and reporting schedule for Recovery Teams

Management Team

1st day Subsequent meetings will depend on the incident and the location of Management Team members. The Recovery Teams should be informed of what, how and when to report.

8 Liaise with other Recovery Team members and any other necessary agencies to continually gather information about the development of the incident.

Management Team

As required

9 Make strategic decision relating to:

• relocating the DCS Managed Service function to the DR site

• carrying out repairs the primary site

• locating and setting up alternative premises as necessary

Management Team

As required

10 Make strategic and tactical decisions relating to resumption of all business processes and direct others as applicable.

Management Team

As applicable

11 Provide necessary funds to return to BAU Finance Director As required

12 Coordinate with Recovery Teams to return to BAU Management Team

As applicable

13 Return to BAU Management Team

As applicable

14 Following return to BAU, review BCP processes and document any lessons learned

Management Team

As applicable



©Quadient Page 30/50

6.2 First Responder Team

The First Responder Team (FRT) is a mixed team, trained to react to a set of circumstances preventing the delivery of customer-facing critical business processes. Their aim is to restart the provision of these processes, including franking machine recrediting services, within the target time: the Recovery Time Objective. These services must be delivered to at least to the minimum acceptable level, until a return to business as usual.

The team is drawn from various departments who normally provide the services. Their skill level is such that a small number of staff can provide all of the critical services to an acceptable level.

The First Responder Team is able to work in the Head Office building or at their own homes, dependent upon the nature and extent of the actual disruptive incident. Their primary responsibility is to continue to provide customers with an effective service.




6.2.1 First Responder Team Actions

The following applies for every foreseeable disruptive incident whether it affects: People, IT or Premises.

Item Action Responsible Time

Elapsed

Comments

1 Liaise with Management Team to provide initial

assessment of an incident

FRT leader ≤2 hours Includes description of disruptive incident indicating severity and likely

duration.

This will be appropriate only if the incident relates to functions within the

working practices of the FRT.

2 On notification of activation of the BCP, have

prepared a workload plan for team and other

department employees.

Team leaders

within the FRT

≤8 hours The FRT is a team within a group of departments. Many employees in these

departments are able to work remotely even if they are not designated as

part of the FRT.

This is an initial plan which may change or develop as the incident and

actions progress.

3 Contact each FRT member, using call tree, and

appraise them of situation

Team leaders

within the FRT

1 day The call tree cascades down such that each functional team leader will call

their direct reports

4 Nominate communications representative and

appraise them of communications plan

FRT leader 2nd day Devise an appropriate plan for regular communications with the

Management Team. Ensure contact numbers are available.

5 Set review meeting timetable FRT leader 2nd day Decide method, frequency and times for team meetings to check progress

and take remedial action if necessary.

The following steps relate to a situation where the Head Office is unusable. These steps can be modified to allow working from the office instead of from home

5 Set up operations in team members’ homes.

Connect to required apps data through cloud or

online links.

Check that all systems are available and that an

effective telephone system is operational.

FRT 2nd day Team members have been provided with adequate IT equipment for the task

and are compliant with relevant security policies. Team members must

comply with all ISMS polices particularly the Acceptable Use Policy and the

Home Working Policy





Elapsed

Comments

6 Provide customer contact services (critical business

processes) and key franking machine recrediting

processes to any customers who require assistance

• Initial credit

• Banking

• Customer support: technical

• Customer support: account maintenance

• Asset withdrawal

FRT By RTO Systems should be available as normal. If any problems are discovered,

contact the IT Team by email of phone.

Carry out those activities agreed as critical so that existing customers are

able to recredit their franking machines.

Cashiers manager must ensure that bank cards, card readers and pin

generators are available to staff

7 Participate in regular team meetings FRT As reqd.

8 Return to BAU FRT As reqd. When instructed by FRT leader.

9 Review BCP processes and document any lessons

learned

FRT As reqd. Provide detailed feedback of how well the BCP worked.




6.3 IT Team

The IT Team (ITT) includes hardware, software, network and communications experts drawn from the entire IT departments responsible for all Quadient UK Ltd business units.

The expertise possessed by this team is critical to understanding the nature and extent of a disruptive incident and is equally fundamental in the recovery and business resumption stages. The team will evaluate an incident, report its findings to the Management Team and assist with the decision making needed for a full recovery.

The ITT must be on hand to support the other recovery teams and any employee involved in delivering critical processes, so early communication between the teams is critical.

The first objective of the ITT is to ensure that the FRT, and any employees involved in delivering critical business processes, are able to provide the minimum acceptable level of service to customers, including those who need to recredit their franking machines using the Credifon system.

Most internal ‘customers’ of the ITT are assumed to be agile workers setting up in their homes in the absence of a normal place of work, however, the DCS Managed Services function is a special case which utilises a Disaster Recovery site in the Birmingham Regional office. The ITT would be required to provide prompt technical assistance to ensure that this function became operational again as soon as possible.

The second team objective is to recover any lost or damaged infrastructure, data and applications which may involve repair or rebuilding of systems remotely or on-premise, in the Cloud or, in extreme situations, by transferring operations to an alternative location.




6.3.1 IT Team Actions



Elapsed

Comments

1 Liaise with Management Team to provide initial

assessment of an incident

ITT Team Leader ≤2 hours Description of disruptive incident indicating severity and likely duration.

This will be appropriate if the incident relates to functions involving or

requiring IT services.

2 Carry out a detailed investigation of the extent and

severity of an incident and report to the

Management Team

ITT ≤6 hours Safety of people must take priority over any other factor.

Must include an assessment of whether the MAO will be breached and will

allow the Management Team to decide if the BCP should be activated.


prepared a workload plan for team.

IT Team Leader ≤8 hours This is an initial plan which may change or develop as the incident and

actions progress.

4 Contact each ITT member, using call tree, and


ITT Team leader 1 day The call tree cascades down from the initial notification by the Exec member

to functional team leaders and individuals; see call trees - Appendix B.

5 Deliver email communication, received from HR

Director, to all employees.

ITT Team Leader 1 day

6 If the disruptive incident causes the prolonged

failure of the Managed Services operation at DCS,

set up DR facilities in Birmingham office.

Provide support to Managed Services as required.

Provide server IP addresses to Manages Services to

access from DR site.

ITT 2 days

7 Nominate communications representative ITT Team leader

2 days Devise an appropriate plan for regular communications with the

Management Team. Ensure contact numbers are available.





Elapsed

Comments

8 Set review meeting timetable ITT Team leader

2 days Decide method, frequency and times for team meetings to check progress

and take remedial action if necessary.

9 Monitor and evaluate situation and the effect on IT

infrastructure and applications

ITT

Facilities Team

2 days This is an initial plan which may change or develop as the incident and

actions progress

The following steps relate to a situation where the primary site is unusable. If applicable, these steps can be modified to allow working from the site.

10 If access to primary site is compromised, set up

operations in team members’ homes as necessary

ITT 2nd day All team members have been provided with IT equipment which is adequate

for the task and compliant with the relevant security policies. Team

members must ensure they comply with all ISMS polices, particularly the

Acceptable Use Policy and the Home Working Policy

11 Advise all other IT staff, not given recovery tasks, to

be on standby at home

Communication

Representative

2nd day This is current practice for these members of staff and no additional actions

or controls are required.

12 Provide IT support to FRT to ensure that all in-scope

applications are available to allow continuation of

critical processes and recrediting services

ITT

Start of

Day 3

Until BAU

All IT applications listed in the ‘IT Application Risk Assessment’ must be

available and operative by the start of the 3rd day following the reported

incident.


networks and systems are available to allow

continuation of critical processes and recrediting

services

ITT Start of

Day 3

Until BAU

Nominate team members to recovery tasks as necessary

14 Provide IT support to agile employees to ensure that

all in-scope applications are available to allow

continuation of critical business processes

ITT 3rd day

until BAU

All IT applications listed in the ‘IT Application Risk Assessment’ must be

available and operative by the start of the 3rd day following the reported

incident.


networks and systems are available to allow

continuation of critical business processes.

ITT 3rd day

until BAU

Nominate team members to recovery tasks as necessary





Elapsed

Comments

16 Recover all compromised IT systems, equipment,

software, hardware and data

ITT

Facilities Team –

if required

As soon as

possible

This action is entirely dependent on the nature and extent of the disruptive

incident.

The ITT may have to work closely with other departments to recover lost

data or mitigate its effects.

17 Salvage and recover primary site if possible.

If not possible, work with other Recovery Teams to

source alternative interim and permanent premises.

ITT

Facilities Team

As soon as

possible

This action is entirely dependent on the nature and extent of the disruptive

incident.

18 Source, plan, and assist with fit-out of alternative

interim or permanent premises

Facilities Team

Management

Team

ITT

As

required

19 Provide all necessary supplies, contracts, parts and

equipment to alternative premises

Facilities Team

Management

Team

ITT

As

required

20 Return to BAU ITT As

required

When instructed by Management Team

21 Review BCP processes and document any lessons

learned

ITT As

required




6.4 Facilities Teams

Responsibility for facilities management lies with the team managed by the Director of QMS and Transformation, based in the Head Office in Stratford, London. However, a small team also exists in the DCS site in Slough, Berkshire, to provide local support and knowledge.

Although these teams operate autonomously, their functions are broadly similar and this section will combine their actions under the BCP except where there are substantial differences

In the event of a significant disruptive incident affecting any Quadient UK Ltd premises, or access to them, a Facilities Team (FT) member should, firstly, inform a member of the Management Team and then stay close to the scene to gather information and to provide any necessary guidance and assistance.

Safety of people must take priority, and the Emergency Services should be called if necessary. The FT member should remain in place, if possible, to help direct them on arrival.

If evacuation is necessary, all personnel should immediately proceed to the prearranged Assembly Point, well clear of the building. If there have been any injuries, people who can offer first aid and medical help should be informed as quickly as possible.

Following the occurrence of a significant disruptive incident the expertise of the Facilities Team is critical to understanding its nature and severity. The FT will evaluate the incident, report their findings to the Management Team and assist with the decision making needed to assist a full recovery.

The team’s objective is to recover any lost or damaged buildings and infrastructure. This may involve repair or construction work within the existing premises or, in extreme situations, transferring operations to an alternative location which will include managing the fit-out and commissioning of services and equipment.

The FT will also ensure that, if the primary site become unavailable, incoming post is held in a local sorting office awaiting collection by a member of staff. This will then be sorted and delivered manually as required.

For the Head Office, any financial Credifon-related documents will be passed to a Cashier member of the FRT without delay. For DCS, post would need to be forwarded, or couriered, to the DR site in Birmingham.




6.4.1 Facilities Team Actions

The following applies for every foreseeable disruptive incident whether it affects: People or Premises.


Comments

1 Liaise with Management Team to provide initial assessment of an incident

FT Member or Team Leader

≤2 hours Description of disruptive incident indicating severity and likely duration.

Emergency services should be called and given assistance as a priority if that is necessary.

2 Carry out a detailed investigation of the extent and severity of an incident and report to the Management Team

FT Team Leader ≤6 hours Safety of people must take priority over any other factor.

Must include an assessment of whether the MAO will be breached and will allow the Management Team to decide if the BCP should be activated.

3 On notification of activation of the BCP, have prepared a workload plan for team.

FT Team Leader ≤8 hours This is an initial plan which may change or develop as the incident and actions progress.

4 Contact each FT member, using call tree, and appraise them of situation

FT Team leader 1 day The call tree cascades down from the initial notification by the Exec member to the functional team leader and individuals; see call trees - Appendix B.

5 Nominate communications representative FT Team leader 2 days Devise an appropriate plan for regular communications with the Management Team. Ensure contact numbers are available.

6 Set review meeting timetable FT Team leader 2 days Decide method, frequency and times for team meetings to check progress and take remedial action if necessary.

7 Liaise building or campus management to gain insight into the ongoing status of the incident

Team Leader 2 days Until BAU

Building inspectors will report to the management agent with information relating to if, and when, the building can be reoccupied.

8 If access to primary site is compromised, set up operations in team members’ homes as necessary

FT 2 days All team members have been provided with IT equipment which is adequate for the task and compliant with the relevant security policies. Team members must ensure they comply with all ISMS polices, particularly the Acceptable Use Policy and the Home Working Policy





Comments

9 If the disruptive incident causes the prolonged failure of the Managed Services operation at DCS, set up DR facilities in Birmingham office.

Provide support to Managed Services as required.

ITT 2 days

10 Arrange storage and collection of incoming mail at local sorting office.

Facilities Team 2 days

11 Collect, sort and delivery incoming post where it is of an urgent nature.

Nominated team member

Daily

12 Stratford Head Office: deliver cheques and remittances etc. to Cashiers members of FRT,

Nominated team member

Daily

13 Plan recovery operations, including inspection and quotation for: construction, minor repair, decoration, reconnection of utilities, supplies of equipment and consumables

Facilities Team Until BAU Liaise with Management and IT Recovery teams throughout

14 Source and engage suppliers and contractors. Manage progress of the work through to successful completion.

Facilities Team Until BAU Liaise with Management and IT Recovery teams throughout

15 If the primary site is inaccessible and new premises are required, assist with sourcing, fit-out and commissioning of the alternative premises.

Facilities Team

Management Team

IT Team

As required

Alternative premises may be a short-term temporary lease or a new primary site. The timescale and effort required for these two options will be vastly different.

16 Source suppliers and set up provision of all necessary supplies, service contracts and consumables to the recovered or alternative premises

Facilities Team

Management Team

IT Team

As required





Comments

17 Return to BAU Facilities Team As required

When instructed by Management Team

18 Review BCP processes and document any lessons learned

Facilities Team As required



©Quadient

Page 41/50

6.5 Managed Services Team - DCS

The Managed Services Team – DCS, (MST), is a compact group which comprises the management and leadership staff of the operational unit.

Following BCP activation, this team will ensure that the Managed Services processes are delivered to customers with the minimum of disruption, in accordance with contractual requirements are far as reasonably practicable.

This includes scanning and workflow services for hard and soft copy documents which are currently delivered for processing to the DCS primary site in Slough, Berkshire. Due to the requirement to process hard copy documents this operation cannot be fully agile, hence a physical building and processing equipment must be available.

If the primary site in Slough is unavailable, the MST will work with local and Head Office teams to set up operations at an alternative facility; the Disaster Recovery (DR) Site. The DR site is located in the Birmingham Regional Office.

In the event that this DR site needs to be occupied by DCS Managed Services, the MST must inform the Birmingham Office Manager and the Director QMS and Transformation, as soon as possible, so that the necessary preparations can be made. The location for this operation will be secured such that only Managed Services – DCS staff will have access to it, except in an emergency.

Once the DR site has been set up, further arrangements must be made by the MST to relocate some of the Managed Services staff and to divert the delivery of documents to it.




6.5.1 Managed Services Team - DCS Actions



Elapsed

Comments

1 Liaise with Management Team - DCS to provide

initial assessment of an incident

MST Team Leader ≤2 hours Description of disruptive incident indicating severity and likely duration.

This is appropriate if the incident relates to the Managed Services functions.

2 Carry out a detailed investigation of the extent and

severity of an incident and report to the

Management Team - DCS

MST

Facility Team -

DCS

≤6 hours Safety of people must take priority over any other factor.

Must include an assessment of whether the MAO will be breached and will

allow the Management Team - DCS to decide if the BCP should be activated.


prepared a workload plan for team.

MST Team Leader ≤8 hours This is an initial plan which may change or develop as the incident and

actions progress.

4 Contact each MST member, using call tree, and


MST Team leader 1 day The call tree cascades down from the initial notification by the Exec member

to the functional team leader and individuals; see call trees - Appendix B.

5 If the primary site is inaccessible, the Validation and

Scanner PCs at the DR site must be booted up and

configured to access the relevant servers.

MST Team leader 2 days If the Slough primary site is inaccessible but the comms room and servers are

still operational, it is these servers that will be accessed. If the comms room

is also unavailable, the backup servers must be accessed.

6 An emergency team of Managed Services staff must

be relocated in the Birmingham office (DR site),

either by commuting daily or finding local

accommodation for a longer period.

MST 2 days Up to 5 validation staff, a scanner operator and functional management will

occupy the DR site; see Section 6.5, above, for location address.

Key contracts can be managed for a period of time. The acceptable period of

DR working depends on the contracts current at the time.

7 Return to BAU MST As

required

When the primary site is restored, or an alternative site commissioned,

relocate the Managed Services function and return to full production.

8 Review BCP processes and document any lessons learned

Facilities Team As required




6.6 Other (Agile) Employees

For all other critical business processes, not addressed by the Recovery Team actions above, the necessary

resources required to continue providing these processes are not dependant on access to any business

premises.

Risk assessment has considered the Resilience, Risk and Recovery of all assets which are required to continue

to operate these processes, and has demonstrated that the applications, infrastructure and data required are

less likely to be compromised, are sufficiently protected by backups and/or can be recovered in less time than

required for the MAO.

All employees engaged in providing these processes are termed as ‘agile’, meaning that they are equipped with

IT hardware and software which allows them to work remotely without detrimental effect to their

performance.

Following activation of the BCP, these employees will be contacted directly by their functional managers – or

by the global email delivered by the IT department, and will work from their homes, provided that an adequate

broadband facility is available.

Each member of staff has received training and is aware of the security policies in force within Quadient UK Ltd

– particularly the Acceptable Use Policy and the Home Working Policy - and will ensure that levels of security

will be maintained which are at least as high those provided within their applicable places of work.




7 Maintenance and Testing

7.1 Maintenance of BCP Documentation

The BCP will be reviewed and updated at least annually, or when a significant business change occurs.

The Director of QMS and Transformation will:

• Obtain assessments of the conditions, status, capabilities and availability of IT infrastructure and applications including the availability of backups.

• Use the above to update the IT and BCP Risk Assessments

• Perform studies requested by the Management Team to improve the efficiency of equipment and IT systems recovery procedures.

• Prepare periodic status reports for the Management Team.

• Plan and coordinate BCP testing and prepare test results and recommendations for plan improvement.

• Maintain and distribute this plan.

In order to ensure that the BCP remains current, all changes and revisions must be reviewed and approved by an Executive Director.

A regular Exec. review of the whole plan will form part of the BCP testing process. The Exec. may deputise others to carry out this review and present a report for their approval. Details of the items to be considered in the review are given in Section 7.3: BCP Testing.

7.2 DCS Managed Services Disaster Recovery Testing

Due to the nature of some functions within DCS Managed Services physical scanning equipment and the presence of a number of operators is a necessity. This has been accommodated by providing a Disaster Recovery site in the Birmingham Regional office, setting up the necessary communications infrastructure and purchasing redundant equipment which is securely stored at the office.

Because of this added complexity, and the need for a number of staff who would have to be relocated to this office, special tests have been scheduled.

On a quarterly basis, a member of the Managed Services Team will travel to the Birmingham office to boot up all PCs and scanning equipment and ensure that in connects to the servers at the primary site. Failover to the backup servers will be also be checked by a prearranged protocol managed by the IT department.




7.3 BCP Testing

The BCP will be tested in accordance with the following schedule.

Test Description Objectives Responsible Frequency

Initial Walkthrough

A step-by-step consideration of the Recovery Teams’ Action Plans with reference to the Business Continuity Plan document.

Ensure that the Action Plans are workable, complementary and do not contradict each other or the BCP document

Once at launch

Full Walkthrough

An end-to-end consideration of the Business Continuity Plan document and the Recovery Teams’ Action Plans using theoretical event scenario(s).

1. Ensure the plan can work for a range of foreseeable incidents 2. Ensure that the teams know what to do in each scenario 3. Check we can meet the MAO of 3 days

Annual

Call Tree test Use call trees to phone team members, using a pre-prepared script, starting from the top. This represents the BCP being activated.

Ensure that all phone numbers are valid Ensure recipients answer calls Evaluate and report the probable success if this was a real event.

At launch and annually

IT Infrastructure and Application Risk Assessment

Review of the IT Infrastructure and Application Risk Assessments to ensure that they are up to date and include all current and necessary IT systems and applications necessary for the critical business processes.

To ensure that IT Risk Assessments remain valid for each application and IT infrastructure element which was considered. Review the values chosen for likelihood and consequence. Review the completion and effectiveness of control measures. Add any additional IT considerations to the RA. Ensure that the information provided in Appendix C, System recovery Requirements is correct and up to date.

Annual

BCP Risk Assessment

Review of the BCP Risk Assessment to ensure it is up to date and includes all current risks and that the itemised controls are appropriate and implemented.

To ensure that Risk Assessment remains valid for each area that was considered.

Review the values chosen for likelihood and consequence to ascertain that they remain correct.

Review the completion and effectiveness of control measures and add any additional considerations to the risk assessment which may have become relevant.

Annual




Test Description Objectives Responsible Frequency

Annual Exec Review

Overview of entire plan by the board of directors.

This review comprises the following sections:

To ensure the plan remains current and applicable and in line with current and future business strategy.

Review and approve recovery strategy, including RTO and MAO.

Ensure Business Resumption process remains applicable.

Annual

Business Impact Analysis

Review of all process BIAs and the list of critical business processes to ensure they remain up to date.

Confirm RTO for each remains applicable.

To ensure that Business Impact Analysis remains valid for each team which was considered.

To add any additional considerations to the BIA which may have become relevant.

Annual

Procedures Review

Review of Section 6, Procedures.

To ensure that the procedures documented for the each of the Recovery Teams remains valid and up to date.

Review, with consideration of: Appendices: A, Key Contacts List and B, Call Trees remain current.

Check content of BIAs to ensure they remain valid and in agreement with above.

Annual

Document Review

Review of BCP document to ensure locations, personnel and scope remain valid. Detailed review of Sections 1 to 4: Activate the Plan, Overview, Organisation and Roles and Responsibilities.

To ensure that changes which have taken place in the relevant areas of the business are accurately reflected in the BCP document.

Annual




APPENDIX D – Media Management

Procedures for Dealing with the Media

When a crisis occurs, the media may cold-call staff. Staff should avoid providing information to the media directly as this could lead to different versions of events being provided by different people. In the event of calls being received, follow the procedures below.

• Take down the name, organisation and contact numbers for the media person calling and advise them that “a spokesperson will be in touch with them as soon as possible.”

• Responses must be polite but advise that you are not in a position to assist them. However, you will ensure that a company spokesperson will be calling them back.

• It is important to clearly identify the publication and contact details.

• Following an activation of the BCP staff should avoid giving out contact details of senior company management or others within the company.

• Pass the names and contact details of any media callers to the Communications Manager.

• The Communications Manager will provide consistent communications to any media callers




APPENDIX E – Event Log

Use the log below to record events during an activation of the BCP. This can be used during the debriefing and lessons learned phase.

ELAPSED

TIME

SINCE

Incident

BCP Ref.

RECOVERY TASK

TEAM

ACTUAL

START

TIME

ACTUAL

END

TIME

COMMENTS/PROBLEMS




Glossary

ACTIVATION: The implementation of the procedures, activities, and plans described in the BCP in response to an emergency or a significant disruptive incident.

ALERT: Notification that a potentially significant disruptive incident situation exists or has occurred; direction for the recipient to stand by for possible activation of the BCP.

ALTERNATIVE SITE: An alternative operating location to be used by business functions when the primary facilities are inaccessible.

ALTERNATIVE WORK AREA: Office recovery environment complete with office infrastructure (desk, telephone, workstation, and associated hardware, communications, etc).

APPLICATION RECOVERY: The component of BCP recovery that deals specifically with the restoration of business system software and data, after the processing platform has been restored or replaced.

BACKUP GENERATOR: An independent source of power, usually fuelled by diesel or gas.

BUSINESS AS USUAL (BAU). The normal execution of standard functional operations within an organization – forms a possible contrast to projects or programmes which might introduce change.

BUSINESS CONTINUITY: Process of developing advance arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions continue to, at least, the minimum acceptable standard.

BUSINESS CONTINUITY PLAN (BCP): The document that defines the resources and actions required to manage the business recovery process in the event of a disruption. The plan is designed to assist in restoring the business process within the stated recovery goals.

BUSINESS CONTINUITY PROGRAM: An ongoing program supported and funded by executive staff to ensure business continuity requirements are assessed, resources are allocated, and recovery and continuity strategies and procedures are completed and tested.

BUSINESS IMPACT ANALYSIS (BIA). A systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of an outage, disaster, accident or emergency.

COLD SITE: An alternative facility that already has the environmental infrastructure in place required to recover critical business functions or information systems, but does not have any pre-installed computer hardware, communications network, etc. These must be provisioned at time of disruptive incident.

COMMAND CENTRE: Facility, separate from the main facility, and equipped with adequate communications equipment from which initial recovery efforts are manned and media-business communications are maintained. The management team may use this facility temporarily to begin coordinating the recovery process until any alternative sites are functional.

CONTACT LIST: A list of team members and/or key players to be contacted. (Mobile Number, Home Number, Pager, etc.)

DAMAGE ASSESSMENT: The process of assessing damage, following a disruptive incident, to computer hardware, records, office facilities, etc and determining what can be salvaged or restored and what must be replaced.

DECLARATION: A formal announcement by authorised personnel that a disruptive incident or severe outage is predicted or has occurred, and that the Business Continuity Plan has been activated.

DISASTER RECOVERY: Activities and programs designed to return Quadient UK Ltd operations to an acceptable condition. The ability to respond to an interruption in services by implementing a disaster recovery plan to restore Quadient UK Ltd critical business functions.




DISASTER RECOVERY PLAN: The document that defines the resources and actions required to manage the business recovery process in the event of a disruption. The plan is designed to assist in restoring the business process within the stated recovery goals.

DISRUPTIVE INCIDENT: An unplanned debilitating or catastrophic event causing significant damage or loss. Any event that causes an organisation to be unable to provide critical business functions for a pre-determined period of time.

EMERGENCY: A sudden, unexpected event requiring immediate action due to potential threat to health and safety, the environment, or property.

HOT SITE: An alternative facility that already has the computer, communications and environmental infrastructure in place that are required to recover critical business functions or information systems.

INVOCATION: The implementation of the procedures, activities, and plans described in the BCP in response to

an emergency or a significant disruptive incident.

MAXIMUM ACCEPTABLE OUTAGE (MAO): The maximum acceptable outage is the amount of time that

can elapse before an adverse impact becomes unacceptable or intolerable. In this context, an adverse

impact is caused by failure to provide products or services or to perform an activity. The MAO encompasses all

activities from point of impact to point of resumption of critical services.

MAXIMUM TOLERABLE PERIOD OF DISRUPTION (MTPD): The maximum acceptable outage is the amount

of time that can elapse before an adverse impact becomes unacceptable or intolerable. In this context,

an adverse impact is caused by failure to provide products or services or to perform an activity. The MAO

encompasses all activities from point of impact to point of resumption of critical services.

OFF-SITE STORAGE: Alternative facility, other than the primary site, where duplicate vital records and documentation may be stored for use during recovery from a disruptive incident.

RECOVERY POINT OBJECTIVE (RPO): The point in time to which systems and data must be recovered after an outage (e.g., end of the previous day’s processing). RPOs are often used as the basis for the development of backup strategies.

RECOVERY TEAM: The Recovery Team is made up of a number of separate sub-teams and comprises key executive directors as well as employees in relevant roles (e.g. Communications, Facilities and IT).

RECOVERY TIME OBJECTIVE (RTO): The period of time within which systems, applications or functions must be recovered after an activation of the BCP. RTOs are often used to determine whether or not to implement the recovery strategies and plan.

WARM SITE: An alternative processing site which is equipped with some hardware, and communication interfaces, electrical and environmental infrastructure which is only capable of providing backup after additional provisioning, additional software, or modifications.