LYL Inventories Ltd – Business Continuity and Incident Management Policy
Last Updated: 12th November 2024
Purpose
This policy outlines LYL Inventories Ltd’s procedures for managing incidents that could disrupt business operations, such as natural disasters, power outages, or data breaches. The goal is to minimise client impact, maintain essential functions, and ensure a swift return to normal operations.
Scope
This policy applies to all operational areas within LYL Inventories Ltd. It encompasses staff, contractors, facilities, technology, and any external parties or stakeholders that support business continuity.
1. Objectives
- Minimise Disruption: Reduce downtime and ensure critical business operations continue during incidents.
- Protect Data and Assets: Secure data, assets, and intellectual property from loss or unauthorised access.
- Maintain Client Communication: Ensure clear, consistent communication with clients and stakeholders during disruptions.
- Swift Recovery: Restore full operational capacity as quickly and efficiently as possible.
2. Incident Management Procedures
2.1. Incident Identification
All employees and contractors must promptly report incidents, including data breaches, system outages, or safety hazards, to the Incident Response Team (IRT).
2.2. Incident Response Team (IRT)
The Incident Response Team comprises key staff responsible for overseeing incident management. This team includes:
- Incident Manager: Leads response efforts and coordinates resources.
- IT Lead: Addresses technical issues, manages data recovery, and ensures secure system access.
- Communication Lead: Handles client and stakeholder communications.
- Health and Safety Officer: Manages any physical risks to staff or clients and ensures safety compliance.
2.3. Immediate Response Protocol
Upon identification of an incident, the IRT will:
- Assess Severity: Determine the incident’s impact on operations, safety, and data security.
- Contain the Issue: Take immediate actions to prevent further escalation. This includes securing data, isolating affected systems, and addressing hazards.
- Notify Relevant Parties: Inform affected employees, clients, and stakeholders of the incident. In case of a data breach, the Data Protection Officer will notify affected individuals and, if required, the Information Commissioner’s Office (ICO) within 72 hours.
- Document the Incident: Record the incident’s details, including time, date, impact, and initial containment steps.
2.4. Incident Classification Levels
Incidents are classified into levels based on severity to streamline response efforts:
- Level 1 (Minor Incident): Minor disruptions, such as brief internet outages, that have minimal impact. Resolved within 1-2 hours.
- Level 2 (Moderate Incident): Incidents that disrupt one or more key operations, such as power outages. Requires a coordinated response; resolution within 24 hours.
- Level 3 (Severe Incident): Major incidents, such as data breaches or significant facility damage, impacting most operations. Requires a full-scale response and may involve external support; resolution within several days.
2.5. Post-Incident Review
Once the incident is resolved, the IRT conducts a post-incident review to analyse causes, evaluate response effectiveness, and identify areas for improvement. Findings are documented for future reference.
3. Business Continuity Strategies
3.1. Data Backup and Recovery
- Frequency: Daily backups of all critical business data are performed and stored securely in both cloud and offsite locations.
- Data Recovery: In the event of data loss, backups enable quick restoration. IT leads test data recovery procedures quarterly to ensure readiness.
3.2. Alternative Work Arrangements
- Remote Work Setup: Employees are equipped to work remotely in case of facility disruptions. Secure VPNs and remote access protocols are in place to maintain data security.
- Alternative Work Location: If the main office is inaccessible, employees may use designated alternate locations or remote setups as instructed by the IRT.
3.3. Redundant Systems
- Communication Platforms: Backup communication tools (such as secondary email systems and mobile communication apps) are in place to maintain internal and client communications.
- IT Infrastructure: Key IT systems are designed with redundancy to prevent single points of failure, ensuring service continuity.
3.4. Supplier and Partner Coordination
- Service Agreements: Maintain agreements with critical suppliers to prioritise support during incidents.
- Partner Communication: Keep suppliers and partners informed of incidents that may impact joint operations, facilitating coordinated response efforts.
4. Communication Protocols
Effective communication is crucial to managing client expectations and maintaining trust. Pre-drafted communications and response templates are prepared for different incident scenarios.
4.1. Internal Communication
- Initial Notification: Employees are informed of the incident status, response actions, and specific instructions via email or text.
- Regular Updates: Periodic updates are provided until the incident is resolved.
4.2. Client and Stakeholder Communication
- Incident Notification: Clients are notified of any incidents that may impact service delivery, outlining what to expect and an estimated timeline for resolution.
- Ongoing Updates: Regular status updates are provided to clients and stakeholders.
- Resolution Communication: Once the incident is resolved, clients are informed and assured of any remedial steps taken to prevent future occurrences.
4.3. Media and Public Relations (if applicable)
For major incidents with public or regulatory implications, the Communication Lead will prepare statements to address potential inquiries.
5. Emergency Contacts and Resources
A list of emergency contacts, including IT support, local emergency services, and essential contractors, is maintained and updated regularly.
- Emergency Contact List: All employees receive a copy of emergency contacts for easy reference.
- Resource Kit: An emergency kit, including PPE, first-aid supplies, and backup power resources, is available at the office for immediate use.
6. Roles and Responsibilities
- Incident Manager: Oversees incident response, coordinates the IRT, and ensures resolution.
- IT Lead: Handles data security, backup recovery, and technology-related incident response.
- Communication Lead: Manages client and public communications, ensuring clear and timely updates.
- Health and Safety Officer: Manages employee and facility safety, implementing health and safety protocols during incidents.
All employees must adhere to instructions provided by the IRT and report any ongoing issues during an incident to ensure the best possible outcome.
7. Review and Testing
Annual Review
The Business Continuity Plan is reviewed annually to ensure all procedures are up-to-date, effective, and aligned with current business needs. Changes in technology, operations, or staffing may prompt additional updates.
Testing and Drills
- Data Recovery Drills: Conducted quarterly to test backup recovery times and data integrity.
- Remote Work Drills: Semi-annual drills to ensure all employees can switch to remote work seamlessly.
- Emergency Drills: Fire, evacuation, and safety drills conducted twice annually to prepare employees for on-site emergencies.
Post-Test Evaluation
Each test is followed by an evaluation to identify areas for improvement, and adjustments are made as necessary to enhance response readiness.
8. Compliance and Continuous Improvement
Compliance
This policy complies with relevant legislation, including GDPR for data security incidents, and the Health and Safety at Work Act 1974 for on-site safety.
Continuous Improvement
Feedback from post-incident reviews and employee input informs updates to the Business Continuity and Incident Management Plan. By refining response protocols, we aim to enhance resilience and maintain service standards for our clients.
9. Contact Information
For questions or concerns regarding this Business Continuity and Incident Management Plan, or to report an incident, please contact:
Incident Response Team (IRT) – LYL Inventories Ltd
Email: IRT@lylinventories.com
Phone: 01277 283022
Address: 86-90 Paul Street, London, EC2A 4NE