Business Resilience Policy
Purpose
The purpose of our Business Resilience Policy (BRP) is to outline the technological, management and operational practices that ensure the resilience of the company in the face of uncontrolled events that threaten to seriously disrupt operations or endanger business continuity for unacceptable time intervals, including external events such as natural and technological disasters, social, political or economic upheavals, and internal events such as major crises and loss of critical infrastructure or key personnel.
The BRP constitutes a more comprehensive and holistic approach than a Business Continuity Plan (BCP) or a Disaster Recovery Plan (DRP), since rather than being responsive and reactive in nature, it focuses on building resilience traits into the design of business processes and of everyday normal operations of the company, thus ensuring preparedness and readiness in the face of major risks.
The Business Resilience Policy is addressed:
- internally, to all the company’s staff in the framework of awareness activities aimed to sustain a resilience culture as well as promote preparedness;
- externally, to customers and any interested party, to build confidence in the company's ability to ensure the continuity of its operations, as well as ensure the continuity of the operations of any third party that depends on the company’s service in the face of adverse events.
Business Resilience Principles
The key drivers of resilience are technology, organisation and culture. Rather than prescribing a response, the principles determine how the company operates in normal everyday circumstances, so that it may be inherently ready to quickly adapt to unforeseen conditions created by an adverse event, emergency or crisis.
Technological Resilience
The purpose of technological resilience principles is to allow the company to continue to operate as usual from any available locations, with any available equipment and under any conditions. This allows the company to continue to operate in case of natural and technological disasters, or social, political or economic upheavals. The very concept of distributed remote work minimises the probability of simultaneous disruption to all locations where operations may be dispersed.
Moreover, technological resilience allows the company to rapidly deploy alternatives in case of technological disaster disrupting a third party provider’s service availability or any other case of loss of critical infrastructure.
Technological resilience principles include:
- Independence from physical location: Agilis has no need for any physical location whatsoever. The company has no dependency whatsoever on physical or owned technical infrastructure, location-dependent equipment or physical space to conduct its operations. This allows the company to change location in minimal time or even operate in a purely geographically dispersed fashion and to be indifferent to physical or technological disasters threatening its premises.
- Complete digitisation: Independence from physical location and equipment is achieved through a complete digitisation of all operations. All information and information flows are completely digitised and remotely accessible from any location and without need for any special equipment or even company-owned equipment. Company practices preclude the use of printed documents, records or any hardcopy, as well as removable storage media, and all information is remotely accessible. Hardcopies received from customers or partners are immediately digitised and kept by a third party provider, and information in removable media is uploaded and the media destroyed.
- Complete virtualisation: Agilis staff can collaborate effectively without need for physical presence. The company has invested in remote collaboration platform tools, ranging from messaging and collaboration to virtual whiteboards and meeting facilities, and all personnel are trained to use them and already use them effectively in everyday normal operations. There will be no need for a “switch” to a remote mode of working and collaboration. Company telecommunications are completely virtualised and routed into the collaboration platform so that all company staff are transparently accessible by customers and partners at the company’s telephone numbers in any location and on any equipment they happen to use.
- Cloud-only information infrastructure: All information and all business processes and activities are supported by independent Cloud SaaS business applications and tools set up to be remotely accessible without need for special or even controlled equipment. Backups are outsourced to third party service providers and no backup media are kept by the company. All cloud information service providers are assessed for their own information security and business continuity measures.
- Independence from equipment: As regards tools that must be locally installed on workstations and devices, only software that can be remotely downloaded is used, while local configuration and data are automatically synced in the cloud to minimise the time and overhead needed to restore a working environment on any available device. Device configuration and control is also done remotely, allowing the use of any available equipment and eliminating the need for equipment pre-configuration or physical presence of IT support staff. No information is locally stored on workstations and devices.
- Information distribution and independence: Different independent cloud services are used, reducing the impact of disaster or loss of a single information service provider. Independent third party backup service providers are used to back up information in cloud services, and when backup is undertaken by the same provider it is ensured that backup files are kept in different data centres. Disaster recovery plans for critical information services are designed to include the possibility of quick deployment of the service in an alternative service or service provider.
Organisational and Operational Resilience
Organisational and operational resilience principles allow the company to flexibly adapt its very structure, operations and work organisation to face acute shortage or loss of resources or personnel. Moreover, organisational and operational resilience allows the quick realignment of available resources in case of crises that demand coordinated and focused effort.
- Deputies for key persons: Persons in management roles always have a deputy who participates in all project management and planning activities, contacts with customers etc. and can undertake the management role with minimum handover effort and risk.
- Self managed teams: Process and project teams are self managed and decide collectively on technical approaches and methods, as well as planning and work allocation in the framework of agile project management methodologies. This team based agile approach ensures that all team members have knowledge of the entire project or activity and can undertake any task. Since agile project management is based on the allocation of elementary tasks including rapid iterations of user-requirements - design - implementation - review and acceptance, all team members who undertake such tasks in a self-managed team are eventually involved in all the aspects of a project or activity, avoiding expertise silos.
- Broad roles and jobs: Roles and job descriptions are broad and encompass the full life cycle of a project or activity, avoiding narrow specialisations. Team members are expected to have the knowledge and competence to undertake a variety of different tasks and in the context of self managed teams are given the opportunity to acquire experience in different work areas.
- Participative management: Management meetings involve entire teams and are not restricted to management level persons. All team members are aware of all emergent issues, problems, risks and plans. Team leaders are more team captains, actually undertaking tasks and working on them themselves, providing guidance and mentoring, rather than being team managers restricted to coordination and management.
- Shallow management structures and practices enable the quick and effective coordination and alignment of resources, as well as responsiveness whenever needed.
- Pool of external resources: A pool of available external resources must be maintained, including partners with which collaboration is already established and to which parts of business processes may be outsourced if needed.
Cultural Resilience
Cultural resilience is the entrenchment of a resilience-oriented culture in the company’s values and the values of all personnel and is the enabler of the technological and management / operational pillars of a resilience strategy. It implies that all the company’s staff, at all levels of responsibility, know how to respond to crises and realign themselves and the company’s resources as required. This is accomplished by many cultural traits, such as:
- A work environment informed by values of openness, trust, empowerment, encouragement of initiative and resourcefulness that are not only explicitly endorsed but cultivated in everyday practice.
- A collective memory of how the company has proved resilient in adverse circumstances in the past.
- A spirit of continuous innovation, experimentation and early adoption of new technologies, methods and practices in everyday practices.
- A willingness to challenge established ways of doing things while at the same time taking change seriously and addressing its risks systematically.
- A spirit of self-reliance and confidence that the company can quickly acquire in-depth knowledge in new fields if required, when recourse to external support may prove difficult or impossible.
QMS-021-P v.2