Business Continuity and Disaster Recovery Policy Free Template

Here is a complete Business Continuity and Disaster Recovery (BC/DR) Policy, aligned with ISO/IEC 27001:2022 (Controls A.5.29–A.5.31) and SOC 2 (CC7.1, CC7.4):

1. Document Control

  • Document Title: Business Continuity and Disaster Recovery Policy

  • Document Identifier: POL-ALL-010

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <Chief Risk Officer>

  • Approved By: <Executive Risk and Compliance Committee>

2. Purpose

The purpose of this Business Continuity and Disaster Recovery (BC/DR) Policy is to define the strategic framework for preparing for, responding to, and recovering from business disruptions and disasters that may affect <Organization Name>. The policy ensures the organization can maintain critical operations, protect assets, and restore services in the event of natural disasters, cyberattacks, pandemics, infrastructure failures, or other significant incidents.

This policy aligns with ISO/IEC 27001:2022 Controls A.5.29–A.5.31 and SOC 2 Trust Criteria CC7.1 and CC7.4, which mandate the implementation of continuity and recovery capabilities to reduce operational and reputational risk. Through effective planning and regular testing, <Organization Name> aims to minimize downtime, uphold service-level agreements, and ensure the safety and continuity of operations under adverse conditions.

3. Scope

This policy applies to all business units, employees, systems, services, and third-party providers responsible for delivering critical business functions. It covers:

  • Continuity of business operations during disruptive events

  • Recovery of IT infrastructure, data, and communications systems

  • Activation of the Disaster Recovery (DR) plan and emergency response

  • Roles and responsibilities for response teams

  • Coordination with third parties, regulators, and clients during disruptions

The policy encompasses both planned disruptions (e.g., facility maintenance) and unplanned crises (e.g., ransomware attacks, earthquakes).

4. Policy Statement

<Organization Name> shall:

  1. Develop and maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) for all critical business processes and systems.

  2. Identify critical systems and data through Business Impact Analysis (BIA) and assign Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

  3. Ensure that all business continuity strategies are documented, regularly tested, and updated.

  4. Establish clearly defined roles and escalation paths for activating the BCP and DRP.

  5. Maintain alternate communication, workspaces, and infrastructure to support operations during an outage.

  6. Ensure data backups are performed routinely and stored securely in geographically diverse locations.

  7. Provide ongoing training and awareness to staff to ensure readiness and rapid execution during crises.

5. Safeguards

The following safeguards support continuity and recovery:

| Control ID | Safeguard Description |
|---|---|
| BCP-01 | Annual Business Impact Analysis (BIA) for all departments |
| BCP-02 | Documented BCP and DRP with defined RTOs/RPOs for critical services |
| BCP-03 | Off-site and cloud-based backups tested monthly |
| BCP-04 | Redundant internet connectivity and failover systems in place |
| BCP-05 | Emergency communications plan for staff, clients, and stakeholders |
| BCP-06 | Alternate processing sites identified and validated annually |
| BCP-07 | Tabletop and full DR testing conducted at least once per year |
| BCP-08 | Crisis Management Team (CMT) designated with 24/7 contact information and authority |

6. Roles and Responsibilities

  • Chief Risk Officer (CRO): Oversees enterprise-wide continuity and recovery strategy and compliance.

  • Business Continuity Manager: Maintains BCP/DR documentation, coordinates training and testing, and manages incident escalation.

  • IT Disaster Recovery Lead: Executes infrastructure failover, data restoration, and communications during IT outages.

  • Department Heads: Ensure continuity plans exist for business-critical functions under their control.

  • All Employees: Participate in training, follow continuity protocols, and report obstacles during activation.

7. Compliance and Exceptions

Compliance with this policy is validated through:

  • Annual plan reviews and testing exercises

  • Audit trails of backup jobs and DR simulations

  • Assessment of third-party continuity controls (e.g., vendor SLAs)

Exceptions must be documented, risk-assessed, and formally approved by the CRO. Any exception will be reviewed quarterly and must include compensating controls.

8. Enforcement

Violations of this policy, such as failure to maintain continuity documentation or non-participation in testing, may result in:

  • Departmental performance reviews

  • Mandatory remedial training

  • Internal disciplinary action (for employees)

  • Contract termination or penalties (for vendors)

During a crisis, failure to comply with response protocols may result in additional review or liability, depending on the impact of the failure.

9. Related Policies/Documents

  • POL-ALL-001: Information Security Policy

  • POL-ALL-009: Incident Response Policy

  • PRC-ALL-013: Business Continuity Plan Template

  • PRC-ALL-014: Disaster Recovery Playbook

  • ISO/IEC 27001:2022: A.5.29–A.5.31

  • SOC 2 Trust Criteria: CC7.1, CC7.4

10. Review and Maintenance

This policy and the associated BCP/DRP documents must be reviewed at least annually or after any major incident, organizational change, or test result indicating inadequacy. The Business Continuity Manager, in coordination with IT and executive stakeholders, is responsible for ensuring plans remain up-to-date, tested, and accessible.
