The goal of Bondora's business continuity planning is to ensure business activities continue during emergencies and that business activities and IT systems are restored following emergencies. This section reviews non-IT related business continuity activities. IT-related business continuity issues were addressed in the "IT risk" section.
Emergencies are any business interruptions that occur independently of Bondora, which include, but are not limited to, a loss of personnel; problems associated with the physical location or infrastructure of Bondora; a failure or similar issue involving Bondora's information systems; and external accidents (e.g., fire).
Bondora's business continuity process is managed by the Management Board in accordance with the business continuity plans developed for each area, as set out below:
- Customer service and channels - includes events that affect client servicing and communications channels;
- Buildings, physical security and transport - includes responding to fires, floods and other such events at Bondora locations; security-related threats, such as robberies, terrorism, and frauds; and the transport of staff and data media;
- Information security related to IT and communications - includes information security incidents, IT support in emergency situations that are unrelated to IT, and handling situations involving data communication and telephony;
- Staff - includes situations that affect human resources, such as a loss of life, mass illness, etc., and organizing communications as appropriate with relatives and other relevant parties;
- Credit - includes handling credit process-related situations;
- Legal - includes providing legal support in extraordinary circumstances and responding to legal-related emergency situations;
- Department managers - includes implementing business continuity plans in the respective areas; and
- Other areas, as determined by the Management Board.
Each business continuity plan clearly sets out responsibilities and lines of authority. Changes in Bondora's commercial processes, staff and resources (e.g. information systems, software applications) are recorded in the relevant business continuity plans.
All business continuity plans contain the following components:
- Emergency procedures designed to ensure staff safety;
- The function of information services, the roles and obligations of suppliers that provide recovery services, and the administrative support staff of service users;
- Communications plans for informing interested parties, including staff, clients and the Estonian Financial Supervision Authority, of an extraordinary event and the recovery status;
- List of system resources for which alternatives may be required, such as hardware, external devices, software, etc.;
- Prioritized list of applications, required recovery times and expected performance norms;
- Sufficiently detailed step-by-step recovery scenarios, along with appropriate responses, beginning with situations where there is limited damage and ending with those where the damage is significantly greater;
- Description of special devices and accessories (e.g. communications devices, telephones, etc.) that may be needed, along with designated and alternative sources;
- Testing schedule, prior test results, and additional measures implemented as a result of prior tests;
- List of contractual service providers, services they provide, and expected responses;
- Information about the whereabouts of important resources, including back-up locations for critical agreements, client files, operational systems, applications, data files, user manuals and programs, and system and user documentation;
- Up-to-date information for staff members in key positions - names, addresses, telephone numbers, other communications devices; and
- Alternatives for recommencing professional activity, as in the case where systems have been restored at an alternative location but where employee workplaces have been destroyed.
Business continuity plans require that backup copies of critical data, resources and other materials be kept in appropriate locations.
The Management Board, an employee designated by the latter, or a third party will notify those individuals listed in the business continuity plan that the plan has been implemented. The Management Board is responsible for notifying the Estonian Financial Supervision Authority.
Within three working days, at the latest, after regular business activities have been restored, a description of the incident, including the following data, must be submitted to the Estonian Financial Supervision Authority:
- Time of the disruption;
- Extent and impact of the disruption;
- Description of steps taken to address the disruption;
- Cause of the disruption; and
- Measures that will be implemented to avoid similar disruptions in future.
The Management Board regularly, at least once a year, reviews and approves business continuity plans and test results. Following the launch of a new critical business process infrastructure component, or software application; important staff changes; or other developments, as deemed necessary, the Management Board will review business continuity plans and test results more frequently.
Business continuity plans are evaluated by an internal auditor; an external audit may also be performed, if necessary.