2023-04-11 NOTICE: The following policy or plan is currently under internal review and may not be up-to-date or fully aligned with our organization's current practices or procedures. Please check back shortly, or contact us for more information.

Business Continuity Plan

Last updated: 2023-03-30

The Fox and Geese Business Continuity Plan (BCP) establishes procedures to ensure the restoration of critical business functions and processes in the event of a disaster or other disruption. This plan works in conjunction with the Fox and Geese Disaster Recovery Policy and Plan to provide a comprehensive approach to maintaining business operations during and after a crisis. The Business Continuity Plan is maintained by the Fox and Geese Business Continuity Team.

The following objectives have been established for this plan:

  1. Identify the organization's critical business functions and processes that must be maintained during a disruption.
  2. Develop and implement strategies to ensure the continuity of critical business functions and processes during and after a disaster.
  3. Assign roles and responsibilities to designated personnel for the execution of the Business Continuity Plan.
  4. Establish a clear communication plan to keep employees, partners, customers, and stakeholders informed during a crisis.
  5. Conduct regular training and awareness programs for employees on business continuity procedures and their roles during a crisis.
  6. Implement a process for documenting lessons learned after tests or actual business continuity events.
  7. Review and update the Business Continuity Plan regularly to ensure its continued effectiveness and alignment with the organization's evolving needs.

Business Impact Analysis (BIA)

A Business Impact Analysis (BIA) should be conducted to identify the critical business functions and processes for Fox and Geese as a SaaS software provider, assess the potential impact of disruptions, and determine the acceptable downtime for each function or process. The BIA should include:

  1. Identification of critical business functions and processes.
  2. Determination of the maximum tolerable downtime (MTD) for each critical function or process.
  3. Assessment of the potential financial, operational, and reputational impacts of disruptions.
  4. Identification of dependencies between critical functions and processes and the resources required to support them.

Critical Business Functions and Processes with MTDs

  1. Software Services Availability - Ensuring that the software services are accessible and functional for customers.
    • MTD: 2 hours
  2. Customer Support - Providing prompt and effective assistance to customers experiencing issues or having inquiries.
    • MTD: 4 hours
  3. Data Backup and Recovery - Regularly backing up and storing critical data to ensure its availability in the event of a disruption.
    • MTD: 12 hours
  4. Billing and Invoicing - Processing customer payments and managing billing-related inquiries.
    • MTD: 24 hours
  5. Software Development and Maintenance - Continuously developing and maintaining the software product to meet customer needs and ensure functionality.
    • MTD: 48 hours
  6. Sales and Marketing - Attracting new customers and maintaining relationships with existing clients.
    • MTD: 72 hours
  7. Human Resources - Overseeing employee management, recruitment, and payroll processing.
    • MTD: 96 hours
  8. Administrative Functions - Managing day-to-day operations, such as office management, procurement, and IT support.
    • MTD: 120 hours

Business Continuity Strategies

Based on the results of the BIA, appropriate business continuity strategies should be developed and implemented to ensure the continuity of critical business functions and processes. These strategies may include:

  1. Redundancy and diversification of key resources, such as personnel, equipment, and suppliers.
  2. Remote work arrangements and alternative work locations for employees.
  3. Use of cloud-based services and applications to ensure data accessibility and system functionality.
  4. Development of manual workarounds for automated processes.
  5. Regular backup and offsite storage of critical data and information.

Fox and Geese SaaS Service Availability and Customer Support Strategies

For Fox and Geese, ensuring software service availability and providing prompt customer support are critical aspects of business continuity. The following strategies have been implemented to ensure uninterrupted service and support during a disruption:

  1. Fox and Geese Multi-Cloud Deployment: Fox and Geese software is deployed across multiple cloud service providers to minimize dependency on a single provider. This approach maintains availability even if one provider experiences an outage.

  2. Fox and Geese Microservices Architecture: Fox and Geese has adopted a microservices architecture for its software, which allows for the independent scaling and deployment of individual components. This approach enables the isolation of issues and prevents them from affecting the entire system.

  3. Automated Monitoring and Alerting: Fox and Geese uses automated monitoring and alerting tools to detect potential issues in the application and infrastructure. This enables the swift identification and resolution of problems, minimizing downtime.

  4. Backup and Failover Systems: Fox and Geese has established backup systems and failover mechanisms for critical components of its software. This ensures that if a component fails, a backup system can quickly take over and maintain service availability.

  5. Customer Support Redundancy: Fox and Geese has built a distributed customer support team that operates from multiple locations, ensuring that support remains available even if a particular location is affected by a disruption.

  6. Self-Service Support: Fox and Geese has developed a comprehensive self-service support portal for customers. This helps reduce the reliance on live customer support and ensures that customers can access assistance even during a disruption.

  7. Remote Work Infrastructure: Fox and Geese has invested in remote work infrastructure, such as collaboration tools and secure remote access systems, enabling customer support and other critical teams to work remotely during a disruption.

  8. Service Level Agreements (SLAs): Fox and Geese has established clear SLAs with third-party service providers, including cloud providers and external support partners, to ensure that they are committed to maintaining service availability and providing prompt support during disruptions.

By implementing these strategies, Fox and Geese ensures the continuity of software service availability and effective customer support during disruptions.

Activation Procedures

In the event of a disruption or crisis, the following activation procedures should be followed:

  1. The Business Continuity Coordinator (BCC) assesses the situation and determines if the Business Continuity Plan should be activated.
  2. The BCC notifies the Business Continuity Team and other relevant stakeholders about the activation of the plan.
  3. The Business Continuity Team assesses the impact of the disruption on critical business functions and processes and prioritizes their recovery based on their MTD and potential impact.

Recovery Procedures

For each critical business function and process, the Business Continuity Plan should include detailed recovery procedures to be followed during a crisis. These procedures may involve:

  1. Implementing alternative work arrangements or locations for employees to ensure the continuity of critical functions.
  2. Coordinating with the IT department and Disaster Recovery Coordinator (DRC) to restore disrupted systems or data.
  3. Establishing procedures for manual workarounds or alternative suppliers, if applicable.
  4. Ensuring effective communication with employees, partners, customers, and stakeholders regarding the recovery progress.

Post-Crisis Procedures

After the crisis has been resolved, the following post-crisis procedures should be followed:

  1. The BCC and Business Continuity Team assess the effectiveness of the Business Continuity Plan and identify areas for improvement.
  2. The team documents lessons learned from the crisis and updates the plan accordingly.
  3. The BCC conducts a post-crisis debriefing with the Business Continuity Team and other relevant stakeholders to review the response to the crisis and identify opportunities for improvement.

Business Continuity Team

The Fox and Geese Business Continuity Team is responsible for the development, implementation, and maintenance of the Business Continuity Plan. The team should consist of representatives from key departments and functions within the organization, including:

  1. Senior Management
  2. Human Resources
  3. Information Technology
  4. Operations
  5. Finance
  6. Sales and Marketing
  7. Customer Support
  8. Legal and Compliance

Communication Plan

A clear communication plan is essential during a crisis to keep employees, partners, customers, and stakeholders informed about the situation and the steps being taken to restore business operations. The communication plan should include:

  1. Designated spokespersons for different stakeholder groups.
  2. Communication channels to be used, such as email, phone, social media, and the company website.
  3. Frequency of updates and the type of information to be shared.
  4. A process for addressing inquiries and concerns from stakeholders.

Training and Awareness

A training and awareness program should be established to ensure that employees are aware of the business continuity procedures and their roles during a crisis. The program should include:

  1. Regular training sessions on the business continuity plan and procedures.
  2. Clear documentation of roles and responsibilities for each employee during a crisis.
  3. Periodic reviews and updates to the training program to ensure it remains relevant and effective.

Testing and Maintenance

The Business Continuity Plan should be tested regularly to ensure its effectiveness and identify any gaps or areas for improvement. Testing may include tabletop exercises, simulations, or full-scale exercises that involve the activation of the plan and the execution of critical tasks. The plan should be reviewed and updated at least once every 12 months or as needed based on the results of testing and lessons learned.

Crisis Management

In the event of a crisis, the Business Continuity Team should convene to assess the situation, activate the appropriate response strategies, and coordinate the organization's efforts to restore normal business operations. This may involve:

  1. Assessing the impact of the disruption on critical business functions and processes.
  2. Prioritizing the recovery of critical functions and processes based on their MTD and potential impact.
  3. Activating the appropriate response strategies, such as remote work arrangements, manual workarounds, or alternative suppliers.
  4. Coordinating communication efforts to keep stakeholders informed and address their concerns.
  5. Monitoring the situation and adjusting the response strategies as needed.

Plan Update Frequency

This Business Continuity Plan is reviewed and updated at least once every 12 months to ensure its continued effectiveness and alignment with the organization's evolving needs.

Applicable Standards

Applicable Standards from the HITRUST Common Security Framework

  • 12.a - Developing and Implementing Continuity Plans Including Business Impact Analysis

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(7)(i) - Contingency Plan

Roles and Responsibilities

The following roles and responsibilities have been assigned to designated personnel to ensure the effective execution of the Business Continuity Plan:

  1. Business Continuity Coordinator (BCC) - The BCC is responsible for overseeing the development, implementation, and maintenance of the Business Continuity Plan. This includes coordinating with the Disaster Recovery Coordinator (DRC) and other relevant stakeholders to ensure a seamless integration of both plans during a crisis.

  2. Business Continuity Team Members - Team members are responsible for executing their assigned tasks and responsibilities during a crisis, as outlined in the Business Continuity Plan. This may include assessing the impact of the disruption, activating response strategies, coordinating communication efforts, and supporting the recovery of critical functions and processes.

  3. Senior Management - Senior management is responsible for providing strategic direction and support for the Business Continuity Plan, ensuring that adequate resources are allocated to its development, implementation, and maintenance. They are also responsible for approving the plan and any updates or changes that may be required.

  4. Department Heads - Department heads are responsible for ensuring their respective departments are prepared to respond effectively during a crisis, as outlined in the Business Continuity Plan. This includes ensuring their staff are aware of their roles and responsibilities, participating in training and awareness programs, and providing support for the recovery of critical functions and processes.

  5. Employees - All employees are responsible for being aware of their roles and responsibilities during a crisis, as outlined in the Business Continuity Plan. They are also expected to participate in training and awareness programs and follow the procedures and guidelines established in the plan.

By assigning clear roles and responsibilities, Fox and Geese can ensure a coordinated and effective response to any crisis, minimizing the impact on its business operations and ensuring a timely recovery.

Training and Testing Frequency

The Business Continuity Plan should be tested regularly to ensure its effectiveness and identify any gaps or areas for improvement. Testing may include tabletop exercises, simulations, or full-scale exercises that involve the activation of the plan and the execution of critical tasks. The plan should be reviewed and updated at least once every 12 months or as needed based on the results of testing and lessons learned.

To ensure that all employees are prepared to respond effectively during a crisis, regular training and awareness programs should be conducted. These programs should include:

  1. Training sessions on the Business Continuity Plan and procedures, covering topics such as roles and responsibilities, response strategies, and communication guidelines.
  2. Simulation exercises to provide employees with hands-on experience in executing their assigned tasks and responsibilities during a crisis.
  3. Regular reviews and updates to the training program to ensure it remains relevant and effective.

By conducting regular training and testing, Fox and Geese can ensure that all employees are prepared to respond effectively during a crisis, minimizing the impact on its business operations and ensuring a timely recovery.