Part 1: Business Continuity Plan (BCP)
1. Objective
This Business Continuity Plan (BCP) outlines strategies and procedures to mitigate risks and maintain essential functions during emergencies or unforeseen events.
Business continuity efforts are supervised by senior management for each key functional area within Timetabling Solutions and are supported by executive management.
2. Scope
This BCP applies to all operations for restoring critical business processes in the event that various resources are unavailable, including the loss of buildings, technology, human resources, third-party vendors, and vital records.
Our Data Breach Response Plan will deal with incidents regarding actual or potential data breaches, which have specific legal requirements.
3. Risk Assessment
Potential risks to information assets and business processes may include:
Natural disasters (earthquakes, floods, fire)
Health-related (e.g., COVID-19)
Cyberattacks
Equipment failures
Human errors or malicious activities
4. Business Continuity Strategies
a) Professional Services Continuity
In-person Training: Trainers are scheduled with alternating weeks to avoid dependency on a single person. Venues must be capable of converting events online within 24 hours.
Consultation Services: A senior consultant remains on standby for substitutions.
Client Communication: Clients are informed of cancellation rights and refund policies; liability for travel/accommodation costs is disclaimed.
b) Work Anywhere Capability
All staff have remote working capability with cloud-based systems, SIM-enabled laptops, and mobile-accessible phone systems.
5. Preservation Strategies
Critical documents are securely stored online with access controls, MFA, encryption, and weekly audits.
Infrastructure is monitored for vulnerabilities.
Employees receive training on safeguarding assets.
6. Incident Response Coordination
Classification:
Critical Incident – High Priority
Major Incident – Medium Priority
Minor Incident – Low Priority
Incident Response Team:
Incident Manager: General Manager
Technical Lead: Director of Software
Communications Lead: Office Manager
7. Documentation, Testing, and Review
All incidents documented in a 'Post Incident Review' list.
Tabletop and simulation exercises are conducted.
Annual plan review and updates are required.
8. Recovery Objectives (RTO and RPO)
To ensure effective disaster recovery, each system has defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO):
RTO (Recovery Time Objective): Maximum acceptable time to restore service after a disruption.
RPO (Recovery Point Objective): Maximum acceptable age of data that can be restored (i.e., how much data loss is tolerable).
| System / Service | Priority | RTO | RPO | Notes |
|---|---|---|---|---|
| Cloud Applications (Timetabling) | High | 4 hours | 12 hours | High-availability infrastructure and daily differential backups. |
| CRM | Medium | 12 hours | 24 hours | Daily backups at 5:00 PM Central Time. |
| Ticketing System | Medium | 12 hours | 24 hours | Critical for client support continuity. |
| Accounting Software | Medium | 24 hours | 24 hours | Vendor-managed, typically restored via vendor SLAs. |
| Desktop Data Files (OneDrive/SharePoint) | Medium | 4–6 hours | 12 hours | Files synced continuously to SharePoint with local copies. |
| Archived / Legacy Data | Low | Up to 72 hours (3 business days) | Up to 7 days | Access delayed unless specifically required. |
Part 2: Disaster Recovery Plan (DRP)
1. Objective
This DRP outlines the technical and procedural steps to recover critical IT systems, data, and services after a disruption.
2. Scope
This DRP covers all Timetabling Solutions' technology infrastructure, including:
Cloud Applications
CRM & Ticketing System
Accounting Software
Desktop Data Files
3. Backup Strategies
a) Cloud Applications
7 Days point-in-time restore
12-hour differential backup
4 Weeks long-term retention
b) CRM
Daily backups at 5:00 PM Central Time
c) Desktop Data Files
Files saved in OneDrive, synced with SharePoint for redundancy
4. Recovery Priorities and Procedures
Priority: HIGH
Systems: Cloud Applications
Response:
Immediate escalation to incident response team
Deploy failover mechanisms
Communicate updates via Freshstatus and other channels
Validate restoration and resume operations
Priority: MEDIUM
Systems: CRM, Ticketing, Accounting
Response:
Restore after high-priority systems are stable
Allocate resources based on impact
Stakeholder updates via Freshstatus and other channels
Priority: LOW
Systems: Archived data, reports, legacy systems
Response:
Restore once high/medium systems are operational
Apply workarounds if necessary
Internal updates via Microsoft Teams, email, or calls
5. Communication Protocol
External updates are managed via:
Freshstatus page
Social media
Voicemail, email replies
Internal updates coordinated via Teams and direct communication
6. Escalation and External Support
If internal response is insufficient, the Incident Manager may escalate to:
External disaster recovery specialists
Cloud service providers or vendors
7. DR Testing and Maintenance
DR procedures will be tested via simulations or recovery drills at least annually.
The DRP will be revised based on test outcomes and technology changes.