Watani Iron Steel Co.

Business Continuity Management

Document Control

Version control

Master Location:  Riyadh, Saudi Arabia
Document Name:    Business Continuity Management

Document Edit/Review History

Version   Date          Comments                                                    Prepared/Revised by
1.0       xx xx 202x    The first issuance of the Business Continuity Management

Document Approval History

Date   Name   Position/Title   Signature

Distribution of Final Document

Name   Position/Title

Glossary: Abbreviations & Terms Definitions
In this Charter, except where the context otherwise demands, the following words and expressions shall have
the following meaning:

Abbreviation   Definition

BCM            Business Continuity Management
BIA            Business Impact Analysis
Board          The Board of Directors of the WISC
CEH            Certified Ethical Hacker
CEO            Chief Executive Officer
CFO            Chief Financial Officer
CISM           Certified Information Security Manager
CISO           Chief Information Security Officer
CISSP          Certified Information Systems Security Professional
CMA            Capital Market Authority
CMT            Crisis Management Team
DoA            Delegation of Authorities
DRC            Disaster Recovery Center
DRP            Disaster Recovery Plans
HR             Human Resources
ICS            Incident Command System
ISO            International Organization for Standardization
IT             Information Technology
KPI            Key Performance Indicator
KSA            Kingdom of Saudi Arabia
MFA            Multi-Factor Authentication
NIST           National Institute of Standards and Technology
NRC            Nomination and Remuneration Committee
RDP            Remote Desktop Protocol
RPO            Recovery Point Objective
RTO            Recovery Time Objective
SIEM           Security Information and Event Management
VPN            Virtual Private Network

Term   Definition

Business applications: Any application used by employees to perform various business functions in the entity.

Business Continuity: The organization's ability to continue provision of IT and business services at determined
and pre-accepted levels after the occurrence of a disruption event.

Business impact analysis (BIA): Determines the important activities and priorities of the institution, the
interdependencies between those activities, the minimum resources needed for recovery, and the extent of the
impact that a business interruption can cause.

Table of Contents

1. Definitions
2. Introduction
2.1. Background
2.2. Purpose of the
2.3. Functional Scope and Applicability
2.4. Implementation
2.5. Ownership, Revision, and Update
2.6. Disclaimer
2.7. Confidentiality
2.8. Accreditation
3. Composition of the Committee
3.1. Membership Principles
3.2. Appointment of the Chairman of the Committee
3.3. Appointment of the Secretary of the Committee
3.4. Appointment and termination of members of the Committee
4. Authorities of the Committee
5. Competences and Responsibilities
5.1 Competences and Responsibilities of the Committee
5.2 Responsibilities of the Chairman and Vice-Chairman of the Committee
5.3 Responsibilities of the Secretary of the Committee
5.4 Qualifications of Committee Members
6. Meetings
7. Committee's Report
8. Committee's Methodology
9. Remuneration

1. Definitions

In this Charter, except where the context otherwise demands, the following words and expressions shall have
the following meaning:

Term   Definition

Cybersecurity Controls: Administrative, operational, and technical controls (measures or counter-measures)
stipulated in the information system for protecting the confidentiality, integrity, and availability of the
system and its information.

WISC: Watani Iron Steel Company.

BCM: A program that involves developing, implementing, and maintaining strategies, plans, and procedures to
minimize the impact of disruptions and enable the organization to recover and resume operations quickly.

Board of Directors: The Board serves as the highest governing body of the WISC. Its role is to manage and
ensure that policies are developed and performance is monitored in accordance with the WISC's articles of
association, shareholder resolutions, and legal requirements. All board decisions and actions are accountable
to the general assembly of shareholders.

Committee: A board committee is a group of individuals appointed or elected by the Board of Directors to
perform a specific task or function on behalf of the Board.

Corporate Governance: The rules, practices, and processes by which the WISC is directed and controlled.
Corporate Governance involves fair treatment and balancing the interests of the many stakeholders at the
WISC.

Certified Ethical Hacker: A professional certification offered by the International Council of E-Commerce
Consultants (EC-Council). It is designed to validate the skills and knowledge of individuals in ethical
hacking.

Business Impact Analysis (BIA): A critical component of business continuity planning. It is a systematic
process that identifies, analyzes, and evaluates the potential impacts of disruptions on essential business
functions and processes.

Crisis Management Team: A Crisis Management Team (CMT), also known as an Incident Management Team (IMT) or
Emergency Management Team (EMT), is a group of individuals responsible for managing and coordinating an
organization's response to a crisis or emergency. The team typically comprises vital executives, managers,
and subject matter experts from various departments or disciplines within the organization.

Remote desktop access: RDP provides a graphical interface for users to connect to a remote desktop or server.
This allows users to access files, applications, and resources on the remote machine as if sitting in front
of it. It is commonly used for remote administration, technical support, and accessing office resources from
off-site locations.

Certified Information Systems Security Professional (CISSP): A globally recognized certification in
information security, offered by the International Information System Security Certification Consortium,
also known as (ISC)².

Cybersecurity Committee: It aims to help capital market institutions adopt the good cybersecurity practices
established by the CMA.

Risk: The uncertainty around current or future events and outcomes that could bring adverse impacts, either
in the form of direct loss of earnings and capital or the imposition of constraints on the WISC's ability to
meet its business objectives, conduct business, or take advantage of opportunities to enhance the business.

Risk Strategy: The strategy adopted for managing the WISC's key material risks, developed at the WISC level
in line with the strategic objectives and business plans and considering the WISC's Risk Capacity, Risk
Appetite, and Risk Limits. It lays out the risk management philosophy and risk governance, and specifies the
risk management approach for risk identification, assessment, response, monitoring, and reporting
consistently across the WISC.

Disaster Recovery Center: A DRC is a physical or virtual facility that organizations or government agencies
establish to support disaster recovery efforts. It is a central location where individuals, businesses, and
communities affected by a disaster can access resources, information, and assistance to aid recovery.

Threat: Any circumstance or event related to information systems with the potential to adversely affect a
capital market institution's business (including mission, functions, image, or reputation), organizational
assets, or individuals through an information system via unauthorized access, destruction, disclosure, or
modification of information, and/or denial of service. Also, the potential for a threat source to
successfully exploit a particular information system vulnerability.

Vulnerability: A weakness in computer systems, programs, applications, or a set of procedures that can be
exploited by a threat.

Service Level Agreement: An agreement between two parties, where one party is the customer and the other is
the service provider, that clarifies the services the service provider must render and the criteria that
must be met in rendering the service.

Recovery Time Objective: A disaster recovery and business continuity planning concept that refers to the
maximum acceptable downtime or outage duration for a system, service, or business process. It represents the
targeted duration within which an organization aims to recover its operations after a disruption or failure.

Recovery Point Objective: A metric used in disaster recovery planning to determine the maximum acceptable
amount of data loss an organization can tolerate during a system or service disruption. It represents the
point in time to which data must be recovered to resume normal operations without significant loss or impact.

Incident Command System: A standardized management framework for the command, control, and coordination of
emergency response operations. It provides a structured approach to managing incidents, ranging from
small-scale local events to large-scale disasters or emergencies involving multiple agencies and
jurisdictions.

2. INTRODUCTION
2.1. Background
Business Continuity Management (BCM) is a holistic management process that helps organizations identify
potential threats and vulnerabilities, develop strategies to mitigate those risks, and establish plans and
procedures to ensure the continuity of critical business functions during a disruption. It involves proactive
planning and preparation to minimize the impact of unexpected events and enable organizations to recover and
resume operations as quickly as possible.

2.2. Purpose of the Business Continuity Management

Business Continuity Management (BCM) aims to enable organizations to effectively respond to and recover from
disruptive incidents or events, ensuring the continuity of critical business functions and minimizing the impact
on operations.

2.3. Functional Scope and Applicability
Business Continuity Management (BCM) is crucial for organizations to maintain critical business functions during
and after a disruptive incident. This includes IT continuity planning, risk management, crisis management, and
regulatory compliance. BCM is applicable across various sectors and must be urgently implemented to ensure
resilience and safeguard stakeholders' interests.

2.4. Implementation
Implementing Business Continuity Management (BCM) involves a systematic and phased approach to ensure an
organization's effective development, implementation, and maintenance of a comprehensive BCM program.

2.5. Ownership, Revision, and Update

2.6. Disclaimer

This Business Continuity Management document was prepared for internal application. Its content may be updated
to address additional business requirements as and when they arise.

2.7. Confidentiality

The contents of this Business Continuity Management document are strictly confidential, and no information should
be shared, discussed, or disclosed to people outside of the WISC without the written approval of the CEO.

2.8. Accreditation
Accreditation in Business Continuity Management (BCM) refers to the recognition or certification of an
organization's BCM program by an external accrediting body or certification scheme. Accreditation provides
independent verification that an organization has implemented a BCM program that meets specific standards or
criteria.


3. Critical Elements of BCM
3.1 Business Continuity Plan (BCP)
A Business Continuity Plan (BCP) is a strategic document that outlines the procedures and protocols an
organization will follow to ensure the continued operation of critical business functions during and after a
disruptive event. It is designed to minimize the impact of potential threats or incidents, such as natural
disasters, technological failures, pandemics, or any other unforeseen circumstances that can disrupt regular
business operations.
The purpose of a Business Continuity Plan is to provide a framework for effectively responding to and
recovering from these disruptions, minimize downtime, reduce financial losses, protect the organization's
reputation, and ensure the safety of employees and stakeholders. It is an essential part of risk management
and a roadmap to guide the organization through a crisis.

Critical components of a Business Continuity Plan typically include:

1. Business Impact Analysis (BIA): This involves identifying critical business functions and determining the
potential impact of disruptions on these functions. It helps prioritize recovery efforts by understanding each
disruption's financial, operational, and reputational consequences.
2. Risk Assessment: Identifying and assessing potential risks and threats that could disrupt business
operations. It includes evaluating internal and external risks, such as natural disasters, cyber-attacks, supply
chain disruptions, or other events that can impact the organization.
3. Emergency Response Procedures: This section outlines the immediate actions to be taken when a
disruptive event occurs. It includes procedures for employee safety, emergency communication, evacuation
plans, and any other steps necessary to protect life and property.
4. Business Recovery Strategies: This section outlines strategies and plans for recovering critical business
functions after a disruption. It includes alternative work arrangements, backup systems and data recovery,
resource allocation, and other measures necessary to restore operations.
5. Communication Plan: This component outlines the communication channels and protocols to be used
during a crisis. It includes internal and external communication strategies, critical contact information, and
procedures for keeping stakeholders informed.
6. Training and Testing: Regular training and testing are crucial to ensure the effectiveness of the Business
Continuity Plan. This involves conducting drills, simulations, and exercises to familiarize employees with their
roles and responsibilities during a crisis and to identify any gaps or areas for improvement in the plan.
7. Plan Maintenance: A Business Continuity Plan is a living document that should be reviewed, updated, and
maintained regularly. It should reflect changes in the organization's structure, processes, technologies, and
any new risks or threats that emerge over time.

3.2 Emergency Response
Emergency response refers to the immediate actions and procedures implemented to address and mitigate the
impacts of an emergency or crisis. It involves the coordinated efforts of individuals, organizations, and systems
to protect lives, minimize damage, and restore order and safety.

Critical elements of emergency response include:

1. Preparedness: Preparedness involves activities undertaken in advance to enhance readiness for emergencies.
This includes developing emergency response plans, conducting risk assessments, training personnel, and
establishing communication protocols. Preparedness ensures that resources, systems, and personnel are in
place to respond to emergencies effectively.
2. Detection and Early Warning: Timely detection and early warning systems are essential for identifying and
alerting relevant authorities and individuals about potential emergencies. This can include monitoring systems,
alarms, and communication channels that provide early indicators of impending crises, such as natural disasters,
hazardous incidents, or security threats.
3. Emergency Communication: Clear and effective communication is vital during emergencies. It involves
disseminating information about the emergency, providing instructions to affected individuals, and coordinating
response efforts. Communication channels can include public announcements, emergency hotlines, social
media, and other means of reaching affected populations.
4. Evacuation and Sheltering: In situations where immediate evacuation is necessary, emergency response plans
should outline evacuation routes, assembly points, and procedures for safely moving people away from the
affected area. Adequate sheltering arrangements should also be made for individuals who cannot be
immediately evacuated.
5. Emergency Services: Emergency response teams, such as fire departments, police, medical personnel, and
other specialized units, play a crucial role in responding to emergencies. These teams are trained to provide
medical assistance, rescue operations, fire suppression, law enforcement, and other essential services during
crises.
6. Resource Mobilization: Emergency response requires mobilizing resources, including personnel, equipment,
supplies, and facilities. This may involve deploying additional personnel from other locations, activating mutual
aid agreements with neighboring organizations, or requesting assistance from government agencies, non-
governmental organizations, or the private sector.
7. Incident Command System: The Incident Command System (ICS) is a standardized organizational structure for
managing emergency responses. It establishes a transparent chain of command, assigns roles and
responsibilities, and facilitates coordination among agencies and organizations involved in the response. The ICS
enables effective decision-making, resource allocation, and communication during emergencies.
8. Damage Assessment and Recovery: After the initial response phase, the focus shifts toward assessing the
extent of damage, evaluating the needs for recovery and reconstruction, and initiating the recovery process.
This involves conducting damage assessments, coordinating cleanup and repair efforts, and supporting affected
individuals and communities.

3.3 Crisis Management
Crisis management refers to the strategic planning, coordination, and execution of actions to effectively
navigate and mitigate the impacts of a crisis or emergency. It involves a series of processes and activities to
minimize harm, preserve reputation, and restore normalcy in the face of a significant and disruptive event.

Critical elements of crisis management include:

1. Risk Assessment and Planning: Crisis management begins with a thorough assessment of potential risks
and vulnerabilities that an organization may face. This involves identifying potential crises, evaluating their
likelihood and potential impact, and developing strategies and plans to address them. A crisis management
plan outlines the roles, responsibilities, and actions to be taken during a crisis.
2. Crisis Communication: Communication is a critical component of crisis management. Effective
communication ensures accurate and timely information is disseminated to stakeholders, including
employees, customers, suppliers, media, and the public. Crisis communication aims to provide updates,
instructions, and reassurance and to manage the organization's reputation during the crisis. It involves
designated spokespersons, clear messaging, and communication channels that reach the target audience.
3. Incident Response and Coordination: When a crisis occurs, activating the crisis management plan and
establishing an incident response or crisis management team is essential. This team is responsible for
coordinating the response efforts, making critical decisions, and allocating resources effectively. The team
should include representatives from relevant departments or functions within the organization, and it may
also involve external stakeholders, such as government authorities or industry experts.
4. Operational Continuity: Crisis management involves ensuring the continuity of essential business
operations during the crisis. This may include activating backup systems, relocating operations, implementing
alternative processes, or securing supply chains. The goal is to minimize disruption and maintain the
organization's ability to deliver products or services to customers, even under challenging circumstances.
5. Stakeholder Support and Management: Crisis management includes addressing the needs and concerns of
stakeholders affected by the crisis. This involves providing support, resources, and assistance to affected
individuals or communities. It also involves managing relationships with various stakeholders, such as
regulators, government agencies, media, customers, and investors, to maintain trust and address their
expectations.
6. Learning and Improvement: After managing a crisis, conducting a post-crisis evaluation and analysis is
essential. This includes identifying lessons learned, evaluating the effectiveness of the crisis management
plan, and identifying areas for improvement. By learning from the crisis experience, organizations can
enhance their preparedness and response capabilities for future crises.

Crisis management is an ongoing process that requires proactive planning, regular training, and continuous
evaluation. Organizations can effectively navigate crises, protect their reputation, and emerge stronger from
challenging situations by adopting a systematic and comprehensive approach to crisis management.

3.4 Disaster Recovery

Disaster recovery refers to the process and strategies implemented to restore and recover critical systems,
operations, and data after a significant disruption or disaster. It focuses on minimizing downtime, recovering
essential functions, and restoring normalcy as quickly and efficiently as possible.

Critical elements of disaster recovery include:

1. Business Impact Analysis (BIA): A business impact analysis assesses the potential impact of a disaster on
critical business functions, processes, and systems. It helps prioritize recovery efforts by identifying the most
essential systems, data, and processes that must be restored first.
2. Recovery Time Objective (RTO) and Recovery Point Objective (RPO): RTO and RPO are critical metrics in
disaster recovery planning. RTO specifies the maximum acceptable downtime for a system or process, while
RPO determines the maximum acceptable amount of data loss. These metrics guide the development of
recovery strategies and help determine the redundancy and backup required.
3. Data Backup and Recovery: Data backup is critical to disaster recovery. It involves creating regular backups
of essential data and storing them in secure off-site or cloud locations. In a disaster, data recovery
procedures are implemented to restore the data to its previous state.
4. System Recovery: System recovery focuses on restoring critical IT systems and infrastructure. This may
involve rebuilding or restoring servers, networks, and other essential components. Redundant systems,
failover mechanisms, and backup configurations are often used to expedite recovery.
5. Alternative Work Arrangements: In the aftermath of a disaster, physical workspaces may be unavailable or
inaccessible. Disaster recovery plans often include provisions for alternative work arrangements, such as
remote work, temporary workspaces, or off-site recovery centers, to ensure that employees can continue
their work.
6. Testing and Exercising: Regular testing and exercising of the disaster recovery plan are crucial to ensure its
effectiveness. This involves conducting drills, simulations, or tabletop exercises to validate the plan, identify
gaps or weaknesses, and train employees on their roles and responsibilities during recovery.
7. Vendor and Supplier Recovery: Organizations rely on external vendors and suppliers for various services
and resources. Disaster recovery plans may include strategies to coordinate with these partners to ensure
their recovery and continuity plans align with the organization's recovery needs.
8. Communication and Stakeholder Management: Clear and timely communication is essential during
recovery. Stakeholders, including employees, customers, suppliers, and partners, must be informed about
the progress of recovery efforts, any temporary changes or disruptions, and the expected timeframe for the
complete restoration of services.
9. Plan Maintenance and Updates: Disaster recovery plans should be regularly reviewed, updated, and
maintained to reflect changes in the organization's infrastructure, systems, and processes. This ensures that
the plan remains aligned with the evolving needs and technologies of the organization.

3.5 Business Impact Analysis

Business Impact Analysis (BIA) is a process that identifies and assesses the potential impacts of disruptions or
incidents on an organization's critical business functions, processes, and resources. It is a crucial component
of business continuity planning and helps prioritize recovery efforts based on the impact and criticality of
each function.

The primary objectives of a Business Impact Analysis are as follows:

1. Identify Critical Functions: The BIA helps identify and prioritize critical business functions and processes
essential to the organization's operations. These functions are typically those that, if disrupted, would
significantly impact the organization's ability to deliver products or services, meet regulatory requirements,
maintain customer satisfaction, or generate revenue.
2. Determine Impact: The BIA assesses the potential impact of disruptions on critical functions. This includes
evaluating a disruption's financial, operational, reputational, legal, and regulatory consequences. The effect
can be measured in terms of financial losses, customer dissatisfaction, regulatory non-compliance, increased
downtime, or other relevant factors.
3. Evaluate Dependencies: The BIA identifies dependencies among different functions, processes, systems,
and resources within the organization. This includes understanding the interdependencies between
departments, technology systems, suppliers, and other external entities. Evaluating dependencies helps
assess the ripple effects of disruption and enables better prioritization and decision-making during recovery.
4. Define Recovery Objectives: The BIA helps establish recovery objectives for each critical function based on
the impact assessment. Recovery objectives define the desired timeframe for restoring each function to an
acceptable level of operation. They are typically expressed in terms of Recovery Time Objectives (RTO) and
Recovery Point Objectives (RPO), determining the maximum tolerable downtime and data loss for each
function.
5. Resource Requirements: The BIA identifies the resources required to recover critical functions. This
includes personnel, technology systems, equipment, facilities, data, and other resources necessary for
resuming operations. Organizations can allocate resources effectively and prioritize investments in recovery
capabilities by understanding resource requirements.

6. Risk Mitigation: The BIA highlights vulnerabilities and risks associated with critical functions. It helps
identify potential threats that can impact the organization, such as natural disasters, cyber-attacks, supply
chain disruptions, or human errors. Organizations can develop strategies and counter-measures to mitigate
disruptions' likelihood and impact by understanding these risks.
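The following script is an added example and not part of the WISC document: it takes the RTO and RPO that a BIA assigns to each critical function (section 3.5, objective 4) and checks them against the backup interval and tested restore time of the systems each function depends on (section 3.4, elements 2 and 3), listing the gaps and a restore order. The functions, systems, hours and impact scores are constructed for illustration.

```python
"""Constructed example: BIA recovery objectives checked against backup and restore capability.

Not part of the WISC document. All function names, systems, hours and impact
scores below are made up for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class CriticalFunction:
    name: str
    rto_hours: float        # maximum acceptable downtime set by the BIA
    rpo_hours: float        # maximum acceptable data loss set by the BIA
    impact: int             # 1 (minor) .. 5 (severe), from the impact assessment
    depends_on: list = field(default_factory=list)   # systems the function needs


@dataclass
class SystemCapability:
    name: str
    backup_interval_hours: float   # time between successive backups
    restore_hours: float           # restore time measured in the last DR exercise


# Constructed data: one plant, four systems, four critical functions.
SYSTEMS = {
    "MES": SystemCapability("MES", backup_interval_hours=1, restore_hours=4),
    "ERP": SystemCapability("ERP", backup_interval_hours=24, restore_hours=8),
    "FileServer": SystemCapability("FileServer", backup_interval_hours=12, restore_hours=6),
    "Email": SystemCapability("Email", backup_interval_hours=24, restore_hours=12),
}

FUNCTIONS = [
    CriticalFunction("Furnace control", rto_hours=2, rpo_hours=1, impact=5, depends_on=["MES"]),
    CriticalFunction("Order processing", rto_hours=24, rpo_hours=4, impact=4,
                     depends_on=["ERP", "FileServer"]),
    CriticalFunction("Corporate email", rto_hours=24, rpo_hours=24, impact=3, depends_on=["Email"]),
    CriticalFunction("Payroll", rto_hours=72, rpo_hours=24, impact=2, depends_on=["ERP"]),
]


def achievable_rpo(func, systems):
    """Worst-case data loss is bounded by the least frequently backed-up dependency."""
    return max(systems[s].backup_interval_hours for s in func.depends_on)


def achievable_rto(func, systems):
    """Assumes dependencies are restored in parallel, so the slowest restore bounds recovery."""
    return max(systems[s].restore_hours for s in func.depends_on)


def find_gaps(functions, systems):
    """Return (function, metric, objective, achievable) wherever capability misses the objective."""
    gaps = []
    for f in functions:
        unknown = [s for s in f.depends_on if s not in systems]
        if unknown:
            # A dependency with no measured capability is itself a BIA finding.
            raise ValueError(f"{f.name}: no capability data for {unknown}")
        rto, rpo = achievable_rto(f, systems), achievable_rpo(f, systems)
        if rto > f.rto_hours:
            gaps.append((f.name, "RTO", f.rto_hours, rto))
        if rpo > f.rpo_hours:
            gaps.append((f.name, "RPO", f.rpo_hours, rpo))
    return gaps


def recovery_order(functions):
    """Restore sequence: tightest RTO first, higher impact breaks ties."""
    return [f.name for f in sorted(functions, key=lambda f: (f.rto_hours, -f.impact))]


if __name__ == "__main__":
    print("Recovery order:", " > ".join(recovery_order(FUNCTIONS)))
    for name, metric, objective, actual in find_gaps(FUNCTIONS, SYSTEMS):
        print(f"GAP {name}: {metric} objective {objective}h, achievable {actual}h")
```

With the constructed data the check reports two gaps: furnace control cannot meet its 2-hour RTO because the MES restore takes 4 hours, and order processing cannot meet its 4-hour RPO because the ERP is only backed up daily.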

3.6 Risk Management

Risk management identifies, assesses, and mitigates risks to minimize their negative impact on an
organization's objectives. It involves systematically analyzing potential risks, developing strategies to handle
them, and monitoring and reviewing the effectiveness of risk mitigation measures. Effective risk
management helps organizations make informed decisions, reduce losses, and enhance their ability to
achieve their goals.

The key components of risk management include:

1. Risk Identification: The first step in risk management is identifying potential risks that could affect the
organization. This involves systematically examining internal and external factors, such as operational
processes, market conditions, regulatory changes, technological developments, and human factors, to
identify potential threats and opportunities.

2. Risk Assessment: Once risks are identified, they must be assessed in terms of their likelihood of occurrence
and potential impact. This helps prioritize risks and allocate resources based on their significance. Risk
assessment techniques may include qualitative or quantitative methods, such as risk matrices, probability
analysis, or scenario analysis.
3. Risk Mitigation: Risk mitigation involves developing strategies and actions to reduce the likelihood or
impact of identified risks. This may include implementing controls, safeguards, or preventive measures to
minimize the probability of risks occurring. It can also involve developing contingency plans, backup systems,
or alternative processes to mitigate the impact of risks should they materialize.
4. Risk Response: Risk response involves selecting the most appropriate action to address identified risks.
Common risk response strategies include accepting the risk, transferring the risk through insurance or
contracts, mitigating the risk through control measures, or avoiding the risk by changing or discontinuing
certain activities.
5. Risk Monitoring and Review: Risk management is an ongoing process that requires continuous monitoring
and review. This involves tracking the effectiveness of risk mitigation measures, reassessing risks as new
information becomes available, and adapting strategies as the business environment changes. Regular
reviews ensure that risk management practices remain relevant and practical.
6. Communication and Reporting: Effective risk management involves clear and transparent communication
of risks and risk mitigation efforts to stakeholders. This includes providing timely and accurate information
about risks, their potential impact, and the organization's risk management strategies. Regular reporting and
communication mechanisms help stakeholders understand the organization's risk profile and promote
accountability.
7. Risk Culture and Governance: Risk management should be embedded in the organization's culture and
supported by appropriate governance structures. This includes promoting risk awareness and responsibility
throughout the organization, establishing clear roles and responsibilities for risk management, and
integrating risk considerations into decision-making processes at all levels.

3.7 Resilience and Reputation Management


Resilience and reputation management are two interconnected concepts that play a crucial role in the
success and sustainability of organizations. While resilience focuses on an organization's ability to withstand
and recover from disruptions, reputation management is concerned with safeguarding and enhancing the
organization's image and standing in the eyes of stakeholders.

Resilience:
Resilience refers to an organization's capacity to anticipate, adapt, and recover from significant disruptions or
crises. It involves building the necessary capabilities and processes to withstand and respond effectively to
challenges, whether they are internal or external. Resilience is not just about bouncing back to the pre-
disruption state but also about learning from the experience and improving the organization's ability to
navigate future uncertainties.

Critical elements of resilience include:

1. Risk Management: Resilience starts with robust risk management practices that identify and assess
potential threats and vulnerabilities. By understanding risks and their potential impact, organizations can
develop strategies to mitigate and manage those risks effectively.
2. Business Continuity Planning: Organizations should have robust business continuity plans that outline
strategies and actions to maintain essential functions and operations during and after a disruption. These
plans typically include risk assessment, crisis response, communication, and recovery steps.
3. Redundancy and Flexibility: Resilience involves building redundancy and flexibility into critical systems,
processes, and supply chains. This may include backup systems, alternative suppliers, diversified distribution
channels, or cross-trained employees. Redundancy and flexibility help ensure the organization can continue
operating despite unexpected disruptions.
4. Crisis Management: Effective crisis management processes and teams are crucial for resilience. This
involves clear decision-making protocols, effective communication strategies, mobilizing resources, and
responding swiftly to crises.

3.8 Reputation Management


Reputation management is the proactive management of an organization's image, credibility, and standing
with its stakeholders. It involves building and maintaining a positive reputation and addressing any issues or
challenges that may arise to protect the organization's brand and relationships.

Key elements of reputation management include:

1. Stakeholder Engagement: Organizations must actively engage with their stakeholders, including
customers, employees, investors, regulators, and the public. This involves understanding stakeholders' needs
and expectations, maintaining open lines of communication, and addressing concerns and feedback promptly
and transparently.

2. Branding and Communication: Effective branding and communication strategies are critical in reputation
management. Organizations should develop a strong brand identity and consistently communicate their
values, mission, and commitments to stakeholders. Clear and transparent communication builds trust and
enhances the organization's reputation.
3. Crisis Communication: When faced with a crisis or adverse event, organizations must handle
communication effectively to minimize reputational damage. This involves timely and transparent
communication, providing accurate information, acknowledging mistakes, and demonstrating a commitment
to resolving the issue.
4. Social Responsibility and Ethical Practices: Organizations that demonstrate social responsibility and ethical
practices tend to have stronger reputations. Engaging in community initiatives, supporting sustainable
practices, and adhering to high ethical standards help build trust and enhance reputation.
5. Online Reputation Management: Managing online reputation is crucial in today's digital age. Organizations
should actively monitor and manage their online presence, including social media platforms, review sites,
and news outlets. Addressing negative feedback and engaging with online communities helps protect and
enhance reputation.

3.9 Recovery Teams


Recovery teams are groups of individuals within an organization responsible for executing recovery efforts and
restoring normal operations following a disruption or crisis. These teams are essential to business continuity and
disaster recovery planning, as they provide a structured and coordinated approach to managing and recovering
from incidents.

Here are some common recovery teams and their roles:

1. Incident Management Team (IMT): The IMT is responsible for overall incident management and coordination.
They oversee the response efforts, assess the situation, and make critical decisions regarding resource
allocation, communication, and escalation. The IMT ensures that the organization's incident response plan is
followed and coordinates the activities of other recovery teams.

2. IT Recovery Team: The IT recovery team focuses on restoring and recovering IT systems and infrastructure.
This includes servers, networks, databases, and other technology components necessary for business
operations. The team implements backup and recovery procedures, tests system functionality, and works closely
with vendors or service providers to restore IT services.

3. Operations Recovery Team: The operations recovery team is responsible for restoring and resuming the
organization's core business processes and functions. They assess the impact of the disruption on operations,
develop recovery strategies, coordinate resource allocation, and ensure that critical business functions are
brought back online promptly.

4. Communications and Public Relations Team: This team handles communication during a crisis or disruption.
They develop and implement communication strategies to keep internal and external stakeholders informed
about the incident, recovery progress, and any actions they need to take. The team manages media relations,
issues public statements, and ensures consistent and accurate messaging.

5. Facilities and Infrastructure Recovery Team: The facilities and infrastructure recovery team focuses on
restoring physical facilities and infrastructure that may have been damaged or compromised during a disruption.
They coordinate repairs, assess safety and security concerns, and ensure that the workplace is suitable for
resuming normal operations.

6. Human Resources (HR) Recovery Team: The HR recovery team addresses the people-related aspects of the
recovery process. They assess the impact on employees, coordinate employee safety and well-being, implement
workforce continuity plans, and manage any HR-related issues arising from the incident. This includes employee
communication, relocation, support services, and coordination with external agencies, if necessary.

3. MEETINGS
a) The Committee shall meet at least four times a year, or more often as the Committee may determine;
additional meetings may be held from time to time as may be necessary at the request of the Board or
any of the Members;
b) A meeting of the Committee shall be convened by written notice being given by the Secretary at the
request of the Chairman to each Member (and invitee, as appropriate) not less than 7 days before the
date set for the meeting, except in cases of urgency, when a meeting may be convened on shorter
notice upon approval by a majority of the Members. The notice shall include the date, time, and location
of the meeting and shall be accompanied by a meeting agenda and appropriate briefing materials;
c) All Committee members are expected to attend all meetings, in person or via tele- or video conference;
d) For meetings of the Committee to reach a quorum, it shall be necessary for a majority of the Members
to be present. All decisions and actions of the Committee shall be approved by a resolution passed by
the affirmative vote of the majority of the Members attending the meeting of the Committee at which
the resolution is approved. The Chairman shall have a casting vote in the event of a tie. No Member shall
be entitled to vote on any matter in which they have a direct or indirect interest;
e) Only Committee members have the right to attend Committee meetings;
f) The Committee may invite WISC executives, external experts, or others to attend the whole or part of
the meeting to present their opinion, advice, or pertinent information;
g) At each meeting, the WISC Secretary shall attend to take notes, keep regular meeting minutes, and
report the same to the Committee Chairman;
h) Minutes of the Committee meetings shall be circulated to the Committee members and guests, as
appropriate;
i) In consultation with the Chairman, the Secretary shall also prepare the agenda and circulate it, together
with proper briefing materials, to the Committee members well before a meeting;
j) The Chairman shall represent the Committee in the Board's meetings and regularly report to the Board
regarding the Committee's activities and actions, including at the first WISC Board meeting following
each Committee meeting;
k) In the absence of the Chairman and an appointed deputy, the remaining Members present shall elect,
from amongst themselves, a Member to chair the meeting from those who would qualify under this
Charter to be appointed to that position;
l) Any Committee member shall have the right to submit items for inclusion on the agenda for a meeting;
m) Members shall declare any actual or potential conflict of interest concerning participation in the
Committee regarding specific agenda items at the start of each meeting.

4. COMMITTEE'S REPORT
a) The Committee Chairman shall submit a report to the Board on any critical issue and shall, upon
consultation with the Chairman of the Board, determine the items to be included in the Board meeting
agenda, in addition to any subjects not falling within the competence of other committees;
b) The Committee submits its approved minutes regularly to the Board of Directors;
c) The Cybersecurity Committee shall submit an annual report to the Board of Directors that shall include
the following:
1. Composition and responsibilities of the Committee.
2. Number of meetings held during the year and the number of meetings attended by each
Member.
3. An overview of the WISC's cybersecurity risk landscape, recent incidents, and compliance status.
4. Update on cybersecurity strategy, resource allocation, third-party risk management, employee
training, emerging technologies, and KPIs.
5. Summarize recommendations and action items to enhance cybersecurity resilience.

5. COMMITTEE'S METHODOLOGY
a) The Committee is responsible for creating a yearly plan that outlines the tasks it will perform in the
upcoming year. This plan should include work programs calculating the estimated cost and time needed
to complete each task. The plan must be submitted to the Board of Directors for approval;
b) The Committee should receive all relevant data, information, reports, records, correspondence, or any
other necessary material from the Board of Directors and the Executive Management. They should take
the required actions to facilitate the Committee's tasks without any limitations;
c) The Committee is authorized to collaborate with other board committees, when deemed necessary, to
enhance the efficiency and productivity of their respective tasks;
d) The Committee can request detailed data and information from the executive management to better
carry out its tasks, including reports on executive performance, remuneration benchmarking, industry
trends, and legal and regulatory updates;
e) Communication between the Committee and other committees should be clear to ensure a common
understanding of each committee's responsibilities;
f) The Committee may engage external consultants, such as remuneration experts or executive search
firms, to provide independent advice and assistance in areas such as executive remuneration
benchmarking, market trends, and best practices;
g) An annual self-assessment is conducted to review the terms of reference and responsibilities of the
Committee, as well as the duties and obligations of its members. The purpose of this assessment is to
ensure the full implementation of all responsibilities outlined in this regulation;
h) Members shall receive induction training on the mandate of the Committee and shall be kept up to date
with the WISC's business objectives so that they can discharge their responsibilities effectively;
i) The Committee should collaborate closely with senior management, including the Chief Information
Security Officer (CISO) or equivalent, to ensure effective communication, alignment of objectives, and
implementation of cybersecurity initiatives;
j) The Committee shall formulate a succession plan, subject to the approval of the Board.

6. REMUNERATION
a) Any remuneration granted to the Members shall be in such form and amount as determined by the
General Assembly upon the recommendation of the Board, following the Applicable Law and best
industry practices;
b) A Member of the Committee shall be entitled to an attendance allowance for each session of the
Committee and to an annual remuneration, calculated as of the date of the Board's approval of the
Member's appointment. The attendance allowance shall also apply when the meeting is held remotely
through modern visual or audio means of communication or any other electronic method;
c) The Secretary of the Committee shall be entitled to an annual remuneration and attendance allowance
for each meeting of the Committee;
d) The remuneration and session attendance allowance are calculated according to the remuneration
policy approved by the General Assembly;
e) The remuneration of the Members of the Committee shall be disclosed in the annual report of the Board
of Directors to the General Assembly, and the report of the Board of Directors to the Ordinary General
Assembly shall include a comprehensive statement of all remuneration, expense allowances and other
benefits received by each Member during the fiscal year.

***
