
Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript. If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe Acrobat.

Signature Manifest
Document Number: CSOP-0000003 Revision: AA
Title: Business Continuity Management Policy and Plan For Hayco Group
All dates and times are in UTC+ 08:00 Time.

Review: CSOP-0000003 AA Business Continuity Management Policy and Plan For Hayco Group

Review

Name/Signature Title Date Meaning/Reason


WONG Gary (SHK43614) Manager 10 Jun 2019, 10:01:30 AM Reviewed

Review: CSOP-0000003 AA Business Continuity Management Policy and Plan For Hayco Group

Review

Name/Signature Title Date Meaning/Reason


Kevin Fung (SHK58520) 05 Jun 2020, 10:12:19 AM Reviewed

Review: CSOP-0000003 AA Business Continuity Management Policy and Plan For Hayco Group

Review

Name/Signature Title Date Meaning/Reason


Kevin Fung (SHK58520) 18 May 2021, 08:28:56 PM Reviewed

Review: CSOP-0000003 AA Business Continuity Management Policy and Plan For Hayco Group

Review

Name/Signature Title Date Meaning/Reason


Kabi Chung (SHK59621) Senior Manager – Internal Audi 14 Dec 2021, 10:13:37 AM Reviewed

Review: CSOP-0000003 AA Business Continuity Management Policy and Plan For Hayco Group

Review

Name/Signature Title Date Meaning/Reason


Kabi Chung (SHK59621) Senior Manager – Internal Audi 14 Nov 2022, 12:59:48 PM Reviewed

Review: CSOP-0000003 AA Business Continuity Management Policy and Plan For Hayco Group

Review

Name/Signature Title Date Meaning/Reason


Yee Wan CHUNG (80000104) Senior Manager – Internal Audi 16 Oct 2023, 11:08:01 AM Reviewed
CSOP
TITLE: Business Continuity Management Policy and Plan For Hayco Group
CSOP NO.: CSOP-E01.03    REV: AA    PAGE: 1 of 37

REV    CHANGE HISTORY     PCO    CSOP Author    Issue Date
AA     - First release    N/A    Gary Wong      12-Apr-2018

CSOP Process Owner CSOP Author DD-MMM-YY Reviewed by DD-MMM-YY

Amii Tam Gary Wong 12-Apr-2018 Dan Panzica 12-Apr-2018


Approved Name / Title Signature DD-MMM-YY

- -

Dan Panzica / VP - QA - -

Bernard Lim / VP - Operations - -

- -

HQA003AQ

Contents
Section
Policy
I General
II Management Responsibilities
III Program Management
IV Communication
V Business Continuity Strategy
VI Immediate Actions and Escalation
VII BCP Teams
VIII Recovery Procedures
IX Performance and Monitoring
X Failures, Non-conformances and Corrective Action
XI Training
XII Testing and Exercise
XIII Record


Business Continuity Management

Policy
The Business Continuity Management (“BCM”) policy provides the foundation for all business
continuity-related issues and activities within the organization. To achieve this, we will ensure
that this business continuity management plan is in compliance with:

a. Hayco policies;
b. Current applicable legislation, regulatory and statutory requirements and other
requirements to which Hayco subscribes.

We recognize the importance of business continuity and require the company to have a
series of business-driven processes that establish a comprehensive strategic and
operational BCM framework which:
a. Proactively improves the company’s resilience against the disruption of its ability to
achieve its key objectives;
b. Provides a regularly rehearsed method (e.g. test & exercise) of restoring the
company’s critical business functions to an appropriate level within an agreed time
after a disruption;
c. Delivers a proven capability to manage disruptions to various business processes
and protect the company’s associates, reputation and financial position including
assets belonging to the company and its customers.

In this regard, every associate has a role in making sure that Hayco can continue to serve
our customers regardless of any disruption. This Policy illustrates our commitment to
ensure continuity of service delivery and operations through the continual improvement of
our BCM management system.

BCM Plan
Section I - GENERAL
1.0 PURPOSE
In the event of a disaster which interferes with Hayco’s ability to conduct business from
one of its facilities, this plan is to be used by the responsible individuals to coordinate the
business recovery of their respective areas. The plan is designed to contain, or provide
reference to, all of the information that might be needed at the time of a business
recovery.

2.0 SCOPE
This plan applies to all operation locations in the Hayco Group.

3.0 DEFINITIONS
BCM Plan: Business Continuity Management Plan
BCP Leader: Business Continuity Plan Leader
Disaster: Any event that renders a business facility inoperable or unusable so that it interferes with the organization’s ability to deliver essential business services for or over five (5) working days.
MIS: Management Information System. The IT department of Hayco
SAP: System Application Program. An Enterprise Resources Program adopted by Hayco

4.0 RESPONSIBILITIES
4.1 The BCP Coordinator, BCP Leader and BCP Teams are responsible for executing this Business Continuity Management Plan (BCM Plan).

Team / Member and Responsibilities

BCP Leader
• Initiates the disaster notification process and leads the recovery exercise
• Serves as liaison between business unit and management team

Crisis Management Team (CMT)
• Advises the BCP Team Leader and provides support in strategic decision-making during an incident

Emergency Human Resources Team
• Provides information regarding the disaster and recovery efforts to employees and families

Administration Team
• Activates the response plan
• Arranges for the availability of necessary site support services and equipment

Information Technology Recovery Team
• Activates the IT recovery plan
• Manages the IT disaster response and recovery procedures

BCP Coordinator
• Coordinates with different teams and departments in order to maintain and update this BCM policy

Objectives
The objective of the Business Continuity Management Plan (BCM Plan) is to coordinate recovery
of critical business functions in managing and supporting the business recovery in the event of a
facilities disruption or disaster. This can include short or long-term disasters or other disruptions,
such as fires, epidemic disease, floods, earthquakes, explosions, terrorism, tornadoes, data loss
and corruption, cyber-attack, extended power interruptions, hazardous chemical spills, strikes
and other natural or man-made disasters.

The priorities in a disaster situation are to:

1. Ensure the safety of employees and visitors in the sites.
2. Mitigate threats that can cause disastrous business interruption, or limit the damage they can cause.
3. Have advanced preparations to ensure that critical business functions can continue.
4. Have documented plans and procedures to ensure the quick, effective execution of recovery strategies for critical business functions.


Section II – MANAGEMENT RESPONSIBILITIES


2.1 Role of Management
The management team is responsible for:

• Periodically reviewing the adequacy and appropriateness of its Business Continuity strategy.
• Assessing the impact on this Business Continuity Plan of additions or changes to existing business functions, procedures, equipment, and facilities requirements.
• Keeping recovery team personnel assignments current, taking into account promotions, transfers, and terminations.
• Appointing an appropriate representative or committee (e.g. Audit and Risk Management Committee) to manage the BCM programme.

2.2 Role of Business Continuity Plan Leader (BCP Leader)


The Business Continuity Plan Leader has the following responsibilities:

• Initiates the disaster notification process; i.e., communicates within a business unit.
• Serves as liaison between business unit and management team.
• Acts as team leader for the business unit recovery team.
• Tracks actual progress/completion of recovery activities against the projected sequence of recovery events.
• Submits final disaster assessment reports and action plans to the management team.

2.3 Management Review and Continual Improvement


2.3.1 Business Continuity Management (BCM) Review Meetings

The review meeting will ensure the following with regard to the BCM system:

• continuing suitability, adequacy and effectiveness of BCM policy, BCP objectives and programs and staff assigned with BCM roles and responsibilities
• opportunities for continual improvement and implementation of best practices
• changes if required as a result of changes to threat and risks

The Business Continuity Management Reviews should be undertaken regularly (e.g. annually). Items to review during the meeting may include, but are not limited to:

• results of audits and evaluations of compliance with legal requirements and with other regulatory requirements
• results of tests and exercises
• communication(s) from external interested parties including complaints
• the resiliency performance of the organization
• the extent to which the objectives and targets are met
• status of corrective and preventive actions
• follow up actions from previous reviews
• changing circumstances including developments in legal and other requirements related to BC & security aspects
• recommendations for improvement

Extraordinary meetings may be called at any time to address specific issues relating to
the BCM. These meetings are not required to address a full review of the BCM.


Section III – PROGRAM MANAGEMENT


3.1 Introduction
An effective BCM plan will involve the participation of various managerial, operational,
administrative and technical disciplines that need to be coordinated throughout its life
cycle.
The plan should be managed within the framework and according to the principles
contained in the BCM Policy document.
3.2 Process
Management should:

• Develop and approve a BCM planning process and programme.
• Undertake or manage the appropriate BCM activities within the organization:
  o Business Disruption Risk Assessment
  o Business Unit Business Impact Assessment review
  o Business Continuity Plan & sub-plan review consistent with current findings and recommendations
  o BCM Test and exercise conduct and outcomes
  o BCM awareness and training schedule for management and employees
  o BCM Programme management review for currency
  o BCM Internal audit conduct and findings
• Promote BC across the organization and externally where appropriate
• Maintain the BCM programme documentation
• Review the current state of readiness of organization required by legislation and regulation

3.3 Methods and Techniques
The methods, tools and techniques to manage this BCM programme may include, but are not limited to:

• Conduct of BCM Internal Audit
• Periodic review of supplier and outsource provider relationship management of business services and resources
• Periodic review of relationships with emergency suppliers of BCM specialist resources and services
• Periodic review of legal and regulatory environment

3.4 Outcomes
The outcomes of the BCM programme include:

• Documented BC management programme that is agreed by management
• Record of BCM programme review
• Documented BCM Strategy
• The overview of recovery solutions
• The BCM programme audit result
• Successful notification, escalation, invocation and recovery experiences

3.5 Review
This BCM programme should be managed on an ongoing basis.
The programme should be reviewed by internal or external audit (if appropriate) on a
predetermined timescale that they define.


Section IV - COMMUNICATION
4.1 Overview
The purpose of this section is to promote a business continuity culture among all employees, as follows:

• Display of the BCM Policy to internal staff. These may also include BCM advisories and sharing of BCM best practices
• Emphasis during BCM awareness training
• Feedback system
• Dissemination of information relating to BCM procedures and equipment in use

4.2 External Communications


BCM communications to business partners may include:

• Promotion of the BCM management Policy
• Feedback system
• Dissemination of information relating to BCM procedures

Business partners will be requested to provide appropriate information relating to their BCM practices and commitment to BCM. Every opportunity to promote BCM to business partners is to be taken.

4.3 Crisis Communications


Apart from external communications with business partners, the organization shall establish, implement and maintain a warning and crisis communication process for:

• detecting an incident;
• regular monitoring of an incident;
• internal communication within the organization and receiving, documenting and responding to communication from interested parties;
• assuring availability of the means of communication during a disruptive incident;
• facilitating structured communication with emergency responders;
• recording of vital information about the incident, actions taken and decisions made.

The following shall also be considered and implemented where applicable:

i. alerting interested parties potentially impacted by an actual or impending disruptive incident;
ii. assuring the interoperability of multiple responding organizations and personnel;
iii. operation of a communications facility.

The crisis communication and warning process shall be regularly reviewed.


Section V - BUSINESS CONTINUITY STRATEGY

5.1 Introduction
This section describes the strategy devised to maintain business continuity in the event of
a facilities disruption.

5.2 Business Function Recovery Priorities


The strategy is to recover critical Hayco business functions at the alternate site location. MIS
will recover IT functions based on the critical departmental business functions and defined
strategies.

Business function recovery priorities are listed in the Recovery Time Objectives Priority List.

5.3 Relocation Strategy and Alternate Business Site


In the event of a disaster or disruption to the office facilities, the strategy is to recover operations
by relocating to an alternate business site. The short-term strategies (for disruptions lasting two
weeks or less), which have been selected, include:

| Primary Location | Alternate Business Site |
| --- | --- |
| Site A | Site B |
| Site B | Site C |
| Site C | Site B |
| HK | Site C |
| DR (2018) | DR Temporary Office in Free Trade Zone, Industrial Estate or Hotel |

For all locations, if a long-term disruption occurs (i.e. major site destruction, etc.), the above
strategies will be used in the short term (less than two weeks). The long-term strategy will be
to acquire/lease and equip new space at another site in the same metropolitan area.

5.4 Recovery Plan Phases


The activities necessary to recover from a facilities disaster or disruption will be divided into four
phases. These phases will follow each other sequentially in time.

1. Disaster Occurrence
This phase begins with the occurrence of the disaster event and continues until a
decision is made to activate the recovery plans. The major activities that take place in
this phase include: emergency response measures, notification of management,
damage assessment activities, and declaration of the disaster.

2. Plan Activation
In this phase, the Business Continuity Plans are put into effect. This phase continues until
the alternate facility is occupied, critical business functions are reestablished, and
computer system service is restored. The major activities in this phase include: notification and
assembly of the recovery teams, implementation of interim procedures, relocation to
the secondary facility/backup site, and re-establishment of data communications.

3. Alternate Site Operations
This phase begins after secondary facility operations are established and continues until
the primary facility is restored. The primary recovery activities during this phase are
backlog reduction and alternate facility processing procedures.

4. Transition to Primary Site
This phase consists of any and all activities necessary to make the transition back to a
primary facility location.

5.5 On-line Access to Hayco Computer Systems


In the event of a facilities disruption, the MIS department should be able to assist in establishing remote
communications to any alternate business site location. If the data center is affected by a
disaster or disruption, the recovery procedures should include recovering processing at a
pre-determined alternate site. Services covered would include phones, cellular phones,
communications and core applications like SAP, and all other services required for restoring
limited emergency service to the organization.

Section VI - IMMEDIATE ACTIONS AND ESCALATION


Upon notification of a major incident or disaster, the BCP Team Leader will take the following
actions. The actions below are to occur immediately to ensure health and safety of all employees
(i.e., Evacuation and Location of Team Members).

6.1 Immediate Actions - If you are at Work


6.1.1 Emergency Response
Follow the evacuation team from the factory admin department and/or public emergency
officials.
6.1.2 Assemble Team and Review Incident
Once employees have gathered in the designated evacuation assembly areas,
assemble your department team to determine their status.
If you are the first to view or report the incident, record initial event information to be
communicated to factory admin and/or the BCP Team Leader.

Name of Notifying Person:
Date/Time of Notification:
Location of Incident:
Description of Incident:
Injuries/Fatalities or missing employees:
Threats to Life/Safety:
Property Damage:
Emergency Services Contacted:
Utilities Impacted (yes/no):
Other:

1. Do not speak to the media. Employees are to refrain from talking about
company business to members of the press or broadcast organizations. Only
authorized personnel are permitted to release company-related information to the
media. If a representative of the news media from any publication, radio or
television station requests information from you, direct their inquiries to Corporate
Communications (i.e. Corporate Communication Manager).
2. BCP Leader and BCP teams will provide instructions to employees who are on
site. When the disaster has been declared, a standard greeting will notify
employees about any current situations, as well as provide updates and
instructions on crisis situations as issues are addressed.
3. The BCP Team Leader will decide whether or not to send employees home.
Instruct employees to return to their homes until the recovery sites are available.
It may take several days to properly equip the recovery site for staff to begin
working. Employees who are able to do so will work from their homes during the
interim period.

6.2 Immediate Actions - If You Are Not At Work


6.2.1 Initial Communications
1. If you believe you are the first person to hear of an incident or potential disaster,
contact the BCP Team Leader or the alternate BCP Team Leader if the BCP Team
Leader is unavailable.
   Triggers for notification of the BCP Team Leader:
   • Serious injuries or fatalities
   • Threat to lives and safety of employees
   • Facility is damaged to the extent that employee relocation is required
   • Disruption to critical business processes (e.g., inability to take, fulfill, or
     deliver customer orders)
   • Potential significant impact to revenue
   • Media or public is aware of the incident

2. Inform the BCP Team Leader of your status and how to contact you.
3. The BCP leader will attempt to communicate with employees.

6.3 Damage Assessment


Note: This process may occur before or after relocation to the recovery site and will
depend upon the severity of the disruption.
1. BCP Leader will assign appropriate personnel to complete the damage assessment. If
necessary, BCP Leader will arrange a third-party engineering company to perform a
structural assessment prior to re-entry of the facility.

2. Department damage assessment will only occur once the site has been cleared for
re-occupancy by the Administration Team and appropriate authorities.

3. If instructed by the BCP Leader, each department lead will perform damage assessment
activities of their department’s workspace.

4. The BCP leader will determine what resources (computers, vital records, and
equipment) can be salvaged and what resources will need to be purchased. Each
individual department will be responsible for decisions concerning the priority of
salvage within its department.

5. The department leader will provide the list of salvaged and damaged resources to the
BCP Leader. The salvage priority of Hayco as a whole will be dictated by the BCP Leader
based on the given circumstances. The ultimate decision will be referred to the BCP Leader,
who answers to the CMT.

See the sample of Damage Assessment Form below.

6.3.1 Damage Assessment Form

Begin damage assessment activities only after approval of the BCP Leader.

Area Surveyed:          Surveyor:          Date:
Phone:          Time:

| Sequence | Details |
| --- | --- |
| General Work Area (if site is deemed inhabitable by Facilities) | Is work-area clean of debris? Yes [ ] No [ ] Describe: |
| | Are there areas where safety is a concern? Yes [ ] No [ ] Describe: |
| | Is there soot, dust, or water in the area? Yes [ ] No [ ] Describe: |
| | Other. Describe: |
| Contents | Are cabinets/shelves/racks damaged? Yes [ ] No [ ] Describe: |
| | Is there damage to cubicles or office equipment? Yes [ ] No [ ] Describe: |
| | Other. Describe: |
| Computer / Phone | Are telephones operable? Yes [ ] No [ ] Describe: |
| | Are workstations / PCs intact? Yes [ ] No [ ] Describe: |
| Files and other Vital Records (including hard and soft (electronic) copies) | Are files destroyed? Yes [ ] No [ ] Describe: |
| | Are files/vital records missing? Yes [ ] No [ ] Describe: |
| | Other. Describe: |
| Process Equipment | Is equipment in its original position? Yes [ ] No [ ] Describe: |
| | Does equipment appear damaged? Yes [ ] No [ ] Describe: |
| | Other. Describe: |
| Other Observations | Area. Describe: |

6.4 Implement Recovery Strategies


Hayco has developed corporate-wide strategies for the recovery of IT systems and office
workspace. These strategies have been approved by the management team. A description
of each strategy is provided in each site's local BCP Plan.

6.5 Activate Department Business Continuity Plans


1. The BCP Leader is responsible for instructing BCP Teams whether or not to activate
their portion of the BCP.
2. The BCP Team Leader will receive information about employee status and the nature of the
disruption from the Administration Team and other first responders in order to make a
decision regarding disaster declaration.

3. Each department lead will instruct their employees regarding the incident and any actions
they should take.

BCP Teams will implement the recovery procedures outlined in the Business Continuity
Plans.

Section VII – BCP TEAMS


7.1 Purpose and Objective
This section of the plan identifies who will participate in the recovery process in this
Business Continuity Plan. The participants are organized into one or more teams. Each team
has a designated team leader and an alternate for that person. Other team members are
assigned either to specific responsibilities or as team members to carry out tasks as needed.

7.2 BCP Team Descriptions


This section lists the team formation and responsibilities.
1) Representatives from different functions
2) Develops procedures to recover essential business functions. (If no
essential business functions are identified, ensures the minimal level of planning
is prepared, ensuring notification lists and evacuation procedures are developed.)
3) Identifies the resources needed to support restoration of essential
business functions, within the appropriate time frames.
4) Works with the technical support team to plan and execute disaster
recovery exercises to determine whether essential business functions can be recovered
within acceptable timeframes as outlined in the business recovery plan.
5) Develops test plans; reviews test results and audit reports; plans and
oversees corrective actions, as required.
6) Sets up alternate site.
7) Oversees recovery logistics, travel, meals, and communications.

7.3 Function of each team

7.3.1 Crisis Management Team (CMT)

The CMT will advise the BCP Team Leader and provide support in strategic
decision-making during an incident.
The responsibilities of the CMT include:
• Organize and deploy corporate resources to assist with recovery efforts
• Provide strategic guidance to the functional head to cascade to their department

• Act as media spokesperson (work in conjunction with Corporate Communications and
  Customers)

7.3.2 Business Continuity Plan Leader (BCP Leader) – VP - Operation / Alternative: On duty Operation Director / Senior Site Manager

In the event of a disaster, the Business Continuity Plan Leader is responsible for
ensuring that the following activities are successfully completed:
• Work with management to officially declare a disaster, and start the Disaster
  Recovery/Business Continuation process to recover Hayco’s business functions at an
  alternate site.
• Present Business Continuity Plan recovery status reports to the management team on a daily
  basis.
• Interface with appropriate work management personnel throughout the recovery process.
• Provide on-going support and guidance to the Business Continuity teams and personnel.
• Review staff availability and recommend alternate assignments, if necessary.
• Work with management to authorize the use of the alternate recovery site selected for
  re-deploying critical Hayco resources.
• Review and report critical processing schedules and backlog work progress, daily.

7.3.3 Emergency Human Resources Team –


This team is responsible for:
• Providing information regarding the disaster and recovery efforts to employees and
  families.
• Assisting in arranging cash advances if out of area travel is required.
• Notifying the employee’s emergency contact of employee injury or fatality.
• Ensuring the processing of all life, health, and accident insurance claims as required.
• Coordinating temporary organization employee requests.

7.3.4 Administration Team –


This team is responsible for:
• Ensuring the recovery/restoration personnel have assistance with clerical tasks, errands,
  and other administrative activities.
• Arranging for the availability of necessary site support services and equipment.
• Providing a channel for authorization of expenditures for all recovery personnel.
• Arranging travel and logistics for employees.
• Coordinating the collection of cost-related information for the recovery and restoration effort.
• Identifying and documenting when repairs can begin and obtaining cost estimates.
• Determining where forms and supplies should be delivered, based on damage to the
  normal storage areas for the materials.
• Contacting suppliers to schedule specific start dates for the repairs.
• Taking appropriate actions to safeguard equipment from further damage or deterioration.
• Coordinating the removal, shipment, and safe storage of all furniture, documentation,
  supplies, and other materials as necessary.
• Supervising all salvage and cleanup activities.
• Coordinating required departmental relocations to the recovery sites.
• Coordinating relocation to the permanent site after repairs are made.
• Assuring that arrangements are made for meals and temporary housing facilities, when
  required, for all recovery personnel.
• Assuring order placement for consumable materials (forms, supplies, etc.) for processing
  based upon input from the other teams.
• Establishing internal mail delivery procedures and process.
• Assuring that mail and reports are redirected to the proper location as required.
• The safety of all employees.
• Inspecting the physical structure and identifying areas that may have sustained damage.
• Providing management with damage assessment reports and recommendations.

7.3.5 Information Technology Recovery Team –


This team is responsible for:
• Activating the IT recovery plan.
• Managing the IT disaster response and recovery procedures.
• Mobilizing and managing IT resources.
• Coordinating all communications related activities, as required, with telephone & data
  communications, PC, LAN support personnel, and other IT related suppliers.
• Assisting, as required, in the acquisition and installation of equipment at the recovery site.
• Ensuring that cellular telephones and other special order equipment and supplies are
  delivered to teams as requested.
• Participating in testing equipment and facilities.
• Participating in the transfer of operations from the alternate site as required.
• Coordinating telephone setup at the recovery site.
• Coordinating and performing restoration or replacement of all desktop PCs, LANs,
  telephones, and telecommunications access at the damaged site.
• Coordinating Disaster Recovery/IT efforts between different departments in the same or
  remote locations.
• Training Disaster Recovery/IT Team Members.
• Keeping the management team and the Business Continuity Plan Leader apprised of
  recovery status.
• Recovery of database and applications.

Section VIII – RECOVERY PROCEDURES


8.1 Introduction
This section provides general guidelines for each local site to develop their recovery
strategy on facility relocation.
In the event the building and/or equipment located at your facility is unavailable, your site will
implement the strategy by relocating critical staff or shifting workload to different recovery sites.

8.1.1 Facility Relocation Tasks


This task list gives guidelines on the emergency response activities that should be completed and the
responsibilities of each BCP Team.

Tasks and Procedures (the responsible party is shown for each task)

1. Determine which recovery sites will be utilized by each department.
   Responsible: BCP Team Leader

2. Notify the Operation Director / Manager at each recovery site to inform them of the
   relocation requirements and confirm the amount of seats available.
   • If the dormitories are impacted by the incident, determine how much space is
     available at the plant dormitories.
   • Arrange housing / hotels for staff who are staying in the dormitories.
   Responsible: BCP Team Leader

3. Arrange for emergency funds to pay suppliers for recovery services.
   Responsible: Emergency HR Team / Finance

4. Arrange transportation (e.g., buses or shuttles) to the recovery sites.
   Responsible: Administration Team

5. Arrange for the setup of workstations with tables, chairs, and other equipment at the
   recovery sites.
   Responsible: Administration Team

6. Set up workstations with computers, phones, and other technology components.
   • Set up standard computers and phones.
   • Set up infrastructure (bandwidth, storage, etc.) at each recovery site.
   • Install client applications on PCs as needed.
   Responsible: IT Recovery Team

7. Based on the resource requirements, assign staff to work from home or from the
   designated recovery site.
   • Identify which staff will be required immediately and which staff will be
     phased in over time. Consider employee needs and family situations.
   • Verify that staff who will work from home have the equipment they need.
   • Contact the BCP Team Leader to request additional staff to be set up to work
     from home.
   Responsible: BCP Team Leader

8. Instruct applicable staff to relocate to the recovery site.
   • Provide timeframe for relocation.
   • Work with the BCP Team Leader and HR to determine if transportation
     arrangements are being made for employees (i.e., shuttle buses, airplane tickets,
     hotel reservations) for certain recovery sites.
   • Provide directions to the recovery site.
   • Provide information on site / security access (you will need to verify with the
     BCP Team Leader the procedures to access the recovery site).
   Responsible: Each Department Lead

9. Check into the recovery site and find your department’s designated work area.
   Responsible: Each Department Lead

10. Account for all team members within the department.
    Responsible: Each Department Lead

11. Once all team members have been accounted for, hold a department meeting to:
    • Determine status of current projects and business processes.
    • Re-prioritize critical business processes based on disaster and recovery
      circumstances.
    • Assess mental / physical ability to commence work (i.e., some employees may
      have medical conditions or family situations that limit their schedule).
    Responsible: Each Department Lead

12. Ensure equipment (Computer, Phone, Applications) is functioning at recovery site
    and coordinate with support staff as necessary (IT, site services, HR, etc.). Note:
    Not all critical applications will be available upon relocation to the Recovery Site.
    Implement manual workaround procedures as needed.
    Responsible: Each Department Lead

13. Retrieve any offsite vital records or necessary supplies as identified in your Team
    Recovery Box.
    Responsible: Each Department Lead

14. Contact staff who will not be required to work from the Recovery site and are not
    able to work from home. Inform them of any actions they should take until
    they are needed at work again.
    Responsible: Each Department Lead

15. Contact insurance agency or broker to report the incident.
    Responsible: Finance

16. Activate production recovery / relocation.
    Responsible: Admin / Operations

17. Other tasks

Section IX – PERFORMANCE AND MONITORING


9.1 Introduction
This procedure states the process to measure and monitor the performance of the BCM
system.
The BCM management system would incorporate both proactive and reactive monitoring
as follows:
• Proactive monitoring to check conformity to the organization's continuity
  activities.
• Reactive monitoring to investigate, analyze and record continuity management
  system failures.

9.2 Methodology
Elements to be monitored include determining the extent to which:
• Equipment supporting recovery and emergency response is calibrated and in
  working condition
• Operational procedures are adhered to
• The BCM management system is meeting its stated objectives and KPIs/Targets
• Personnel responsible for emergency and response are adequately trained and
  competent
• Non-conformances, continuity related deteriorations, failures and incidents are
  proactively detected

To assist in performing proactive and reactive monitoring, the reporting process is to
implement a process of routine measurements to monitor the performance of the BCM
management system. This shall be conducted through the use of:
• Systematic inspection using checklist
• Reviewing and evaluating logistics including statistical patterns
• Inspection of equipment supporting emergency and response to check that they
  are in good condition
• Analysis of documentation and records
• Stakeholder feedback
• If determined appropriate, outsourced supplier contract reviews for new,
  additional or changed BCM requirements

9.3 Performance Monitoring & Measurement Matrix


The monitoring process is based on associated threats and risk from the Risk
Assessment including potential deterioration mechanism and its consequences. The
Performance Monitoring & Measurement Matrix Table (See Section 9.5 below) defines
the following parameters for monitoring:
• Continuity measurement & entity to be monitored
• frequency of monitoring
• personnel responsibility to carry out the monitoring
• type of monitoring report

Spot checks of critical tasks are to be included as part of the measurement regime in
order to assure conformity to continuity procedures and codes of practice.

9.4 Monitoring Report
The dedicated staff is to complete a Monitoring Report after each measurement. The
report is to detail any non-conformances to the BCM management system and provide
recommendations for improvement.
The monitoring reports will determine whether the organization’s BCM objectives are met, as well
as the extent to which the BCM policy is met.

9.5 Performance Monitoring & Measurement Matrix Table (SAMPLE)


| S/N | BCM Measurement Method | Type of BCM monitoring | Entity to be Monitored | Report | Frequency | Responsibility |
| --- | --- | --- | --- | --- | --- | --- |
| 1. | Systematic inspection using checklist | Internal Audit Checklist Assessment | BCM system | Internal Audit report | Annually | Internal Auditors |
| 2. | Inspection of Equipment supporting emergency and response | Physical Inspection Checklist Assessment | Equipment supporting emergency and response | Maintenance Report | Annually | Designated Representative |
| 3. | Reviewing and evaluating statistical patterns | Review of data | a. Data records; b. Customer feedback; c. Continuity incident; d. Equipment Breakdown; e. BCM Awareness Training data | Trend Analysis Report | Annually | Designated Representative |
| 4. | Stakeholder Feedback | Interface Meetings | Stakeholders | Minutes | Business Partners – Annually; Suppliers – Annually; Service Providers – Annually | Designated Representative |

Section X – FAILURES, NON-CONFORMANCES AND CORRECTIVE ACTION
10.1 Business Continuity Failures
It is the duty of all employees (including visitors, contractors and business partners)
on site to immediately report the following Business Continuity failures:
 Business Continuity incidents and emergency situations

 Business Continuity near misses or false alarms

 Business Continuity breaches

 Non-conformance to Business Continuity procedures

Non-conformances may relate to procedures, equipment or personnel. Indicators to
facilitate the recognition of these failures include:
 Trend analysis from past incidents

 Updates from Risk Assessment

 Inspection reports

The BCM Coordinator or other designated person will record Business Continuity failures.
Investigation into the root cause of the non-conformance is to be conducted by the BCM
Coordinator in consultation with any staff involved in the operation/area. Thereafter,
corrective actions are to be drawn up in consultation with any staff involved in the
operation/area. Where necessary this should trigger or feed into the input of the Risk
Assessment & BIA for review.

Following completion of the action, the BCM Coordinator will implement and record
any changes in the documented procedures resulting from corrective action and will
include the required training where necessary.

10.2 Reporting
Management or the designated committee is to review all Business Continuity related
failures, incidents and 8D reports (for non-conformances and corrective action) as part of
their agenda items.


Section XI – TRAINING
11.1 Introduction
The management is to identify the continuity training needs at their site in consultation
with key managers.
As a guideline this process is to incorporate the following:
 A systematic identification of the BCM awareness and competencies required at
each level and function within the organization

 Arrangements to identify and remedy any shortfalls between the level currently
possessed by the individual and the required continuity awareness and
competency

 The provision of any training identified as being necessary, in a timely and
systematic manner

 An assessment of individuals to ensure that they have acquired, and that they
maintain, the knowledge and competency required

 The maintenance of appropriate records of an individual’s training and
competency

All BCM-related training material is to be reviewed by the management and the BCM
Coordinator. Training sessions will be arranged by the BCM Coordinator and Training
Department.

The BCM Coordinator is to determine the means and methods for providing BCM
Training. Training methods may include lectures, briefings, interactive video, computer
based training, simulations, instructional materials, signage and any other appropriate
approach.

The management, BCM Coordinator and Training Department may establish a training
schedule to ensure that training is planned and provided for all related personnel.
11.2 BCM Awareness Training
The Training Department is responsible for ensuring that all related employees and
long-term contractors at the site receive the BCM awareness training (e.g. at their
induction and orientation). Refresher briefings for all staff are to be conducted.


The company is to ensure that BCM awareness training covers the following:
 BCM Policy

 An overview of the BCM system arrangements including specific roles and
responsibilities of BCM Leader / BCP Teams

 Specific BCM procedures in place

 Business Continuity Plans

For changes to BCM procedures, as well as any changes to regulatory requirements,
affected staff and relevant business partners are required to be informed. This can be
provided by way of formal briefings or other forms of communication.

Members of the BCP Teams are to undertake appropriate training to ensure they
understand their roles and responsibilities within the BCM system.
11.3 Reporting
Formal records are to be maintained for all training by the Training Department.

11.4 Training Evaluation and Effectiveness


The effectiveness of training is to be measured by a combination of assessment during
the training and through field checks. Consideration is also to be given to monitoring the
long term impact of the training.

Assessment of BC training and awareness across the organization shall be carried out at
two levels:
Programs level. The programs should meet the needs of business units supporting
the objectives of the BCM system.

People level. Participants are assessed after each program to check that training
received meets the objectives set, to fulfill their responsibilities in the BCM
system.


Section XII – TESTING and EXERCISE


12.1 Purpose
The purpose of the exercise programme is to ensure that over a period of time:

 All information in plans is verified

 All plans are rehearsed

 All personnel (including deputies) are exercised

 Concepts and Assumptions

12.2 Objectives
Tests and exercises shall achieve the following objectives:-

 Verify that the BC plan or part thereof is viable and practical

 Verify that the recovery time scale and priorities can be met (e.g. the RTO)

 Verify that suppliers identified in the BC plan can support the recovery in a timely,
efficient and effective manner

 Verify that the resources identified in the BC plan can be activated and accessed in a
timely, efficient, effective and adequate manner

 Rehearse and train personnel who would be involved in the actual recovery

 Identify areas to be improved or fine-tuned

12.3 Outsourced Activities


The exercising of outsourced activities may be made a requirement of the contract and be
enforced through service level agreements.

Staff from the organisation and external parties involved in the recovery effort shall
participate in periodic and systematic tests and exercises to ensure familiarity, proficiency,
alertness and response to disaster.

12.4 Testing
The infrastructure required to support tests and exercises of the BC plan shall be available,
adequate and operational in a timely manner. Management should ensure appropriate
infrastructure is available to perform scheduled tests and exercises, including computing
technology and equipment required if physical aspects of the BCP are to be tested.

Tests and exercises shall assess the following:-


 Operation of Critical Business Functions (CBFs) during test and exercise conditions

 Backup, off-site storage and retrieval of information supporting the CBFs

 Critical processes supporting CBFs; staff and recovery teams supporting CBFs; alternate
site(s), if they form part of the recovery strategy

 Internal and external interfaces

The process during tests and exercises shall:-

 Draw up a list of all recovery processes (e.g. call-tree, relocation) and responsibilities of
related owners

 Decide on suitable type of exercise activity for each process

 Devise a timetable of exercise activities that ensures that, over a period, all relevant
personnel are included in the exercise activity

12.5 Recovery Processes


The exercise programme should include suitable activities to exercise the various facets of the
BCM strategies adopted. These may include:

 Technical - are the system and parts available

 Procedures - are the procedures correct

 Logistical - do the procedures work together in a logical fashion

 Timeliness - can the procedures achieve the required RTO for each activity

 Administrative - are the procedures manageable

 Personnel - are the right people involved and do they have the required skills, authority
and experience

12.6 Outcome & Deliverables


The outcomes of the BCM exercising programme process include:

 A timetable for an exercise programme

 Documentation of the testing results


12.7 Review
During the test / exercise, the following items will be assessed:

 Attendance and preparedness.

 Task execution

 Leadership, coordination and control

 Feedback from participants

A debrief session shall be conducted after each test/exercise with appropriate groups of
participants to review the results. The agenda of each debrief session shall include the following items:-

 Review results for deviation from the BC plan and procedures

 Identify corrective actions and propose recommendations for improvement

 Identify and assign responsibility for corrective actions and recommendations

 Establish schedule to complete all corrective actions and recommendations

12.8 Corrective Action Process


 The management or its delegate will ensure that outstanding corrective actions and
recommendations noted after each completed test/exercise will be delegated for
action and followed up until satisfactory completion.

 For each recommendation or corrective action that cannot be rectified due to costs,
current business operation constraints, etc., the respective Head of Department must
submit a documented written request justifying the deviation and seeking a waiver.
The management will review the request and decide whether to grant the waiver from
compliance. Decisions to waive or not will be recorded in the management
meeting minutes.


XIII - Record
13.1 Form: HIA0001 Self-Assessment List

13.2 Form: HIA0002 BCP Team List

13.3 Form: HIA0003 Emergency Communication Call Tree


13.4 Form: HIA0004 Key Customer Contact List
13.5 Form: HIA0005 Emergency Supplier and External Aid List

13.6 Form: HIA0006 Risk Register

13.7 Form: HIA0007 Business Impact Analysis report

13.8 Form: HIA0008 Recovery Priority List

13.9 Form: HIA0009 Alternative Site Assessment

13.10 Form: HIA0010 Response Matrix
