The Business Continuity Management (BCM) model

The Iren Group pays great attention and commitment to the enhancement and protection of corporate assets that guarantee the operational continuity of the Business. Therefore, it formalised and implemented a Business Continuity Management (BCM) model by adopting the organisational and technological safeguards to ensure the continuity of processes, as well as a proactive and structured response in the response and monitoring phases of Emergency and/or Crisis events. The main objective of Business Continuity Management (BCM) is to ensure business resilience in the face of unforeseen events, ensuring the continuity of business processes deemed critical.

A proactive response

to restore business 

The BCM in the ordinary

In order to properly manage the processes related to business continuity, the Group has established an organisational model in the ordinary formalised in the Business Continuity Plan (BCP) Procedure, which complements the corporate organisational model for business continuity issues. Through the model, it is possible to ensure the implementation of appropriate organisational and technological measures, as well as to update and maintain the company's Business Continuity system over time.

The Business Continuity Plan (BCP) is the Operational Plan adopted by the Iren Group that defines within it:

 

  • continuity strategies for each critical process put in place to ensure the rapid resumption of processes in the event of an interruption
 
  • procedures for maintaining the model in terms of updating Business Impact Analysis (BIA), Crisis Simulations, Disaster Recovery Testing, and Staff Training

 

The BCM model in the ordinary is organised on three levels, with specific figures in the management of the ordinary.

 

  • The Strategic level defines the strategic guidelines for managing the model;

 

  • The Tactical level aims to transform strategic directions into operational planning activities for the model;
 
  • The Operational level concretises what is defined by the strategic and tactical levels.

Strategic level

 
  • The Strategic level is chaired by the Business Continuity (BC) Committee, which is responsible for reviewing the continuity system, analysing the Business Impact Analysis (BIA) and implementing continuous system improvement initiatives.

 

Tactical level

 

  • The Business Continuity Manager (also called BC Manager), a role held by the Risk Management Director who is responsible for implementing, developing and maintaining the BCM Plan;

 

  • The Business Continuity Team (also known as the BC Team), chaired by the BC Manager and composed of the BC Representatives of the Business Units and Parent Company and responsible for monitoring and updating routine activities and the outcome of Tests, evaluates and defines the strategies and actions to be implemented;

 

  • Business Continuity Representatives (also referred to as BC Representatives) of Parent and Business Units, who support the BC Manager in coordinating model update activities.

 

Operational level

 

  • Business Continuity process managers of Parent and Business Units, who are the figures identified for each business process, who update the Business Impact Analysis;

 

  • Operational Representatives, who are the point of contact for Second Level Companies, work with the BC Representative to apply the appropriate technical and organisational safeguards.

BCM in Emergency and Crisis Management

 

To achieve a structured response to an emergency or critical event, the Iren Group has adopted a Crisis Management Process with the goal of: 

 

  • supporting business figures involved in managing sudden events
 
  • containing the damage caused 
 
  • ensuring that business continuity is maintained.

 

The Crisis Plan or Crisis Management Plan is the documented set of rules and procedures for detecting, declaring, countering and managing an Emergency or Crisis situation. The Plan makes it possible to organise early responses and take all necessary actions to contain the event and return to normal operations. 

The organisational model of Crisis Management consists of the following extraordinary figures and structures:

The figures

 
  • The Crisis Committee: the collegial body delegated to manage situations of utmost seriousness (State of Crisis) and convened by the First Level Director once a Crisis situation is confirmed.
 
  • The Crisis Manager: variable figure appointed by the Crisis Committee based on the Crisis scenario to be addressed. Typically, the role is assigned to a senior executive in charge of the Structure/Company that is primarily affected by the scenario (e.g. Cybercrime Information Systems) and has the appropriate skills to coordinate the Crisis Team, dialogue with the Board of Directors and key collegial bodies.
 
  • The Emergency/Crisis Team: is activated in the Emergency and Crisis management process and is a completely variable structure depending on the scenario to be addressed. The Emergency/Crisis Team may include the Crisis Manager (in the event of a Crisis), the Operational Contacts of the impacted companies, the BC Process Managers, as well as industry specialists necessary for the resolution of the Emergency or Crisis. Specifically, the Emergency Team is convened by the First Level Director and is responsible for supporting the latter in managing the Emergency, while the Crisis Team is established by the Crisis Manager and is responsible for supporting the latter in managing and resolving the Crisis.
 
  • First Level Directors (of Parent and Business Units): are responsible for organising and implementing the Emergency and Crisis management system and ensuring the business continuity of business processes, and ultimately assesses the level of severity of the event.
 
  • Parent and Business Unit BC Process Managers: must meet certain requirements, in particular be at most the second reporting to the Parent Company Director or BU Director and be in charge of a structure.
 
  • Operational Representatives: role filled by the CEO of each Second Level Company, or delegate thereof.

The communication process

 

The Crisis Procedure governs the process of communicating the Emergency and Crisis externally and internally by reporting, for the various counterparts to be handled, an indication of the organisational figures assigned to carry out external communication, as well as an indication of the communication channels that can be used depending on their availability with respect to the Crisis event.

 

The Crisis Manager is responsible for ensuring adequate reporting to the Board of Directors of the Parent Company and the Group Company involved, the Control, Risk and Sustainability Committee of the Parent Company, the Board of Statutory Auditors, and the Supervisory Board of the Parent Company and the Group Company involved.

What the crisis plan provides

Stakeholder

identification

Indication of all internal and external counterparts to be informed through appropriate communication strategies (e.g. Board of Directors, customers, shareholders, etc...)

Identification 

competent figures

Indication, for each of the counterparts, of the organisational figures assigned to carry out external communication.

Supervision

 

The coordination and supervision of communication is the responsibility of the Communication and External Relations Department at all levels.