Business Continuity Management

April 18, 2023

Index

1. Introduction and Objectives

2. Scope and Users

3. Terms and Definitions

4. Directives

4.1. Crisis Committee

5. Document retention

6. Normative references

7. Publication and Distributing Policies



1. Introduction and Objectives

This policy aims to support the strategies of all EBANX Group companies. To ensure the delivery of the products and services offered, it is crucial to put in place an efficient business continuity strategy, so that EBANX customers are not compromised in the event of service interruptions due to unexpected events, as well as the well-being of ebankers considering any adverse condition, whether climatic, regulatory or operational.

The main objective of the Business Continuity Management is to strategically identify a company's critical processes and to develop a recovery strategy and action plans to ensure that all the essential services will work properly even when facing unplanned situations.

This way, this policy defines procedures to ensure that EBANX:

  • Complies with regulations, legislation and well recommended market practices;

  • Is in line with the organization's goals and business strategy;

  • Ensures that all EBANX employees and any other parties acting on behalf of EBANX are aware of their responsibilities regarding recovery strategies and business continuity;

  • Establishes appropriate procedures for business continuity in order to mitigate the risks associated to unplanned service interruptions;

  • Be agile in the assessment and prevention of economic and regulatory impacts on its products and services, in the most diverse countries in which it operates;

  • Avoids/reduces damages caused by unexpected events that may cause interruptions in delivering our services to our customers;

  • Protects EBANX operations against breaches of confidentiality, integrity and availability;

  • Defines, establishes and maintains effective, sustainable and measurable business continuity controls.

For that, it is essential to be up-to-date and compliant with well recommended market practices, such as ISO 22301, ISO 27001 and BACEN’s Resolution 4557. This will also ensure the integrity of EBANX operations and strengthen our reliability and the confidence of our stakeholders.



2. Scope and Users

Each business area must develop a Business Continuity Plan considering risks to the business, impact analysis and resource requirements resulting in the definition of a Business Continuity Strategy.

This Policy is applicable to all EBANX companies and considers the Risk Appetite definition of the EBANX Global Risk Management Policy, i.e, with focus on processes with BIA impact medium, high and very high. However, it is not applicable for places where a coworking space is used. In this case, the Business Continuity Management Policy of the company providing the coworking service must be followed.



3. Terms and Definitions

  • Business Continuity Plan (BCP): refers to a documented collection of procedures and information that is developed, compiled, and maintained in readiness for use in an incident to enable an organization to continue to deliver its critical services at an acceptable predefined level.

  • Business Impact Analysis (BIA): is the process used to assess the criticality and impact of services and processes performed by the areas in case of an unexpected interruption, besides identifying their ideal recovery time.

  • Business Continuity Management (BCM): it is a process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

  • BCM Lifecycle: refers to a series of business continuity activities which collectively cover all aspects and phases of the BCM program, such as completion/updating of the documents of BIA, BCP, Awareness and Exercises, which are carried out annually.

  • Disaster Recovery Plan (DRP): it is a plan for business continuity in the event of a disaster that destroys part or all business's resources, including IT equipment, data records and the physical space of an organization. IT Operations & Security is the area responsible in EBANX for the preparation, testing and activation of the plan when necessary, as well as sending the results to risk management governance.

  • Risk and Control Assessment (RCA): it is a continuous process that aims to map business’ main processes, identify, evaluate and monitor its risks and associated controls, identify risk exposures and determine corrective actions. It is performed by the areas that execute the processes, with the support and governance of the Risk Management team.

  • Recovery Time Objective (RTO): refers to how long a process can endure without realization.

  • Recovery Point Objective (RPO): regards systems and the need of backups (real time, intraday, last backup or not required) considering how possible it is to realize the process if everything is lost.



4. Directives

Business Continuity must be a business-owned activity as it is only the individual business that can determine exactly its priorities and level of internal and external involvement. The C-Level as well as all other levels of leadership must be involved with Business Continuity Management for their respective areas and must be aware of Business Continuity issues of their structure.

In addition to the existing operations or processes, Business Continuity needs to consider systems and their relevant information and perform a realistic and trustworthy Business Impact Analysis. This information will guide the IT Operations & Security team in building the scope of the IT Disaster Recovery Plan (DRP), by sharing the information gathered in Business Impact Analysis (BIA) regarding critical processes versus systems to ensure that all systems are being covered by DRP, as well as RTOs are aligned.

The Risk Management team, in conjunction with Facilities, IT Corporate and IT GRC teams must be involved in all the decisions related to concentrated risk in EBANX buildings.

In the event of a crisis threat, the Risk Management area must be communicated in order to analyze the possible impact of the crisis on EBANX. All available information will be brought to the attention of one or more members of the C-Level so that the Crisis Committee can be activated if strategic decisions are necessary. The meetings may take place in person at any of the EBANX units where the Committee members are present or even remotely through any available tools.

There must be active integration by the Risk Management team to empower all ebankers and especially leadership areas) so that they are prepared to act with risk prevention in their areas. should be active in their role, being responsible for monitoring the activation of the call tree and custom awareness as well as informing the Risk Management area of all and any incidents related to risks.

BCM LifeCycle consists of the annual review of the Business Impact Analysis (BIA) based on the result of the Risk and Control Assessment (RCA) mapping, the Business Continuity Plan (BCP), BCM Training and Exercises carried out for all areas of EBANX's business.

To ensure compliance with the objective of this policy, EBANX will annually verify that all areas are in compliance with the formally established Business Continuity Plan. In the Global Risk & Compliance area, the Risk Management team is responsible for defining the method of measuring policy compliance, which will be carried out at least once a year.

The Risk Management team must report the results of the BCM Lifecycle to the leadership, including action plans resulting from the need to improve contingency strategies.

The final result of all tests carried out to ensure compliance with the BCM strategy established for each team will be formalized through an Annual Certificate of Compliance, with acknowledgement of the C-Level and Senior Management of GR&C, which must cover the recovery plans of large incidents and deals confirming for each area that plans are up to date and have been tested.


4.1 Crisis Committee

As part of the BCM, it is crucial to ensure that EBANX has an adequate business continuity governance structure to deal with any current or emerging risks. This structure must be prepared to respond to the most different types of unexpected events.

The Crisis Committee is an interdisciplinary committee that is in place at EBANX headquarters and is composed of leaders from different areas (D and SM Levels). Other people may be invited to participate if there is a need for specific knowledge for that situation.

The main objective of this committee is to address the broader strategic implications, including concentration risk issues. In a crisis scenario, this group is also responsible for making decisions about prioritization, resource allocation, delivery and implementation of critical EBANX processes.



5. Document retention

All documentation related to BCM can be stored for at least 5 years, following general auditing rules and best practices.

After this period, the documents may be discarded.



6. Normative references



7. Publication and Distributing Policies

This policy and the supporting policies, regardless of whether it is a new version of an existing document, must be journals for time Global Risk & Compliance.

Any new policies or modifications to existing documents must be made available to all interested parties of EBANX.

Policies are available for consultation, for ebankers, not MyEBANXLife, in the “Policies” section.

Public documents can be found on the EBANX websites.