Business Continuity Management

April 19, 2024


  1. Introduction and Objectives

  2. Scope and users

  3. Terms and definitions

  4. Directives

    4.1. Crisis Committee

  5. Normative references

  6. Publication and Distributing Policies

1. Introduction and Objectives

This policy aims to support the strategies of all EBANX Group companies to ensure the delivery of the products and services offered, it is crucial to put in place an efficient business continuity strategy, so that EBANX customers are not compromised in the event of service interruptions due to unexpected events, as well as the well-being of ebankers considering any adverse condition, whether climate, regulatory, or operational.

The main objective of Business Continuity Management is to strategically identify the company's critical processes and develop a recovery strategy and action plans to ensure that all essential services function properly even when faced with unplanned situations.

Therefore, this policy defines procedures to ensure that EBANX:

  • Comply with regulations, legislation, and well-recommended market practices;

  • Be in line with the organization's business objectives and strategy;

  • Ensure that all EBANX employees and any other parties acting on behalf of EBANX are aware of their responsibilities in relation to recovery and business continuity strategies;

  • Establish appropriate procedures for business continuity in order to mitigate the risks associated with unplanned service interruptions;

  • Have agility in the evaluation and prevention of the economic and regulatory impacts on your products and services, in the most diverse countries in which it operates;

  • ·Avoid/reduce damage caused by unexpected events that may cause disruptions to the provision of our services to our customers;

  • Protect EBANX's operations against breaches of confidentiality, integrity and availability;

Define, establish, and maintain effective, sustainable, and measurable business continuity controls.

To this end, it is essential that we maintain processes that are compatible with well-recommended market practices, such as ISO 22301, ISO 27001 and BACEN Resolution 4557. This will also ensure the integrity of EBANX's operations and strengthen our reliability and the trust of our stakeholders.

2. Scope and users

Each business area should develop a Business Continuity Plan considering risks to business requirements, impact analysis, and resources, resulting in the definition of a Business Continuity strategy.

This policy is applicable to all EBANX companies and considers the definition of Risk Appetite in EBANX's Global Risk Management Policy, focusing on processes with medium, high and very high BIA impact. However, it is not applicable for places where a coworking space is used. In this case, the Business Continuity Management Policy of the company providing the coworking service must be followed.

3. Terms and definitions

Business Continuity Plan (BCP): This refers to a documented collection of procedures and information that are developed, compiled, and kept in readiness for use in an incident to enable an organization to continue to deliver its critical services at an acceptable predefined level.

Business Impact Analysis (BIA): is the process used to assess the criticality and impact of the services and processes performed by the areas in the event of an unexpected interruption, in addition to identifying their optimal recovery time.

Business Continuity Management (BCM): is a process that identifies potential threats to an organization and the impacts to business operations that these threats, if carried out, may cause, and that provides a framework for building organizational resilience with the capacity for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creation activities.

BCM Lifecycle: refers to a series of business continuity activities that collectively encompass all aspects and phases of the BCM program, such as completion/updating of BIA, BCP, Awareness, and Exercise documents, which are conducted annually.

Disaster Recovery Plan (DRP): A business continuity plan in the event of a disaster that compromises part or all of the company's resources, including IT equipment, data records, and an organization's physical space. IT Operations & Security (Cloud Ops & Corporate IT) is the area responsible at EBANX for preparing, testing and activating the plan when necessary, as well as sending the results to Information Security Governance (Infosec).

ebanker: term used to refer to EBANX professionals.

EBANX: all companies of the EBANX economic group.

Risk and Control Assessment (RCA): is an ongoing process that aims to map key business processes, identify, assess, and monitor their associated risks and controls, identify risk exposures, and determine corrective actions. It is carried out by the areas that execute the processes, with the support and governance of the Risk Management team.

Recovery Time Objective (RTO): This is the length of time to resume a critical activity or process after it has been stopped.

Recovery Point Objective (RPO): This is the maximum data loss time tolerated by EBANX in a disaster.

4. Directives

Business Continuity should be an activity owned by the areas, as it is only the area responsible for their processes that can determine exactly their priorities and level of internal and external involvement. The C-Level, as well as all other levels of leadership, should be involved with Business Continuity Management for their respective areas and should be aware of Business Continuity issues for their structure.

In addition to existing operations or processes, Business Continuity needs to consider relevant systems and information and perform a realistic and reliable business impact analysis. This information will guide the IT Operations & Security (Cloud Ops & Corporate IT) team in the construction of the scope of the IT Disaster Recovery Plan (DRP), through the sharing of the information raised in the Business Impact Analysis (BIA) regarding critical processes versus systems to ensure that all critical systems are being covered by the DRP.

In the event of a crisis threat, the Risk Management area should be notified to EBANX for analysis of the possible impact of the crisis. All available information will be brought to the attention of one or more members of the C-Level so that the Crisis Committee can be activated if strategic decisions are necessary. Meetings may take place in person at any of the EBANX units where the members of the Committee are present or remotely through the available tools.

There must be active integration on the part of the Information Security and Risk Management teams to train all ebankers and Leaders so that they are prepared to act with risk prevention in their areas. Leaders

must be active in their role, being responsible for monitoring the activation of the Call Tree and other exercises, as well as informing the Risk Management area of any and all risk-related incidents.

BCM LifeCycle consists of the annual review of the Business Impact Analysis (BIA) based on the result of the mapping of the Risk and Control Assessment (RCA), the Business Continuity Plan (BCP), BCM Training and Exercises carried out for all EBANX business areas.

To measure compliance with the objective of this policy, EBANX will annually verify that all areas are in compliance with the formally established Business Continuity Plan. In the area of Information Security, the Security Governance and Continuity pillar is responsible for defining the method of measuring the observation of the policy, which will be carried out at least once a year.

The Information Security team should report the results of the BCM Lifecycle to leadership, including, if necessary, action plans resulting from the need for improvement in contingency strategies.

The final result of all tests carried out to ensure compliance with the BCM strategy established for each team will be formalized through an Annual Certificate of Compliance, with the knowledge of the C-Level and GR&C and ITOps Board of Directors, which must cover the recovery plans for major incidents and business, confirming for each area which plans are updated and have been tested.

4.1. Crisis Committee

As part of BCM, it is crucial to ensure that EBANX has an adequate business continuity governance structure in place to address any current or emerging risks. This structure must be prepared to respond to the most different types of unexpected events.

The Crisis Committee is an interdisciplinary committee under the responsibility of GR&C that is in place at EBANX headquarters and is composed of leaders from different areas (D and SM Levels). Other people may be invited to participate if there is a need for specific knowledge for that situation.

The main purpose of this committee is to deal with the broader strategic implications, including concentration risk issues. In a crisis scenario, this group is also responsible for making decisions about prioritization, resource allocation, delivery, and deployment of critical EBANX processes.

5. Normative references

EBANX's Global Risk Management Policy;

ISO 22301:2012;

ISO 27001:2013;

BACEN Resolution 4557;

6. Publication and Distributing Policies

Any new policy or modification of an existing document must be made available to all interested parties.

Policies are available for consultation by ebankers on the OneTrust platform, in the “Policies” section.