BUSINESS CONTINUITY MANAGEMENT SYSTEM
[G4-EC7], [G4-EC8] Telecom Italia pays attention to Business Continuity1 a key element for protecting the value and reputation of the Group in delivering its services and products and in full compliance with the terms of its contracts with customers, industry regulations and, more generally, in accordance with the relevant international methodologies and standards.
At Group level, Telecom Italia adopts a Business Continuity Management System (BCMS) as a control and management model for the operational continuity of the processes also through prevention activities, considering both the technological aspects (IT systems, networks, facilities, etc.) and the organizational ones (Human Resources, contractual constraints, logistical aspects, etc.).
The BCMS follows the indications contained in the international standard of reference for Business Continuity, namely ISO 22301, which emphasises, inter alia, the importance of:
- understanding the needs of the organisation and stakeholders in terms of Business Continuity;
- implementing and operating the controls and measures needed to manage the company’s capacity to deal with interruptions in operation due to accidental causes;
- monitoring and reviewing the performance and effectiveness of the business continuity management system;
- disseminating the Business Continuity culture;
- managing communications between interested parties.
The BCMS is based on the Plan-Do-Check-Act Deming Cycle and is broken down into four phases: Governance & Planning
(Plan), Execution (Do), Performance Evaluation (Check) and Improvement (Act).
At the Governance&Planning stage, the Group examines the relevant context, identifying the needs of the Company and its Stakeholders, as well as the contractual/regulatory constraints on Business Continuity. Based on these elements, the Company determines the scope of the Company’s Business Continuity policy and the main strategic objectives. This preliminary analysis goes on to identify the Company’s key processes and services and its critical activities, as well as the resources needed to maintain them. The activities carried out at this stage allow a Business Continuity strategy to be devised that guarantees an appropriate response for each process/service, in terms of operating levels and acceptable recovery times during and after a damaging event.
This stage includes, inter alia:
- the Business Impact Analysis (BIA), which is an assessment of the impact on the business where significant events occur that may affect business activities and the delivery of services.
- The Risk Assessment (RA), aimed at identifying and assessing threats that may affect corporate assets, making them unavailable for a more or less long period of time;
- identification of the Risk Profile resulting from the BIA/RA joint assessment;
- the Business Continuity strategies following the Risk Profile analysis based on the Costs/Benefits evaluation.
Approving the Business Continuity strategy, and the respective budget, allowing the executive stage to be launched, with the development of Risk Treatment and Business Continuity Operational Plans. Operational planning is carried out by the operational departments, each to the extent of its responsibilities, while checks are carried out centrally by ERM to verify consistency between the operational plans and the Business Continuity Strategic Plan, particularly in order to standardise and correlate mitigation activities throughout the company processes involved.
An overall analysis of the performances of the BCMS is planned at least annually, in particular analysing:
- actual data (incident history) regarding recovery times and economic impacts of events;
- operational test data;
- internal assessments.
The Performance Evaluation is used to identify any corrective actions to be undertaken (e.g. specific initiatives for risk prevention, procedural reviews, etc.). The Improvement phase obtains the results of the Performance Evaluation phase and any corrective actions to be taken are defined. These are then presented to the Company’s Executive Directors for a periodic Management Review.
In this phase the Company’s Executive Directors:
- examine and verify the BCMS’s suitability level based on the Performance Evaluation, in agreement with any requirement or regulatory developments;
- assess and approve any corrective actions.
The possible corrective actions to be taken, the policies and the objectives of Business Continuity result in the continuous improvement of the BCMS.
1 “Business continuity” is understood to mean the ability to ensure continuity of service, based on predefined and acceptable levels, following a disruptive incident.