Business Continuity Policy

Ensures reliable delivery of services and maintains business operations during adverse situations and disruption events

Document ID: POL-002
Classification: Internal
Owner: CTO (interim CISO)
Effective Date: April 2026
Review Cycle: Annual

1. Overview

Wealthy aspires to ensure reliable delivery of its services and support business growth by operating in an economical, efficient, and environmentally friendly manner, driven by innovation and agility.

Wealthy is committed to sustained operations, strengthening governance processes, achieving long-term strategic goals, and protecting stakeholder value. The organization is equipped to deal with adverse situations and minimize disruption to critical business activities.

Like any business entity, Wealthy is exposed to potential risks that could disrupt critical business operations and related services. In the event of such incidents, Wealthy is committed to ensuring the safety and security of all concerned (employees, partners, and stakeholders) and continuing business operations and service delivery at predefined acceptable levels. The organization shall also conduct Root Cause Analysis (RCA) for significant incidents to identify underlying issues and prevent recurrence.


2. Purpose

The purpose of the Business Continuity Policy is to ensure that all business activities can be maintained at normal or near-normal performance levels following an incident that has the potential to disrupt or severely impact operations.

This policy establishes the framework for maintaining critical business functions during disruptions and ensures rapid recovery to normal operations while protecting stakeholder interests.


3. Scope

This policy applies to the entire organization, including all departments, functions, and subsidiaries. The scope encompasses:

  • All critical business processes and supporting infrastructure
  • All employees, contractors, consultants, temporary workers, and third-party service providers
  • All Wealthy facilities, systems, and resources
  • All business continuity planning, testing, and recovery activities

Exceptions to this policy must be documented and approved by senior management in accordance with the risk management framework.


4. Policy

4.1 Enterprise Risk Management Framework

Wealthy maintains a comprehensive approach to business continuity through:

  1. Risk Identification and Assessment: Systematically identifying, assessing, and mitigating internal and external risks that can disrupt critical operations.

  2. Business Impact Analysis (BIA): Conducting regular analysis through the risk management framework to determine activities crucial to business continuity and prioritize risk assessment for critical functions. The organization has conducted a comprehensive BIA to identify critical business processes, assess the potential impact of disruptions, and establish recovery priorities for all essential functions.

  3. Threat Assessment: Evaluating potential threats including natural disasters, cyber incidents, pandemic situations, supply chain disruptions, and technological failures.

4.2 Business Continuity Planning

  1. Business Continuity Plan (BCP): Maintaining and implementing comprehensive BCPs for all business units in alignment with applicable regulatory guidelines and industry best practices.

  2. Emergency Response Alignment: Ensuring business continuity processes align with internal emergency response planning, incident management procedures, and cybersecurity policies.

  3. Resource Planning: Allocating adequate resources including personnel, technology, facilities, and financial resources to support critical functions and ensure continuity of operations.

  4. Recovery Objectives: Establishing clear Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical business functions.

    Defined Recovery Targets:

    • Critical Systems (Trading, Customer Data): RTO ≤ 4 hours, RPO ≤ 1 hour
    • Important Systems (Internal Tools, Reporting): RTO ≤ 8 hours, RPO ≤ 4 hours
    • Standard Systems (General Applications): RTO ≤ 24 hours, RPO ≤ 8 hours

    Recovery Steps Framework:

    1. Immediate Response (0-1 hour): Incident assessment, team activation, stakeholder notification
    2. Short-term Recovery (1-4 hours): Critical system restoration from backups, alternate site activation
    3. Full Recovery (4-24 hours): Complete service restoration, data synchronization, system validation
    4. Post-Recovery (24+ hours): Performance monitoring, lessons learned documentation, plan updates

4.3 Implementation and Operations

  1. Stakeholder Communication: Proactively strengthening internal systems and capabilities to meet stakeholder expectations for business continuity and maintaining clear communication channels during incidents.

  2. Compliance: Ensuring compliance with all relevant laws, regulations, standards, and statutory requirements applicable to operations.

  3. Training and Awareness: Providing regular training to employees on business continuity procedures and their roles during disruption events.

  4. Testing and Exercises: Conducting regular testing of business continuity plans through mock drills, simulations, and tabletop exercises.

4.4 Incident Response and Recovery

  1. Root Cause Analysis (RCA): Conducting comprehensive RCA for major incidents, service disruptions, and near-miss events to identify underlying causes, implement corrective and preventive actions, and improve resilience.

  2. Incident Documentation: Maintaining detailed records of all incidents, responses, and recovery actions for analysis and improvement purposes.

  3. Recovery Coordination: Establishing clear roles, responsibilities, and communication protocols for incident response and recovery operations.

  4. RCA Documentation and Knowledge Management: When incidents occur, conducting a thorough investigation to identify root causes and preparing comprehensive RCA documents that capture findings, corrective actions, and lessons learned. These RCA documents shall be maintained for future reference to prevent recurrence and improve organizational resilience against similar incidents.

4.5 Continuous Improvement

  1. Performance Monitoring: Continuously monitoring the effectiveness of business continuity measures and tracking key performance indicators.

  2. Plan Updates: Regularly updating business continuity plans based on incident learnings, RCA findings, audit observations, changes in business operations, technology landscape, and regulatory requirements.

  3. Lessons Learned: Incorporating lessons learned from incidents, exercises, and industry best practices into policy and plan improvements.


5. Policy Compliance

5.1 Compliance Measurement

Compliance with this policy shall be monitored through periodic reviews, business continuity plan testing, audits, incident response assessments, business impact analysis updates, and stakeholder feedback.

5.2 Policy Review

This policy shall be reviewed at least once every two years, or earlier if required, to ensure alignment with changing business needs, regulatory requirements, and operational conditions. RCA findings and incident learnings shall also be considered during policy reviews.

5.3 Exceptions

Any exception to this policy must be approved by senior management in advance, with appropriate risk mitigation measures documented and implemented.

5.4 Non-Compliance

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment, and may expose the organization to operational, financial, and reputational risks.