Business Continuity Management Policy

Security Classification: Public
Version: 2.0 (April 2025)

Business Continuity Management

KX shall have an effective business continuity methodology to proactively identify and plan for significant threats and risks which could adversely impact its ability to operate, serve its customers, or meet its contractual or regulatory obligations.  To meet this goal, KX will:

  • Establish a Business Resiliency Program (BRP) which supports the KX strategy and is appropriate to the needs of the organization
  • Staff its Business Continuity Management (BCM) team with competent resources to implement, maintain, and continually improve the BCMS and to ensure that compliance with this policy is monitored, measured, and periodically reported to management stakeholders
  • Staff each in-scope functional area of the business with one or more Business Continuity (BC) Coordinators to drive business continuity within the BU and ensure that all required activities and deliverables are completed per Business Resiliency requirements (see below).
  • Audit the organization for compliance with this policy.  The output of the audit shall be considered input to planning any corrective actions deemed necessary and appropriate.
  • Establish management reviews of the BRP to review compliance and to provide oversight and direction to improve the effectiveness of the BRP.
  • Continuously improve the BRP based on audit findings, feedback from the business, lessons learned, and other inputs

Scope

This policy applies to all KX Offerings and Products, Data Centers, Development Teams, and functional areas that support the creation, distribution and usage of our products.

Business Resiliency Program Requirements

  • Business Continuity Plan (BCP) – An overall BCP will be maintained with appropriate strategies and recovery steps for identified risks to the business.
  • Functional Area Playbooks – Each in-scope functional area will conduct business impact analysis and risk assessment annually, or when significant changes occur.  Each area will produce playbooks in support of the KX BCP with appropriate strategies and recovery steps for identified risks to that area of the business.  Playbooks shall be:
    • Reviewed and approved by the Functional Head
    • Tested annually (see BCP Testing below)
  • Business Impact Analysis (BIA) – In preparing the BCP and supporting Playbooks, a BIA shall be performed for each of the Function’s critical functions or services.  A BIA must provide:
    • A description of each critical function or service, and the names of the critical resources who are responsible for each
    • An analysis of the potential adverse impact an outage would have on KX financial, operational, reputational, contractual, or regulatory interests
    • Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), and Minimum Business Continuity Objectives (MBCOs)
    • Recovery strategies
  • BCP Lifespan – Approved BCPs are active for ONE YEAR after the date of approval; they expire on that date one year later
  • BCP Testing – The KX BCP and its supporting Playbooks shall be tested at least annually to ensure that recovery strategies are viable and can be executed within predefined recovery times, and to ensure that all team members who have a role to play in restoring operations understand what to do.  Specific requirements are:
    • A BCP Test Plan for a particular playbook must be completed and approved by the function’s head before the test is conducted
    • A BCP Test Report must be completed, and evidence of each activity must be provided before it is approved by the function’s head
    • BCPs must be tested annually or bi-annually (twice a year):
      • BCP playbooks for teams that do not store or touch customer data on KX premises or in KX systems shall be tested annually
      • BCP playbooks for teams that do store, or touch, customer data shall be tested at least twice a year
  • Call Tree Testing – All team members identified in the KX BCP as a responder shall undergo a call tree test twice per year to validate that they are reachable
  • Business Continuity Training – All identified business continuity responders must complete BCM training annually and must certify that they have done so
  • Products Hosted on Cloud – When products are hosted on third-party environments, such as AWS, Azure, Google Cloud…, the BCP and/or Disaster Recovery Plan shall explicitly state the recovery responsibilities for each entity (KX and the cloud vendor)
  • Versioning and storage – BCPs, Playbooks, and BCP Test Plans and Reports shall be version controlled and stored in a secure, access-restricted document repository by the KX BCM Team, along with all associated auditable records, including approvals, test plans, test results, and training confirmations.  BCPs and their related records are retained according to the KX Records Retention Standard