Corporate Business Continuity Management


Review History

Version | Date of Review | History
1 | 12/17/2021 | Preparation of the document.
2 | 11/29/2023 | Update of items: I. Purpose; II. Scope; III. Guidelines, sub-items 1, 2.1, 2.4, 2.6.1 and 2.8; IV. Consequence Management; V. Responsibilities; VI. Supplementary Documentation; VII. Concepts and Acronyms; and VIII. General Provisions.


I. Purpose

The purpose of this Corporate Business Continuity Management Policy (“Policy”) is to establish the guidelines of the Business Continuity Management System (“BCMS”), aiming at contributing to the resilience and sustainability of the business before, during and after crisis situations through the planning, deployment and adoption of Business Continuity Plans (“BCPs”) and the like for use in crisis situations previously defined and assessed by the organization.

II. Scope

All members of the Board of Directors and the Executive Board (“Directors”); members of the Advisory Committees and the Fiscal Council; Employees, including outsourced workers, interns and young apprentices (“Employees”) of the companies Cielo S.A. – Instituição de Pagamento (“Cielo”), Servinet Serviços Ltda. (“Servinet”), Stelo S.A. (“Stelo”) and Aliança Pagamentos e Participações Ltda. (“Aliança”), hereinafter jointly referred to as the “Company”.

All the Company’s Subsidiaries must define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

With respect to the Affiliated Companies, the Company’s representatives who act in managing its Affiliated Companies must make every effort to define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

III. Guidelines

1. Scope

The scope of the Company’s Business Continuity Management includes:

  • All of the Company’s business areas and the respective processes critical to sustaining the business, which are mapped by means of Business Impact Analysis (“BIA”); and
  • The location covered by the BCMS includes the Company’s head office located at Alameda Xingu, 512, 21st to 25th floors, Alphaville, Centro Industrial e Empresarial, Postal Code (CEP) 06455-030, in the City of Barueri, State of São Paulo.

2. Processes to Control the Business Continuity Management System

For the maintenance of the Business Continuity Management System, the control processes listed below have been defined as essential:

2.1. Business Impact Analysis (BIA)

Ensure the identification and analysis of potential impacts to the Company’s business-critical processes.

2.2. Asset Sustainability Analysis (ASA)

Identify the assets (infrastructure and systems) that support the critical business processes listed in the BIA.

2.3. Supplier Assessment

Identify the Suppliers’ adherence to the Business Continuity requirements, defined by the Executive Vice-Presidency of Risk, Compliance, Prevention and Security, focusing on the unavailability of services provided by critical suppliers.

2.4. Assessment of internal demands, such as new products, processes, projects and changes

Assess new products and services, as well as relevant changes to existing products and services and restructuring environments, within the scope of Business Continuity.

2.5. Assessment of Legal and Regulatory Requirements

Ensure that the legal and regulatory requirements of this BCMS are kept up-to-date. The process must follow the Company’s corporate standards for the matter. The Business Continuity and Crisis Management Department will also be responsible for managing the changes in these legal requirements and regulatory compliance, when applicable to the BCMS context.

2.6. Maintenance of Business Continuity Plans

Ensure the formalization and documentation of business continuity actions and strategies, as well as the roles and responsibilities in the activation of BCPs, in order to minimize the impacts caused by the unavailability of critical processes. The BCPs must consist of the following plans:

2.6.1. Crisis Management Plan

Describe the procedures to be adopted in case of a crisis declaration, as established in the Crisis Management Standard, defining roles and responsibilities in the communication process and mitigation actions.

2.6.2. Disaster Recovery Plan (DRP)

Describe the procedures that guide how to recover the services and technology environment (Data Center) after an incident causing impact that meets the BIA and BCP criteria.

2.6.3. Workplace Continuity Plan (WCP)

Describe the procedures for activating the alternative workplace in case of unavailability of the main workplace (office and home office), as well as for mobilizing the Employees who perform activities identified as critical for the Company to relocate to the alternative workplace.

2.6.4. People Contingency Plan (PCP)

Describe the procedures for replacing key Employees with their backup, previously defined, in case of temporary or permanent absence of the Employee who performs the activities identified as critical to the Company.

2.6.5. Process Continuity Plan (PCP)

Describe the alternative procedures to be used, in case of unavailability of one or more steps that support the business process, regardless of technology.

2.6.6. Critical Supplier Contingency Plan (CSCP)

Describe the alternative procedures to be used in case of unavailability, breach of contract, bankruptcy, among other events related to a critical supplier that supports the business process.

2.7. Conducting BCP Tests and Exercises

Tests and exercises are conducted periodically in order to assess the effectiveness of the continuity plans and ensure that they continue to meet the business needs in the face of possible changes, as well as to increase the maturity of the organizational resilience.

2.8. Conducting Training

Training is conducted annually in order to disseminate the Business Continuity culture and concept online through workshops, livestreams and e-learning, and it is recommended that, by the deadline set by the Company, all administrators, employees, interns, and young apprentices take the training.

2.9. Communication to the Central Bank of Brazil (BCB)

Provide timely communication to BCB about the occurrences of incidents or interruptions of services considered relevant, and indicate the measures for resuming the interrupted activities.

IV. Consequence Management

Employees, suppliers or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Ethics Channel through the channels below, with the option of anonymity.

Internally, non-compliance with the guidelines of this Policy gives rise to the application of accountability measures to the agents that fail to comply with it, according to the respective severity of the non-compliance and as per internal regulations, and is applicable to all persons described in the item “Scope” of this Policy, including the leadership and members of the Executive Board.

V. Responsibilities

  • Business or Business Support Areas:
    • Provide pertinent information to the business, in order to support the evaluation of the availability requirements of critical processes;
    • Inform the BCM area of relevant changes in processes for evaluation, and update the BIAs and Business Continuity Plans (BCPs), if applicable; and
    • Participate in and perform BCP and DRP Tests and Exercises.
  • Executive Vice President for Risk, Compliance, Prevention and Security:
    • Manage business continuity activities, proposing strategies to the Board of Directors, formalizing the regulatory instruments aligned with business continuity, promoting employee awareness, monitoring the implementation of continuity plans and managing contingency tests.
  • Executives (Officers/Executive Superintendents):
    • Define and approve the critical processes and services that will be prioritized in the application of the business continuity methodology;
    • Appoint the Business Continuity Focal Point, in the business area;
    • Provide support to the Business Continuity area in the assessment of the processes of the Company’s business areas, in the deployment of business continuity plans and continuity strategies;
    • Approve business continuity plans and strategies; and
    • Validate reports of BCP exercise and test results.
  • Business Continuity Focal Points (Incumbent and Alternate):
    • Centralize and disseminate the issues related to business continuity in their areas, as well as monitor the revision and maintenance of the Plans and BIAs;
    • Ensure that all processes considered critical in their area are covered in the business continuity plan;
    • Assist in the development of the annual BCP testing schedule;
    • Indicate a representative from the area to participate in the tests, as well as review the test booklet and guide the employee in the execution of the test; and
    • Participate in training, workshops, live broadcasts, and e-learning focused on the topics related to business continuity.
  • Business Continuity and Crisis Management Department (Risk, Compliance, Prevention, and Security Board):
    • Introduce the BCP to business managers;
    • Apply BIA and ASA to the processes indicated by business managers;
    • Ensure that current or new services meet the business continuity and BIA of the services;
    • Monitor and evaluate the deployment of the business continuity strategies;
    • Manage the BCP;
    • Develop and review business continuity policies, standards, procedures, and methodology;
    • Prepare, consolidate, and disseminate the corporate BIA and ASA, as well as share in advance the data needed to compose the artifacts;
    • Meet the demands of regulatory agencies, internal and external audits, and institutional clients, regarding the Company’s corporate business continuity discipline;
    • Coordinate the performance of BCP exercises to benchmark the plans;
    • Prepare and present to Management the report on BCP tests and exercises;
    • Act in the activation of the Crisis Executive Group, which aims to monitor, evaluate the event, and activate the Business Continuity Plan; and
    • Analyze and propose adjustments to this Policy in accordance with the periodicity provided for in the Company’s internal rules, and whenever it deems necessary.
  • Officers and employees:
    • Observe and ensure compliance with this Policy and, when necessary, call the Executive Vice Presidency of Risks, Compliance, Prevention and Security for consultation on situations involving conflict with this Policy, or upon the occurrence of situations described herein.

VI. Supplementary Documentation

VII. Concepts and Acronyms

  • Business Impact Analysis – (BIA): This is the identification and analysis of business processes/activities (including the resources required) in order to understand the impact of downtime, which leads to the assignment of recovery objectives and prioritization. (ABNT ISO 22317).
  • Business Continuity Institute – (BCI): Global Membership Institution for Business Continuity Professionals that developed the BCM framework “Good Practice Guidelines 2013” (GPG 2013). The broader role of the BCI and the BCI Corporate Partnership is to promote the highest standards of professional competence and business ethics in the provision and maintenance of business continuity planning and services.
  • Contingency: This is the time when resources are mobilized to respond to the incident and ensure the continuity of critical activities during the event.
  • Crisis: A situation with a high level of uncertainty that disrupts an organization’s core activities and/or credibility and requires urgent action (ISO 22300:2012), i.e., (a) a critical event that, if not handled appropriately, could drastically affect an organization’s profitability, reputation, or ability to operate, and (b) an incident and/or perception that threatens an organization’s operations, employees, shareholder value, stakeholders, brand, reputation, trust, and/or strategic/business objectives.
  • Scope Statement: Document from BCM containing a straightforward summary of the main aspects related to the scope of the Company’s BCMS, its coverage points and their exclusions, objectives and responsibilities of the areas covered, and other relevant items in view of the scope of the organization’s BCMS.
  • Data Center: A place where the computer systems of a company or organization are concentrated, such as a telecommunications system or a data storage system.
  • Business Continuity Management Team: Group of individuals functionally responsible for directing the development and execution of the Business Continuity Plan, as well as responsible for declaring a disaster and providing guidance during the recovery process, both pre-disaster and post-disaster. Similar terms: disaster recovery management team and business recovery management team.
  • BCP Exercise: Training process to evaluate, practice and improve the performance of an organization. Exercises can be used to: validate policies, plans, procedures, training, equipment, and agreements between organizations; clarify and train staff on roles and responsibilities; improve coordination and communication between organizations; identify resource gaps; improve individual performance and identify opportunities for improvement; and provide a controlled opportunity to practice improvisation. A test is a unique and particular type of exercise, which incorporates an expectation of pass or fail in relation to the planned objectives of the exercise.
  • Business Continuity Management – (BCM): Holistic management process that identifies potential threats to an organization and the impacts those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (ISO 22301:2012). Management of the overall program through training, testing, and review, which aims to ensure that the plan remains up-to-date.
  • Incident: Any behavior that is not part of the standard operation of a service, generating unplanned interruption or reduction of its quality.
  • Business interruption: Any event that interrupts the normal course of an organization’s business operations. Similar terms: outage and interruption of service.
  • Critical Process Map: BCM control document that lists the Critical Processes formally approved by the Company for the BCMS and also the Non-Critical Processes for the BCMS considered in the organization’s BIA studies. BCM is responsible for the map and must follow the mandatory periodic evaluation processes, as well as any maintenance, clarification, dissemination, among others, for the other BCM documents in the BCMS processes.
  • Business Continuity Plan – BCP: Documented procedures that guide organizations in responding, recovering, resuming and restoring to a pre-defined level of operation after the interruption of services or products, as well as in supporting customers during a disaster or other major outage. It usually covers the resources, services and activities needed to guarantee the continuity of critical processes.
  • Disaster Recovery Plan – (DRP): Document, component of the Business Continuity Management Program, approved by the competent governance bodies which defines the resources, actions, tasks and data necessary to manage the technology recovery effort.
  • Focal Point: Person in charge of keeping their area’s BCP updated by simulating, testing, and documenting, in accordance with the Company’s Corporate Business Continuity Management Policy in a timely manner.
  • Business Process: Fundamental activities of a business unit, usually consisting of a group of business functions designed to achieve specific objectives.
  • Recovery Point Objective (RPO): Point at which the information used by an activity must be restored to allow the activity to operate upon resumption.
  • Recovery Time Objective (RTO): Period of time, previously agreed upon by the Company, in which, after an incident, the product, service, resources and/or activities must be resumed.
  • Simulated Exercise: An exercise that covers some aspects of reality, but with controlled variables, contemplating all involved employees, to evaluate the performance of business continuity.
  • Business Continuity Management System (BCMS): Part of the overall management system that establishes, implements, operates, monitors, reviews, and improves business continuity (ISO 22301:2012). The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes, and resources.
  • Affiliated Companies: Companies in which the Company holds 10% (ten percent) or more of their capital, without, however, controlling them, under the terms of article 243, paragraph 1 of Law 6404/76 (Brazilian Corporation Law).
  • Subsidiaries: Companies in which the Company directly or indirectly holds partner or shareholder rights that assure it, on a permanent basis, preponderance in the corporate deliberations and the power to elect the majority of the officers, under the terms of article 243, paragraph 2 of Law 6404/76 (Brazilian Corporation Law).
  • Stakeholders: All relevant target audiences with interests pertinent to the Company, as well as individuals or entities that assume some type of risk, direct or indirect, with respect to the Company. Among others, the following are highlighted: Shareholders, investors, employees, society, clients, vendors, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of electronic means of payment, and non-governmental organizations.
  • Alternate Focal Point: Person who supports the Focal Point in carrying out its activities and replaces it in its absence.
  • CAT: Contingency Activation Time – Maximum time expected for activation of the Contingency State and the use of the Business Continuity Plans.
  • Maximum Tolerable Period of Disruption: Maximum time for impacts to become unacceptable or unrecoverable from an unavailability of services/products.
  • BCM Test: Procedure for evaluation, a way of determining the presence, quality, or veracity of something. Test can refer to an “experiment”. Testing is often applied to support plans.

VIII. General Provisions

The Company’s Board of Directors is responsible for altering this Policy whenever necessary.

This Policy takes effect on the date of its approval by the Board of Directors and revokes any documents to the contrary.