Corporate Business Continuity Management

Click here to access the PDF.

 

Review History

Version: Date of Review: History:
1 12/17/2021  Preparation of the document.

 

I. Purpose

The purpose of this Corporate Business Continuity Management Policy (“Policy”) is to establish the guidelines of the Business Continuity Management System (“BCMS”) for Cielo S.A. (“Cielo” or “Company”), aiming at contributing to the resilience and sustainability of the business before, during and after crisis situations through the planning, deployment and adoption of Business Continuity Plans (“BCPs”) and the like for use in crisis situations previously defined and assessed by the organization.

II. Scope

All members of the Board of Directors, Advisory Committees and Executive Board (“Officers”), members of the Audit Board and employees of Cielo S.A., Servinet Serviços Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter referred to as “Company”.All the Company’s Subsidiaries must define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.With respect to the Affiliated Companies, the Company’s representatives who act in managing its Affiliated Companies must make every effort to define their directions based on the guidelines set forth in this Policy, considering the specific needs and the legal and regulatory aspects to which they are subject.

III. Guidelines

1. Scope 

The scope of the Company’s Business Continuity Management includes:

  • All of the Company’s business areas and the respective processes critical to sustaining the business. In addition, the areas and processes are mapped by means of Business Impact Analysis (“BIA”);
  • The location covered by the BCMS contemplates the Company’s headquarters, located at Alameda Xingu, 512 – 21º ao 25º e 31º andar – Alphaville – SP.

2. Processes to Control the Business Continuity Management System

For the maintenance of the Business Continuity Management System, the control processes listed below have been defined as essential:

2.1. Business Impact Analysis (BIA)

Ensure the identification and analysis of potential impacts to the Company’s business-critical processes.

2.2. Asset Sustainability Analysis (ASA)

Identify the assets (infrastructure and systems) that support the critical business processes listed in the BIA.

2.3. Supplier Assessment

Identify the Suppliers’ adherence to the Business Continuity requirements, defined by the Executive Vice-Presidency of Risk, Compliance, Prevention and Security, focusing on the unavailability of services provided by critical suppliers.

2.4. Assessment of Legal and Regulatory Requirements

Ensure that the legal and regulatory requirements of this BCMS are kept up-to-date, the process must follow the Company’s corporate standards for the matter. The Business Continuity and Crisis Management Department will also be responsible for managing the changes in these legal requirements and regulatory compliance, when applicable to the BCMS context.

2.5. Maintenance of Business Continuity Plans

Ensure the formalization and documentation of business continuity actions and strategies, as well as the roles and responsibilities in the activation of BCPs, in order to minimize the impacts caused by the unavailability of critical processes. It must be composed of the following plans:

2.5.1 Crisis Management Plan

Describe the procedures to be conducted in case of a crisis declaration, as established in the Crisis Management Standard, defining roles and responsibilities in the communication process and mitigation actions.

2.5.2 Disaster Recovery Plan (DRP)

Describe the procedures that guide how to recover the services and technology environment (Data Center) after an incident causing impact that meets the BIA and BCP criteria.

2.5.3 Workplace Continuity Plan (PCLT)

Describe the procedures for activating the alternative workplace, in case of unavailability of the main workplace (office and home office), as well as the activation of people for displacement to the alternative workplace of the employees who perform activities identified as critical for the Company.

2.5.4 People Contingency Plan (PCPas)

Describe the procedures for replacing key employees with their backup, previously established, in case of temporary or permanent absence of the employee who performs the activities identified as critical to the Company.

2.5.5 Process Continuity Plan (PCP)

Describe the alternative procedures to be used, in case of unavailability of one or more steps that support the business process, regardless of technology.

2.5.6 Critical Supplier Contingency Plan (PCFC)

Describe the alternative procedures to be used in case of unavailability, breach of contract, bankruptcy, among other events related to a critical supplier that supports the business process.

2.6. Conducting BCP Tests and Exercises

Tests and exercises are conducted periodically in order to assess the effectiveness of the continuity plans and ensure that they continue to meet the business needs in the face of possible changes, as well as to increase the maturity of the organizational resilience.

2.7. Conducting Training

Training is conducted every six months in order to disseminate the Business Continuity culture and concept online through BCP (workshops, live broadcasts, and e-learning), and it is recommended that, by the deadline set by the Company, all administrators, employees, interns, and young apprentices take the training.

2.8. Communication to the Central Bank of Brazil (BCB)

Provide timely communication to BCB about the occurrences of incidents or interruptions of services considered relevant, and indicate the measures for resuming the interrupted activities.

IV. Consequence Management

Employees, suppliers or other stakeholders who observe any deviations from the guidelines of this Policy may report the fact to the Ethics Channel through the channels below, with the option of anonymity.

Internally, non-compliance with the guidelines of this Policy gives rise to the application of accountability measures for agents who fail to comply with it, according to the respective severity of the non-compliance.

V. Responsibilities

  • Business or Business Support Areas:

Provide pertinent information to the business, in order to support the evaluation of the availability requirements of critical processes;

Update and annually review the Business Continuity Plans and BIAs of said area; and

Participate and perform BCP and DRP Tests and Exercises.

  • Executives (Officers/Executive Superintendents):

Define and approve the critical processes and services that will be prioritized in the application of the business continuity methodology;

Appoint the Business Continuity Focal Point, in the business area;

Provide support to the Business Continuity area in the assessment of the processes of the Company’s business areas, in the deployment of business continuity plans and continuity strategies;

Approve business continuity plans and strategies; and

Validate reports of BCP exercise and test results.

  • Business Continuity Focal Points (Incumbent and Alternate):

Centralize and disseminate the issues related to business continuity in their areas, as well as monitor the revision and maintenance of the Plans and BIAs;

Ensure that all processes considered critical in their area are covered in the business continuity plan;

Perform and update the Phone Tree, in a timely manner;

Assist in the development of the annual BCP testing schedule;

Indicate a representative from the area to participate in the tests, as well as review the test booklet and guide the employee in the execution of the test; and

Participate in training, workshops, live broadcasts, and e-learning focused on the topics related to business continuity.

  • Business Continuity and Crisis Management Department (Risk, Compliance, Prevention, and Security Board):

Introduce business managers to the Business Continuity program;

Apply BIA and ASA to the processes indicated by business managers;

Ensure that current or new services meet the Business Continuity and BIA of the services;

Monitor and evaluate the deployment of the business continuity strategies;

Perform the management of the Corporate Business Continuity Program;

Develop and review business continuity policies, standards, procedures, and methodology;

Prepare, consolidate, and disseminate the corporate BIA and ASA, as well as share in advance the data needed to compose the artifacts.

Meet the demands of regulatory agencies, internal and external audits, and institutional clients, regarding the Company’s corporate business continuity discipline;

Coordinate the performance of BCP exercises to benchmark the plans;

Prepare and report to top management the report on BCP tests and exercises;

Act in the activation of the Crisis Executive Group, which aims to monitor, evaluate the event, and activate the Business Continuity Plan;

  • Administrators and employees:

Observe and ensure compliance with this Policy and, when necessary, call the Executive Vice Presidency of Risks, Compliance, Prevention and Security for consultation on situations involving conflict with this Policy, or upon the occurrence of situations described herein.

VI. Supplementary Documentation

  • ABNT ISO 22317 – BIA
  • ABNT NBR ISO 22301 – BCMS
  • ABNT NBR ISO 31000
  • BACEN Circular no. 3.681/2013
  • Cielo’s Code of Ethics
  • Information Technology Policy
  • BCB Resolution No. 85/2021
  • Statement of Scope
  • PLT_ 014 Information Technology Policy
  • NRM_019 Incident Management
  • NRM_105 Crisis Management

VII. Concepts and Acronyms

  • Business Impact Analysis – BIA: It is the identification and analysis of business processes/activities (including the resources required) in order to understand the impact of downtime, which leads to the assignment of recovery objectives and prioritization. (ABNT ISO 22317)
  • Business Continuity Institute – BCI: Global Membership Institution for Business Continuity Professionals that developed the BCM framework “Good Practice Guidelines 2013” (GPG 2013). The broader role of the BCI and the BCI Corporate Partnership is to promote the highest standards of professional competence and business ethics in the provision and maintenance of business continuity planning and services.
  • Contingency: This is the time when resources are mobilized to respond to the incident and ensure the continuity of critical activities during the event.
  • Crisis: A situation with a high level of uncertainty that interrupts the core activities and/or credibility of an organization and requires urgent action (ISO 22300:2012). A critical event, which, if not handled properly, can dramatically affect an organization’s profitability, reputation, or ability to operate. It can also be an occurrence and/or perception that threatens an organization’s operations, employees, shareholder value, stakeholders, brand, reputation, trust, and/or strategic/business objectives. Impact scenario that meets the Product/Service BIA trigger.
  • Statement of Scope: Document from BCM containing a straightforward summary of the main aspects related to the scope of the Company’s BCMS, its coverage points and their exclusions, objectives and responsibilities of the areas covered, and other relevant items in view of the scope of the organization’s BCMS.
  • Data Center: a place where the computer systems of a company or organization are concentrated, such as a telecommunications system or a data storage system.
  • Business Continuity Management Team: Group of individuals functionally responsible for directing the development and execution of the Business Continuity Plan, as well as responsible for declaring a disaster and providing guidance during the recovery process, both pre-disaster and post-disaster. Similar terms: disaster recovery management team and business recovery management team.
  • BCP Exercise: Training process to evaluate, practice and improve the performance of an organization. Exercises can be used to: validate policies, plans, procedures, training, equipment, and agreements between organizations; clarify and train staff on roles and responsibilities; improve coordination and communication between organizations; identify resource gaps; improve individual performance; and identify opportunities for improvement and the control of opportunities for improvisational practice. A test is a unique and particular type of exercise, which incorporates an expectation of pass or fail in relation to the planned objectives of the exercise.
  • Business Continuity Management – BCM: Holistic management process that identifies potential threats to an organization and provides guidelines for a framework in building organizational resilience with the ability for an effective response that protects the interests of its key stakeholders, reputational activities, brand, or continuity in the event of a disaster (ISO 22301:2012). Management of the overall program through training, testing, and review, aims to ensure that the plan remains up-to-date.
  • Incident: Any behavior that is not part of the standard operation of a service, generating unplanned interruption or reduction of its quality.
  • Business interruption: Any event that interrupts the normal course of an organization’s business operations. Similar terms: outage and interruption of service.
  • Critical Process Map: BCM control document that lists the Critical Processes formally approved by the Company for the BCMS and also the Non-Critical Processes for the BCMS considered in the organization’s BIA studies. BCM is responsible for this map and must follow the processes of mandatory and eventual periodic evaluations, maintenance, clarifications, dissemination, and the like defined for the other BCM documents in the BCMS processes.
  • Business Continuity Plan – BCP: Comprehensive plan that provides the ability to effectively provide services and support to a company’s clients during a disaster or other major outage. Documented procedures that guide organizations to respond, recover, resume, and restore to a predefined level of operation after disruption (ISO 22301:2012). Typically, this covers resources, services, and activities needed to ensure the continuity of critical business functions.
  • Disaster Recovery Plan – DRP: Document, component of the Business Continuity Management Program, approved by management that defines the resources, actions, tasks, and data required to manage the technology recovery effort.
  • Focal Point: Responsible for keeping their area’s BCP updated by simulating, testing, and documenting, in accordance with the Company’s Corporate Business Continuity Management Policy in a timely manner.
  • Business Process: Fundamental activities of a business unit, usually consisting of a group of business functions designed to achieve specific objectives.
  • Recovery Point Objective (RPO): Point at which the information used by an activity must be restored to allow the activity to operate upon resumption.
  • Recovery Time Objective (RTO): Period of time, previously agreed upon by the Company, in which, after an incident, the product, service, resources and/or activities must be resumed.
  • Simulation: An exercise that covers some aspects of reality, but with controlled variables, contemplating all involved employees, to evaluate the performance of business continuity.
  • Business Continuity Management System – BCMS: Part of the overall management system that establishes, implements, operates, monitors, reviews, and improves business continuity (ISO 22301:2012). The management system includes organizational structure, policies, planning activities, responsibilities, procedures, processes, and resources.
  • Affiliated Companies: companies in which the Company holds 10% (ten percent) or more of their capital, without, however, controlling them, under the terms of article 243, paragraph 1 of Law 6.404/76 (Brazilian Corporation Law).
  • Subsidiaries: companies in which the Company, directly or indirectly, holds partner or shareholder rights that assure it, on a permanent basis, preponderance in the corporate decisions and the power to elect the majority of the managers, under the terms of article 243, paragraph 2 of Law 6.404/76 (Brazilian Corporation Law).
  • Stakeholders: all relevant target audiences with interests pertinent to the Company, as well as individuals or entities that assume some type of risk, direct or indirect, with respect to the Company. Among others, the following are highlighted: shareholders, investors, employees, society, clients, suppliers, creditors, governments, regulatory bodies, competitors, press, associations and class entities, users of electronic means of payment, and non-governmental organizations.
  • Alternate Focal Point: Provide support to the Focal Point in the performance of their activities and replace them in their absence.
  • TAC: Contingency Activation Time – Maximum time expected for activation of the Contingency State and the use of the Business Continuity Plans.
  • Maximum Tolerable Period of Disruption (MTPD): Maximum time for impacts to become unacceptable or unrecoverable from an unavailability of services/products.

VIII. General Provisions

The Company’s Board of Directors is responsible for altering this Policy whenever necessary.

This Policy takes effect on the date of its approval by the Board of Directors and revokes any documents to the contrary.