Business Continuity Policy

Prepared for the Unexpected. All Services 4U is committed to maintaining the continuity of our services to clients and residents, even in the face of disruption. We recognise that our clients depend on us for essential property maintenance and compliance services, and that interruption to these services could have serious consequences for resident safety and regulatory compliance. This Business Continuity Policy sets out our approach to preparing for, responding to, and recovering from disruptive events. This policy applies to all employees, directors, officers, contractors, and anyone involved in the delivery of our services.

Our Commitment

We are committed to:

Resilience — Building the capability to withstand and adapt to disruption
Preparedness — Planning for potential disruptions before they occur
Response — Responding quickly and effectively when incidents happen
Recovery — Restoring normal operations as rapidly as possible
Communication — Keeping stakeholders informed throughout any disruption
Continuous Improvement — Learning from incidents and testing to improve our capabilities

Scope

This policy covers:

All business operations and locations
All services we deliver to clients
All employees, contractors, and subcontractors
Critical suppliers and third parties
IT systems and infrastructure
Premises and facilities
Communication systems

Business Continuity Objectives

Our business continuity objectives are:

Objective	Target
Protect life and safety	Priority in all situations
Maintain critical services	Resume within defined recovery times
Protect company reputation	Transparent and professional response
Meet contractual obligations	Minimise client impact
Protect information and assets	Prevent loss and damage
Comply with regulations	Maintain regulatory compliance
Support employees	Ensure welfare and communication
Recover fully	Return to normal operations

Business Continuity Framework

Our business continuity framework is based on ISO 22301 principles.

Framework Components

Component	Description
Policy	This document — sets out our approach and commitment
Business Impact Analysis	Identifies critical activities and recovery priorities
Risk Assessment	Identifies threats and vulnerabilities
Business Continuity Plans	Documented response and recovery procedures
Incident Management	Processes for managing disruptive incidents
Testing and Exercising	Regular testing of plans and capabilities
Training and Awareness	Ensuring people know their roles
Review and Improvement	Continuous improvement cycle

Critical Business Activities

We have identified our critical business activities and their recovery requirements.

Critical Activities

Activity	Description	Recovery Priority
Emergency repairs	24/7 emergency response for gas leaks, floods, security	Critical — immediate
Gas safety services	CP12 certification, gas repairs, CO response	Critical — within 24 hours
Fire safety services	Fire alarm response, emergency lighting, fire door repairs	Critical — within 24 hours
Electrical safety	Electrical faults, safety hazards	Critical — within 24 hours
Water hygiene	Legionella response, water system failures	High — within 48 hours
Planned maintenance	Scheduled PPM services	Medium — within 1 week
Compliance management	Certificate tracking, documentation	Medium — within 1 week
Finance and payroll	Payments to staff and suppliers	High — within 48 hours
Client communication	Updates, enquiries, reporting	High — within 48 hours

Recovery Time Objectives (RTO)

Priority	Recovery Time Objective
Critical	Within 4 hours
High	Within 24-48 hours
Medium	Within 1 week
Low	Within 2 weeks

Recovery Point Objectives (RPO)

Data Type	Recovery Point Objective
Financial data	Maximum 24 hours data loss
Compliance certificates	Maximum 24 hours data loss
Job management system	Maximum 4 hours data loss
Email and communications	Maximum 24 hours data loss

Risk Assessment

We assess risks that could disrupt our operations.

Threat Categories

Category	Examples
Natural events	Severe weather, flooding, pandemic
Technological	IT failure, cyber attack, power outage, telecoms failure
Human	Staff illness, key person unavailability, industrial action
Physical	Fire, building damage, denial of access
Supply chain	Supplier failure, material shortages
External	Civil unrest, terrorism, regulatory change

Risk Assessment Process

For each threat, we assess:

Likelihood of occurrence
Potential impact on operations
Existing controls and mitigations
Residual risk level
Additional actions required

Key Risks and Mitigations

Risk	Likelihood	Impact	Key Mitigations
IT system failure	Medium	High	Cloud systems, backups, disaster recovery
Cyber attack	Medium	High	Security controls, backups, incident response
Loss of premises	Low	High	Remote working, alternative locations
Key staff unavailability	Medium	Medium	Cross-training, succession planning
Pandemic/widespread illness	Medium	High	Remote working, hygiene measures, PPE
Severe weather	Medium	Medium	Flexible scheduling, route planning
Supplier failure	Low	Medium	Multiple suppliers, stock holding
Vehicle fleet loss	Low	Medium	Insurance, hire arrangements
Power/telecoms failure	Low	Medium	Mobile devices, alternative connectivity

Business Continuity Plans

We maintain documented plans for responding to disruptions.

Plan Structure

Plan	Scope
Incident Management Plan	Overall coordination and escalation
IT Disaster Recovery Plan	IT systems and data recovery
Premises Continuity Plan	Loss of or denial of access to premises
Pandemic Response Plan	Widespread illness affecting workforce
Severe Weather Plan	Disruption from weather events
Supply Chain Continuity Plan	Supplier or material failures
Communication Plan	Stakeholder communication during incidents

Plan Contents

Each plan includes:

Activation criteria and triggers
Roles and responsibilities
Escalation procedures
Response actions and checklists
Resource requirements
Communication templates
Recovery procedures
Return to normal operations

Plan Ownership

Plan	Owner	Deputy
Overall business continuity	Managing Director	Operations Director
IT Disaster Recovery	IT Manager	[Deputy]
Premises Continuity	Facilities Manager	[Deputy]
Operations Continuity	Operations Director	[Deputy]

Incident Management

We have clear procedures for managing disruptive incidents.

Incident Classification

Level	Description	Examples
Level 1 — Critical	Major impact, business-wide disruption	Total IT failure, premises destroyed, major cyber attack
Level 2 — Significant	Significant impact, multiple functions affected	Partial IT failure, key system unavailable, significant staff absence
Level 3 — Minor	Limited impact, single function or location	Single system failure, localised issue, minor supplier problem

Incident Management Team

For significant incidents, we activate an Incident Management Team (IMT):

Role	Responsibilities
Incident Manager	Overall coordination, decision-making
Operations Lead	Service delivery continuity
IT Lead	Technology response and recovery
Communications Lead	Stakeholder communication
HR Lead	Staff welfare and resources
Finance Lead	Financial decisions and payments

Incident Response Process

Phase 1: Alert and Activation

Incident reported and logged
Initial assessment of severity
Incident Manager notified
Decision to activate business continuity plans
Incident Management Team convened if required

Phase 2: Response

Immediate actions to protect life and safety
Containment actions to limit damage
Assessment of impact and recovery needs
Activation of relevant continuity plans
Resource mobilisation
Stakeholder communication initiated

Phase 3: Recovery

Recovery actions implemented
Workarounds and interim solutions
Progressive restoration of services
Ongoing communication with stakeholders
Monitoring of recovery progress

Phase 4: Return to Normal

Full restoration of services
Stand-down of incident management
Post-incident review
Lessons learned documented
Plans updated based on learning

IT Disaster Recovery

Our IT systems are critical to service delivery.

IT Recovery Strategy

Component	Strategy
Cloud systems	Hosted in resilient data centres with redundancy
Data backup	Daily backups with offsite/cloud storage
Email	Cloud-hosted (Microsoft 365) with built-in resilience
Job management	Cloud-hosted with regular backups
Telephony	Cloud-based phone system with mobile failover
Devices	Laptops and mobile devices for flexible working

Backup Strategy

Data	Frequency	Retention	Location
Critical business data	Daily	30 days	Cloud + offsite
Databases	Daily	30 days	Cloud + offsite
System configurations	Weekly	90 days	Cloud
Email	Continuous	1 year	Cloud

IT Recovery Procedures

System	RTO	RPO	Recovery Method
Email	4 hours	0 (continuous)	Cloud resilience
Job management	4 hours	4 hours	Cloud restore
Finance system	24 hours	24 hours	Cloud restore
File storage	24 hours	24 hours	Cloud restore
Telephony	4 hours	N/A	Cloud + mobile failover

Cyber Incident Response

In the event of a cyber attack:

Isolate affected systems
Notify IT and Incident Manager
Assess scope and impact
Activate IT Disaster Recovery Plan
Notify relevant authorities (ICO if data breach)
Communicate with stakeholders
Recover from clean backups
Investigate root cause
Implement additional controls

Premises Continuity

We plan for loss of or denial of access to our premises.

Premises Recovery Strategy

Scenario	Response
Temporary denial of access	Remote working, use of alternative locations
Partial damage	Isolate affected areas, continue in unaffected areas
Total loss	Remote working, temporary premises

Alternative Working Arrangements

Function	Alternative Arrangement
Office staff	Work from home (laptops, cloud systems, VPN)
Call handling	Mobile phones, cloud telephony, outsourced overflow
Engineers	Continue from home/vehicles, direct to sites
Management	Work from home, alternative meeting locations
Stores/materials	Alternative suppliers, direct delivery to sites

Alternative Premises

Type	Arrangement
Emergency office space	Serviced office provider on standby
Meeting facilities	Hotels, serviced offices, client premises
Storage	Alternative depot, supplier storage

Remote Working Capability

All office staff are equipped to work remotely:

Laptops with VPN access
Cloud-based applications
Mobile phones
Video conferencing
Access to job management and email
Secure remote access

Workforce Continuity

We plan for significant staff unavailability.

Workforce Risks

Risk	Mitigation
Key person unavailability	Cross-training, documented procedures, succession planning
Widespread illness	Remote working, staggered shifts, hygiene measures
Industrial action	Staff engagement, contingency resources
Skills shortage	Agency arrangements, subcontractor relationships

Key Roles and Deputies

Key Role	Deputy
Managing Director	Operations Director
Operations Director	Senior Operations Manager
Finance Director	Finance Manager
IT Manager	External IT support provider
Compliance Manager	Senior Administrator

Cross-Training

Critical functions have multiple trained staff
Documented procedures for key activities
Regular knowledge sharing
Succession planning for key roles

External Resources

Resource	Purpose
Agency engineers	Supplement workforce if needed
Subcontractors	Additional capacity for specific trades
Temporary staff	Office and administrative support
External IT support	Technical support and recovery

Supply Chain Continuity

We manage supply chain risks.

Critical Suppliers

We have identified suppliers critical to our operations:

Category	Examples	Criticality
Materials	Plumbing, electrical, building materials	High
Vehicle fleet	Lease company, fuel	High
IT services	Hosting, software, support	High
Subcontractors	Specialist trades	Medium
Utilities	Electricity, gas, water, telecoms	Medium
Professional services	Accountants, legal	Low

Supply Chain Mitigations

Risk	Mitigation
Single supplier dependency	Multiple approved suppliers for critical items
Supplier failure	Financial checks, alternative suppliers identified
Material shortages	Stock holding of critical items, early warning monitoring
Price volatility	Framework agreements, price monitoring
Delivery delays	Safety stock, alternative suppliers, direct delivery

Supplier Relationships

Key supplier relationships documented
Emergency contact details maintained
Regular supplier reviews
Supplier business continuity assessed
Contractual provisions for continuity

Communication

Effective communication is essential during disruptions.

Communication Principles

Timely — communicate early and often
Accurate — provide factual, verified information
Consistent — single source of truth
Appropriate — tailor messages to audience
Two-way — listen and respond to concerns

Stakeholder Communication

Stakeholder	Communication Method	Responsibility
Employees	Email, phone, text, team briefings	HR Lead
Clients	Phone, email, account managers	Operations Lead / Account Managers
Residents	Via clients, direct contact where appropriate	Operations Lead
Suppliers	Phone, email	Procurement / Operations
Regulators	Phone, email, formal notification	Compliance Manager
Media	Press statements (if required)	Managing Director
Insurers	Phone, written notification	Finance Lead

Communication Templates

We maintain templates for:

Staff notification messages
Client notification letters
Supplier notifications
Holding statements
Recovery updates

Contact Information

We maintain up-to-date contact lists:

Employee emergency contacts
Client contacts (multiple per client)
Supplier emergency contacts
Subcontractor contacts
Regulatory body contacts
Insurer contacts
Emergency services

Out-of-Hours Communication

On-call manager rota for 24/7 response
Emergency contact number for critical issues
Escalation procedures documented
Mobile phones for key personnel

Pandemic Response

We have specific arrangements for pandemic situations.

Pandemic Response Measures

Phase	Actions
Monitoring	Monitor public health guidance, assess risk
Preparation	PPE stock, remote working preparation, communication plans
Response	Implement controls, remote working where possible, prioritise critical services
Recovery	Phased return to normal, lessons learned

Control Measures

Measure	Implementation
Remote working	Office staff work from home
Social distancing	Reduced office capacity, spacing
Hygiene	Hand sanitiser, enhanced cleaning
PPE	Masks, gloves as required
Health monitoring	Self-assessment, isolation if symptomatic
Vaccination	Encourage and support vaccination
Testing	Access to testing where available

Service Prioritisation

During severe workforce shortage:

Priority 1: Emergency repairs, gas safety, fire safety
Priority 2: Other safety-critical services
Priority 3: Urgent repairs
Priority 4: Planned maintenance

Severe Weather Response

We plan for disruption from severe weather.

Weather Risks

Event	Impact	Response
Snow/ice	Travel disruption, site access	Rescheduling, remote working, gritting
Flooding	Site access, property damage	Alternative routes, emergency response
High winds	Dangerous working conditions	Postpone external work, safety first
Heatwave	Health risks, working conditions	Early starts, welfare measures
Cold snap	Frozen pipes, heating failures	Increased demand, prioritisation

Weather Monitoring

Daily weather forecast review
Met Office warnings monitored
Proactive rescheduling when warnings issued
Communication with clients about potential delays

Winter Preparedness

Gritting of depot and parking areas
Winter equipment for vehicles
Cold weather PPE for operatives
Frozen pipe response procedures
Increased parts stock for heating repairs

Testing and Exercising

We regularly test our business continuity arrangements.

Testing Programme

Test Type	Frequency	Scope
Plan review	Annual	All plans reviewed and updated
Walkthrough	Annual	Talk through plans with key personnel
Tabletop exercise	Annual	Scenario-based discussion exercise
Functional test	Annual	Test specific capabilities (e.g., IT recovery)
Full exercise	Every 2 years	Simulated incident with plan activation

Test Objectives

Validate plans are current and effective
Identify gaps and weaknesses
Train staff in their roles
Test communication and coordination
Verify recovery capabilities

Test Records

Test objectives and scope documented
Outcomes and observations recorded
Issues and improvement actions logged
Follow-up actions tracked to completion
Lessons incorporated into plans

Training and Awareness

We ensure people understand their business continuity roles.

Training Programme

Training	Audience	Frequency
Business continuity awareness	All employees	Induction + annual
Incident management	Incident Management Team	Annual
Plan-specific training	Plan owners and deputies	Annual
Crisis communication	Communications team	Annual
IT disaster recovery	IT team	Annual

Awareness Activities

Policy communication to all staff
Regular reminders and updates
Lessons learned from incidents shared
Participation in exercises

Roles and Responsibilities

Managing Director

Overall accountability for business continuity
Final decision-making during major incidents
Resource allocation for continuity capabilities
Annual review and approval of policy

Operations Director

Day-to-day responsibility for business continuity
Chair of Incident Management Team
Ensuring plans are in place and tested
Reporting on continuity performance

Plan Owners

Maintaining and updating assigned plans
Ensuring team awareness and training
Participating in tests and exercises
Implementing improvements

All Managers

Understanding business continuity plans
Ensuring team awareness
Participating in exercises
Reporting incidents and concerns

All Employees

Understanding their role during disruptions
Following instructions during incidents
Reporting potential issues
Participating in training and exercises

Insurance

We maintain insurance to support recovery.

Insurance Coverage

Insurance	Purpose
Business interruption	Loss of income during disruption
Property	Building and contents damage
Computer/cyber	IT losses, cyber incident costs
Employers’ liability	Employee injury claims
Public liability	Third-party claims
Professional indemnity	Professional negligence claims
Motor fleet	Vehicle damage and replacement

Insurance Claims

Report potential claims to Finance Lead immediately
Document losses and damage
Preserve evidence where possible
Cooperate with insurers
Maintain records of additional costs

Continuous Improvement

We continuously improve our business continuity capabilities.

Improvement Sources

Post-incident reviews
Exercise findings
Audit and assessment results
Near-miss analysis
Industry best practice
Regulatory changes
Client feedback

Post-Incident Review

After any significant incident:

Review meeting held within 2 weeks
What happened and timeline
What went well
What could be improved
Root cause analysis
Actions assigned and tracked
Plans updated based on lessons

Performance Indicators

Indicator	Target
Business continuity plan coverage	100% of critical activities
Plan review completion	Annual, 100% compliance
Test/exercise completion	As per schedule
Training completion	100% of relevant staff
Incident response time	Within defined escalation times
Recovery within RTO	100% of incidents

Compliance and Audit

Regulatory Requirements

We meet business continuity requirements in:

Client contracts (SLA commitments)
ISO 9001 (quality management)
ISO 27001 principles (information security)
Data protection (availability of personal data)
Industry regulations

Audit

Audit	Frequency
Internal business continuity review	Annual
Client audits (as required)	Per contract
External assessment	Every 2-3 years

Policy Review

This policy is reviewed annually and updated to reflect:

Changes in business operations
Lessons learned from incidents and exercises
Changes in risks and threats
Audit findings
Regulatory and client requirements
Best practice developments

This policy should be read in conjunction with:

IT Disaster Recovery Plan
Incident Management Plan
Pandemic Response Plan
Severe Weather Plan
Premises Continuity Plan
Communication Plan
Health and Safety Policy
Cyber Security Policy
Data Protection Policy

Approval

This Business Continuity Policy has been approved by the Managing Director.

Signed:

[Name] Managing Director All Services 4U

Date: [Date]

Review Date: [Date + 1 year]

Contact

Business Continuity Lead Email: continuity@allservices4u.co.uk Phone: [Phone number]

Incident Reporting (24-hour) Phone: [Emergency number]

Quick Reference

Incident Reporting

Report any disruption or potential disruption immediately:

Phone: [Emergency number] Email: incidents@allservices4u.co.uk

Critical Services

Service	Recovery Target
Emergency repairs	Immediate
Gas safety	Within 24 hours
Fire safety	Within 24 hours
Electrical safety	Within 24 hours

Key Contacts

Role	Name	Phone
Incident Manager	[Name]	[Number]
Operations Lead	[Name]	[Number]
IT Lead	[Name]	[Number]

Your Role

✓ Know your responsibilities during disruptions
✓ Report incidents and potential issues immediately
✓ Follow instructions from the Incident Management Team
✓ Keep your contact details up to date
✓ Participate in training and exercises
✓ Be flexible and adaptable

All Services 4U is committed to maintaining services to our clients even in challenging circumstances. Our business continuity arrangements ensure we are prepared, can respond effectively, and recover quickly from disruptions.