Business Continuity Plan

Version: 12.0

Effective Date: 11-February-2025

1. Introduction  

Business Continuity Policy Mission Statement    

Airtel Payments Bank is committed to ensuring the safety of its people and the continuity of critical business operations that support delivery of its services, while abiding by business, legal, regulatory, statutory and contractual requirements, by developing, implementing and continually improving organization-wide Business Continuity.

1.1.    Business Continuity   

Business continuity (BC) refers to a state of continued, uninterrupted operation of a business in all contexts. It focuses on the resilience of people, infrastructure, processes, applications and vendors as well as the availability and integrity of information.   

It is the intention of the Bank to embed business continuity planning into the culture of the organization.

1.2.      Business Continuity Management (BCM)   

Management of disruption-related risk is based on a thorough understanding of the internal, external and risk management contexts the Bank operates within. Business continuity management shall incorporate business impact analyses, recovery strategies and business continuity plans, as well as a governance programme covering a testing programme, a training and awareness programme, and a communication and crisis management programme.

1.3.      BCMS objectives

•       Reduce reliance on key personnel & ensure safety of personnel;  

•       Reduce Bank’s risk to future business discontinuity;   

•       Protect vital assets owned by Bank and those assets belonging to others for which it carries responsibilities;   

•       Preserve the ability to meet stakeholder expectations, including meeting 3rd party arrangements;   

•       Provide for an orderly and expedited recovery after a disruptive event;  

•       Maintain or gain competitive advantage due to a swift and effective response;

•       By combining the best practices for performance, availability, security, and conformance to standards, the Technology will provide a robust foundation for Business Continuity Management. This ensures that in the face of disruptions, the critical systems and data are protected, remain operational, and can quickly recover. 

•       Continuously improving the BCMS through regular testing, reviews, and updates to ensure it remains effective in the face of changing risks.

 

•       The Bank’s BC and DR capabilities shall be designed to effectively support its resilience objectives and enable it to rapidly recover and securely resume its critical operations (including security controls) post cyber-attacks/ other incidents.

1.4.      Climate Change   

The organization must determine if climate change is relevant to its operations, risks, and objectives. For a bank, this would typically involve evaluating whether climate-related factors (such as increased frequency of extreme weather events, regulatory changes, and sustainability concerns) could affect information security or the bank's ability to maintain the confidentiality, integrity, and availability of information.

For more details, refer to the ESG Report.

1.5. Business Continuity Management (BCM)   

| BC Objectives | CEO’s office | HR & IT | Finance | Customer Service | Banking Ops | Sales & Distribution | Legal & Regulatory | Product | Compliance | Risk & Fraud | Alliances | Internal Audit | Marketing | Business Control |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Reduce Bank vulnerability to future business discontinuity | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Protect vital assets owned by Bank and those assets belonging to others for which it carries responsibilities | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Preserve the ability to meet stakeholder expectations, including meeting 3rd party arrangements | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Reduce reliance on key personnel & ensure safety of personnel | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Provide for an orderly and expedited recovery after a disruptive event | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Maintain or gain competitive advantage due to a swift and effective response | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| By combining the best practices for performance, availability, security, and conformance to standards, the Technology will provide a robust foundation for Business Continuity Management. This ensures that in the face of disruptions, the critical systems and data are protected, remain operational, and can quickly recover. | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |

2. Policy Applicability

•        The BCMS Policy at Airtel Payments Bank shall be applicable to the Office Locations. For details, refer to the ISBC Manual.

•        The BCMS Policy shall be applicable to all LOBs (operations) and enabling teams for the Bank.

•        This policy shall be applicable to the various dependencies, service providers and external parties supporting key services of Airtel Payments Bank.

3. Management Intent

The management shall ensure that resources are available to support the BC planning process and assist IS-BC working group to:   

•       Understand what the operational and financial consequences and exposures are to their business function and associated dependencies should a disruptive event occur;   

•       Be able to define the critical business processes that must be able to continue, more or less uninterrupted should a disruptive event occur;   

•       Similarly define the priorities for the resumption of the remaining business activities;   

•       Produce a blueprint of the resource requirements to support process continuity and enable a phased recovery. Resources relate to:

        •       Staff – include succession planning,

        •       Space – buildings, work areas,

        •       Stuff – equipment, infrastructure and information,

        •       Funding

•       Document and register physical assets for insurance purposes;   

•       Identify the present level of preparedness to deal with a disruptive event should it occur;   

•       Explore the ‘what ifs’ and implement positive control variables which enable the business function to adapt and change;   

•       Leverage the capacity of staff to adapt under uncertainty and pressure to give greater operational resilience;   

•       Remain alert at all times to the threat and implications of a disturbance in all contexts.   

  

BCM tools and templates will be developed and maintained through the Business Continuity Unit.  

      

4.   Business Continuity Planning

As the business model is digital 24x7 banking, it is critical to formulate consolidated Business Continuity Planning (BCP) guidelines covering the critical aspects of people, process and technology.

  

BCP is a continuous process of identifying hazards and Bank vulnerabilities, the likelihood of disruption, potential consequence on time-sensitive objectives and strategic success, existing control effectiveness and strategies to improve performance and efficiency. It considers risk over time when usual work areas, staff, assets or processes are not available.   

  

Key concepts of the BC planning process are:   

•       Understand the business;   

•       Complete Business Impact Analysis   

•       Assess the risks

•       Prepare a BCP

•       Train on and test the plan.

 

4.1.     Resilience Capability   

Airtel Payments Bank’s business is a complex, interrelated system of dynamic processes operating in an increasingly uncertain, unpredictable environment. Resilience capability refers to the system’s ability to cope with uncertainty, change and associated stresses (implying it is adaptive). A resilient system is able to effectively adjust its functioning in anticipation of, during, or following changes and disturbances, so that it can continue to perform as required after a disruption or a major mishap, and in the presence of continuous stresses.

5.   Internal Audit

The organization shall ensure that all planned arrangements, as given in clause 9.2 of ISO 22301:2019 standard, which have an influence on Business Continuity, are subjected to internal audits on an annual basis to verify the compliance with all aspects of BCMS requirements and organization’s policies. The organization shall have a reliance on internal audit procedure that shall ensure planning and coordination of Internal Audits of BCMS arrangements at Airtel Payments Bank. Results of the action taken shall be reviewed and discussed in BCMS Management Review meetings.

Kindly refer to the Monitoring Procedure for more details.

6.   Management Review

Airtel Payments Bank’s management shall review the BCMS arrangements bi-annually to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the BCMS, including BCMS policy and objectives, and ensuring continual improvement in the BCM arrangements. The results of the review shall be clearly documented, and records shall be maintained.

7.   BCMS Responsibilities

The responsibilities towards Business Continuity management are mentioned below:

•  All employees and vendors/partners (co-located) shall conform to the BCMS policy and objectives.

•  All employees shall be responsible for reporting any identified weaknesses which might impact the Business Continuity or result in disruptive incidents; and

•  The management shall be responsible for supporting all steps / activities taken to mitigate business continuity risks.

Note: A detailed governance procedure shall be established stating the governance structure of BCMS at the bank and all the roles and responsibilities of the BCMS governance roles.

Refer to the Governance Procedure for more details.

8.  Applicable requirements

The Bank shall be committed towards complying with its statutory, legal and regulatory requirements. The BCM team shall partner with legal team to identify requirements (if any) and consider these requirements while establishing, implementing and maintaining an effective BCMS.

8.2.    Business continuity standards

In order to ensure that the core business functions are safeguarded against any unplanned or foreseen interruptions, Bank shall adopt good practice standards set out in ISO 22313:2019 and shall comply with the requirements of ISO 22301:2019.

8.3.      Needs and expectations of interested parties.  

Airtel Payments Bank shall identify all interested parties that are of relevance to its BCMS and shall ensure that the needs and expectations of the interested parties are taken into consideration while establishing its BCMS.

9. Continual Improvement  
       

The management at Airtel Payments Bank shall be committed towards continually improving the effectiveness of its BCMS. In order to enable this, the organization shall undertake the following measures:

•       Conduct periodic review of its BCMS policy and objectives.

•       Conduct periodic internal and external audits and use the results to correct/ prevent specific nonconformities.

•       Conduct periodic management reviews at planned intervals to evaluate the continuity, suitability, adequacy and effectiveness of its BCMS.

•       Analyse disruptive incidents and disseminate learnings to all business functions; and

•       Identify nonconformities, take action to control, contain or correct them, deal with their consequences and evaluate the need for action to eliminate their causes.

10.  Policy Communication and Review

The BCMS policy shall be communicated to all employees in the organization and the relevant identified interested parties. The policy shall be placed at an appropriate location on the Airtel Payments Bank intranet site and shall be actively promoted to the staff through training and awareness programs.

The BCMS Policy shall be reviewed annually or whenever there is a major change in the organization. The BCMS Policy shall be reviewed by BCMR and correspondingly by BCM Lead. The BCMS policy, post review of the BCM Lead, would be approved by the BCM Head. As a result of the reviews, additional policies could be issued and/ or existing policies could be updated, as required. Policies that are identified to be redundant shall be withdrawn.

The BCMS policy may be amended, if necessary, to consider any new legal and regulatory requirements and revisions of the business continuity standard ISO 22301:2019 (as applicable).

11. Consequences of non-conformity

Failure to comply with this Policy and the related laws, rules, and regulations may pose a risk to Airtel Payments Bank, its customers, and its stakeholders. This risk may include customer loss, damage to Airtel Payments Bank’s reputation, enforcement actions, fines or other legal and regulatory liabilities.

12.  Defined Recovery Time Objective (RTO) and Critical Activities Prioritization

Business will identify critical businesses, owned and shared resources with supporting functions and come up with the following:

•       Business Impact Analysis (BIA) including Risk Treatment Plan (RTP) with identification and mapping of the security classification (in terms of Confidentiality, Integrity, and Availability) of information assets based on their criticality to the operations

•       Well-documented Business Continuity Plan (BCP), tested on a set-frequency basis as per the criticality assessed

•       Recovery Time Objectives (RTO), formulated based on the BIA, which may be periodically fine-tuned by benchmarking against industry best practices

13. Assumptions

The BCMS arrangements at Airtel Payments Bank shall be made considering the following:

•        Timing: The incident occurs at the most critical time of the year;

•        Multiple/Concurrent Scenarios: Only one scenario will occur at a time – ‘what-if’ analysis around concurrent scenarios should be avoided. For example, if it is considered that people unavailability is a failure scenario then it is assumed that technology and site as the enablers are available and operational;

•        Any crisis within the territorial limits of Airtel Payments Bank is limited to an individual site, i.e. a region-wide crisis would not be catered to by the BCMS;

•        Staff Availability: Sufficient skilled staff are available;

•        Communications: At least one method of communication is available to communicate with staff (mobile network, land line, email as per the crisis management framework);

•        Accessibility: Staff can travel as required or have access to remote facilities;

•        Suppliers: All suppliers (incl. counterparties and service providers) are available during the incident, unless the scenario specifically affects the supplier only; and

•        In the event of unavailability of a site, the identified recovery location does not get simultaneously affected by a crisis along with the primary location.

•        During a crisis or planned testing, the Business Leader is responsible for deciding on the invocation of the BCP and needs to ensure continuity of business or operations

•        During pandemic/unexpected crisis situations, normal recovery strategies might not be effective/applicable, and alternatives or enhanced strategies will have to be looked into

•        Floor Marshals will be identified and trained by the Admin or Facilities team

There are a few strategies which shall be identified at the organization level and deployed in the various verticals of the organization, serving as different parts of the BCMS. These are:

13.1.  Information Disclosure  

The Airtel Payments Bank employee who has information on an issue or event which may have or has had an impact on Airtel Payments Bank, and who witnessed the actual incident or is directly involved in it, shall relay the information or details of the incident/situation through the fastest mode of communication only to the reporting manager and BCMR, through pre-defined lines of communication.

13.2.  Knowledge Transfer / Handover  

•        The existing SPOC / Supervisor shall ensure that a departing employee having BCM responsibilities provides a handover/knowledge transfer of BCMS roles & responsibilities to the identified successor employee. Employees leaving Airtel Payments Bank shall also ensure BCM knowledge transfer before their full and final exit process.

•        Risk Team shall include BCM section in the induction program for new joiners. New employee taking up BCM roles and responsibility shall be provided with training and awareness specific to their BCM role.

13.3.  Resource Sharing

During disaster or crisis situation, recovery or restoration of operations will require resources which might be scattered among various groups or functions with different owners. In such disaster or crisis kind of scenario, sharing of resources should be promoted irrespective of different ownership, keeping organization wide objective in mind. Meaning, entitlement to these resources like Service Vehicles, Service Phone Units, laptops, etc. takes a backseat in favour of recovery.

Please note that the recovery or continuity of operations will be the responsibility of the operations team during a crisis or exercise period.

13.4.  Regulatory Reference

RBI Guidance Note on Operational Risk Management and Operational Resilience dated 30.04.2024.

  1. Important Terms

| Term | Definition |
|---|---|
| Adaptation | Refers to Bank’s capability to cope with uncertainty, change and associated stresses, and adjust to change. |
| Business Continuity (BC) | A state of continued, uninterrupted operation of a business in all contexts. |
| Business Continuity Management (BCM) | “A holistic process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.” (ISO 22301). |
| Business Continuity Management Programme | Ongoing management and governance process supported by top management and appropriately resourced to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services through training, exercising, maintenance and review. |
| Business Continuity Management Lifecycle | A series of business continuity activities which collectively cover all aspects and phases of the BCM programme. |
| Business Continuity Plan (BCP) | An output of BCM. This process leads to a clearly defined and documented plan which sets out the procedures, resources and systems necessary to continue or restore the activities of an organization should unpredicted business disruption occur. |
| Business Impact Analysis | The process of analysing business functions and the effect that a business disruption might have upon them. The BIA provides a level of analysis to examine in detail any consequences that may exceed routine management capability. |
| Communication and Consultation | Continual and iterative processes that an organization conducts to provide, share or obtain information, and engage in dialogue with stakeholders regarding the management of disruption-related risk. |
| Context | The external and internal parameters to be taken into account when managing disruption related risk and setting the scope and risk criteria for the BCM Policy. |
| Control | An existing process, policy, device, practice or other action that acts to minimize negative risks or enhance positive opportunities. May also be applied to a process designed to provide reasonable assurance regarding the achievement of objectives. Business Continuity controls ensure an uninterrupted availability of key business resources that support the continuation of key or crucial business processes and objectives. |
| Consequences | Outcome of an event, determined in relation to the achievement of objectives. The outcome can be positive or negative and expressed quantitatively or qualitatively. In addition, there can be more than one consequence from one event. |
| Corporate Governance | Primarily concerned with, but not limited to: effectiveness and efficiency of operations; compliance with laws and regulations; vulnerability of the organization and safeguarding of assets. Governance has specific implications for BCM, as the availability and integrity of information and continuity of services are key internal control concepts directly attributable to effective BCM. |
| Crisis | Any event that is, or might lead to, an unstable or dangerous situation affecting an individual or group. |
| Disruption related event | Consequences of Bank being unable to remain operational. Refers to how quickly or severely an outage could affect Customers of Bank. Disruption related risk management is a particular application of risk management. |
| Event | An incident or situation, which occurs in a particular place during a particular interval of time. |
| Likelihood | Used as a qualitative description of probability or frequency of a risk occurring. |
| Loss | Any negative consequence, financial or otherwise. Can be differentiated as follows: Maximum foreseeable loss - highest possible loss after considering controls; Maximum possible loss - highest possible loss without considering controls. |
| Maximum Acceptable Outage | The duration after which Bank’s viability will be threatened if a service or function cannot be resumed. |
| Mitigation | Involves pre-empting a challenge and taking steps to avoid the threat or limit any negative consequence. |
| Recovery | Steps taken to resume the business within an acceptable timeframe following a disruption. |
| Recovery Point Objective | The target set for the status and availability of data (electronic and paper) at the start of a recovery process. It is a point in time at which data capacity of a process is in a known, valid state and can safely be restored from. In purely IT DR terms it can be seen as the precise time to which data and transactions have to be restored. |
| Recovery Time Objective | The target time for resuming the delivery of a product or service to an acceptable level following its disruption. |
| Residual Risk | The remaining risk after management has taken action to alter the risk’s likelihood or impact. |
| Risk | The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. |
| Risk Analysis | A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences. |
| Risk Assessment | The overall process of risk analysis and risk evaluation. |
| Risk Criteria | Terms of reference against which the significance of a risk is evaluated. Risk criteria are based on internal and external context, are regularly reviewed to ensure continued relevance. Risk criteria can be derived from standards, laws and policies. |
| Risk Management Framework | The totality of the structures, methodology, procedures and definitions that Bank has chosen to use to implement its Risk Management Processes. |
| Risk Register | The means by which Bank elects to manage or treat the individual risks. The main categories are to accept the risk; to mitigate it by reducing its impact or likelihood; to transfer it to another organization or to avoid the activity creating it. |
| Stakeholders | Those people and organizations who may affect, be affected by, or perceive themselves to be affected by, a decision or activity. |
| Vulnerability | The degree to which a person, asset, process, information, infrastructure or other resources are exposed and susceptible to the actions or effects of a hazard, event or risk. |