Business Continuity Plan
1.1 Background and Importance: Recognizing the various risks that may impact operations, including natural disasters, IT system failures, security emergencies, or disease outbreaks, this Business Continuity Plan has been developed to ensure service continuity, minimize financial losses, protect assets, and maintain the organization's image.
1.2 Reasons: To ensure the company can continue operations under any crisis or emergency, including:
- Natural disasters (floods, earthquakes, wildfires)
- Technical emergencies (power outages, IT system failures)
- Security threats (terrorism, riots)
- Disease outbreaks
1.3 Standard Reference Framework: This Business Continuity Plan aligns with the international standard ISO 22301:2019, which provides a framework for establishing a Business Continuity Management System (BCMS) and for planning, implementing, monitoring, and continuously improving it.
1.4 Review of Business Continuity Plan: The company periodically reviews the Business Continuity Plan to ensure systematic, efficient emergency management that aligns with the organization's risk policy.
1.5 Importance to Stakeholders: This Business Continuity Plan is crucial for:
- Building confidence among customers and business partners
- Protecting personal assets and critical information
- Maintaining the brand's image and reputation in both Thai and international markets
- Reducing business impact during emergencies
2.1 Minimize System and Service Downtime
2.1.1 Set target times (RTO & RPO)
- Recovery Time Objective (RTO) for critical systems: no more than 7 days
- Recovery Point Objective (RPO) for customer databases: no more than 7 days
2.1.2 Backup measures
- Prepare DR Cold Site for main operating systems
- Regularly back up data to Cloud Backup
- Procure and maintain relevant equipment and software
2.1.3 Testing and improvement
- Conduct Full-Scale Drill at least once a year to evaluate efficiency and improve readiness
2.2 Protect Assets, Personnel, and Critical Information
2.2.1 Data backup and encryption
- Daily Backup and strategic Off-site Backup
- Use encryption technology for data at rest and data in transit
2.2.2 Physical and system security
- Access Control & CCTV systems
- UPS/Generator for critical equipment
2.2.3 Personnel care
- Develop and practice evacuation and fire drill plans
2.3 Maintain Customer Reputation and Confidence
2.3.1 External Communication Plan
- Appoint a spokesperson to provide accurate and consistent information
- Define main communication channels: company website, social media, and email
- Create and maintain incident notification templates with initial notification within 2 hours of incident detection
2.3.2 PR Crisis Management
- Hold emergency meetings with PR, legal, HR, and other relevant departments immediately upon incident occurrence to assess risks and determine response strategies
- Prepare standard documents for customer FAQs covering key issues and contact channels
- Define compensation guidelines based on severity and impact to ensure fairness and restore confidence
2.3.3 Post-Crisis Satisfaction Assessment
- Check user/stakeholder satisfaction with response and recovery
- Collect strengths and weaknesses of the actual BCP process
- Use feedback to improve the plan and enhance future response efficiency
The Risk Management Committee is primarily responsible for setting the direction, policy, and risk management framework, alongside crisis preparedness. Key policies include:
3.1 Risk Management Framework
- Screen and assess internal and external risks for a comprehensive overview
- Design appropriate control measures to mitigate unexpected impacts
3.2 Business Continuity Management System (BCMS)
- Plan and allocate resources systematically to ensure critical operations continue
- Define clear activation criteria for emergency measures to promptly implement the plan
3.3 Regularly monitor and review
- Use feedback from drills and exercises to improve the plan to match real situations
4.1 Risk Assessment: Risk assessment is a crucial step in developing the Business Continuity Plan (BCP) for The Erawan Group, aiming to:
4.1.1 Identify potential crises: Consider threats and events that may impact operations, such as fires, floods, power outages, disease outbreaks, earthquakes, and data leaks.
4.1.2 Assess likelihood: Determine the probability of each event occurring, categorized as "low," "medium," and "high".
4.1.3 Assess impact: Consider the severity of impacts on finance, reputation, and operations if the event occurs.
4.1.4 Determine risk level: Jointly assess likelihood and impact to prioritize management and resource allocation.
4.1.5 Define key control measures: Outline prevention and impact reduction strategies for specific events, along with preparedness and effective response measures.
Crisis Scenario | Likelihood | Impact | Risk Level | Control measures |
---|---|---|---|---|
Fire | Medium | High | High | |
Flood | Low | Medium | Medium | |
Power outage | Low | Low | Low | |
Disease Outbreak | Medium | High | High | |
Earthquake | Low | Medium | Medium | |
Data Breach | Medium | High | High | |
4.2 Risk and Business Impact Assessment
4.2.1 Identify the core operational systems and processes that underpin overall business operations, covering finance, accounting, procurement, human resources, IT and central support services.
Core Activity | Description | Impact |
---|---|---|
Enterprise Resource Planning (ERP) System | A system for recording and processing accounting data: revenues, expenses and cost information. | |
Financial Reporting System & Reporting | The process and system for generating financial statements and related reports. | |
Human Resources & Payroll Management System | Recording employee information; calculating salaries, benefits and taxes. | |
Information Technology Infrastructure | Network services, primary backup systems, encryption and security maintenance. | |
Upon the occurrence of a system failure, the emergency recovery team shall undertake the following actions:
5.1 Immediate Notification
Operational personnel shall report the incident to the primary responsible officer immediately upon detection.
5.2 Appointment of Backup Team Leader
If the primary officer is unavailable, a designated backup manager shall assume leadership and decision-making authority.
5.3 Site Safety Verification
Confirm that the work area is safe before entry, ensuring that electrical hazards are isolated and that fire-suppression gas systems pose no risk.
5.4 Preliminary Damage Assessment
Inspect affected equipment, files and backups to estimate the time and resources required for recovery.
5.5 Engagement of External Services
Coordinate with DR Cold-Site providers, cloud-backup services, and any necessary hardware vendors.
5.6 Resource Planning and Allocation
Define the sequence of recovery steps and establish time-frame objectives (RTO/RPO) in accordance with organizational policy.
5.7 Initiation of Recovery Procedures
Execute recovery in line with the backup plan or by leveraging standby systems (Short-term Plan / Backup-driven Recovery).
Monitor progress continuously until the system is restored to its target operational state.