[G4-EC7], [G4-EC8] TIM pays attention to Business Continuity1 a key element for protecting the value and reputation of the Group in delivering its services/products and in full compliance with the terms of its contracts with customers, industry regulations and, more generally, in accordance with the relevant international methodologies and standards.
At Group level, TIM adopts a Business Continuity Management System (BCMS) as a control and management model for the operational continuity of the processes also through prevention activities, considering both the technological aspects (IT systems, networks, facilities, etc.) and the organizational ones ( Human Resources, contractual constraints, logistical aspects, etc.).
The BCMS follows the indications contained in the international standard of reference for Business Continuity, namely ISO 22301, which emphasises, inter alia, the importance of:
- understanding the needs of the organisation and stakeholders in terms of Business Continuity;
- implementing and operating the controls and measures needed to manage the company’s capacity to deal with interruptions in operation due to accidental causes;
- monitoring and reviewing the performance and effectiveness of the business continuity management system;
- disseminating the Business Continuity culture;
- managing communications between the parties involved regarding Business Continuity themes.
The BCMSis based on the Plan-Do-Check-Act Deming Cycle and is broken down into four phases: Governance & Planning (Plan), Execution (Do), Performance Evaluation (Check) and Improvement (Act).
At the Governance&Planning stage, the Group examines the relevant context, identifying the needs of the Company and its Stakeholders, as well as the contractual/regulatory constraints on Business Continuity. Based on these elements and the Risk Tolerance and Risk Appetite, the Company determines the scope of the Policy and the main strategic objectives for Business.
Continuity. This preliminary analysis goes on to identify the processes/services that are most important for the Company and the resources supporting the ongoing availability of these processes and services. The activities carried out at this stage allow a Business Continuity strategy to be devised that guarantees an appropriate response for each process and service, in terms of operating levels and acceptable recovery times during and after a damaging event.
This stage includes, inter alia:
- the Business Impact Analysis (BIA), which is an assessment of the impact on the business where significant events occur that may affect business activities and the delivery of services.
- the Risk Assessment (RA), according to the model adopted in the ERM and aimed at identifying and assessing threats that may affect corporate assets, making them unavailable for a more or less long period of time;
- identification of the Risk Profile resulting from the BIA/RA joint assessment;
- the Business Continuity strategies following the Risk Profile analysis based on the Costs/ Benefits evaluation.
The execution phase involves approving the Business Continuity strategy, and the respective budget, allowing the executive stage to be launched, with the development of Risk Treatment and Business Continuity Operational Plans. The respective planning is carried out by the operational departments, each to the extent of its responsibilities, while the ERM carries out checks to verify the consistency between the operational plans and the Business Continuity Strategic Plan, particularly in order to standardise and correlate mitigation activities throughout the company processes involved.
An overall analysis of the performances of the BCMS (Performance Evaluation stage) is planned at least annually, in particular analysing:
- actual data (incident history) regarding recovery times and economic impacts of events;
- operational test data;
- internal assessments;
The Performance Evaluation is used to identify any corrective actions to be undertaken (e.g. specific initiatives for risk prevention, procedural reviews, etc.). The Improvement phase obtains the results of the Performance Evaluation phase and any corrective actions to be taken are defined. These are then presented to the Company’s Executive Directors for a periodic Management Review.
In this phase the Company’s Executive Directors:
- examine and verify the BCMS’s suitability level based on the Performance Evaluation, in agreement with any requirement or regulatory developments;
- assess and approve any corrective actions.
The possible corrective actions to be taken, the policies and the objectives of Business Continuity result in the continuous improvement of the BCMS.
1 “Business continuity” is understood to mean the ability to ensure continuity of service, based on predefined and acceptable levels, following a disruptive incident.