Continuity Policy

Introduction

 Sociedad de Gestión de los Sistemas de Registro Compensación y Liquidación de Valores, S.A.U (hereinafter "IBERCLEAR"), as a company of the Bolsas y Mercados Españoles Group (hereinafter BME), participates in the BME Group. Business Continuity management system. In addition, in compliance with Regulation 909/2014 of the European Parliament, of July 23, 2014 (CSDR) and its implementing regulations IBERCLEAR, within the framework of the BME Group continuity management system, has established, applies and maintains an adequate continuity strategy of its activity and recovery in case of a disaster aimed at guaranteeing the preservation of its functions, the opportune recovery of the operations and the fulfilment of its obligations.

In this regard, IBERCLEAR, in line with the BME Group Business Continuity Policy and in compliance with the aforementioned CSDR, incorporates into its Business Continuity Policy all the elements of the BME Group Business Continuity Policy as well as the specifications of its management scope.

BME Group Continuity Policy

Purpose

The overall objective of the Business Continuity of BME is to make the necessary preparations and plan a sufficient set of procedures to adequately respond to the appearance of a harmful incident, from the moment such is declared until the full recovery of normality in the different business activities, minimising the impact caused to the operations.

Business Continuity Principles.

The BME Group Business Continuity Policy is based on a set of principles that have been formulated taking into account the business needs of the BME Group companies and with a high degree of knowledge of the risks associated with them. These principles are:

1. The primary objective is the protection and safety of personnel, both under normal operating conditions and in a contingency situation.

2. BME Management will be responsible for managing the key risks to the continuity of the processes considered critical by the Organisation.

3. Attempt to minimise the impact that could be derived from any emergency situation on services identified as critical, or their level of provision.

4. Return the affected location to normal as soon as possible having mitigated the consequences of the harmful incident.

5. BME will guarantee that the BME Group Business Continuity Plan, as well as the corresponding Technical Disaster Recovery Plans, are developed and implemented in an appropriate manner, taking into account the identified critical services and processes and using the evaluation of the risks, their probability and impact as a point of reference.

6. BME will keep its Business Continuity Plan and the Technical Disaster Recovery Plans updated at all times, for which it will carry out regular reviews and whenever a significant change occurs that could affect them.

7. BME undertakes to periodically test its Business Continuity Management System to ensure its suitability to the needs of the BME group and to adapt it whenever necessary in view of the results of said tests.

8. BME will guarantee that all personnel involved in both the Continuity Plan and the Technical Disaster Recovery Plans are informed of their responsibilities within the framework of Business Continuity, through training, dissemination and testing.

9. BME will ensure that critical processes/services are recovered within the timeframes stipulated in the Business Continuity Plan.

10. BME will guarantee the preparation of the corresponding Continuity Procedures, among which are the internal and external communication plans, and to keep them updated through regular reviews.

11. BME will regularly review the correct functioning of the Business Continuity Management System as well as its testing system and the alignment thereof with this Business Continuity Policy.

IBERCLEAR Continuity Policy

In compliance with the provisions set forth in the CSDR and in the implementation of BME's Business Continuity Policy, IBERCLEAR has assumed the BME Group Business Continuity Policy as its own as well as all the Continuity Principles established therein, with the following specialities derived from the supervised activity that it performs.

Responsabilities

In order to coordinate the Business Continuity Principles, the BME Group has created a structure at various levels and has established the responsibilities assigned to each of them.

Board of Directors

The Board of Directors is the most senior body responsible for ensuring the effectiveness and adequacy of the BME Group's Business Continuity.

Management Committee

It is the highest level executive body within the BME Group and the main body responsible for the management of the Group's Business Continuity.

Continuity and Risk Committee

It is the body in charge of coordinating the Business Continuity within the BME Group and which main responsibility is Oversee the application of this Business Continuity Policy, as well as to review it annually, propose any modifications it deems necessary, and submit them to the Management Committee for approval. Likewise, the Continuity and Risks Committee will ensure the Business Continuity Policies of the Group companies that, by virtue of the regulations that apply to them, must have a Business Continuity Policy that adapts to and complements the BME Group Business Continuity Policy.

Continuity Supervisor

The Continuity Supervisor is the main executing figure of the Continuity and Risks Committee and the main responsibilities are:

• Coordinate with the technical departments responsible for the changes to the systems and communications that may affect critical systems or processes/recovery procedures to detect any necessary changes in the Business Continuity Plan.
• Perform and update the Business Continuity Plan and the Continuity Procedures, at least on an annual basis, and submit them before the Continuity and Risk Committee for approval.
• Design, programme, coordinate and document the test plan of the Business Continuity Management System.
• Inform the Continuity Committee of the results of the Business Continuity Management System tests and the results of the annual audit of the same and propose any changes it considers appropriate in light of said results.
• Evaluate the impact of the activation of the Business Continuity Plan for both the BME Group and any involved third parties.
• Monitor and document all the circumstances and decisions taken during a crisis situation to create a knowledge base that can be used to analyse the execution of the Business Continuity Plan and to propose any possible improvements to it.

Continuity Representatives

The Continuity Representatives will be responsible for coordinating the Business Continuity function within each of the BME Group Companies. Their main duties is to keep the Board of Directors of the Group company they are responsible for informed of any relevant situation that affects business continuity or any relevant issue dealt with by the Continuity and Risks Committee.

 

Likewise, in order to articulate these Principles of Business Continuity, IBERCLEAR has a structure at various levels with specific responsibilities assigned to each of them:

The Board of Directors

The Board of Directors of IBERCLEAR, the body responsible for approving IBERCLEAR's Business Continuity Policy and the Business Continuity Plan, as established in article 6, section 2.m) of the Regulations of the Board of Directors.

Likewise, it is responsible for ensuring the correct management of business continuity within the Company, in coordination with the bodies entrusted with the management of business continuity within the BME Group, of which IBERCLEAR is a part.

Risk Committee

The Board of Directors will have the Risk Committee which, as an advisory committee of this body on the current and future global strategy and appetite of the Company with regard to risk, will advise the Board of Directors on the Business Continuity Policy of IBERCLEAR and the Business Continuity Plan prior to its approval.

Chief Risk Officer or CRO

When defining business continuity as part of the Company's risks, the IBERCLEAR Chief Risk Officer assumes the role of the Company's Continuity Representative, thus becoming responsible for coordinating the Business Continuity provisions within IBERCLEAR.

Their main duties in this area are: 

• Facilitate the compilation of requirements of and changes to the critical systems of IBERCLEAR.
• Represent and safeguard the interests of IBERCLEAR within the Continuity and Risks Committee of the BME Group.
• Keep the Board of Directors of IBERCLEAR informed of any relevant situation that affects business continuity or any relevant issue dealt with in the Continuity and Risks Committee.

Critical processes and recovery objectives

IBERCLEAR has defined the recovery time objective (RTO) for each of its processes and essential functions.      

Procesos críticos/esenciales	RTO
Notary service	2h
Central maintenance   service	2h
Settlement service	2h
RENADE services	45m
PTI (Gestión del   Sistema de Información)	2h
Links service	2h

Resources and recovery strategy

IBERCLEAR has all the necessary means to ensure the recovery of its services and essential functions within the established target recovery times.

The main strategy established by IBERCLEAR to ensure the continuity of its essential functions, and therefore the continuity of its business, is to ensure the redundancy of all those elements that support the critical functions of the Company. Essentially:

 Provision of an alternative work centre with sufficient capacity to host the functions required by IBERCLEAR, to which workers can move at an appropriate time.

• Geographically diversified Data Processing Centres that allow the recovery of all functions within the stipulated target times.
• Availability of workstations with remote access capability for all personnel considered as critical.
• Training of personnel to carry out tasks under critical business conditions.

IBERCLEAR has developed and continuously updates the different Continuity Procedures (communication, activation, transfer to the alternative centre, etc.) established in the provisions applicable in case of an emergency and which are included in the Business Continuity Plan.