ORANGE ROMANIA S.A.

Internal Audit & Quality Department

BUSINESS CONTINUITY PLAN

PROCEDURE

Reference: OR/016/QD Version: 1.1 Pages: 33

AUTHOR (S)
Function Name Signature Date
Quality Coordinator Nicolae CHIRTAS

QUALITY REVIEW
Function Name Signature Date
IT Quality Coordinator Mircea VASILESCU
TD Quality Supervisor Ionut STAN
Quality and O&M Methods Manager Dan BACIU

APPROVED BY
Function Name Signature Date
IT Director Grigore FLORESCU
Technical Director Daniel LAVINA
Internal Audit & Quality Manager Mariana POPA
Orange Romania Executive Director Richard MOAT

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 3 of 33

CONTENT

1. PURPOSE.................................................................................................................................................. 5

2. APPLICATION DOMAIN............................................................................................................................ 5

3. DOCUMENT SUPPORT............................................................................................................................ 5

4. REFERENCES........................................................................................................................................... 5

5. DEFINITIONS & ABBREVIATIONS........................................................................................................... 5

6. ACKNOWLEDGEMENT OF CONTRIBUTION.......................................................................................... 6

7. PROCESS INITIATION AND MANAGEMENT..........................................................................................6

7.1 ORANGE GROUP POLICY STATEMENT............................................................................................. 6
7.2 ORANGE ROMANIA BUSINESS CONTINUITY PROGRAMME............................................................7
8. BUSINESS CONTINUITY PROCESS........................................................................................................ 7
8.1 ASSESSMENT OF BUSINESS RISK AND IMPACT OF POTENTIAL EMERGENCIES........................7
8.1.1 Emergency Incident Assessment..................................................................................................... 7
8.1.1.1 Environmental Disasters................................................................................................................................ 7
8.1.1.2 Organised and / or Deliberate Disruption.......................................................................................................8
8.1.1.3 Loss of Utilities and Services......................................................................................................................... 9
8.1.1.4 Equipment or System Failure.......................................................................................................................10
8.1.1.5 Serious Information Security Incidents.........................................................................................................10
8.1.1.6 Other Emergency Situations........................................................................................................................ 11
8.1.2 Possible Emergency Events – Probability, Impact and existing Controls:.....................................12
8.1.3 Business Impact Analysis.............................................................................................................. 13
8.1.3.1 Core Business Functions and agreed RTO’s:..............................................................................................14
8.1.3.2 Equipment and work area requirements:.....................................................................................................14
8.1.4 IT and Communications................................................................................................................. 15
8.1.4.1 Specification of IT and Communications Systems.......................................................................................15
8.1.4.2 Application / Core Business Functions Matrix..............................................................................................16
8.1.4.3 Key IT Personnel and Emergency Contact Information:..............................................................................17
8.1.4.4 Key IT and Communications Suppliers and Maintenance Engineers:.........................................................17
8.1.4.5 Existing IT Recovery Procedures.................................................................................................................17
8.1.5 Existing Emergency Procedures.................................................................................................... 17
8.1.5.1 Summary of Existing Procedures for Handling Emergency Situations........................................................17
8.1.5.2 Key Personnel Responsible for Handling Existing Emergency Procedures................................................17
8.1.5.3 External Emergency Services and Contact Numbers..................................................................................18
8.1.6 Premises Issues............................................................................................................................ 18
8.1.6.1 Responsibility and Authority for Building Repairs........................................................................................18
8.1.6.2 Back-up Power Arrangements.....................................................................................................................19
8.2 PREPARING FOR A POSSIBLE EMERGENCY..................................................................................19
8.2.1 Back-up and Recovery Strategies................................................................................................. 19
8.2.1.1 GSM Network Recovery Strategy................................................................................................................19
8.2.1.2 Alternative Business Process Handling Strategy.........................................................................................20
8.2.1.3 IT Systems Back-Up and Recovery Strategy...............................................................................................20
8.2.1.4 Insurance Coverage..................................................................................................................................... 21
8.2.2 Key BCP Personnel and Suppliers................................................................................................ 21
8.2.2.1 Functional Organisation Chart.....................................................................................................................22
8.2.2.2 BCP Project Co-ordinator for each Key Functional Area (Department).......................................................22
8.2.2.3 Key Personnel and Emergency Contact Information...................................................................................23
8.2.2.4 Key Suppliers and Vendors and Emergency Contact Information (see APPENDIX 3)...............................23
8.2.2.5 Manpower Recovery Strategy......................................................................................................................23
8.2.2.6 Establishing the Disaster Recovery Team...................................................................................................24
8.2.2.7 Establishing the Business Recovery Team..................................................................................................24
8.3 DISASTER RECOVERY PHASE.......................................................................................................... 25

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 4 of 33

8.3.1 Planning for Handling the Emergency...........................................................................................25

8.3.1.1 Identification of Potential Disaster Status.....................................................................................................25
8.3.1.2 Involvement of Emergency Services............................................................................................................25
8.3.1.3 Assessing Potential Business Impact of the Emergency.............................................................................26
8.3.1.4 Project Management Activities.....................................................................................................................26
8.3.2 Notification and Reporting During Disaster Recovery Phase.........................................................26
8.3.2.1 Notification to Management and Key Employees........................................................................................26
8.3.2.2 Handling Personnel Families Notification.....................................................................................................26
8.3.2.3 Handling Media during the Disaster Recovery Phase.................................................................................26
8.3.2.4 Maintaining Event Log during Disaster Recovery Phase.............................................................................27
8.3.2.5 Disaster Recovery Phase Report.................................................................................................................27
8.4 BUSINESS RECOVERY PHASE.......................................................................................................... 27
8.4.1 Managing the Business Recovery Phase......................................................................................27
8.4.1.1 Mobilising the Business Recovery Team.....................................................................................................27
8.4.1.2 Assessing Extent of Damage and Business Impact.....................................................................................27
8.4.1.3 Preparing Specific Recovery Plan................................................................................................................27
8.4.1.4 Monitoring Progress..................................................................................................................................... 27
8.4.1.5 Keeping Everyone Informed.........................................................................................................................28
8.4.1.6 Handing Business Operations Back to Regular Management.....................................................................28
8.4.1.7 Preparing Business Recovery Phase Report...............................................................................................28
8.5 TESTING THE BUSINESS CONTINUITY PROCESS..........................................................................28
8.6 MAINTENANCE OF THE PLAN........................................................................................................... 28
8.7 AUDITING THE PLAN.......................................................................................................................... 29
9. QUALITY RECORDS............................................................................................................................... 29

10. MODIFICATION HISTORY...................................................................................................................... 29

11. APPENDIX............................................................................................................................................... 29
11.1 APPENDIX 1: THE FILED BIA QUESTIONNAIRES AND THE LIST OF ORANGE CORE BUSINESS FUNCTIONS:
29
11.2 APPENDIX 2: KEY IT PERSONNEL AND EMERGENCY CONTACT CALL LIST:..........................................29
11.3 APPENDIX 3: KEY TD, IT AND COMMUNICATIONS SUPPLIERS AND MAINTENANCE ENGINEERS..............30
11.4 APPENDIX 4: EMERGENCY AND SECURITY KEY PERSONNEL CALL LIST:..............................................30
11.5 APPENDIX 5: LIST OF MAIN ORANGE INSURANCE POLICY’S:................................................................31
11.6 APPENDIX 6: LIST OF KEY PERSONNEL AND EMERGENCY CONTACT INFORMATION, BY DEPARTMENTS: 31
11.7 APPENDIX 7: CRISIS EVENT LOG....................................................................................................... 33

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 5 of 33

1. PURPOSE
The purpose of this Business Continuity Plan is to provide an effective, fit-for-purpose, predefined and
documented framework and process to enable the Business Continuity Management of the company’s Mission
Critical Activities and their dependencies.

2. APPLICATION DOMAIN
The plan applies to entire Orange Romania.

3. DOCUMENT SUPPORT
The original of procedure is to be found within QUALITY WEB Site in electronic format (http://quality ).

4. REFERENCES
 OR/015/QD – Crisis Management Plan Procedure
 IT/425/IT – IT Crisis Management Plan
 TD/601/PC – TD Crisis Management / Escalation Procedure
 OR/428/IT – Information Technology Security Policy Procedure
 OR/208/FD – Security Procedure.
 OR/422/IT – Recovery Plan for Europe House site
 OR/424/IT – IT Disaster Recovery Plan for FEPER site
 TD/6208/PC – TD Disaster Recovery Plan for Pasteur site
 TD/6212/PRO – BSS Crisis Management Methods
 TD/6209/PRO – TRANS Methods as support for BSS & NSS Crisis
 TD/6210/PRO – TRANS Crisis Management Methods
 TD/6211/PRO – NSS Crisis Management Methods
 TD/6208/PC – Disaster Recovery Plan for Pasteur Site
 TD/6213/O&M – VAS Crisis Management Methods
 TD/6219/DN – DN Crisis Management Methods
 TD/6042/O&M – Fire Prevention in MSC Sites.
 OR/116/CSD – CSD Crisis Management Plan
 OR/206/FD – Health & Safety Procedure
 Business Continuity Planning “in a box” – best practice information pack (Orange UK)

5. DEFINITIONS & ABBREVIATIONS

Crisis - Extreme threat to an organization, which has the potential for significant negative results to important
organizational values, functions and services.
This threat could result in major damage to the organization’s employees, products, services, profitability and
reputation. A crisis can escalate and become a disaster.

Disaster - Any accidental, natural or malicious event which threatens or disrupts normal operations, or
services, for sufficient time to affect significantly, or to cause failure of, the enterprise

Crisis Management Team - a support group made up of representatives of key sub departments which may be
called upon to provide emergency support in times of major crises.

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 6 of 33

Disaster Recovery Team - a group of specialists who have previously been nominated as being able to assist
in dealing with the initial emergency.

Business Recovery Team – a group of specialists, technicians and operations staff led by a senior member of
the Orange management who are charged with implementing the necessary recovery procedures once a
serious emergency has occurred.

Crisis Operations Center (COC) - the central location endowed with adequate communications and
operational means from which crisis management operations are directed.

Core Business Processes - Critical business activities or functions, which (if interrupted or
unavailable for a sustained period of time) could jeopardize the business's ability to operate.
(Core Business Processes are also known as Critical Business Functions).

Business Impact Analysis (BIA) - The process that analyzes all business processes then
measures the quantitative and/or qualitative impact that specific events may have on business.

Damage Assessment - Following a disaster, this is the process of assessing damage to Orange’s
employees, products, services, financial condition and reputation.

Recovery Time Objective (RTO) - The maximum period of time a given resource or function
can be unavailable before business sustains unacceptable consequences (e.g. financial losses,
lowered customer service levels).

Mitigation - Activities eliminate or reduce the probability of a disaster’s occurrence.

Response: Activities provide emergency assistance for casualties and help reduce further damage or help to
speed recovery operations.

Recovery: Activities, both short and long term, help to return conditions to normal or improved levels. During
the recovery operations, actions are taken to minimize recurrence of the disaster or lessen its effects if
prevention is not possible.

 BCM = Business Continuity Management

 BCP = Business Continuity Plan
 CMP = Crisis Management Plan
 DRT = Disaster Recovery Team
 BRT = Business Recovery Team

6. ACKNOWLEDGEMENT OF CONTRIBUTION
We would like to acknowledge the contribution of Mircea VASILESCU, Ionut STAN, Radu DUMITRU, Irina
ENACHE, Cristina SAULESCU and Florin TOCA – all members of Orange Romania Quality Team, to the
development of this procedure.

7. PROCESS INITIATION AND MANAGEMENT

7.1 ORANGE GROUP POLICY STATEMENT

“It is the policy of Orange to ensure the continuity of its operations even when they are impacted by a disastrous
event. This is achieved by the implementation of a Group wide Business Continuity Programme at Orange for
the business functions, the technical components of the network, and its supporting infrastructure.

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 7 of 33

Orange recognizes the business necessities for investment in a cost effective Business Continuity Programme
throughout the Group and appreciates that effective Business Continuity management is also good business
practice. As such, Orange encourages pro-active management of potential impact to the company before these
impacts become reality.

Orange recognizes that the primary responsibility for the organization of Business Continuity rests its CEO,
Directors and management teams, but it also recognizes that every employee has a responsibility to cooperate,
at various levels, with the definition, implementation, testing and maintenance of the Business Continuity
Programme”.

7.2 ORANGE ROMANIA BUSINESS CONTINUITY PROGRAMME

The Programme is coordinated by existing Quality Team of Orange and the Project Coordinator was
appointed by Orange Romania Executive Director.

The Quality Coordinators/Supervisors act as Business Continuity Management Coordinators using their
business knowledge, experience and expertise to coordinate the business continuity efforts of their on-site
business units in liaison with local management and the Site Crisis Management Team.

Business Unit Manager: It is the responsibility of the manager of each individual business unit to provide an
effective “fit for purpose” BCM capability for their specific business unit.

Crisis Management Team: a support group made up of representatives of key sub departments which may be
called upon to provide emergency support in times of major crises by implementing the BCM..

8. BUSINESS CONTINUITY PROCESS

8.1 ASSESSMENT OF BUSINESS RISK AND IMPACT OF POTENTIAL EMERGENCIES

8.1.1 Emergency Incident Assessment

A key part of the BCP development process is to review the types of disruptive events that can affect the
normal business process. There are many potential disruptive events and the impact and probability level
must be assessed. It is therefore, necessary to consider each potential disruptive threat and a list is included
in this section to assist with this process.

8.1.1.1 Environmental Disasters

 Flood
Floods result from thunderstorms, tropical storms, snow thaws or heavy and prolonged rainfall causing
rivers to overflow their banks and flood the surrounding areas. Floods can seriously affect buildings and
equipment causing power failures and loss of facilities and can even result in injury or death.

 Snowstorm
Snowstorm conditions can include blizzards, strong winds, freezing temperatures with significant amounts of
snow. Snow and ice can impact power and communications and employees may be unable to travel to work
due to the impact on public transport or road conditions. It is possible for buildings to collapse under the
weight of snow and injuries or even death could occur through freezing temperatures and icy conditions.

 Earthquake

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 8 of 33

Earthquakes are caused by a shifting of the earth's rock plates beneath its surface resulting in violent
shaking and movement of the earth's upper surface. Severe earthquakes can destroy power and
communication lines and disrupt gas, water and sewerage services. Significant damage to structures can
occur including total collapse of buildings, bridges or other elevated structures. Earthquakes can also bring
landslides, damage to dams, and aftershocks and resulting damage can hinder rescue efforts. In addition to
being trapped in a collapsing building, of particular danger to human life is the possibility of falling glass or
other objects.

 Electrical storms
The impact of lightning strikes can be significant. It can cause disruption to power and can also cause fires.
It may also damage electrical equipment including computer systems. Structural damage is also possible
through falling trees or other objects.

 Fire
Fires are often devastating and can be started through a wide range of events which may be accidental or
environmental. Deliberate fires caused through arson are dealt with in topic 7.1.1.2. The impact on the
business will vary depending on the severity of the fire and the speed within which it can be brought under
control. A fire can cause human injury or death and damage can also be caused to records and equipment
and the fabric or structure of premises.

 Subsidence and Landslides

Subsidence and landslides are often caused through a change in the composition of the earth's surface.
This change can often result from flooding, where flowing water can create cavernous open areas beneath
structures. Subsidence or landslides can cause structural damage and can also disrupt transport services
and affect travelling conditions.

 Freezing Conditions
Freezing conditions can occur in winter periods and the effects can be devastating. Where temperatures fall
in excess of - 30( Centigrade they can create conditions which significantly disrupt businesses and even
cause death or injury. Businesses and homes can be seriously affected through burst pipes, inadequate
heating facilities, disruption to transportation and malfunctioning equipment. Work undertaken outside of
buildings in the open environment will obviously be seriously affected.

 Epidemic
An epidemic can occur when a contagious illness affects a large number of persons within a country or
region. This can have a particularly devastating short term impact on business through a large number of
persons being absent from work at the same time. Certain illnesses can have a longer term effect on the
business where long term illness or death results.

8.1.1.2 Organised and / or Deliberate Disruption

 Act of terrorism
Acts of terrorism include explosions, bomb threats, hostage taking, sabotage and organised violence.
Whether this is perpetrated through a recognised terrorist organisation or a violent protest group, the effect
on individuals and business is the same. Such acts create uncertainty and fear and serve to de-stabilise the
general environment.

 Act of Sabotage
An act of sabotage is the deliberate serious disruption of an organisation's activities with an attempt to
discredit or financially damage the organisation. Business will often be immediately and seriously affected
by successful acts of sabotage. This can affect the normal operations and also serve to de-stabilise the

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 9 of 33

workforce. An internal attack on the IT systems through the use of malicious code can be considered to be
an act of sabotage.

 Theft
This hazard could range from the theft of goods or equipment to the theft of money or other valuables. In
addition to possibly financially damaging the organisation, theft can cause suspicion and uncertainty with the
workforce where it may be believed that one or more of them could have been involved.

 Arson
Arson is the deliberate setting of a fire to damage the organisation's premises and contents. As this can
cause both loss of premises and loss of goods and other assets, this can be highly disruptive to the
organisation.

 Labour Disputes / Industrial Action

This disruptive threat is the withdrawal of labour or working to rule usually organised by a union to which
employee groups may belong. It can follow a dispute between the workers and the management of a
company which has not been resolved. A withdrawal of labour is often accompanied by picketing across the
entrance of the company's premises to try to discourage anyone from entering. This sort of action is highly
disruptive to the business and normally results in a shutdown of the business until the dispute is resolved.

8.1.1.3 Loss of Utilities and Services

 Electrical power failure

All organisations depend on electrical power to continue normal operations. Without power the
organisation's computers, lights, telephones and other communication medium will not be operational and
the impact on normal business operations can be devastating. All organisations should be prepared for a
possible electrical power failure as the impact can be so severe. Data can be lost, customers can be lost
and there can be a serious impact on revenue. Pre-planning is essential as a regional outage can cause a
shortage of back up electrical generators. Consideration should be given to installing UPS systems to avoid
brownouts.

 Loss of gas supply

The loss of gas supply can be extremely serious where the business relies on gas to fuel either its
production processes or provide heating within its premises. The impact that a loss of gas supply can have
on the production process can result in the whole process shutting down. The impact on the organisation will
also be particularly acute where the loss of gas-fired heating could render the premises unusable during
periods of low external temperatures.

 Loss of water supply

The loss of the water supply is likely to close down a business premises until the supply is restored. Where
the water is used in the production process this is particularly serious. The loss of water supply is also a
health and safety issue as minimum sanitary needs cannot be met. This is often caused through a fault in a
water supply route or as a result of a particularly severe drought.

 Petroleum and oil shortage

For most countries in the world, a petroleum shortage can occur at any time. This has a serious impact on
businesses as rationing is likely to be imposed immediately affecting transportation and the normal
operations of diesel or petrol fuelled machinery. For example, this type of shortage can be caused by a
sudden reduction in production output imposed by one of the OPEC members. It could also be caused
through the short-term failure of a refinery, thereby affecting output of particular grades of fuel.

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 10 of 33

 Communications services breakdown

Most businesses are fully dependent upon their telecommunications services to operate their normal
business processes and to enable their networks to function. A disruption to the telecommunications
services can result in a business losing revenue and customers. The use of cell-based telephones can help
to alleviate this but the main reliance is likely to be on the land based lines.

8.1.1.4 Equipment or System Failure

 Internal power failure
An internal power failure is an interruption to the electrical power services caused through an internal
equipment or cabling failure. This type of fault will need to be repaired by a qualified electrician and delays
will inevitably impact on the business process. Where particularly serious faults have occurred, such as
damage to main cables, the repairs could take some time and could have a severe effect on the business.

 Air conditioning failure

An air conditioning (AC) failure could have serious consequences where the AC unit is protecting particularly
sensitive equipment such as a main computer processing unit, and the rise in temperature could cause the
equipment to fail and be damaged. It can also affect the workforce as conditions in buildings can become
extremely uncomfortable with a significant rise in temperatures and where the staff are adversely affected.
Portable AC equipment may possibly be used as back up.

 Equipment failure (excluding IT hardware)

All businesses rely on a whole range of different types of equipment in order to run their business
processes. In many cases, it is possible to move to alternative processes to enable the business processes
to continue but this requires considerable planning and preparation.

8.1.1.5 Serious Information Security Incidents

 Cyber crime
Cyber crime is a major area of information security risk. It includes attacks by hackers, denial of service
attacks, virus attacks, hoax virus warnings and premeditated internal attacks. All cyber crime attacks can
have an immediate and devastating affect on the organisation's normal business processes. The average
cost of an information security incident has been estimated at US$30,000 and over 60% of organisations are
reported to experience one or more incidents every year.

 Loss of records or data

The loss of records or data can be particularly disruptive where poor back up and recovery procedures
result in the need to re-input and re-compile the records. This is normally a slow process and is particularly
labour intensive. This can result in an increase in costs through additional working hours and a great deal of
embarrassment where information is unexpectedly not available.

 Disclosure of sensitive information

This is a serious information security incident which can result in severe embarrassment, financial loss, and
even litigation where damage has been caused to someone's reputation or financial standing. Further types
of serious disclosure involve secret patent information, plans and strategic directions, secret recipes or
ingredients, information disclosed to legal representatives etc. Deliberate unauthorised disclosure of
sensitive information is also referred to as espionage.

 IT system failure
With the almost total level of dependence on IT systems within the vast majority of businesses, a failure to
these systems can be particularly devastating. The types of threats to computer systems are many and

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 11 of 33

varied, including hardware failure, damage to cables, water leaks and fires, air conditioning system failures,
network failures, application system failures, telecommunications equipment failures etc.

8.1.1.6 Other Emergency Situations

 Public transportation disruption
Disruption to public transport has a major effect on businesses through the inability of employees to get to
their normal place of work. This disruption can be caused through major accidents, industrial action,
equipment failure, bad weather conditions and major preventative repairs. Difficult travelling conditions
increase absenteeism as well as lower morale and productivity.

 Neighbourhood hazard
A neighbourhood hazard is defined as a disruptive event in the close vicinity which directly or indirectly
affects your own premises and employees. An example would be a seepage of hazardous waste from a
neighbouring factory or the escape of toxic gases from a local chemical plant.

 Health and Safety Regulations

For organisations that do not properly and fully observe all the necessary Health and Safety Regulations, a
complaint or an inspection can result in the operation being completely closed down until the situation is
corrected. This could result in substantial delays on major projects with significant financial implications.
Organisations should ensure that they meet the necessary regulations and requirements at all times.

 Mergers and acquisitions

Mergers and acquisitions can be extremely de-stabilising on the employees of both businesses involved.
Employees may be uncertain about how they will be affected or even whether they are about to lose their
jobs. Unless well managed, the effect on the staff could be considerable with a dramatic lowering of morale
and productivity.

 Negative publicity
Unfavourable press comments can result in a lowering of employee morale or a loss of customers. Any
company can suffer from negative publicity and an internal crisis is best resolved from within, prior to the
media feeding of the uncertainties and disputes. Reports may also be inaccurate, particularly where reliable
information is not available, and therefore, well-worded press statements may be issued to quieten down
adverse reports. Information can be leaked to the press from disgruntled employees and industry
competitors.

 Legal problems
Legal problems are both time consuming and expensive. Organisations can experience a wide range of
legal issues including sexual harassment, contract disputes, copyright disputes, health and safety
regulations and discrimination. It is important that organisations are fully aware of their legal duties and the
rights of their employees.

Each of the above scenarios needs to be developed and examined in detail and an analysis prepared of the
consequences of each potential scenario. Each scenario should also be assessed for possibility of
occurrence (probability rating) and possible impact (impact rating):

PROBABILITY RATING IMPACT RATING

SCORE LEVEL SCORE LEVEL

1 VERY HIGH 1 TERMINAL

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 12 of 33

2 HIGH 2 DEVASTATING

3 MEDIUM 3 CRITICAL

4 LOW 4 CONTROLLABLE

5 VERY LOW 5 IRRITATING

8.1.2 Possible Emergency Events – Probability, Impact and existing Controls:

Environmental disasters:
Probability Impact Control
Flood 5 4 Orange Sites located in secured areas of the cities.
Snowstorm 3 4 Idem.
Earthquake 3 3 The main buildings are verified and certified.
Electrical Storms 3 5 Buildings, Antennas protected (grounded).
Fire 4 2 Buildings, Sites fire-protected and monitorised
continuously by Facilities and Technical Dep.
Subsidence and Landslides 5 3 The main buildings are verified and certified.
Freezing Conditions 5 4 Temperature Control for all offices.
Epidemic 5 3 “Medicover” and “CM Unirea” Contracts for employees
health control in Europe House and Pantelimon sites,
OR/211/FD – Procedure.

Organised and/or deliberate Disruption:

Probability Impact Control
Act of Terrorism 5 2 Security Procedure: OR/208/FD.
Act of Sabotage 5 3 Internal Fraud clauses included in Internal Regulation.
Theft 5 4 Security Procedure: OR/208/FD.
Arson 5 2 Security Procedure: OR/208/FD.
Labour Disputes 5 5 Internal Communication, HR Processes.

Loss of Utilities and Services:

Probability Impact Control
Electrical Power Failure 4 4 UPS and diesel generators back-ups for main
systems.
Loss of Water Supply 4 5 NO
Petroleum and Oil Shortage 5 4 NO
Communications Services 5 4 Orange Network usage, re-routing procedures.
break-down

Equipment or System Failure:

Probability Impact Control
Internal Power Failure 3 4 UPS and maintenance processes.
Air Conditioning Failure 3 5 Air Conditioning maintenance Procedure:
TD/630/PRO.
Equipment Failure (non IT) 4 3 O&M Procedures (TD).

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 13 of 33

IT security incidents:
Probability Impact Control
Cyber Crime 5 3 IT Security Procedures (OR/428/IT, OR/419/IT,
OR/407/IT, OR/406/IT)
Loss of records 5 2 IT/411/MIS Procedure.
Disclosure of sensitive 5 3 IT Security Policy: each employee must agree and
information sign a non-disclosure clause included in Work
Contract. OR/428/IT Procedure.
IT System Failure 5 3 IT maintenance procedures.

Other Emergency Situations:

Probability Impact Control
Public Transportation 3 4 Usage of company’s cars for critical positions.
disruption
Neighbourhood hazard 4 4 Security Procedure: OR/208/FD.
Health and Safety Regulations 5 3 Health & Safety Procedures, H&S Coordinator in
charge.
Mergers and acquisitions 5 4 Internal Communications.
Negative Publicity 5 4 PR and Communications group activity.
Legal Problems 4 5 Legal sub-department.

8.1.3 Business Impact Analysis

The Business Impact Analysis is the first step toward building a company-wide Business Continuity
Programme. The information outlined in this analysis provides the framework for implementing viable Business
Continuity Plans and processes that adequately support the requirements of the critical business functions and
critical technical services. The objectives of the BIA are to:
 Determine which business functions and technical services are critical to the daily operations of
Orange
 Determine the interdependencies between business functions.
 Quantify and qualify in financial and non-financial terms the impact to the business if critical business
functions are unable to operate after disaster.
 Establish Recovery Time Objectives (RTO) for each critical business function and technical services.
 Determine business functions requirements for applications and identify the associated recovery
profiles.
 Identify all equipment and work area requirements (desks, phones, personal computers, specialized
equipment, etc.)
 Evaluate findings and present recommendations.
 Present next steps.

For the Critical technical components of the GSM Network (TD) and support IT Business Functions the Impact
was considered major by default and the BCM process started already.

The Business Impact Analysis Process was performed using the Orange Group recommended methodology
and BIA Questionnaires.

The APPENDIX 1 shows the results of BIA for each Core Business (businesses with RTO<5 days) of Orange
Romania.

8.1.3.1 Core Business Functions and agreed RTO’s:

Department Sub-Department Business function RTO

Customer Service Activation & Dealers Activation 2 days
Dealers Support for Activation 2 days

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 14 of 33

Service Center Customer Care (Help Line - answers to the incoming calls) 1.5 days
Customer profile Changes (Problem Solving group) 0.5 days
Complaints Handling (Problem Solving Group) 1 day
Churn Loyalty (TRL group) 1 day
Retention (TRL group) 3 days
Credit (Fraud, Collection & Credit) 1 day
Fraud (Fraud, Collection & Credit) 1 day
Collection (Fraud, Collection & Credit) 5 days

Sales Retail Shop Sales (for a generic shop) 3 day

Support Credit Control "Agenti" 5 day
Key Accounts 5 day
Help Line -"Parteneri" 3 day
Logistics Sales Logistics 3 day

Financial Treasury Suppliers Payments 0.5 days

Facilities Security & Safety 1 day
Mailing & Errand 0.5 days

Purchasing Purchasing Purchasing Operations 4 days

8.1.3.2 Equipment and work area requirements:

CSD Core Business Processes

Customer
Customer profile Complaints Activation Dealers Loyalty Retention Credit Fraud Collection
Resources Care Changes Handling Support
Work
Station 170 19 20 36 22 20 12 9 16 12
Phone 170 19 20 36 22 20 12 9 16 12
Fax 4 1 1
Automatic
Fax 2 1 1 1 1
Fax Server 3 3
Printer 4 2 2 1 2 1 1 1 1
Scanner 1 1 1 1 1
Cesena
server 1
Air
conditioning 1 1 1 1 1

Sales Dep. Core Business Processes

Sales Logistics Orange Shop Partners Partners Credit Key Help Line
Resources Remuneration Control Accounts
Work Station 23 12 4 4 3 4
Phone 15 12 3 3 3
Server 1 2
Mobil Electro – 1 1
generator group

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 15 of 33

Printer 4 6 2 1 1 1
Fax 2 2 1 1 1+1 1
Scanner 5
Copier 1
UPS 5 3
Demo GSM with 2 2
IR (GPRS)
Laptop 4 1
Mobile Phone 11 15 4
Air Condition. 1
Car (courier) 2

Financial Department Core Business Processes

Resources Suppliers Payment Mailing & Errand Safety & Security Legal
Work Station 6 4 2
Phone 5 4
Data Line 1
Mobile Phone 1
Cross-connection

Purchasing Core Business Processes

Resources Purchasing Operations
Work Station 6
Printer 1
Phone 6
Fax 1
Mobile Phone 6
Laptop 1
Cars 3

8.1.4 IT and Communications

Of particular importance when considering business risks and the impact of potential emergencies is the
disruption to, and availability of, IT services and communications.

This section examines some of the issues to be considered when assessing the level of risk associated with
IT services and communications.

8.1.4.1 Specification of IT and Communications Systems

The basic sites information and the on-site inventories is included in the Site Structure chapters from Disaster
Recovery Plans at site level Procedures :
 IT Disaster Recovery Plan for Europe House site - OR/422/IT
 IT Disaster Recovery Plan for Pantelimon site - OR/423/IT
 IT Disaster Recovery Plan for FEPER site- OR/424/IT
 TD Disaster Recovery Plan for Pasteur site – TD/6208/PC

8.1.4.2 Application / Core Business Functions Matrix

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 16 of 33

CSD Core Business Processes

Customer
Customer profile Complaints Activation Dealers Loyalty Retention Credit Fraud Collection
Application Care Changes Handling Support
Jupiter * * * * * * * * *
Vantive * * * * * * * * * *
EPOS * *
EDP * * * * * *
PABX * *
Fax Servers * *
MS Outlook *
Fax & Data * *
applications
PPSROM *
ARS *
Local Access * * *
databases
Preventel *
Fraud Mng. *
System
CTI *

Sales Dep. Core Business Processes

Sales Logistics Orange Shop Partners Partners Credit Key Help Line
Application Remuneration Control Accounts
Oracle * * * * *
E-shop *
EPOS *
Jupiter * *
Vantive * *
PABX * * * * * *
Dealers * *
Commissioning
Dealers *
objectives
URS * *
DCR * * *
Local Access * * * *
databases

Financial Department Core Business Processes

Application Suppliers Payment Mailing & Errand Safety & Security Legal
Oracle *
Multicash *
Cash Management *
MS Outlook * *
PABX * * *
Control Access *
CATV *

Purchasing Core Business Processes

Application Purchasing Operations

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 17 of 33

Oracle *

8.1.4.3 Key IT Personnel and Emergency Contact Information:

The Appendix 2 (extracted from “IT Crisis Management Plan – IT/425/IT” ) contain the list of key IT
personnel and their emergency contact information. Through this list, the persons responsible for back-up
and recovery of specific systems can be contacted in the event of a significant unexpected event which is
affecting the IT systems and is likely to disrupt normal business operations.

8.1.4.4 Key IT and Communications Suppliers and Maintenance Engineers:

The Appendix 3 (extracted from “IT Crisis Management Plan – IT/425/IT”) contain the list of key IT and
Communications Suppliers and maintenance engineers.

8.1.4.5 Existing IT Recovery Procedures

IT back-up and recovery procedures for hardware, software and data:
 IT Disaster Recovery Plan for Europe House site - OR/422/IT
 IT Disaster Recovery Plan for FEPER site - OR/424/IT
 MIS Databases Back-up & Security Procedures – IT/411/MIS
 Billing & CRM Escalation Procedure – OR/421/IT

8.1.5 Existing Emergency Procedures

This section reviews the other recovery procedures including topics such as evacuation procedures, fire
regulations, health and safety procedures etc.

8.1.5.1 Summary of Existing Procedures for Handling Emergency Situations

The “Security Procedure” – OR/208/FD document the processes.

8.1.5.2 Key Personnel Responsible for Handling Existing Emergency Procedures

The Security Manager and his group is responsible for security, fire regulations, Health & Safety and evacuation
processes in Orange Romania.
The main tasks and responsibilities of Security Manager:
 To ensure the permanent and correct function of the security devices: CCTV, control access, anti-theft
system and fireproof system. The responsibility for the fireproof system refers only to the administrative
premises: Europe House, Pantelimon, Dunarea, Pasteur, Customer Cluj, Customer Timisoara and all
shops’ locations.

 To ensure the permanent communication between the security devices installed in different premises

 To analyze the needs of securing different sites and locations

 To design the security levels and circulation flows

 To supervise the execution of the project implementation, equipment installation or optimization and service
works

 To conceive and organized periodically evacuation drills

 To train the members of the evacuation supervision teams and the employees for emergency situations
behavior

 To assure the issue of access badges for all employees and collaborators

 To train the employees and collaborators to use the control access, anti-theft and fireproof systems properly

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 18 of 33

 To manage the control access database and events history

 To provide reports on employees and collaborators access in/out Orange Romania premises to all
concerned directors or departments managers

 To manage all contract with guard companies and equipment providers

 To inform the management about special events concerning the premises security

The Appendix 4 lists the address and phone numbers of Emergency and Security Key personnel.

8.1.5.3 External Emergency Services and Contact Numbers

Public Emergency Service Phone Number

Health Care 961
Fire Squad 981
Police 955
SSP Guard Intervention Group 021 321 4877
Inselkat Maintenance Team 021 203 3567
Climalux (Air conditioning) 021 628 5595

8.1.6 Premises Issues

In the event that the emergency situation affects the organisation's premises, it is necessary to have information
to hand on the authority levels (and responsibility) of individuals involved in the emergency recovery procedures
which would enable them to effect repairs immediately.

8.1.6.1 Responsibility and Authority for Building Repairs

This section of the BCP contains the list of main premises owned or used by Orange together with information
regarding the authority for building maintenance and repairs:

Orange Site Facilities Position Office Mobile E-mail

Responsible Phone
Europe House Andrei Office 203 3553 0744 440476 [email protected]
headquarter DAHNOVICI Manager
Pasteur TD site Gabriel CADAR Senior Office 203 3282 0744 440486 [email protected]
Administrator
Pantelimon CSD Cornel Office 203 3989 0744 440437 [email protected]
ZIMBILSCHI Administrator
Cluj CSD & TD site Dan DANCI MAR Manager 203 5101 0744 441441 [email protected]
Timisoara TD site Virgil CUSNIR MAR Manager 203 5001 0744 441414 [email protected]
Timisoara CSD & Sales Emilia BALAN Facilities 203 5380 0744 441423 [email protected]
site Supervisor
Bacau TD Site Relu MAR Manager 203 5220 0744 441204 [email protected]
UNGUREANU

8.1.6.2 Back-up Power Arrangements

This section contains the list of main premises owned or used by Orange together with information regarding
the authority for Back-up Power Generators maintenance and testing:

Orange Site Back-up Power Position Office Mobile E-mail

Responsible Phone
Europe House Andrei DAHNOVICI Office Manager 203 3553 0744 440476 Andrei.Dahnovici@oran

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 19 of 33

headquarter ge.ro
Pasteur TD site Eugen NOC Environment 0744 441241 Eugen.Strimbeanu@ora
STRIMBEANU Expert nge.ro
Pantelimon CSD Cornel ZIMBILSCHI Office 203 3989 0744 440437 Cornel.Zimbilschi@oran
Administrator ge.ro
Timisoara CSD & Emilia BALAN Facilities 203 5380 0744 441423 [email protected]
Sales site Supervisor
Timisoara TD site Virgil CUSNIR MAR Manager 203 5001 0744 441414 [email protected]
Cluj CSD & TD site Dan DANCI MAR Manager 203 5101 0744 441441 [email protected]
Bacau TD Site Relu UNGUREANU MAR Manager 203 5220 0744 441204 Relu.Ungureanu@orang
e.ro

8.2 PREPARING FOR A POSSIBLE EMERGENCY

Once the project initiation processes have been completed and the business risks assessed, it is necessary
to take steps to minimise the effects of potential emergencies. The underlying objective of this chapter is to
identify ways of preventing an emergency from turning into a disaster for the organisation.

The focus will be on those business activities that are key to the continued viability of the business.

8.2.1 Back-up and Recovery Strategies

This section of the BCP will discuss the strategic options available, and will be based on the business risk
assessment which was carried out in the previous chapter.

The complexity, and related cost, of back-up procedures and systems may well depend upon the identified
speed with which systems or business processes need to be restored.

8.2.1.1 GSM Network Recovery Strategy

For the Critical technical components of the GSM Network (TD) the Strategy is detailed for every
network domain: NSS, TRANS, BSS, VAS:
 TD/6208/PC – Disaster Recovery Plan for Pasteur Site
 TD/6209/PRO – TRANS Method as Support for BSS & NSS Crisis;
 TD/6210/PRO – TRANS Crisis Management Method;
 TD/6211/PRO – NSS Crisis Management Method;
 TD/6212/PRO – BSS Crisis Management;
 TD/6213/O&M – VAS Crisis Management;
 TD/6042/O&M – Fire Prevention in MSC Sites.
 TD/6219/DN – DN Crisis Management Methods

8.2.1.2 Alternative Business Process Handling Strategy

For each key process, it is necessary to determine the type of back-up process which would be appropriate.
For an automated administrative process, it may be considered adequate to back up the business process
with a manual process supported by stand-alone PCs.

Very often, cost is a major factor in the speed of recovery, and a mirrored back-up site would normally be
significantly more expensive to set up and maintain than a manual process.

The key Business processes and the recommended strategic approach for each is listed bellow:

 Customer Service:

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 20 of 33

Sub-Department Business function RTO Strategy

Activation & Dealers Activation 2 days Relocate and restore.
Dealers Support for Activation 2 days Relocate and restore.
Customer Care (Help Line - Relocate and restore, switch on others sites
Service Center answers to the incoming calls) 1.5 days (Cluj, Timisoara).
Customer profile Changes Relocate and restore.
(Problem Solving group) 0.5 days
Complaints Handling (Problem Relocate and restore.
Solving Group) 1 day
Churn Loyalty (TRL group) 1 day Relocate and restore.
Retention (TRL group) 3 days Relocate and restore.
Credit (Fraud, Collection & Credit) 1 day Relocate and restore.
Fraud (Fraud, Collection & Credit) 1 day Relocate and restore.
Collection (Fraud, Collection & Relocate and restore.
Credit) 5 days

 Sales Department
Sub-Department Business function RTO Strategy
Retail Shop Sales (for a generic shop) 3 day Relocate and restore.
Support Credit Control "Agenti" 5 day Relocate and restore.
Key Accounts 5 day Relocate and restore.
Help Line -"Parteneri" 3 day Relocate and restore.
Logistics Sales Logistics 3 day Relocate and restore.
 Financial Department:
Sub-Department Business function RTO Strategy
Treasury Suppliers Payments 0.5 days Manual operation.
Facilities Security & Safety 1 day Manual operation.
Mailing & Errand 0.5 days Manual operation.
 Purchasing:
Sub-Department Business function RTO Strategy
Purchasing Purchasing Operations 4 Manual operation.

8.2.1.3 IT Systems Back-Up and Recovery Strategy

There are a number of strategic options to be investigated when considering IT systems back up and
recovery processes. The two most important factors to be considered are the criticality of the IT systems to
the business processes (the speed of recovery needed), and the amount of money available for IT back up
and recovery strategies. The options, in order of cost, are as follows:
FULLY MIRRORED RECOVERY SITE
This strategy entails the maintenance of a fully mirrored duplicate site which would enable instantaneous
switching between the live site and the back up site. This is normally the most expensive option.
SWITCHABLE HOT SITE
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to
maintain an identical site with communications to enable you to switch your IT operations to his site within
an agreed time period, usually less than one to two hours.
HOT SITE

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 21 of 33

This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to
maintain a compatible site to enable you to switch your IT operations to his site within an agreed time
period, usually less than six to twelve hours.
COLD SITE
This strategy involves the setting up of an emergency site once the crisis has occurred and has a standby
arrangement with a vendor to deliver the minimum configuration urgently. This option usually enables the
organisation to be operational within two to three days.
RELOCATE AND RESTORE
This strategy involves the identification of a suitable location, hardware and peripherals and re-installing the
systems and backed up software and data after an emergency has occurred. This strategy is considered to
be inadequate for the needs of today's business.
NO STRATEGY
This is the cheapest strategy. This also carries the highest risk and will involve no off-site back up of system
or data. This option usually ends up with the organisation going out of business.
For Orange Romania IT Systems, Back-Up and Recovery Strategy is detailed for each Site (see IT Disaster
Recovery Plans for each Site, chapter: “Disaster Recovery Strategy”):
 OR/422/IT – Recovery Plan for Europe House site
 OR/424/IT – IT Disaster Recovery Plan for FEPER site

8.2.1.4 Insurance Coverage

One important strategy to be considered is the maintenance of insurance to cover unexpected emergency
losses. Orange Romania Strategy include multiple Insurance Policies for Employees, Equipments, Property and
Buildings, Business Interruption, Commercial General Liability, Company Cars.
The complete list is detailed in Appendix 5.

The Insurance Policy contact persons:

Name Position Office Mobile E-mail
Phone
Alexandru RUSSU Deputy CFO 203 3471 0744 440466 [email protected]
Dana LUPAN Treasury Officer 203 3461 0744 625540 [email protected]

8.2.2 Key BCP Personnel and Suppliers

Orange employees are our most important and valuable asset. In any emergency, in addition to its systems
recoveries, the company will rely on its employees to enable it to recover normal business operations in the
minimum amount of time. We will also rely on our main suppliers of critical goods and services to continue to
support recovery of our business operations through to normal operating mode.

A well-organised and structured approach will avoid the unexpected crisis deteriorating into chaos.

This section of the BCP will contain information on who should be contacted in the event of an emergency,
and how to contact keys suppliers and also key staff, and other employees.

8.2.2.1 Functional Organisation Chart

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 22 of 33

8.2.2.2 BCP Project Co-ordinator for each Key Functional Area (Department)
This section of the BCP lists each Department and also the name, position and contact number of the
nominated Project Co-ordinator for each area.

The Quality Team of Orange Romania coordinates the BCP Project, and Orange Quality Coordinator was
appointed by the Executive Director as Project Leader.

The Directors and Managers of each Department have the final responsibility of implementing the Business
Continuity Plan.

Department Position Name Office Mobile E-mail

Phone

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 23 of 33

Management Quality Nicolae 2037088 0744441107 [email protected]

Coordinator CHIRTAS

Technical Quality & Dan BACIU 2033254 0744441145 [email protected]

Methods Mng.

IT Quality Mircea 2037030 0744440911 Mircea.Vasilescu@orange.

Coordinator VASILESCU ro

Customer Quality Radu 2037308 0744440860 [email protected]

Service Supervisor DUMITRU

Sales Quality Irina ENACHE 2033669 0744440218 [email protected]

Coordinator

Financial Quality Mihaela 2033464 0744441399 [email protected]

Coordinator PETICILA o

Purchasing Quality Elisabeta 2033574 0744440091 Elisabeta.Gheorghe@oran

Coordinator GHEORGHE ge.ro

Marketing Quality Mihai LUNGU 2033673 0744440216 [email protected]

Groups Coordinator

Human Quality Corina 2033501 0744440520 [email protected]

Resources Coordinator FRINCU

8.2.2.3 Key Personnel and Emergency Contact Information

When an emergency occurs it is necessary to have ready access to all key personnel for the functional areas
and systems affected by the crisis. This section of the BCP contain a list (see APPENDIX 6 ) of key personnel,
their position, functional area, and procedures or systems for which they are responsible. This section also
include normal and emergency contact information.

8.2.2.4 Key Suppliers and Vendors and Emergency Contact Information (see APPENDIX 3).

8.2.2.5 Manpower Recovery Strategy

A key component in any BCP is the development of a manpower recovery strategy. This is an area where it
is critical for a workable plan to be in place which takes into account the needs of the business and the
needs of the staff and their families (where affected). This aspect must be handled with sensitivity.

An up-to-date staff list is available in electronic form on http://intranet/ (“angajati”) as part of the BCP. The
Human Resources Dep. will provide normal and emergency contact details (home addresses and phone
numbers) for all employees if necessary. At the initial stage in the disaster recovery management process,
there is a procedure for accounting for the safety of all members of staff (OR/208/FD – Security Procedure).

If the disaster happens outside of normal working hours the staff should be contacted to inform them of the
event and to issue instructions to each staff member on how to keep in touch with events during the
recovery process. Options here may include pre-recorded messages left on a special telephone number,
SMS to a group or to all Orange Employees, couriers, etc.

For disasters which affect a whole city or area, family circumstances may dictate the need for employees to
deal with home problems before being available to deal with work related issues. It may be necessary to
consider succession trees for key staff in case one or more key persons are unavailable.

It is also necessary to identify key personnel who are needed to manage or participate in the actual recovery
operation. This is dealt with in chapter 8.2.2.3.

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 24 of 33

8.2.2.6 Establishing the Disaster Recovery Team

The Disaster Recovery Team should be made up of a group of specialists who have previously been
nominated as being able to assist in dealing with the initial emergency. These will not necessarily be the
same persons who are members of the Business Recovery Team. During the initial emergency the following
personnel may need to be involved depending upon the circumstances:

 Key members of Senior Management

 Security Officer

 Facilities Manager

 Employee Relations Manager or deputy

 Premises Maintenance Staff

 IT technicians (IT Net. Help Desk, Billing )

 TD Crisis Manager (=NOC Manager) for Technical sites Emergencies

 Communication technicians (PABX)

 Security staff
The Disaster Recovery Team (DRT) is responsible for working with the emergency services to clear the initial
emergency crisis situation in order that the Business Recovery Team are able to start their activities. The DRT
itself, will only be able to start their own recovery activities once the emergency services have given permission
for these duties to commence. During the initial emergency, the DRT will normally make themselves available
to provide assistance to the emergency services, as appropriate.

The configuration of the DR Team will depend upon the type and severity level of the emergency.
Nominated members from the DRT should be 'on-call' at all times and should ensure that their contact details
are known to the emergency services.

All members of the Disaster Recovery Team should maintain an up-to-date copy of the BCP in a secure
location off-site.

8.2.2.7 Establishing the Business Recovery Team

It is necessary to establish a dedicated Business Recovery Team consisting of specialist technicians and
operations staff who are charged with implementing the necessary recovery procedures once a serious
emergency has occurred. The Business Recovery Team (BRT) should be led by a senior member of the
organisation's management. In the event of such an emergency, the BRT leader will be responsible for taking
overall charge of the process and ensuring that the organisation returns to normal operations as early as
possible.

The BRT will consist of senior representatives from the main business and support units and will be supported
by nominated task forces for each recovery process, as appropriate.
These persons will not necessarily be the same persons who are members of the Crisis Management Team.

Each member of the Business Recovery Team should keep an up-to-date copy of the BCP in a secure off-site
location and should be fully familiar with its contents.

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 25 of 33

8.3 DISASTER RECOVERY PHASE

A critical part of handling any serious emergency situation is in the management of the Disaster Recovery
Phase. By definition, the Disaster Recovery Phase is likely to involve, to a significant degree, external
emergency services. The priority during this phase is the safety and well being of the employees and other
involved persons, the minimisation of the emergency itself, the removal or minimisation of the threat of further
injury or damage and the re-establishment of external services such as power, communications, water etc. A
significant task during this phase is also the completion of Damage Assessment Forms.
In addition to the emergency services, the Disaster Recovery Phase may involve different personnel depending
upon the type of emergency and a Disaster Recovery Team should be nominated according to the
requirements of each specific crisis.

8.3.1 Planning for Handling the Emergency

The first stage of handling the emergency situation involves the assessment of the initial emergency situation. It
needs to be determined at an early stage if the Disaster Recovery Team is required to be involved. This section
of the BCP covers the identification of the emergency situation, mobilising the Disaster Recovery Team and
assessing the scale of the emergency.

8.3.1.1 Identification of Potential Disaster Status

One of the first tasks is to determine whether an actual or pending crisis is likely to become sufficiently serious
to require the evacuation of staff.
If a serious emergency situation has already occurred which has caused injury or loss of life or damage to
premises or equipment, then the Disaster Recovery Team should be mobilised immediately.
Criteria for determining whether a potential disaster situation exists could include the following:
 Is there an actual or potential threat to human safety

 Is there an actual or potential serious threat to buildings or equipment

 Is there likely to be a need to involve the emergency services

If the answers to any of the above are positive then the Disaster Recovery Team should also be notified.

8.3.1.2 Involvement of Emergency Services

It is likely that there will be an involvement of the public emergency services in many disaster recovery
situations where there is danger to human life or serious damage to property and assets. The emergency
services will initially deal with the actual emergency event such as an accidental spillage of toxic material, a fire
or a flood. The emergency services will concentrate their efforts on rescuing any persons trapped within
buildings or vehicles and also in minimising the impact of the emergency event on premises and assets
wherever possible. The protection of human life and the treatment of any wounded persons will be afforded the
highest level of priority. The emergency services will need to liaise with responsible individuals from the
organisation who can provide information that they may require.
The emergency services have specialists who can provide advice on how to prepare for the outcome of such
situations and how to minimise the likelihood of their occurrence. Once the emergency situation is brought
under control, the emergency services will hand over the situation to the responsible officials representing the
organisation. This will normally be the Disaster Recovery Team.

8.3.1.3 Assessing Potential Business Impact of the Emergency

Assessments need to be made at various stages during the recovery process as to the potential scale of the
emergency from a business perspective. During the Disaster Recovery Process, these will include a preliminary
damage assessment. The initial assessments will normally be carried out by the Disaster Recovery Team using
the basic site information and the on-site inventories as described in the Site Structure chapters from Disaster
Recovery Plans at site level Procedures.
The Disaster Recovery Team may call special consultants, key vendors and key service providers to help them
with this process as appropriate.
The assessments will be based on the particular circumstances applying and the following five point scale may
be considered appropriate:

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 26 of 33

1 Is likely to seriously affect normal business operations for over five days
2 Is likely to seriously affect normal business operations between three and five days
3 Is likely to seriously affect normal business operations between one and three days
4 Is likely to seriously affect normal business operations between eight and twenty four hours
5 Is likely to seriously affect normal business operations for less than eight hours

8.3.1.4 Project Management Activities

It is necessary for the management of the disaster recovery phase to be properly structured and controlled.
Where practical, this phase should be organised in accordance with best project management practices. The
recovery process is likely to require a significant level of co-ordination utilising diverse resources including the
use of public emergency services. During the handling of the disaster recovery process all events should be
planned and recorded. The planning part of the process is dealt with here. The recording process is dealt with
in the Crisis Event Log (see APPENDIX 6)

8.3.2 Notification and Reporting During Disaster Recovery Phase

Maintaining good levels of communications is one of the most important ingredients during the disaster
recovery phase. It is important that any information released is both accurate and timely. It is necessary to keep
various groups informed including the Disaster Recovery Team, the Business Recovery Team, the senior and
middle management, families of affected employees, media and other key members of staff.

8.3.2.1 Notification to Management and Key Employees

During the Disaster Recovery phase, the management and key employees should be kept informed of key
developments affecting the business process overall and in particular the impact on their own areas of
responsibility.
This section of the BCP contain a list of management and key employees who should be contacted in an
emergency situation (see APENDIX 5).

8.3.2.2 Handling Personnel Families Notification

If the emergency event has resulted in a situation which would cause concern to an employee's immediate
family such as hospitalisation of injured persons, it will be necessary to notify their immediate family members
urgently.
This type of communication needs to be handled with sensitivity and care in order not to increase the level of
distress to the persons being notified.
The HR Department (ER Manager or deputy) will provide all necessarily information and support for this activity.

8.3.2.3 Handling Media during the Disaster Recovery Phase

Media contact during the disaster recovery phase has to be handled very carefully. All information released to
the public at this time has to be accurate and speculation should be reduced to the minimum. Media interviews
and press release statements should be handled by persons who have been specifically authorised to
undertake such duties. Other persons who have not been authorised to speak to the media should be strongly
discouraged from doing so.
The Orange PR Manger is in charge with Media Handling process during Disaster and Crisis situations.

8.3.2.4 Maintaining Event Log during Disaster Recovery Phase

It is important that all key events during the disaster recovery phase are recorded. An event log should be
maintained by the leader of the Disaster Recovery Team (see APPENDIX 6).

8.3.2.5 Disaster Recovery Phase Report

On completion of the Initial Disaster Recovery Phase the DRT leader should prepare a report on the activities
undertaken. The report should contain information on the emergency, who was notified and when, action taken
by members of the DRT together with outcomes arising from those actions. The report will also contain an
assessment of the impact to normal business operations. The report should be given to the Head of the
Business Recovery Team, with a copy to Senior Management, as appropriate.

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 27 of 33

8.4 BUSINESS RECOVERY PHASE

The Business Recovery Phase will either follow directly on from the Disaster Recovery Phase or will be directly
initiated after a serious emergency incident affecting normal business operations which does not need a
Disaster Recovery Phase.
The Business Recovery Phase involves the restoration of normal business operations after an unexpected
event which has disrupted all or part of the business process. From a business perspective, this is the most
critical phase of the whole BCP. The efficiency and effectiveness of the procedures contained within this section
could have a direct bearing on the organisation's ability to survive the emergency.

8.4.1 Managing the Business Recovery Phase

From a business perspective, the most important part of the BCP is the Business Recovery Phase. This phase
deals with restoring normal business operations in the fastest possible time. This process needs to be carefully
managed and controlled in order to ensure optimum use of resources with correct prioritisation applied to key
tasks.

8.4.1.1 Mobilising the Business Recovery Team

Immediately following an emergency which seriously affects one or more of the organisation's normal business
processes, the Business Recovery Team (BRT) are to be notified. If there is the need for a Disaster Recovery
Phase then initially the BRT are likely to be put on standby. If there is no Disaster Recovery Phase or the
Disaster Recovery Phase is nearing completion, the BRT will be asked to assemble at the Emergency
Command Centre set up to control and manage both the emergency and the recovery process.

8.4.1.2 Assessing Extent of Damage and Business Impact

Once the Business Recovery Team (BRT) is mobilised, the first task is the assessment of the extent of the
damage and impact on the business process. This activity must be focused on the business impact as opposed
to the damage assessment carried out by the Disaster Recovery Team which is mainly focused on the impact
on people and the physical infrastructure.
The affect of the disaster will be reviewed by examining each area of the business that has been affected and
assessing the impact on the various key business processes identified in BIA process described above (8.1.3).

8.4.1.3 Preparing Specific Recovery Plan

The Recovery Plan will identify those areas which need to be addressed immediately and will establish a
prioritised sequence for the recovery process to proceed. Activities will, wherever possible, be carried out
simultaneously but the critical path must be identified to ensure that those activities directly on the critical path
receive the highest priority.
The Recovery Plan will list the activities which need to be carried out in priority sequence and which persons or
teams are responsible for completing those tasks. Where suppliers and vendors are required to supply goods or
services as part of the recovery process then these activities will be involved also.

8.4.1.4 Monitoring Progress

It is necessary for the BRT leader to closely monitor progress of the individual recovery tasks during this phase.
Difficulties experienced by one group of persons could have a significant affect on other dependent tasks. It is
important also to ensure that each task is properly resourced and that the efforts required to restore normal
business operations have not been under-estimated.

8.4.1.5 Keeping Everyone Informed

During the Business Recovery Phase it is extremely important that all affected persons and organisations are
kept properly and fully informed. This could include the following groups :
Board of Directors

Management and Staff

Customers

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 28 of 33

Appropriate Authorities or industry regulatory bodies

Insurance broker/loss adjustors

Suppliers and vendors

Contracted staff

Joint venture partners

A particularly important area to be considered is in notifying customers about the impact on deliveries of Orange
services.
A further area requiring special attention is the media. Only persons authorised to release information to the
media will be permitted to do so (PR Manager). The information given to all parties must be accurate and
timely. Estimates of the timing of normal working operations should be announced with care.

8.4.1.6 Handing Business Operations Back to Regular Management

Once normal business operations have been restored it will be necessary to hand the responsibility for specific
operations back to the regular management process.

8.4.1.7 Preparing Business Recovery Phase Report

On completion of the Business Recovery Phase the BRT leader should prepare a report on the activities
undertaken. The report should contain information on the disruptive event, who was notified and when, action
taken by members of the BRT together with outcomes arising from those actions. The report will also contain an
assessment of the impact to normal business operations. The report should be distributed to Senior
Management, as appropriate.

8.5 TESTING THE BUSINESS CONTINUITY PROCESS

The BCP should be tested within a realistic environment which means simulating conditions which would be
applicable in an actual emergency. It is also important that the tests should be carried out by the persons who
would be responsible for those activities in a crisis.
Exercising can take various forms, from a test of the communications plan, a desk-top walk-through to a full
system test.
The two main objectives of the test are to verify that the plan is practically workable by modeling recovery from
disaster conditions and training to familiarize staff with the operation of the plan.
When considering the contents of the test, aspects to include are: date, time, workloads, political and economic
conditions, accounting period end, other activities.
The frequency of the tests is minimum every 12 months.

8.6 MAINTENANCE OF THE PLAN

Orange company exists in a dynamic environment and therefore subject to change – in people, process,,
market, risk, environment, etc. Business Continuity Plans must reflect these changes to remain valid.

The effective change control Procedure is OR/001/QD because the BCP is a quality document.

8.7 AUDITING THE PLAN

The BCP has to be audited according to the OR/005/QD Audit Procedure, by internal or external independent
auditors. As a minimum, this audits should take place on an annual basis.

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 29 of 33

9. QUALITY RECORDS
 QAF036 – Business Impact Analysis Questionaire

10. MODIFICATION HISTORY

VERSION AUTHOR DATE DETAILS

1.0 Nicolae 18.07.2003 First draft issue.
CHIRTAS
1.1 Nicolae 27.10.2004 The Appendix was updated (in order to reflect
CHIRTAS employees data changes).
The list of approvers was extended with TD and IT
directors (and TD and IT Quality Coordinators for
Quality Review).

11. APPENDIX

11.1 APPENDIX 1: The filed BIA questionnaires and the List of Orange Core Business Functions:
BIA Questionaires

11.2 APPENDIX 2: Key IT Personnel and Emergency Contact Call List:

Full Name Position Recovery Role Office Mobile E-mail
Phone
Grigore FLORESCU IT Director Supervision, coordination, 2037055 0744440170 Grigore.Florescu@o
communication range.ro
Cristian IVANUS IT Network Manager(interim) Network Team Coordination 2037048 0744/440999 Cristian.Ivanus@ora
nge.ro
Mihai CIRCIUMARESCU Senior Network Administrator Network connectivity 2033556 0744440595 Mihai.Circiumarescu
@orange.ro
Vladimir NENU Senior System Administrator Hardware and operating system 2033022 0744440013 Vladimir.Nenu@oran
ge.ro
Mihai FLOREA Help Desk Team Leader Hardware and operating system 2037078 0744440979 Mihai.Florea@orang
e.ro
Gabriel DRAGAN System Administrator (UNIX) Hardware and OS UNIX like 2033529 0744440993 Gabriel.dragan@ora
nge.ro
Ionut SCARLAT IT Operations Manager Billing & CRM Supervision 2037317 0744440524 Ionut.scarlat@orang
e.ro
Cristian MINDRICELU Billing & CRM Manager Advisor, Coordination 2037052 0744441121 Cristian.Mindricelu@
orange.ro
Viorel SAVULESCU Billing Operations Controller Billing systems 203 3017 0744440015 Viorel.savulescu@or
ange.ro
Adrian DOMIDE Systems Support Expert Billing systems 2037370 0744440026 Adrian.domide@ora
nge.ro
Virgil CHERECHES CRM Operations Team CRM systems 2033781 0744440910 Virgil.chereches@or
Leader ange.ro
Iustin POP CRM Application CRM systems 2037054 [email protected]
Administrator o
Cristian IVANUS MIS Manager MIS Recovery Coordinator 2037048 0744/440999 Cristian.Ivanus@ora
nge.ro
Eugen VARGA OA Application Administrator Oracle application recovery 2037017 0744/440012 Codrin.Popa@orang
e.ro
Codrin POPA OA Oracle DBA Database recovery 2037033 0744440974 Codrin.Popa@orang
e.ro
Virgil CARASTANEF Information System Architect IBM hardware & software 2037047 0744/440994 Virgil.Carastanef@or
recovery ange.ro

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 30 of 33

11.3 APPENDIX 3: Key TD, IT and Communications Suppliers and Maintenance Engineers
TD Suppliers
Full Name Company Responsibility Office Mobile Email
Phone Phone
Alcatel hot line Alcatel BSS 0744 574 824
Motorola hot line Motorola BSS 0744 551 156
Alcatel hot line Alcatel NSS 0744 574 824
Tekelek hot line Tekelek NSS
Alcatel hot line Alcatel Trans 0256 306113
Alcatel TASC Alcatel Full IN +33 23 874 - [email protected]
3000
CMG Help Desk Logica CMG SMSC, VASP, WAP +31 23 513 - www.cmg-support.com
4040
Rapsodia OTA, MB

IT and Communications
Full Name Company Responsibility Office Mobile E-mail
Phone
Lucian BARBULESCU HP-Compaq HP SuperDome 0722278012
Horia BARBUL HP-Compaq Billing systems 202.78.59 0788468847
Lucian NICULAE Qnet CRM HP Systems 230 14 19 0744652327
Alexandru CACIULATU Q’Net Hardware 2301444 0744652332 Alexandru.Caciulatu@q
2301543 net.ro
Andrei SOCOLIUC IBM Romania IBM HW & SW 2244015 0745/590120 [email protected]
Liviu ROSCA IBM Romania IBM HW & SW 2244015 0740/121486 [email protected]
m
Dan GHELBEREU S&T EMC Symmetrix 2332700 0745/129127 [email protected]
Stefan FLOREA S&T EMC Symmetrix 2332700 0744/326409 [email protected]
Oracle Romania HQ Oracle Romania Oracle Databases 3072700 - -
Adrian BRILL CSB IBM HW 3123043 0723/394520 [email protected]
Mihai IACOBAN CSB IBM HW 3123043 0744/328288 [email protected]
Ioana COSTESCU RDS URS Postpay, URS Prepay, 2314006 - ioana.costescu@orang
Call, Invoices, Payment e.ro
Mihai MOROSAN SoftNet Lotus Notes 2039664, 0722/957045
2331840
Radu CADARIU SoftNet EDP system 2039664 0740112390 Radu.Cadariu@softnet.
2331840 ro
Viorel MIHAILA GBA Bonus on incoming, Bonus on 2127521 - [email protected]
retention 3123043 o
Valentin AGARICI Microsoft Romania Microsoft software 2024200 0744755441 [email protected]
m
Dick VENCU Radix Company SA Network fax software 2117801 0744323543 [email protected]
2117855
Aurelian POPA Radix Company SA Network fax software 2117801 0788365977 [email protected]
2117855
Tudor POP Datanet Active Network Equipment 0788365147 0744758611 [email protected]

11.4 APPENDIX 4: Emergency and Security Key personnel Call List:

Full Name Position Recovery Role Office Mobile E-mail
Phone
Sorin DIACONU Security Manager Security systems, Emergency 2033980 0744440498 Sorin.Diaconu @orange.ro
Evacuation coordination.
Liviu SIMION Health & Safety Officer Health & Safety Regulations 2033287 0744440426 Liviu.Simion@ orange.ro

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 31 of 33

11.5 APPENDIX 5: List of main Orange Insurance Policy’s:

Policy No. 2648731-K
Insurer : Generali Asigurari SA
Type of policy : Group Personal Accident – Cover for working hours and transportation to and
from work for 1.633 people, adjusted quarterly
Inception date : 30.05.2004
Expiration date : 31.05.2005
Values insured: 5000 / 10000 USD for each death / disability by accident

Policy No. 2605000548

Insurer : AIG Romania
Type of policy : Electronic Equipment Insurance
Inception date : 01.06.2004
Expiration date : 31.05.2005
Value insured : Property Damage: USD 382,484,200
Business interruption: USD 200,000,000

Policy No. 90/0031/03

Insurer : AIG Romania
Type of policy : Property Terrorism and Sabotage Insurance
Inception date : June 1st , 2004
Expiration date : May 31st , 2005
Values insured : Property damage : USD 502,241,290
Business Interruption: USD 200,000,000

11.6 APPENDIX 6: List of Key Personnel and Emergency Contact Information, by Departments:
Facilities Emergency Responsible:
Full Name Position Recovery Role Office Mobile E-mail
Phone
Sorin DIACONU Security Manager Security systems, Emergency 2033980 0744440498 Sorin.Diaconu
Evacuation coordination. @orange.ro
Liviu SIMION Health & Safety Officer Health & Safety Regulations 2033287 0744440426 Liviu.Simion@
orange.ro

IT Department Crisis Management Team:

Full Name Position Recovery Role Office Mobile E-mail
Phone
Grigore FLORESCU IT Director Supervision, coordination, 2037055 0744440170 Grigore.Florescu@o
communication range.ro
Cristian IVANUS IT Network Manager (interim) Network Team Coordination 2037048 0744/440999 Cristian.Ivanus@ora
nge.ro
Mihai CIRCIUMARESCU Senior Network Administrator Network connectivity 2033556 0744440595 Mihai.Circiumarescu
@orange.ro
Vladimir NENU Senior System Administrator Hardware and operating system 2033022 0744440013 Vladimir.Nenu@oran
ge.ro
Mihai FLOREA Help Desk Team Leader Hardware and operating system 2037078 0744440979 Mihai.Florea@orang
e.ro
Gabriel DRAGAN System Administrator (UNIX) Hardware and OS UNIX like 2033529 0744440993 Gabriel.dragan@ora
nge.ro
Ionut SCARLAT IT Operations Manager Billing & CRM Supervision 2037317 0744440524 Ionut.scarlat@orang
e.ro
Cristian MINDRICELU Billing & CRM Manager Advisor, Coordination 2037052 0744441121 Cristian.Mindricelu@
orange.ro
Viorel SAVULESCU Billing Operations Controller Billing systems 203 3017 0744440015 Viorel.savulescu@or
ange.ro

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 32 of 33

Adrian DOMIDE Systems Support Expert Billing systems 2037370 0744440026 Adrian.domide@ora
nge.ro
Virgil CHERECHES CRM Operations Team CRM systems 2033781 0744440910 Virgil.chereches@or
Leader ange.ro
Iustin POP CRM Application CRM systems 2037054 [email protected]
Administrator o
Cristian IVANUS MIS Manager MIS Recovery Coordinator 2037048 0744/440999 Cristian.Ivanus@ora
nge.ro
Eugen VARGA OA Application Administrator Oracle application recovery 2037017 0744/440012 Codrin.Popa@orang
e.ro
Codrin POPA OA Oracle DBA Database recovery 2037033 0744440974 Codrin.Popa@orang
e.ro
Virgil CARASTANEF Information System Architect IBM hardware & software 2037047 0744/440994 Virgil.Carastanef@or
recovery ange.ro

TD Crisis Management team:

Full Name Position Recovery Role Office Mobile E-mail
Phone
Ioan Irimia NOC Manager Crisis Manager 203 3340 0744 441070 Ioan.Irimia@orange.
ro
Florin Stefanescu NEG BSS Exp BSS domain responsible 203 3234 0744441073 Florin.Stefanescu@
orange.ro
Cosmin Corlatescu NEG BSS Exp PRO/NEG/BSS (Backup) 203 3297 0744441083 Cosmin.Corlatescu
@orange.ro
Valentin Popa NOC BSS TL O&M/NOC/BSS 203 3350 0744 441407 Valentin.popa@oran
ge.ro
Adrian Patatu BSS Expert DEV/BSS 203 3240 0744 441467 Adrian.Patatu@oran
ge.ro
Raluca Marinescu NSS PM NSS domain responsible 203 32 46 0744 441089 Raluca.marinescu@
orange.ro
Ladislau Olah NSS Engineer DEV/NSS 203 3294 0744 443294 Ladislau.Olah@oran
ge.ro
Razvan Dumitru NOC NSS TL O&M/NOC/NSS 203 32 70 0744 441507 Razvan.dumitru@or
ange.ro
Sorin Olimid Backbone Project Mng. TRANS Domain Responsible 203 3367 0744 441425 Sorin.Olimid@orang
e.ro
Jenica Bucalau SDH Net. Project Mng. DEV/TRANS 203 3361 0744 441425 Jenica.Bucalau@ora
nge.ro
Liviu Gocan NOC Trans TL O&M/NOC/TRANS 203 3382 0744 44 1143 Liviu.gocan@orange
.ro
Paul.Goita VAS Expert VAS Domain Responsible 203 7594 0744 440228 Paul.Goita@orange.
ro
Florin Crucita DEV VAS Expert DEV/VAS 203 7507 0744441396 Florin.crucita@orang
e.ro
Catalin Tibulca NOC VAS Expert O&M/NOC/VAS 203 3391 0744441361 Catalin.Tibulca@ora
nge.ro
Florin Bucioaca Transmission Engineer Data Net. Domain Responsible 203 7588 0744441224 Florin.Bucioaca@or
ange.ro
Stefan Slavnicu DEV NSS Expert Data Net. / NSS equipment 203 7513 0744 441359 Stefan.slavnicu@ora
nge.ro
Laurentiu Vasile NOC Infrastructure Team O&M/NOC/NIG 203 3385 0744 441093 Laurentiu.Vasile@or
Leader ange.ro

CSD Crisis Management team:

Full Name Position Recovery Role Office Mobile E-mail
Phone
Andreea Popescu Customer Service Supervision, 2033800 0744440180 [email protected]
Executive Manager coordination,
communication
Diana Predoiu Service Center Manager Advisor, 2033841 0744440871 [email protected]
Coordination
Julien Zidaru Customer Care Bucuresti Advisor, 2033914 0744440527 [email protected]
Coordination
Radu Bulzan Customer Care Timisoara Advisor, 0744445301 0744440548 [email protected]
Coordination
Andreea Haba Customer Care Cluj Advisor, 0744445550 0744440855 [email protected]

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission
 Reference Version Page
BUSINESS CONTINUITY PLAN
PROCEDURE OR/016/QD 1.1 33 of 33

Coordination
Florin Boldescu Problem Solving Manager Advisor, 2033922 0744440883 [email protected]
Coordination
Bogdan Atanasiu Activation & Dealers Advisor, 2033843 0744440872 [email protected]
Manager Coordination
Anca Voinescu Churn Manager Advisor, 2033830 0744440819 [email protected]
Coordination
Serban Lia Fraud, Collection & Credit Advisor, 2033836 0744440864 [email protected]
Manager Coordination
Luminita Vasile Loyalty & Retention Advisor, 2033829 0744440843 [email protected]
Manager Coordination

11.7 APPENDIX 7: Crisis Event Log

Date/Time Event Description Who was notified Follow up Consequence Impact assessment
action on business

QAF001v.2.
This document is Orange Romania property and cannot be reproduced without permission