IVL Business Impact Analysis (BIA) Page No. 12 of 13 Guideline Issue No. 1 Rev. No. Record ID: GRMB-BCM-G-01-002 Confidential Release Date: March 2021

4.1 PLANNING PHASE

Activities to be completed by BCM Coordinators/BIA Respondent from business function/entity/plant/site during BIA planning include:

i. Understand the main purpose of conducting the BIA exercise and how the information will feed into the Business Continuity Plan (BCP).
ii. Syndicate with Head of Business or Head of Function/Entity/Plant/Site or other relevant Approving Authority to ensure full participation from identified key personnel and that all business functions are well represented in the exercise.
iii. Gather information/background search of the business function/entity/plant/site, i.e. Organisational Chart and Job Description.
iv. Attend BIA training to have a better understanding of how to complete the BIA template.

4.2 EXECUTION PHASE

Activities to be completed by business function/entity/plant/site BCM Coordinators/BIA Respondent during BIA execution include:

i. Complete BIA Template (Refer to APPENDIX 1: Guide to Complete BIA Template) where Minimum Resource Requirements (MRR) of the CBF are identified through requirement of:
a) People
b) Equipment
c) Technology
d) Asset
e) Interdependencies

Cost implication should be considered in identifying CBF to prevent overestimation of CBF as well as MRR.

In prioritising management of resources, business functions are grouped into 3 categories: Priority 1, 2 and 3, based on their criticality. The criticality of business functions is assessed based on the time required to resume functions, i.e. Recovery Time Objective (RTO), and the severity of impact to business should the function fail to resume in time. The categorisation of RTO by criticality is depicted in Figure 3.
(e.g. EHS, reputation, security, legal, operations)
Figure 3: Categorisation of RTO by Criticality

It is important to understand and differentiate between the criticality of business functions during crisis versus business as usual. Functions which are not identified as critical during disaster are not necessarily less important during business as usual.

ii. Conduct challenge session (Refer to APPENDIX 2: Guide to BIA Challenge Session) together with Head of Business or Head of Function/Entity/Plant/Site to finalise BIA results upon completing the BIA Template in order to evaluate its completeness and accuracy.
iii. Consolidate BIA results, if there is more than one BIA in a particular business function/entity/plant/site.
iv. Obtain approval from appropriate approving authority.

4.3 REVIEW PHASE

Activities to be completed by BCM Coordinators/BIA Respondent by business function/entity/plant/site during BIA review phase include:

i. Conduct BIA periodic review
The approved BIA shall be updated and reviewed when there are internal or external changes, which include, but are not limited to, the following elements:
a) Organisational context
b) Risk and levels of risk
c) Effectiveness of risk treatments
d) Business processes
e) Key personnel
f) Interdependencies with other organisations
g) Obtain approval from appropriate approving authority.

- END -
5. Business Recovery Strategy (BRS) Guideline
GROUP RISK MANAGEMENT & BCM (GRMB) IVL BUSINESS RECOVERY STRATEGY (BRS) GUIDELINE March 2021 INTERNAL USE © 2021 INDORAMA VENTURES LIMITED (IVL) All rights reserved. No part of this content may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.
IVL BUSINESS RECOVERY Page No. 2 of 25 STRATEGY (BRS) GUIDELINE Issue No. 1 Rev. No. 1 Record ID: GRMB-BCM-G-01-003 INTERNAL USE Release Date: March 2021

RECORD DETAILS
Record Title: IVL Business Recovery Strategy (BRS) Guideline
Record Version: Issue No: 1 Revision No: 1
Record Status: Approved
Record Reference Number: GRMB-BCM-G-01-003

RECORD APPROVAL
Reviewed By: Approved By: Prepared By:
Kanchit Damkaew, Senior Manager, Global Risk Management & BCM
Dhananjay Mohite, AVP, Global Risk Management & BCM
Wan Norashikin Mohd Nasir, VP, Global Head Risk Management & BCM
Date: Date: Date:
RECORD CLASSIFICATION
RECORD SECURITY: SECRET X CONFIDENTIAL INTERNAL USE OPEN
RECORD TYPE: X Policies, Frameworks and Guidelines; Manuals, Procedures, Work Instructions and Records; Legal, Commercial and Contractual Documents; Forms and Reports; Business and Financial Correspondences & Communication

REVISION HISTORY
AMENDMENT SHEET
Page No. | Date | Nature of Amendment/Change | Revised By | Signature of Approver
TABLE OF CONTENT

1.0 INTRODUCTION
1.1 OBJECTIVES
1.2 SCOPE
1.3 REFERENCES
1.4 GLOSSARY OF TERMS
2.0 OVERVIEW OF BUSINESS RECOVERY STRATEGY
2.1 BUSINESS RECOVERY STRATEGY DEVELOPMENT
3.0 BUSINESS RECOVERY STRATEGIES
3.1 WORKPLACE FAILURE
3.2 ICT FAILURE
3.3 WORKFORCE FAILURE
3.4 KEY INTERDEPENDENCIES FAILURE
3.5 FACILITIES FAILURE
3.6 SUPPLY FAILURE
1.0 INTRODUCTION

Business Recovery Strategy (BRS) is the 4th component of the BCM Framework, as shown in Figure 1 below. It is a process to determine and select a recovery strategy to ensure an entity can resume Critical Business Functions during business disruption. The recovery strategy is developed based on results obtained from the Business Impact Analysis (BIA) exercise.

The objective of BRS is to select appropriate recovery strategies to resume and recover Critical Business Functions (CBFs), taking into account identified business disruptions, cost of implementation, Recovery Time Objective, Recovery Point Objective and business impact identified during BIA.

Figure 1: BCM Framework
1.1 OBJECTIVES

This guideline provides a structured and consistent approach in identifying and selecting Business Recovery Strategy (BRS). This document, which complements the BCM Framework, covers the process and options in selecting recovery strategies. It defines the baseline BCM requirements applicable to IVL and its subsidiaries and, to the extent practicable, to suppliers and business partners.

1.2 SCOPE

This guideline is generic for application in any business environment and shall apply to IVL and its subsidiaries. This guideline shall be read together with the BCM Framework and its guidelines.

Any deviation from the requirements defined in this document shall be in consultation with and approved by GRMB. Changes to this document shall be reviewed, updated and coordinated by GRMB.

1.3 REFERENCES

This document makes reference to the following:

i. IVL Enterprise Risk Management (ERM) Framework.
ii. IVL Business Continuity Management (BCM) Framework.
iii. IVL Business Impact Analysis (BIA) Guideline.
iv. IVL Business Continuity Plan (BCP) Guideline.
v. IVL Testing & Exercising (T&E) Guideline.
vi. IVL ERM Process Guideline.
vii. International Standard ISO 22301 (Societal Security – Business Continuity Management Systems – Requirements).
1.4 GLOSSARY OF TERMS

1.4.1 Terms and Definitions

Business Continuity: Capability of the organization to continue delivery of products or services at acceptable predefined levels following business disruption.

Business Continuity Management: Holistic management process that identifies potential threats and their impact to the organisation, and provides a framework for building resilience with the capability for an effective business resumption that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan: Documented procedures that guide organizations to respond, recover, resume, and restore to pre-defined level of operation following business disruption.

Business Impact Analysis: Process of analysing activities and the effect that a business disruption might have upon them.

Business Disruption: A risk event that results in an unplanned outage or negative deviation from the expected delivery of products or services according to the organization’s objectives.

Crisis: A significant business disruption which affects the organization's normal operations, impacting people, environment, assets and reputation.

Critical Business Function: Vital function which an organisation requires to remain viable. If the function is unavailable for a prolonged period, it will result in financial and non-financial loss (e.g. EHS, reputation, security, legal and operations).

Exercising: Process to train for, assess, practice, and improve performance in an organization.
Note 1: Exercises can be used for: validating policies, plans, procedures, training, equipment, and inter-organizational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organizational coordination and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for improvement, and controlled opportunity to practice improvisation. Note 2: A test (refer to definition of “testing”) is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.
Incident: An abnormal or unplanned event that affects people, environment, asset and reputation, requires attention and has the potential to precipitate an emergency, crisis and/or business disruption.

Interdependencies: The reliance of an organization’s business functions, processes or systems on another party (internal or external).

Prolonged: An extended duration or period of time.

Recovery Point Objective: Point to which information used by an activity must be restored to enable the activity to resume operation.

Recovery Time Objective: Period of time following a business disruption within which supply of product or service or activities must be resumed, or resources must be recovered.

Testing: Procedure for evaluation; a means of determining the presence, quality, or veracity of something.
Note 1: Testing may be referred to as a “trial”.
Note 2: Testing is often applied to supporting plans.
1.4.2 Abbreviations

AWF: Alternate Workforce
AWS: Alternate Worksite
CBA: Cost Benefit Analysis
BCM: Business Continuity Management
BCP: Business Continuity Plan
BIA: Business Impact Analysis
BRS: Business Recovery Strategy
CBF: Critical Business Function
DRP: Disaster Recovery Plan
ICT: Information Communication & Technology
RPO: Recovery Point Objective
RTO: Recovery Time Objective
SLA: Service Level Agreement
VO: Virtual Office
2.0 OVERVIEW OF BUSINESS RECOVERY STRATEGY

Business Recovery Strategy (BRS) is the process to determine appropriate strategies to resume and recover Critical Business Functions. The selection of recovery strategies shall be based on Business Impact Analysis and should take into account identified business disruptions, cost of implementation, Recovery Time Objective and business impact.

The entity shall determine an appropriate recovery strategy for:

i. Protecting prioritized activities,
ii. Stabilizing, continuing, resuming and recovering prioritized activities and their dependencies and supporting resources, and
iii. Mitigating, responding to and managing impacts.

From the identified business disruption scenarios and recovery strategies, the Business Continuity Plan (BCP) shall be developed.

The relationship between cost of recovery, acceptable downtime (RTO) and business impact is described in Figure 2. Cost of recovery decreases as time to recover is prolonged. However, prolonging time to recover may also result in an increase in the severity of impact to business. The acceptable downtime or RTO is achieved when the cost of recovery is at optimum and intersects with business impacts that are deemed acceptable by the business function/entity/plant/site.

Figure 2: Cost, RTO and Impact (Disaster Recovery Institute)
2.1 BUSINESS RECOVERY STRATEGY DEVELOPMENT

The following are the steps in developing recovery strategies:

2.1.1 Consolidate endorsed BIA result summary.

Utilise the data collected during the BIA stage to identify the available recovery strategies for the entity’s operations that will meet the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) identified during the BIA process.

2.1.2 Evaluate existing arrangements and options for alternative recovery strategies and perform Cost Benefit Analysis (CBA).

i. Review recovery requirements identified from BIA assessment and evaluate existing recovery arrangements.
ii. Identify alternative business recovery strategies. For example, in the case of workplace failure, business could:
a) Do nothing and recover at time of business disruption
b) Develop manual workaround procedures
c) Identify internal (e.g. conference rooms, training rooms, cafeterias, etc.) and external alternate site
d) Contract third party service providers/outsourcers
e) Transfer staff and work to Alternate Worksite
f) Build dedicated alternate site
iii. Identify strategies for recovery of vital records and work in progress to meet the RPO and to ensure they are accessible.
iv. Assess viability of alternative strategies against the results of business impact analysis/recovery time objectives - Compare internal/external solutions.
a) Advantages
b) Disadvantages
c) Costs (startup, maintenance & execution)
d) Mitigation capability and control options
e) Ability to meet defined RTO and RPO
v. Estimate the cost of implementing and maintaining recovery identified.
vi. Perform cost benefit analysis on the recommended strategies to align the cost of implementing the strategy against the assets at risk.
2.1.3 Select and validate appropriate Business Recovery Strategies.

Some of the key questions to be considered in validation of strategies are as follows:

i. What is the total time taken to declare a disaster?
ii. Is the staff available following a disruption?
iii. Are there any restrictions on relocation of staff (for example staff that need to be relocated to make way for critical staff)?
iv. Does the alternate site have capacity to accommodate more critical functions should more CBF staff be required?
v. What is the maximum time that the business unit is allowed to stay at the alternate site?
vi. What is the time taken and resources needed to implement the strategy?
vii. Are there existing processes to recover?
viii. Do we need to develop additional standard operating procedures?

2.1.4 Obtain management’s approval, plan and budget for implementation.

i. Recommended strategies shall be approved and meet both RTO and RPO identified in the BIA.
ii. Strategies that have been approved must be planned and budgeted for implementation.
3.0 BUSINESS RECOVERY STRATEGIES

Business recovery strategies shall be developed based on, but not limited to, the following business disruption scenarios as depicted in Table 1. For other types of business disruption scenarios or other types of recovery strategies, business could refer to the lessons learnt or best practices from other organizations in the industry.

Business Disruption | Recovery Strategy Options
Workplace Failure | Alternate Worksite: Pre-staged Worksite; Dedicated Workspace; Acquisition; Virtual Office
ICT Failure | ICT Disaster Recovery Strategy: Technology; Vital Record
Workforce Failure | Alternate Workforce: First Level Manning; Second Level Manning; Third Level Manning
Key Interdependencies Failure | Key Interdependencies Strategy: Business Partners (Memorandum of Understanding (MOU), Collaboration); 3rd Party Suppliers (Service Level Agreement (SLA), Sourcing Strategy, Insurance Spares, Alternate Equipment, Business Continuity Clauses); Utility Providers (Memorandum of Understanding (MOU))
Facilities Failure | Facilities Failure Recovery Strategy: Facilities Restoration; Alternate Production; Exercise Legal Rights
Supply Failure | Supply Failure Recovery Strategy: Utilisation of existing assets/capacity/inventories; External Sourcing

Table 1: Recovery Strategy Options

3.1 WORKPLACE FAILURE

Workplace failure could be caused by incidents such as, but not limited to, riot, terrorist attack, natural disaster, and bomb threat that can affect accessibility to the building for a prolonged period of time. The following Alternate Worksite strategies can be considered:
3.1.1 Alternate Worksite

An entity should prepare and plan for an Alternate Worksite (AWS) in the event that the office building is inaccessible for a long period of time. In the event of a crisis that requires activation of the Business Continuity Plan (BCP), a predefined strategy on AWS would help the entity to resume its business within a stipulated time.

The decision that an entity makes when determining what type of site to establish often hinges on the results of a cost-benefit analysis as well as the needs of the organization. The AWS strategies are categorized as depicted in Table 2 below:

Strategy | Description | RTO
Pre-staged Worksite | An AWS that is fully equipped with necessary infrastructure and equipment | RTO < 24 hours
Dedicated Workspace | An AWS that has infrastructure only, no equipment | RTO < 2 weeks
Acquisition | An AWS that is only acquired after business disruption | RTO > 1 month
Virtual Office | An environment in which employees work from different locations, out of office environment | RTO: depends on specific business requirement

Table 2: Alternate Worksite Strategies
The strategies are detailed as follows:

i. Pre-staged worksite

A pre-staged worksite is an Alternate Worksite that already has in place the computers, telecommunications, and the environmental infrastructure required to recover the critical business functions. The infrastructure and facility at the pre-staged worksite are always ready and available at all times and have been regularly tested to ensure that they can meet the needs of the entity in the event of business disruption.

The following factors need to be considered in calculating cost to set up a pre-staged worksite:
a) Size of pre-staged worksite
b) Leasing cost
c) Retrofitting and equipment installation cost
d) General maintenance and operations cost

This option is suitable for CBFs that are required to resume in less than 24 hours.

In selecting this strategy, business should weigh the following factors:
a) Losses to normal operations
Entity can relocate with minimal losses to normal operations as workspace is already available to continue business operation.
b) Availability
Workspace can be made ready for operation within hours.
c) Testing
Pre-staged worksite has in place the required facility and equipment for the entity to continue its CBF during business disruption. Hence, it is easier to conduct the simulation testing to verify and test the BCP.
d) Maintenance cost
The equipment has already been purchased, hence the operational costs are the highest among the four Alternate Worksite strategies. All the systems and equipment as well as physical and information security need to be maintained.
e) Equipment and system technology
Equipment and systems may be obsolete in the next few years due to rapid changes in technology.
ii. Dedicated workspace

A dedicated workspace is an alternate worksite that has infrastructure (power points, LAN, cabling) readily available without the equipment (computers & printers) for the CBF staff. Equipment will only be purchased and installed during business disruption to minimize cost.

The following factors need to be considered in calculating cost to set up a dedicated workspace:
a) Size of dedicated workspace
b) Leasing cost
c) General maintenance and operations cost
d) Equipment installation cost

This option is suitable for CBFs that are required to resume in less than 2 weeks.

In selecting this strategy, business should weigh the following factors:
a) Maintenance cost
Dedicated workspace can be maintained at a lower cost as equipment will be made available during business disruption.
b) Reliability of delivery of equipment by supplier
During business disruption, no equipment is readily available. This results in a longer delivery lead time. Despite agreement with supplier, there could be a risk in reliability of delivery.
c) Procurement cost
High procurement cost in acquiring equipment due to short notice given to supplier.

iii. Acquisition

Acquisition is where the entity acquires workspace with sufficient facility and ICT equipment to support recovery operations in the event of a business disruption.

The following factors need to be considered in calculating cost during acquisition:
a) Office space and related facility
b) Hardware such as networking devices and infrastructure
c) Software and systems required to perform the backup
d) Transportation for relocation
e) Manpower to set up and support the site and backup functions
This option is suitable for CBFs that are required to resume in more than 1 month.

In selecting this strategy, business should weigh the following factors:
a) Maintenance cost
Maintenance cost is minimal compared to pre-staged worksite and dedicated workspace strategies as facility and equipment are only acquired after business disruption.
b) Acquisition cost
Acquisition cost is high as all the required facility and equipment need to be acquired within a short time frame.
c) Compatibility of ICT application/system
All critical applications and systems need to be reinstalled and set up at the time of business disruption. Hence, there could be a lot of ICT and system related issues such as system incompatibility, loss of data, licensing issues, etc.
d) Complexity of testing as the worksite is not readily available

3.1.2 The following factors need to be considered in setting up an Alternate Worksite (AWS):

i. Location and security
a) AWS locations should be at a distance where they will be less likely to be impacted when the main/primary office is at risk of being locked down due to the impact of a major incident. The AWS should be easily accessible, with more than one route, to ensure timely resumption of business functions.
b) AWS building and its surrounding area are determined safe from natural disasters.
c) Periodic audits must be undertaken to ensure the structural integrity of AWS buildings remains intact.
d) Security personnel are available at all times to prevent trespassing into AWS.
e) Sound monitoring system and CCTV are switched on around the clock.
f) Fire alarm, sprinklers, and Public Address (PA) system are available and in good working condition.

ii. Facilities and working environment
a) Seating arrangement and workspace capacity match the number of CBF staff with adequate room ventilation.
b) Sick bay and first aid kits are adequate and readily available.
c) Adequate amenities are available in AWS.
d) Adequate facilities (e.g. hospital, bank, etc.) within the locality of AWS.
e) Sufficient parking space and lodging (if necessary) for CBF staff.
f) AWS is able to provide backup in case of power disruption to ensure the continuity of critical business functions.

iii. ICT
a) Telephone network and internet access are available and in good working condition.
b) Periodic network security audit and ICT infrastructure audit must be undertaken to ensure high reliability at all times.
c) AWS is connected to data centers for uninterrupted access to systems & applications in the server.

iv. Virtual Office

A Virtual Office (VO) is an environment in which employees work from different locations, out of office environment, for example at home or hotel. To resume work via VO, there should be sufficient equipment, infrastructure and connectivity allowing access to systems used in the office environment.

The following factors need to be considered in calculating cost for VO:
a) Location of virtual site (CBF staff to convene at one specific location or at many locations).
b) Infrastructure and equipment required by CBF staff.
c) General maintenance and operations costs such as equipment (e.g. laptop).

The RTO for the VO strategy is subject to specific business requirement and nature of the job. Work can be resumed immediately after business disruption, or within any determined or specified time frame depending on the criticality of the function.

In selecting this strategy, business should weigh the following factors:
a) Operational cost
VO eliminates the need for a central location; no cost will be incurred to lease and maintain a physical building.
b) Convenience to staff
Work can be resumed anywhere as employees can work effectively from different locations.
c) Accessibility to system
Potential accessibility issues if full access to all office systems is not made available for the user.
d) ICT support
Technical support is unavailable as IT support is not designed to be deployed at multiple locations.
3.2 ICT FAILURE

ICT failure happens when data, systems, and applications are no longer available during business disruption. The recovery strategy is the Disaster Recovery Plan (DRP), whereby critical systems/applications and vital records are backed up at another location. The following recovery strategies can be considered during business disruption:

3.2.1 Common ICT Disaster Recovery Strategies, which include technology and vital records, are as depicted in Table 3 below:

Type of Disaster Recovery Plan Strategy | ICT Disaster Recovery Strategies | Description
Technology | Mirror Site | Pre-staged data center with a real-time backup of system and data with an active-active configuration
Technology | Hot Site | Pre-staged data center with a real-time backup of system and data with an active-passive configuration
Technology | Warm Site | Pre-staged data center with no system and data backup, but partially prepared hardware and network. Restoration of system and data needs to be considered as part of recovery strategy
Technology | Cold Site | Pre-staged data center with no system and data backup, nor prepared hardware and network. Restoration of hardware, system and data needs to be considered as part of recovery strategy
Technology | Acquisition | Strategy to acquire new data center at best effort in the event of a business disruption. Restoration of hardware, system and data needs to be considered as part of recovery strategy
Vital Record | Synchronous Mirroring | Real-time data volume backup
Vital Record | Asynchronous Mirroring | Near real-time data volume backup
Vital Record | Electronic Vaulting | Backup of data sent electronically
Vital Record | Tape backup | Backup of electronic data via tape cartridges

Table 3: ICT Disaster Recovery Strategies

For further details, please refer to IVL ICT Disaster Recovery Plan (DRP) guidelines.
IVL BUSINESS RECOVERY Page No. 20 of 25 STRATEGY (BRS) GUIDELINE Issue No. 1 Rev. No. 1 Record ID: GRMB-BCM-G-01-003 INTERNAL USE Release Date: March 2021 3.3 WORKFORCE FAILURE Workforce failure could be caused by incidents such as pandemic, mass resignation and others that can adversely impact the ability of IVL employees to resume critical business functions effectively. Alternate Workforce (AWF) strategy is pertinent to mitigate unavailability of workforce for business resumption. 3.3.1 Alternate Workforce In ensuring the robustness of the Alternate Workforce strategy, there are three levels of AWF strategy which entail first level manning, second level manning and third level manning. However, depending on the nature of the job, some critical business functions are unable to have alternate employees (e.g. scarcity of highly specialized experts in a particular field). The Management must take cognizance of this fact and develop other strategies to support the entity’s preparedness. Three main levels of recovery strategies for Alternate Workforce are described in Table 4: First level manning Second level manning Third level manning Alternate Workforce who Alternate Workforce from Alternate Workforce from 3rd possess similar skill set from outside the initial worksite party organisations or even the same department or such as from other region or from JV partners or business division at the initial worksite country, but still from the partners within the same location and same entity entity Table 4: Alternate Workforce Recovery Strategies i. First level manning First level manning refers to Alternate Workforce from the primary worksite within the same location and company (e.g. IVL staff within IVL Building). The identified alternate staff should relatively possess similar skill set to the incumbent they replace. 
In selecting this strategy, business should weigh the following factors:

a) Training requirement
AWF within the same worksite is familiar with the system used to execute the business function, thus less training is required. AWF from first level manning is already well-equipped with the knowledge about the company which accelerates the learning process to execute the required business function.

b) Data security
By having AWF from the same worksite, company’s confidential data will only circulate within the same company which prevents disclosure of information to public.
c) Single point of failure
In the event disaster strikes within the same location, the first level manning workforce could also be impacted.

ii. Second level manning

Second level manning refers to Alternate Workforce within the same entity but located outside of primary worksite such as from other region or country (e.g. IVL staff from other locations to be the Alternate Workforce for staff in IVL Building). The identified alternate staff should possess a relatively similar skill set and experience to the incumbent they replace.

In selecting this strategy, business should weigh the following factors:

a) Training requirement
AWF within the same company is familiar with the system used to execute the business function, thus less training is required. AWF from second level manning is already well-equipped with the knowledge about the company which accelerates the learning process to execute the required business function.

b) Data security
By having AWF from the same worksite, company’s confidential data will only circulate within the same company which prevents disclosure of information to public.

c) Knowledge sharing
AWF from different worksite may be able to share and transfer their knowledge as well as experience to improve the level of efficiency of the work function.

d) Business resumption time
AWF from different worksite may require longer traveling time; hence there could be delay in business resumption.

e) Additional costs
Implementation of second level manning requires additional costs such as training, travel, accommodation, allowances, etc.

iii. Third level manning

Third level manning refers to Alternate Workforce from external companies such as business partners, employment agencies, etc. It is preferable that the identified Alternate Workforce has the same competency as the CBF staff.
In selecting this strategy, business should weigh the following factors:

a) Business improvement
AWF from external companies doing the same functions are able to share and transfer their knowledge as well as experience to improve the level of efficiency of the task.
b) Additional costs
Implementation of third level manning will incur additional operational cost in hiring external workforce. The expenses may include manpower cost, travelling expenses, training expenses, living allowances, agency fees, etc.

c) Data security
This option may pose a threat to the security and confidentiality of company data by exposing internal data to a third party.

4. KEY INTERDEPENDENCIES FAILURE

Key Interdependencies failure could be caused by failure of suppliers, business partners, utilities providers, government agencies and other dependent parties in supplying critical goods and components or rendering critical services that can adversely impact resumption of core business operations.

4.1 Key Interdependencies Recovery Strategy

Key Interdependencies are defined as any mutual relationship or synergy between entities which are critical to the core business operation. Key interdependencies can be divided into internal and external dependencies.

i. Internal
Internal dependencies exist when units, departments and sections are dependent on each other within the same entity (e.g. supply chain department relies on finance department on budgeting matters). This identification of internal dependencies is critical to ensure that CBF staff can resume their work successfully with the support from its internal dependencies.

ii. External
External dependencies exist when an entity relies on external parties for services and goods in ensuring continuity of operation. The external parties can be categorized as follows:
a) Business partners
b) Third party suppliers
c) Utility providers (i.e. electricity, water supplies, telecommunication, etc.)
d) Government agencies
Common recovery strategies for key interdependencies are described in Table 5 below:

Parties | Recovery Strategies | Description
Business Partners | Memorandum of Understanding (MOU) | • Negotiated agreement between company and its contractor on having integrated Business Continuity Strategy
Business Partners | Collaboration | • Share resources or critical items between business partners to resume critical operations during business disruption
3rd Party Suppliers | Service Level Agreement (SLA) | • SLA is negotiated agreement on agreed accountability of non-delivery of services provided by suppliers
3rd Party Suppliers | Sourcing Strategy | • Alternate sourcing is having backup supplier in the event the main supplier fails to supply critical equipment or services • Multiple sourcing is having multiple suppliers to supply similar critical equipment to prevent single point of failure
3rd Party Suppliers | Insurance Spares | • Insurance spares is having additional inventory of critical equipment as backup to be used in the event suppliers fail to supply critical equipment
3rd Party Suppliers | Alternate Equipment | • Utilizing other equipment with similar specifications to replace affected critical equipment
3rd Party Suppliers | Business Continuity Clauses | • Negotiated agreement between company and its suppliers to include Business Continuity Plan or Recovery Strategy requirement in the contract
Utility Providers | Memorandum of Understanding (MOU) | • Memorandum of Understanding is negotiated agreement with Utility Providers to ensure the consistency and reliability of their services even during business disruption

Table 5: Key Interdependencies Recovery Strategy
3.5 FACILITIES FAILURE

Facilities failure could be caused by, but not limited to, fire, explosions, natural disaster, etc. which disrupt the operations of platforms, pipelines, terminals, depots and other facilities that can adversely impact resumption of core business operations.

3.5.1 Facilities Failure Recovery Strategy

Key strategies for facilities failure comprise restoring facilities, sourcing for alternate production and exercising legal rights. During business disruption, businesses should primarily exhaust efforts in expediting facilities restoration to minimise impact on business productivity. If restoration of facilities is prolonged or fails, businesses may opt for alternate production or exercise legal rights as the last resort. The recovery strategies are explained as follows:

i. Facilities restoration
The recovery solutions to restore the affected facilities during an emergency are:
a) Business function/entity/plant/site facilities restoration to reduce downtime
b) Activate SLA with vendors for equipment spares

ii. Alternate production
The initiative to recover the affected worksite by using alternate production unit. For example:
a) PTA: Engage alternate delivery point of raw materials by sourcing from other PTA facilities/plants
b) Engage alternate processing plant

iii. Exercise legal rights
This initiative shall remain as the last resort to minimize the losses of the business, i.e. declaration of force majeure by business function/entity/plant/site.
3.6 SUPPLY FAILURE

Supply failure could be caused by, but not limited to, facilities failure (pipelines, terminals and depot, etc.) and a reduced amount of resources which disrupt the operations of the raw materials supply chain and can adversely impact the supply obligation of key products to core customers.

3.6.1 Supply Failure Recovery Strategy

Key strategies for supply failure comprise the utilisation of existing assets/capacity/inventories (including safety stock) and external sourcing strategy.

i. Utilisation of existing assets/capacity/inventories
Reallocation of system supply:
a) Lifting prioritisation
b) Shipment rescheduling
c) Products reallocation
d) Products export deferment/cancellation/buy-back

ii. External sourcing
Initiative to continue the supply by using spot market. Spot market is a strategy in which supplies are imported for immediate delivery. The spot market is also called the "cash market" or "physical market", because prices are settled in cash on the spot at current market prices, as opposed to forward prices.

- END -
6. Testing & Exercising (T&E) Guideline
GROUP RISK MANAGEMENT & BCM (GRMB) IVL TESTING & EXERCISING (T&E) GUIDELINE March 2021 INTERNAL USE © 2021 INDORAMA VENTURES LIMITED (IVL) All rights reserved. No part of this content may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.
IVL TESTING & EXERCISING (T&E) GUIDELINE Page No. 2 of 19 Issue No. 1 Rev. No. 1 Record ID: GRMB-BCM-G-01-004 INTERNAL USE Release Date: March 2021

RECORD DETAILS
Record Title: IVL Testing & Exercising (T&E) Guideline
Record Version: Issue No: 1 Revision No: 1
Record Status: Approved
Record Reference Number: GRMB-BCM-G-01-004

RECORD APPROVAL
Reviewed By: Approved By: Prepared By: Kanchit Damkaew, Dhananjay Mohite, Wan Norashikin Mohd Nasir, Senior Manager AVP VP Global Risk Global Risk Global Head Management & BCM Management & BCM Risk Management & BCM Date: Date: Date:
RECORD CLASSIFICATION

RECORD SECURITY
SECRET X CONFIDENTIAL INTERNAL USE OPEN

RECORD TYPE
X Policies, Frameworks and Guidelines
Manuals, Procedures, Work Instructions and Records
Legal, Commercial and Contractual Documents
Forms and Reports
Business and Financial Correspondences & Communication

REVISION HISTORY

AMENDMENT SHEET
PAGE NO. | DATE | NATURE OF AMENDMENT/CHANGE | REVISED BY | SIGNATURE OF APPROVER
TABLE OF CONTENT

1.0 INTRODUCTION
1.1 OBJECTIVE
1.2 SCOPE
1.3 REFERENCES
1.4 GLOSSARY OF TERMS
2.0 OVERVIEW OF TESTING & EXERCISING
2.1 ROLES AND RESPONSIBILITIES IN TESTING & EXERCISING
3.0 TYPES OF TESTING & EXERCISING
3.1 PARTIAL SIMULATION
3.2 INTEGRATED SIMULATION
4.0 BUSINESS DISRUPTION SCENARIOS & RECOVERY STRATEGIES
4.1 WORKPLACE FAILURE
4.2 WORKFORCE FAILURE
4.3 ICT FAILURE
4.4 KEY INTERDEPENDENCIES FAILURE
4.5 FACILITIES FAILURE
4.6 SUPPLY FAILURE
4.7 OTHER BUSINESS DISRUPTION SCENARIOS
5.0 TESTING & EXERCISING FREQUENCY
6.0 PHASES IN TESTING & EXERCISING
6.1 PLANNING PHASE
6.2 EXECUTION PHASE
6.3 REVIEW PHASE
6.4 KEY CONSIDERATION
1.0 INTRODUCTION

Testing & Exercising is the 5th component of BCM Framework, as shown in Figure 1 below. It measures the effectiveness of recovery strategies identified in the Business Continuity Plan (BCP). Testing & Exercising ensures that the BCP is validated and kept up-to-date and that the organisation is ready when facing business disruption, while taking into consideration changes in the business environment, rapid technological advancements and new requirements as well as legislations imposed by stakeholders, among others.

The objectives of Testing & Exercising include:
i. To ensure effectiveness and robustness of recovery strategies identified in Business Continuity Plan.
ii. To ensure preparedness and readiness in facing business disruption.
iii. To identify issues and areas of improvement for BCP enhancement.

Figure 1: BCM Framework
1.1 OBJECTIVE

Testing & Exercising guideline aims to provide a systematic approach to ensure robustness in planning, conducting and analysing results of BCP testing.

1.2 SCOPE

This guideline focuses on Testing & Exercising for office building environment and shall apply to IVL and its subsidiaries. This guideline shall be read together with BCM Framework and its guidelines. Any deviation from the requirements defined in this document shall be made in consultation with, and approved by, GRMB. Changes to this document shall be reviewed, updated and coordinated by GRMB.

1.3 REFERENCES

This document makes reference to the following:
i. IVL Enterprise Risk Management (ERM) Framework.
ii. IVL Business Continuity Management (BCM) Framework.
iii. IVL Business Impact Analysis (BIA) Guideline.
iv. IVL Business Recovery Strategy (BRS) Guideline.
v. IVL Business Continuity Plan (BCP) Guideline.
vi. IVL ERM Process Guideline.
vii. IVL Technical Standard (PTS): Emergency Drill and Exercise Procedure.
viii. International Standard ISO 22301 (Societal Security – Business Continuity Management Systems – Requirements).
1.4 GLOSSARY OF TERMS

1.4.1 Terms and Definitions

Business Continuity
Capability of the organization to continue delivery of products or services at acceptable predefined levels following business disruption.

Business Continuity Management
Holistic management process that identifies potential threats and their impact to the organisation, and provides a framework for building resilience with the capability for an effective business resumption that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan
Documented procedures that guide organizations to respond, recover, resume, and restore to pre-defined level of operation following business disruption.

Business Disruption
A risk event that results in unplanned outage or negative deviation from the expected delivery of products or services according to the organization’s objectives.

Crisis
A significant business disruption which affects the organization's normal operations; impacting people, environment, assets and reputation.

Critical Business Function
Vital function which an organisation requires to remain viable. If the function is unavailable for a prolonged period, it will result in financial and non-financial loss (e.g. EHS, reputation, security, legal and operations).

Exercising
Process to train for, assess, practice, and improve performance in an organization.
Note 1: Exercises can be used for: validating policies, plans, procedures, training, equipment, and inter-organizational agreements; clarifying and training personnel in roles and responsibilities; improving inter-organizational coordination and communications; identifying gaps in resources; improving individual performance; and identifying opportunities for improvement, and controlled opportunity to practice improvisation.
Note 2: A test (refer to definition of “testing”) is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned.

Impact
Evaluated consequence of a particular outcome.
Incident
An abnormal or unplanned event that affects people, environment, asset and reputation, requires attention and has the potential to precipitate an emergency, crisis and/or business disruption.

Interdependencies
The reliance of an organization’s business functions, processes or systems on another party (internal or external).

Recovery Time Objective
Period of time following a business disruption within which:
i. Product or service must be resumed, or
ii. Activity must be resumed, or
iii. Resources must be recovered

Testing
Procedure for evaluation; a means of determining the presence, quality, or veracity of something.
Note 1: Testing may be referred to as a “trial”.
Note 2: Testing is often applied to supporting plans.

Verification
Confirmation, through the provision of evidence, that specified requirements have been fulfilled.
1.4.2 Abbreviations

AWF Alternate Workforce
AWS Alternate Worksite
BCM Business Continuity Management
BCP Business Continuity Plan
BCT Business Continuity Team
CBF Critical Business Function
DRP Disaster Recovery Plan
ICT Information Communication Technology
RTO Recovery Time Objective
T&E Testing & Exercising
VO Virtual Office
GIT Group Information Technology
2.0 OVERVIEW OF TESTING & EXERCISING

Testing & Exercising (T&E) involves a process to validate the components in Business Continuity Plan by simulating possible disaster scenarios to ensure consistency of recovery strategies, plans and procedures with business continuity objectives.

T&E key components shall include:
i. Scope and objectives of the testing.
ii. Appropriate scenarios that are well planned with clearly defined aims and objectives.
iii. Time validation of business continuity arrangement, involving relevant parties.
iv. Post-exercise reports that contain outcomes, recommendations and actions to implement improvements.
v. Testing is reviewed within the context of promoting continual improvement.
vi. Testing is conducted at planned intervals or when there are significant changes within the organization or to the environment in which it operates.

2.1 ROLES AND RESPONSIBILITIES IN TESTING & EXERCISING

In undertaking Testing & Exercising, the roles and responsibilities of the key parties involved are as per Table 1 below. Group Risk Management & BCM (GRMB) is responsible for coordinating integrated testing across the group, while BCM Coordinators will coordinate Testing & Exercising to be conducted at business function/entity/plant/site level.
GRMB
• Communicate and align on Testing & Exercising with BCM Coordinators
• Coordinate and conduct integrated testing across the group
• Identify findings and consolidate integrated testing result across the group
• Coordinate gap closure on integrated testing across the group
• Present/update Management on testing results

BCM Coordinator (Business Function/Entity/Plant/Site)
• Liaise with and cascade information to BCM Coordinators and CBF staff on testing
• Coordinate and conduct testing
• Identify findings and consolidate testing result
• Coordinate gap closure
• Present/update Management on testing result

Critical Business Function (CBF) staff
• Assist and provide BCM Coordinators with information/status required
• Participate in Testing & Exercising
• Provide feedback to BCM Coordinators on Testing & Exercising conducted
• Present/update Management on testing results

Table 1: Roles and Responsibilities
3.0 TYPES OF TESTING & EXERCISING

3.1 PARTIAL SIMULATION

Partial simulation is designed to validate:
i. Readiness of selected components within a BCP (e.g. BCT, BCM recovery team, CBF staff).
ii. Effectiveness of specific recovery strategies and procedures relevant to selected disruption scenarios (e.g. resumption of CBF at AWS only for workplace failure).
iii. Effectiveness of recovery strategies for selected CBF or parts of an entity (e.g. resumption of CBF for finance department).

Examples of partial simulation shall include but not be limited to:

3.1.1 BCP Walk-Through
Participants review the plans and procedure in a safe and stress-free environment such as in a conference room.

3.1.2 Table Top Exercise
A table top exercise simulates business disruption scenarios in a controlled environment. The participants gather to discuss general problems and procedures in the context of business continuity. The focus is on training and familiarisation with roles, procedures, or responsibilities.

3.1.3 Call Tree Verification
A test designed to validate that phone numbers and contact lists of relevant personnel and stakeholders are accurate and up-to-date, and to validate the effectiveness of response time and clarity in message delivery.

3.1.4 Alternate Worksite
A test designed to validate effectiveness of building and work area execution, response and recovery plans at a designated alternate location.

3.1.5 Virtual Office
A test designed to validate effectiveness of getting employees to work from different locations, out of office environment. In order to resume work via virtual office, there should be sufficient equipment, infrastructure and connectivity allowing access into systems used in the office environment.
3.2 INTEGRATED SIMULATION

Integrated simulation is designed to validate all components within a BCP relevant to selected disruption scenarios, including effectiveness of recovery strategies and procedures, for an entire entity.

For a simulation to be defined as integrated, it has to fulfil all the following criteria:
i. Involves entire entity.
ii. Involves Testing & Exercising of all components within a BCP relevant to selected disruption scenarios, including BCP activation through call tree, resumption of CBF, BCT and BCM recovery team.
iii. Incorporates validation of all identified recovery strategies relevant to selected disruption scenarios (e.g. resumption of CBF staff at AWS and VO for disruption scenario of workplace failure).

A simulation is defined as partial if any of the above criteria is not met.
4.0 BUSINESS DISRUPTION SCENARIOS & RECOVERY STRATEGIES

In carrying out Testing & Exercising, the following disruption scenarios can be tested.

4.1 WORKPLACE FAILURE
Workplace failure could be caused by incidents such as, but not limited to, riot, terrorist attack, natural disaster, and bomb threat that can affect accessibility to the building for a prolonged period of time. The recovery strategies for workplace failure are twofold:
i. Alternate Worksite (AWS)
ii. Virtual Office (VO)

4.2 WORKFORCE FAILURE
Workforce failure could be caused by incidents such as, but not limited to, pandemic, mass resignation and others that can adversely impact the ability of IVL employees to resume critical business functions effectively. The recovery strategy for this failure is identification of Alternate Workforce (AWF) to ensure resumption of CBF according to BCP.

4.3 ICT FAILURE
ICT failure happens when data, systems, and applications are no longer available during business disruption. The recovery strategy is Disaster Recovery Plan (DRP) whereby critical systems/applications are backed-up at another location. The scenario of ICT failure shall be tested and monitored by GIT.

4.4 KEY INTERDEPENDENCIES FAILURE
Key Interdependencies failure could be caused by, but not limited to, failure of suppliers, business partners, utilities providers, government agencies and other dependent parties in supplying critical goods and components or rendering critical services that can adversely impact resumption of core business operations.

4.5 FACILITIES FAILURE
Facilities failure could be caused by, but not limited to, fire, explosions, natural disasters, etc. which disrupt the operations of pipelines, terminals, depots, etc. that can adversely impact resumption of core business operations.
4.6 SUPPLY FAILURE
The failure assumes disruption of supply to customers or from suppliers which affects business operations.

4.7 OTHER BUSINESS DISRUPTION SCENARIOS
Development of BCP should also consider combinations of the above business disruption scenarios and other business disruption scenarios that are not listed above.
5.0 TESTING & EXERCISING FREQUENCY

Business function/entity/plant/site shall conduct Testing & Exercising to allow CBF staff to be familiar with the BCP, facilities and systems for business continuity. At minimum, the Testing & Exercising frequencies are as per Table 2 below:

Types | Description | Frequency
Partial Simulation: i. BCP Walk-through; ii. Table Top Exercise; iii. Call Tree Verification; iv. Alternate Worksite; v. Virtual Office | Validation of selected components within a BCP, effectiveness of specific recovery strategies and procedures, or for selected CBF or parts of an entity. | Once every year
Integrated Simulation | Validation of all components within a BCP relevant to selected disruption scenarios, including effectiveness of recovery strategies and procedures, for an entire entity. | Once every 3 years
Plant, facilities and sites | Validation of selected components within a BCP, effectiveness of specific recovery strategies and procedures, and linkages to emergency training and drill at plant, facilities and sites environment. | As per IVL Emergency Drill and Exercise Procedure
Disaster Recovery Plan (DRP) | DRP activation in the event of disruption to IVL primary data centre. | As per DR and BCP Policy (IT-POL-016)

Table 2: Frequency of Testing & Exercising
6.0 PHASES IN TESTING & EXERCISING

As per Figure 2 below, there are 3 phases in Testing & Exercising i.e. Planning, Execution and Review.

PLANNING
• Obtain approval from respective Heads
• Ensure completeness of BCP
• Design testing programme
• Develop testing arrangements & budget allocation
• Conduct awareness on BCP

EXECUTION
• Track attendance of participants
• Run testing according to plan
• Take note of findings and gaps

REVIEW
• Assess, review and analyse test result
• Submit feedback/exercise report for enhancement
• Present and seek endorsement from Management
• Amend existing BCP to close any identified gaps

Figure 2: Testing & Exercising Phases

6.1 PLANNING PHASE

In planning Testing & Exercising, the following elements should be taken into account:

i. Obtain approval from respective Approving Authorities
Approval from respective heads/approving authority shall be obtained before conducting Testing & Exercising as it might affect business function/entity/plant/site day-to-day operations.

ii. Ensure completeness of Business Continuity Plan (BCP)
BCM coordinator shall ensure that information in BCP is updated and completed prior to Testing & Exercising. The information includes call tree, Recovery Time Objective (RTO) for CBF, CBF staff details and others.

iii. Design testing programme
Testing programme shall be designed taking into account the following components:
a) Testing objective
b) Business disruption scenario
Input from relevant parties shall be obtained to ensure the scenarios developed are realistic.
c) Participants – RTO/CBF staff/AWF/BCT/CMT
• Testing should be scheduled taking into cognizance the availability of CBF staff, observers and 3rd parties involved
• Size of participants should be manageable for the testing to be effective
d) Involvement of external parties (e.g. Police, Fire Brigade, Hospital, Department of Environment, etc.)
e) Duration of testing
f) Mobilisation plan
g) Injection of scenarios – additional scenarios injected during testing to test the ability of relevant stakeholders in responding to certain situations
h) Questionnaires to be developed to obtain feedback from targeted parties. Samples of checklist and questionnaires are as per below:
• Appendix 1 - Sample of Pre-Simulation Checklist for BCM Coordinator
• Appendix 2 - Sample of Feedback Questionnaire for CBF Staff
• Appendix 3 - Sample of Checklist for Observer

iv. Arrangement on testing and ascertain budget
Testing requirements such as logistic arrangement preparations, security, ICT, food and beverages and others shall be budgeted for testing.

v. Awareness on BCP
CBF staff should be made aware of the testing details and their responsibilities during BCP activation.

6.2 EXECUTION PHASE

In executing Testing & Exercising, the following elements should be taken into account:

i. Attendance of participants
BCM Coordinator shall record the attendance of participants during testing. Participants could include CBF staff, BCT members, BRT members, observers etc.

ii. Testing & Exercising implementation
The testing shall be conducted according to the test plan. Arrangements with observers and non-CBF, if any, will be coordinated by BCM Coordinators.
iii. Findings and gaps
Findings and gaps during testing can be obtained using the checklist and questionnaires developed during the pre-Testing & Exercising phases. The Checklist for Observer and VO/AWS Feedback Questionnaire for CBF Staff shall be collected and consolidated by BCM Coordinators.
Once testing has been completed, a short debriefing session should be conducted to discuss the preliminary findings from the testing exercise.
For VO, depending on the VO location, a short debriefing session after the testing should be conducted to discuss the preliminary findings from the testing exercise.

6.3 REVIEW PHASE

In review of Testing & Exercising, the following elements should be taken into account:

i. Gaps Analysis
Observers' Checklist and CBF staff Feedback Questionnaire shall be consolidated and analysed to ascertain any gaps for BCP enhancement. Enhancement for BCP can be for the following components:
a) Call tree – effectiveness of medium used (SMS, call), response time, message delivery.
b) Recovery Time Objective (RTO) – resumption time for the function.
c) People – minimum number of people required to perform CBF at the identified Alternate Worksite strategy.
d) Equipment – minimum number of critical equipment needed by critical staff to perform the CBF.
e) Technology – technology requirements to perform the CBF which includes identification of Critical Systems & Applications (CSA) and Vital Records.
f) Asset – strategy for CBF to be at either AWS or VO reflecting the organization's requirement.
g) Interdependencies – internal and external dependencies for CBF.

ii. Presentation to Management
Consolidated findings and gaps identified are to be presented to Management. Follow-up on gaps shall be undertaken to ensure gap closures are completed within the specified timeline.
6.4 KEY CONSIDERATION

6.4.1 Alternate Worksite (AWS) and Virtual Office (VO)

i. Workstation layout at AWS
The number of workstations required and the layout for AWS staff are to be confirmed prior to testing. Workstation signage is available at each desktop and arranged by BCM Coordinators, if required.

ii. Equipment, systems and facilities at AWS and VO
a) For AWS:
Office equipment and systems shall be tested first to ensure that they are operational, up-to-date and aligned with business function/entity/plant/site requirements. Availability of facilities such as prayers room, sick bay, counselling room, and restroom should also be taken into account. Additional requirements for equipment or facilities, if any, shall result in additional costs.
b) For VO:
Pre-testing of VO equipment shall be conducted to ensure that it is functional, up-to-date and aligned with BCP requirements. The pre-testing should also include internet connection speed and stability, together with Common and Specific Systems. VO Checklist (refer to Appendix 2: Sample of Feedback Questionnaire for CBF) shall be used for pre-testing of VO equipment, systems and applications.

6.4.2 Identification and appointment of Alternate Workforce (AWF)

For testing involving AWF, BCM Coordinators shall ensure identification of AWF in the BCP and appointment of the respective AWF. Sufficient training programme shall be conducted to ensure AWF are able to resume the CBF as per business function/entity/plant/site BCP.
The three levels of AWF strategy will differ from one business function/entity/plant/site to another:
i. 1st Level – Within building
ii. 2nd Level – Outside location
iii. 3rd Level – 3rd party/staff from other organisation

6.4.3 Plant, facilities and sites

For Testing & Exercising specific to a plant or site, where AWS/VO is not applicable and Testing & Exercising is conducted on site, business function/entity/plant/site could leverage on emergency drill and exercise for ease of implementation and cost optimisation purposes.

- END -