1. PURPOSE

This Policy has been established to ensure the continuity of service delivery in all of GÜLER's processes, the resilience of critical operations, crisis management competence, and corporate sustainability within the framework of ISO 22301.
The primary objective is to ensure that our customers' foreign trade, customs clearance, and regulatory processes continue under all conditions, within specified timeframes, and in a secure manner.

2. SCOPE

This policy covers:
• All operational processes of Customs Consultancy,
• IT infrastructure, software, data centers, and information security,
• Head office, branches, and all liaison offices,
• Human resources, suppliers, business partners, and group companies.

3. POLICY STATEMENT (COMPLIANT WITH ISO 22301 CLAUSE 5.2)

As GÜLER, our commitment is as follows:
• We treat business continuity as a strategic priority.
• We plan, implement, test, review, and continuously improve our processes to minimize disruption risks.
• We guarantee that the service we provide to our customers in crisis or extraordinary situations will not fall below predefined acceptable levels.
• We provide and improve the necessary resources, manpower, technology, and financial structure to ensure the sustainability of our critical activities.
• We conduct regular training and drills to increase all employees' awareness of business continuity.
• We fully comply with legal, regulatory, and contractual requirements.
• We maintain effective communication with our stakeholders (customers, government agencies, port/terminal authorities, suppliers) during crisis periods.
This policy has been approved by senior management and is communicated to all employees.

4. OUR BUSINESS CONTINUITY MANAGEMENT MODEL

It is carried out in accordance with the Plan–Do–Check–Act (PDCA) cycle requiredby ISO 22301.

5. BUSINESS IMPACT ANALYSIS (BIA) AND RISK ASSESSMENT (ISO 22301 – CLAUSE 8.2 & 8.3)

At GÜLER, a BIA has been prepared for all critical processes:

5.1 Critical Activities
• Customs Declaration Registration
• Invoice/document control, tariff determination
• Data flow and reporting (Power BI, KPI systems)
• Digital system continuity
• Customer communication and crisis management

5.2 Risk Scenarios
The following risks are assessed within the scope of BIA analyses:
• System failure / loss of server access
• Cyber attack
• Personnel loss or critical position vacancy
• Fire, earthquake, flood
• Physical office access barriers
• Sudden load increase due to regulatory changes
• Supplier-related interruptions
• National/international delays in logistics For each risk:
• Impact level,
• Maximum tolerable downtime (MTPD),
• Target recovery time (RTO),
• Required resources have been identified.

6. BUSINESS CONTINUITY STRATEGIES (ISO 22301 – CLAUSE 8.4)

6.1 Organizational Strategies
• Backup Personnel – Authority Delegation Matrix: A second responsible person is designated for all critical positions.
• Multi-Location Operations: Our office structure across 12 provinces distributes the risk of disruption.
• 24/7 Access Mechanism: Dedicated communication lines for critical customers.

6.2 Technological Strategies
• 100% in-house developed software infrastructure
• Active-passive backup server architecture in geographically separate locations
• Daily/weekly/monthly layered backup
• ISO 27001 compliant cybersecurity infrastructure
6.3 Operational Strategies
• All processes can be carried out from different locations thanks to the digital declaration system.
• Regulatory processes are executed with centralized compliance control.
• "Emergency Task Cards" have been created for customer-based critical operations.
6.4 Supplier and Stakeholder Management
• An SLA (Service Level Agreement) structure is implemented for critical suppliers.

7. INTERVENTION STRUCTURE AND CRISIS MANAGEMENT (ISO 22301 – CLAUSE 8.4.3)

7.1 Crisis Management Team
The following units are activated in extraordinary situations:
• Senior Management
• Ethics & Compliance Directorate
• Information Technology Unit
• Operations Directorate
• Communications and Customer Management Unit

7.2 Emergency Plans
Prepared for each location and process in accordance with ISO 22301:
• Evacuation plans
• Alternative work location
• Remote work procedures
• Data recovery procedures
• Crisis communication protocol

8. TRAINING, AWARENESS, AND EXERCISES (ISO 22301 – CLAUSE 7.2 & 8.5)

• All employees receive business continuity training at least once a year.
• Scenario-based tabletop exercises are conducted for critical processes.
• An annual disaster recovery plan (DRP) exercise is mandatory for the IT infrastructure.
• Exercise results, risk levels, and action plans are recorded and improved upon.

9. COMMUNICATION AND STAKEHOLDER MANAGEMENT (ISO 22301 – CLAUSE 7.4)

9.1 Internal Communication
• Employees are informed via SMS, email, and emergency communication channels during a crisis.
• Authority delegation and team rotation notifications are predefined.
9.2 External Communication
• Customers are informed about critical impacts within specified timeframes.
• Coordinated communication is maintained with government agencies, ports, warehouses, and relevant stakeholders.
• Media communication is conducted solely by designated spokespersons.

10. PERFORMANCE MONITORING AND MEASUREMENT (ISO 22301 – CLAUSE 9)

• The effectiveness of continuity plans is regularly tested.
• KPI performance, processing times, error rates, and user feedback are analyzed.
• Internal audits, independent audits, and ISMS (ISO 27001) audits are conducted in an integrated manner.
• Continuity plans are reviewed and updated at least once a year.

11. CONTINUOUS IMPROVEMENT (ISO 22301 – CLAUSE 10)

• Processes are revised based on exercise results, actual incidents, customer feedback, and audit reports.
• A culture of continuous improvement is implemented in line with structural, technological, and operational needs.
• Senior management commits to providing the necessary resources for the development of the Business Continuity Management System.

12. TOP MANAGEMENT APPROVAL

This policy has been approved by GÜLER's senior management and is binding for all employees, suppliers, and stakeholders.
The policy will be reviewed annually and updated as necessary.