Governance & Compliance

Business Continuity Policy.

Our commitment to resilience and continuity of supply, aligned to ISO 22301:2019.

Amended public version. This is an amended version of Aromis International FZCO's Business Continuity Policy (ARO-BCABMS-POL-02), published for transparency. Individual names and certain operational details have been omitted. The complete, controlled version of this policy is available on request and is shared according to the nature of the request.

Business Continuity Management System · ISO 22301:2019, integrated with ISO 37001:2025 · Version 2.0, 15 June 2026

Policy

Aromis International FZCO, as a modern and forward-looking business, recognises the need to ensure its operations run smoothly and without interruption for the benefit of its customers, shareholders and other stakeholders. Recent regional disruption has demonstrated that severe, prolonged interruption can occur, and this policy reflects the organisation's strengthened commitment to resilience. To ensure continuous operations, Aromis International FZCO has implemented a Business Continuity Management System (BCMS) in line with the international standard ISO 22301:2019 and aligned with its integrated Anti-Bribery Management System (ISO 37001:2025).

It is the policy of Aromis International FZCO to:

  • Maintain a strategy for responding to and recovering from adverse situations that aligns with a low acceptable risk level, incorporating lessons learned from real activations.
  • Ensure that, whenever practical, action is taken to prevent the occurrence or recurrence of an adverse situation by adopting appropriate risk controls, including diversifying logistics routes and sourcing away from single points of failure.
  • Maintain a programme of activity that ensures the organisation can respond appropriately to and recover from adverse situations, in line with predefined business continuity objectives.
  • Maintain appropriate response plans, including a business continuity plan and an incident response plan, underpinned by a straightforward escalation process.
  • Rehearse response and recovery plans at least annually, or following significant changes to the operating environment or organisational structure.
  • Maintain a level of resilience to operational failure commensurate with the risks faced, including a full alternate-site and remote-working sequence.
  • Ensure that all persons involved in business continuity management are competent, with appropriate education, training, skills and experience.
  • Review relevant metrics through the formal monthly management-review cadence to assess whether changes are needed, based on collected historical data, the outputs of automated monitoring tools (with human oversight), and feedback from relevant sources.
  • Review ideas for continual improvement during monthly management reviews to prioritise them and assess their timescales and benefits.
  • Remain aligned with good industry practice in business continuity management and continually improve the effectiveness of the BCMS across all areas within the defined scope.
  • Comply with applicable legal, regulatory and contractual requirements, as identified and managed through our legal and regulatory requirements procedure.

Scope and key dependencies

The scope of the BCMS is the import, export and promotion of food products and related marketing products, operated from the Dubai Airport Free Zone (DAFZA), Dubai. Its critical activities and their external dependencies are:

  • Sourcing of finished goods — our contract manufacturers in Türkiye and Tunisia, managed as business associates through supplier due diligence.
  • Financial operations — our banking partners, for the processing of payments and receipts and currency hedging.
  • Regulatory compliance and licensing — the Dubai Airport Free Zone Authority (DAFZA), for our trade licence and premises.

In line with ISO 37001:2025, Aromis International FZCO determines climate-change issues relevant to the business and records the needs of interested parties. This policy integrates a compliance culture that does not tolerate bribery or corruption and supports the Anti-Bribery Policy and the Whistleblower Policy. Reporting of any bribery or unethical conduct can be made by email to ethics [at] aromis.ae.

Roles and responsibilities

Roles, responsibilities and authorities for the integrated Business Continuity and Anti-Bribery Management System are defined centrally in our Context of the Organisation procedure, which is the single authoritative source.

Risk and control framework

The framework for managing operational risks is defined in our business impact analysis procedure and business continuity risk register. Key risk areas and our control strategy are summarised below:

  • Regional instability and conflict — disruption to regional shipping, airspace, or the DAFZA hub. Controls: incident response plan, a full alternate-site and remote-working sequence, and diversified logistics routes.
  • Supplier disruption — failure of a key manufacturer to produce or ship goods due to raw-material or geopolitical issues. Controls: supplier diversification, alternative sourcing for selected commodities, and structured decision support in our enterprise systems.
  • Financial concentration — over-reliance on a single client or market. Controls: automated monitoring of receivables (with human oversight) and dual-authorisation payment controls with segregation of duties.
  • Health emergency — loss of access to the primary place of work. Control: transition to remote working using our cloud productivity and enterprise systems.
  • Information security and cyber — ransomware or data breach. Controls: as defined in our Cybersecurity and Artificial Intelligence Policy.

Monitoring, review and exercising

The performance of the BCMS is monitored to ensure its continuing suitability, adequacy and effectiveness, supplementing the monthly management-review cadence:

  • Monthly business continuity and anti-bribery management review.
  • Weekly resilience and risk briefing.
  • Automated risk monitoring, with human review.
  • Business continuity plan test or exercise at least annually, or after a major plan update.
  • Management-system document review at least annually.
  • Supplier business-continuity evaluation at onboarding and annually for critical suppliers.
  • Internal audit in line with the internal audit plan.

This policy is communicated to all staff and made available to relevant interested parties as appropriate.

Approval

Approved and authorised for and on behalf of Aromis International FZCO.

General Manager
Date: 15 June 2026

This amended public edition omits individual names, specific control values and internal document references. The complete controlled document (ARO-BCABMS-POL-02) is available on request via our contact page.