02 Business Continuity Planning - Defining the Scope

Business Continuity Programme

The first step in implementing a business continuity programme is to confirm the scope with senior management.

Scope Definition

The scope should define the priority areas your programme will cover—not every aspect of your organisation's business as usual. It should take into account your organisation's:

  • Legislative responsibilities
  • Overall strategy
  • Objectives
  • Structure

Make sure the scope includes anything that the priority areas depend on, such as supporting functions and resources. Review the scope regularly to ensure it reflects your organisation's responsibilities, objectives, and functions.

Policy Development

Develop a policy that outlines the intent and coverage of your business continuity programme. This should be approved by senior management and include:

  • A definition of business continuity management
  • Reference to any standards and guidelines you follow
  • What your programme covers
  • How your programme will be structured and run
  • Links with other policies, processes, and disciplines within your organisation (e.g. risk management)

Identification of Personnel

You need people from all levels of the organisation to carry out business continuity management. Identify capable people to authorise, manage, and implement your programme. Consider roles such as:

  • A governance team
  • A senior manager to sponsor the programme
  • A team to lead programme implementation
  • Departmental leads, plan owners, and subject matter experts
  • Incident response teams

Multi-Disciplinary Coordination

Your business continuity programme should provide the framework for integrated incident management. Where other functions (e.g. security, privacy, IT) have incident management procedures, make sure each team understands the others' response structures, triggers, and escalation paths.

Your various incident management procedures and associated plans should be able to operate independently or together for an organisation-wide, holistic response to all incidents.