Annexes
Annex 1 – The legislative context
The statutory duties concerning:
- the ability of Category 1 organisations to continue to be able to perform their functions, and
- the provision, by local authorities, of advice and assistance to businesses and other organisations about the continuance of their activities
relate primarily to their ability to meet the challenges of emergencies. ‘Emergencies’ are defined in the Act as events or situations, including war and terrorism, which threaten ‘serious damage’ to human welfare, the environment or security. The National Risk Register sets out the most serious risks which could lead to such events.
However, these requirements are not limited to the ability to respond to the emergency itself; they also cover the effects of the emergency on the organisation. In order to develop and fulfil the requirements of the Act, planners will therefore need to consider related non-emergency Business Resilience. This may be significant in its own right, but also because of its relevance to the capabilities that support emergency functions. These include managing the indirect effects of emergencies, sustaining emergency capabilities, recovering (in preparation for subsequent emergencies), and some aspects of work with partner organisations.
Having business resilience
The Civil Contingencies Act 2004 and the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 set out the following duties in relation to the ability to continue to perform organisational functions.
All Category 1 responders must maintain plans to ensure:
- that if an emergency occurs, as far as this is reasonably practicable, they can continue to perform their functions, and
- that if an emergency occurs or is likely to occur, so far as necessary or desirable, they can perform their roles of preventing the emergency; reducing, controlling, or mitigating its effects; or taking other action in connection with it.
These two duties can be summarised as: having an appropriate level of Business Resilience to continue priority activities and to respond to the emergency.
The regulations also set out some aspects of how these duties must be performed, stating that Category 1 responders:
- must have regard to any relevant risk assessments that have been carried out as part of the duties under the Act
- may maintain plans which relate to a particular emergency or a particular kind of emergency
- must maintain plans which relate to more than one emergency or more than one kind of emergency
- must, when maintaining plans, include arrangements to exercise the plan and to provide training for an appropriate number of suitable staff
- must have regard to any relevant arrangements to warn and to provide information to the public about emergencies
Voluntary sector organisations
In performing the above duties, Category 1 responders must have regard to the activities of voluntary organisations which are relevant to emergencies, and which operate in their area. This means those whose purpose is to prevent an emergency, or to reduce, control, or mitigate its effects, or those with a similar role. Whether or not the voluntary organisation carries out other functions does not affect this duty.
Promoting business resilience
Local authorities have additional duties connected with the provision of advice and assistance to other organisations about the continuance of their activities when faced with emergencies. Local authorities:
- must provide advice and assistance to businesses at large about continuing their activities when affected by emergencies
- may provide advice and assistance to individual businesses about continuing their activities when affected by emergencies
- may provide advice and assistance to businesses in identifying and obtaining help from a competent and experienced business continuity consultant
The regulations also set out some aspects of how these duties must be performed. Local authorities:
- must consider relevant community risk registers when doing these things
- must consider any advice and assistance being provided by other responders in their area and need not duplicate that work
- must co-operate with other local authorities in the same partnership area in fulfilling these duties
- may perform these duties jointly with another responder or may make arrangements with another responder to perform the duty on their behalf
- may charge for the cost of providing advice and assistance on a cost recovery basis
These duties refer to ‘commercial’ activities and ‘emergencies.’ ‘Commercial’ should not be taken narrowly to mean only private sector businesses operating for a profit. Others, including charities, building societies and credit unions, carry out commercial activities; they operate as businesses, generate financial benefits, and should be considered in performing this duty.
However, this does not mean that local authorities should concentrate solely on emergencies as defined in the Act. Most organisations will have direct experience of serious emergencies rarely, if ever. Discussing a broader range of everyday disruptions is likely to be a more productive way to engage businesses, as severe emergencies may seem remote or implausible, or be seen as a problem only for the emergency services. Building resilience to smaller disruptions can lead to a greater ability to manage larger disruptions, though the approach should always be tailored to the context.
Voluntary sector organisations
Local authorities have equivalent duties to provide advice and assistance to voluntary organisations, with the exception that they need only provide this to those which they consider ‘appropriate.’ In determining whether a voluntary organisation is appropriate, the regulations require consideration of:
- the nature and extent of the organisation’s activities, particularly its contribution to (i) preventing emergencies; (ii) reducing, controlling, or mitigating the effects of an emergency; (iii) other emergency‑related actions; (iv) social welfare
- the size of the organisation (e.g. staffing and turnover)
- whether the advice and assistance is likely to improve the organisation’s resilience in the event of an emergency
Because the voluntary sector is large and diverse, it is unrealistic for local authorities to provide advice to all organisations. Efforts should therefore be prioritised where the benefit to emergency resilience or social welfare would be greatest.
Geographic scope
These local authority duties apply only in relation to businesses and voluntary organisations operating in the local authority’s area. This includes those operating temporarily, such as music festivals or major construction projects.
The additional duties placed on local authorities can be summarised as: taking appropriate steps to promote Business Resilience within the commercial and voluntary sectors in their area.
Other Category 1 responders and promoting business resilience
The regulations require other Category 1 responders in the area to cooperate with local authorities delivering these duties. In addition to initiatives led by local authorities, other Category 1 responders can promote Business Resilience in several ways:
- by influencing their suppliers and sub-contractors, thereby improving the resilience of the Category 1 responder itself
- through the normal work of the organisation, which will have Business Resilience consequences (e.g. crime and fire prevention initiatives)
- by ‘warning and informing’ work which makes organisations and the public more aware of risks
Annex 2 – Selected glossary
Business Continuity – Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level.
Business Impact Analysis – The process of determining the impacts on the organisation from interruptions to business operations or processes.
Business Resilience – A holistic approach, demonstrating how resilience can contribute to the overall strategic aims and objectives of an organisation. It extends the scope of business continuity management and emphasises the human and cultural aspects.
Community Resilience – Communities and individuals harnessing local resources and expertise to help themselves in an emergency, in a way that complements the response of emergency responders.
Crisis – An abnormal situation which threatens the operations, staff, customers, or reputation of an enterprise.
Enterprise Risk Management (ERM) – A strategic business discipline that supports the achievement of an organisation’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks.
Incident Response Structure – Organised arrangements to provide effective direction, coordination and deployment of resources required to respond to an incident.
Maximum Tolerable Period of Disruption (or outage) – The maximum allowable time that the organisation’s key products or services can be unavailable or undeliverable before the impact is deemed unacceptable.
Recovery Phase – Process of rebuilding, restoring, and rehabilitating following an emergency or disaster, and continuing until the disruption has been rectified, demands on services have been returned to normal levels, and the needs of those affected have been met.
Recovery Point Objective (RPO) – The point in time to which information used by an activity must be restored to enable that activity to operate on resumption.
Recovery Time Objective (RTO) – The maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organisation.
Risk Appetite – Total amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time.
Risk Treatment – Process of determining those risks that should be controlled (by reducing their likelihood and/or putting impact mitigation measures in place) and those that will be tolerated at their currently assessed level.
Single Point of Failure (SPOF) – The part of a service/activity/process whose failure would lead to the total failure of a key business activity.
Surge Capacity Planning – Development of arrangements to deliver an increased volume of those goods or services that are normally provided.