Duty to maintain business continuity plans
Mandatory requirements
Category 1 responders must:
1. Maintain plans for the purpose of ensuring, so far as is reasonably practicable, that if an emergency occurs the person or body is able to continue to perform his/her or its functions – Section 2(1)(c).
2. Consider whether a risk assessment makes it necessary or expedient for the person or body to add to or modify a business continuity plan – Section 2(1)(e).
3. Have regard to the relevant risk assessments when carrying out duties to maintain business continuity – Regulation 13.
4. Maintain plans which relate to more than one emergency, or particular kind of emergency, and may maintain plans relating to a particular emergency or kind of emergency – Regulation 15.
5. Include a procedure for determining whether emergency or business continuity plans require to be implemented, and identify the person or persons responsible for taking that decision – Regulation 18.
6. Have regard to the activities of the relevant voluntary sector when planning for emergencies – Regulation 17.
7. Test the effectiveness of plans and include arrangements for carrying out exercises – Regulation 19(a).
8. Provide training to an appropriate number of staff considered necessary to carry out plans effectively – Regulation 19(b).
9. Consider whether plans should be modified in the light of guidance and/or assessment issued by Scottish Ministers under Regulation 11 – Regulation 20.
Issues to consider and recommended good practice
10. Ensuring that the structures that support Business Continuity Management include and engage with other Category 1 responders, other partner agencies and external suppliers. This may in part be facilitated by the collective support of the RRP.
11. Having provision for the carrying out of regular exercises specifically designed to validate and test BCM arrangements to ensure effectiveness.
12. Giving consideration to the type of plans you produce, e.g. generic plans, which relate to more than one type of emergency, or specific plans which relate to a particular emergency type, or a mixture of both (Regulation 15). The nature of the plans should be based on the risk assessments you have carried out and the critical functions of the organisation (Regulation 13).
13. Having in place a documented BCM strategy and operational business continuity plans that set out how your organisation will reduce risks to its key functions and continue to perform these at the time of an emergency or in the face of disruption.
14. Having procedures in place to determine whether an event has occurred which is likely to seriously obstruct your organisation in performing its day-to-day functions, including who should make this determination and what actions will follow from this.
15. Being able to demonstrate that a systematic approach is being taken to developing and maintaining business continuity management in your organisation.
16. Having an identified BCM coordinator with the necessary skill set and experience to champion BCM and work with managers to deliver your organisation’s BCM strategy and related plans.
17. Being able to demonstrate that any internal risks (as opposed to the risk due to an external emergency) are addressed in your BCM arrangements.
18. Being able to demonstrate that the process for monitoring, reviewing and updating Business Continuity Plans involves the necessary range of stakeholders and remains directly relevant to the delivery of a practical BC capability.
19. Being able to demonstrate that recovery time objectives (RTOs) and acceptable level of service have been agreed for critical functions.
20. Being able to demonstrate that all dependencies which underpin critical functions have been identified.
21. Being able to demonstrate that all risks to critical functions have been identified, assessed and mitigated.
22. Being able to demonstrate that the organisation’s supply networks and external subcontractors have been considered as a source of risk and that mitigation of any such risks is in place.
23. Being able to demonstrate that, in the event of their loss, realistic plans are in place to recover critical functions within their RTOs.
24. Being able to demonstrate that staff, and both external and internal stakeholders, are aware of the BCM strategy and that it is fully embedded in the organisational culture. A comprehensive programme of awareness raising, education and skill specific training is recommended.
25. Being able to demonstrate that sufficient staff with the correct skill mix have been trained and are available to ensure BCPs are effective – Regulation 19(b). Training should include the contents of the plan, roles and responsibilities and the skills and knowledge required.
Indicators of good practice
26. An agreed and documented corporate Business Continuity policy is in place and is:
- led at strategic level
- part of mainstreamed management processes
- part of the corporate governance structures
- appropriately resourced
27. Business Continuity Plans are updated and maintained, through a documented process, both at regular intervals and in response to:
- updates to your risk assessments (see the risk assessment section above)
- lessons identified from incidents, training or exercising
- organisational and structural changes
- changes in your organisation’s objectives, functions and processes
- changes in supplier and contractual arrangements
- significant changes to staff, equipment or premises
28. Emergencies and impacts in your risk assessments are addressed in your BCM arrangements, especially critical functions and resource requirements for:
- emergency response and
- continuation of critical day-to-day functions at the time of an emergency
29. Critical functions of your organisation have been identified. Functions might be critical because they:
- are an essential part of the response to external emergencies
- help to prevent emergencies and/or reduce and mitigate the risk of them occurring
- impact immediately on human welfare or the environment
- have immediate and significant security, legal or financial implications
- have significant implications for your organisation’s reputation
30. Your organisation’s BCM arrangements are consistent with recognised standards. Consider benchmarking your BCM arrangements against such standards or gaining accreditation to the standard.