Set the scope of your business continuity programme

The first stage in implementing a business continuity programme is confirming the scope with senior management.

Define the scope of your programme

The scope defines at a high level the priority areas your programme will cover — not everything your organisation does as ‘business as usual’ can or should be maintained during a disruption. The scope of your programme should take into account your organisation’s:

  • legislative responsibilities
  • overall strategy
  • objectives
  • structure.  

When you’re setting the scope, make sure it includes anything your priority areas depend on, such as supporting functions and resources.

Once you’ve established a business continuity programme, review its scope regularly so it continues to reflect your organisation’s responsibilities, objectives, and functions.

Develop a policy for managing business continuity

Develop a policy that outlines the intent and coverage of your business continuity programme. Senior management should approve the policy.

A policy for managing business continuity should include:

  • a definition of business continuity management
  • reference to any standards and guidelines you follow
  • what your programme covers
  • how your programme will be structured and run
  • links with other policies, processes, and disciplines within your organisation (for example, risk management).

Identify capable people and assign responsibility

You need people from all levels of the organisation to carry out business continuity management. Identify capable people to authorise, manage, and implement your programme. Roles you should cover include:

  • a governance team
  • a senior manager to sponsor the programme
  • a team to lead the programme’s implementation
  • departmental leads, plan owners, and subject matter experts
  • incident response teams.

Coordinate your response across disciplines

Your business continuity programme should provide the framework for integrated incident management for your organisation. Where other functions — like security, privacy, and information technology — have incident management procedures, make sure each team knows about the others’ response structures, triggers, and escalation paths.

To ensure an organisation-wide, holistic response to all incidents, your various incident management procedures and associated plans should be able to operate independently or together.


Page last modified: 4/05/2022