Business continuity planning: requirements, scope of work and deliverables

This is Part Four of our Business Continuity series. We recommend reading Parts One to Three first.

So far in our Business Continuity series, we’ve outlined why continuity plans are important, the various stakeholders that should be consulted and additional factors like geographically distributed operations that should be considered. In this article, we will discuss the importance of defining the scope of your organization’s continuity plan and the steps we recommend when proposing the scope to management.

This series will continue detailing the steps for establishing a business continuity plan, regardless of whether your organization takes a project management approach or an agile approach.

Figure 01: Preparation for the business continuity planning program

Leadership commitment

Before you venture into implementing a business continuity plan, you should always have a commitment from the leadership team to support the continuity development program. In the early stages of the program, leadership can demonstrate their commitment by forming a committee and delegating the responsibility of implementing the program or appointing an experienced individual to oversee the program. Additionally, many organizations already have a policy on business continuity planning that demonstrates leadership commitment.

In both private organizations and nonprofits, one way to gauge the likelihood of leadership support for a continuity plan is to look at the enterprise risk register. By identifying risks related to organizational resiliency, as well as the owner responsible for mitigating those risks, you can determine if there is a high probability that the initiative will be supported. If the owner has been assigned to mitigate risks in the near future, this is a good indicator that the directors will support a continuity program. Additionally, the eagerness of the directors to provide requirements or allocate time to confirm the program requirements when it is proposed to them will indicate the support you will receive for developing and implementing a business continuity plan.

These indicators may not always apply though. Sometimes, due to the organization operating in a less regulated environment, the owners of the organization (or the executive leadership committee) may not show sufficient interest in developing and implementing a business continuity plan. In such cases, the enterprise risk management members and auditors must work harder to educate the executives or the owners of the company and urge them to have a plan. 

For publicly listed companies and private enterprises operating in a regulated industry, it is a requirement in most countries to have a business continuity plan.

Requirements for the business continuity plan

The primary requirements of an organization’s continuity plan will typically be determined by the board of directors, since they provide oversight of matters related to the survival of the organization. In organizations that are not publicly listed or are small to medium in size, the board appoints a committee or an individual to drive the business continuity planning. This appointed party then determines the requirements by looking at stakeholder concerns in the enterprise risk register and the business drivers.

Generally, the requirements should include:

Figure 02

If any of these factors have not been addressed, it is advisable to point out any gaps to the leadership team. The above high-level requirements serve as a good starting point for defining program scope.

Scope of work

Every program needs a scope of work to help the organization define the deliverables, the expectations and the boundaries within which the program is executed. The scope should be documented and presented to the stakeholders for their approval. The scope of work takes the requirements accepted by management and elaborates on them so that potential external vendors can understand them. When defining the scope of work, it’s important to separate the requirements that must be delivered on internally (with support from vendors) from the ones that must be entirely delivered by the vendors. It is important to set the right expectations from the very beginning of a program; otherwise, business continuity planning can become an expensive affair.

Items a typical scope of work includes are:

Figure 03: The typical scope of work for a business continuity planning program

Additionally, the below business continuity deliverables must be added to the scope of work as well:

Figure 04: Extended scope of work for the business continuity planning program

The scope of work items are not limited to the above. We will expand on the scope of work requirements in our upcoming premium toolkit, so that your organization can select the appropriate ones for your program.

Whenever the scope of work is documented, out of scope items should follow (thereby eliminating any assumptions). Stating “anything not specified in the scope of work is out of scope” is acceptable; however, it is a better approach overall to be specific when ruling out items that are not in the scope. For example, an out of scope item could be the other subsidiary in a group of companies or a parent company.

Deliverables

Once the scope is defined, a minimum set of deliverables must be identified for the program. The ISO 22301:2019 framework outlines some of the deliverables that you need to have as part of business continuity planning. However, you need to verify with your auditors whether the listed deliverables are sufficient for compliance. Auditors will provide any additional recommendations they deem relevant. Mandatory deliverables must be identified and included in the scope of work. Some of the mandatory deliverables might include:

Figure 05: Important deliverables for the business continuity plan in a program

Approval and Tendering

Once the scope of work and the deliverables are defined, you may need approval before proceeding with procuring the required external consultants or a vendor. Usually the procurement process of the respective organization is followed to tender, receive bids, evaluate, shortlist, approve, select and award the contract to a vendor or a consultant.

During the time of procurement, you may opt to send mass emails or organize stakeholder meetings to provide an overview of the business continuity planning for the organization, the expected changes and highlight the benefits of the business continuity planning for the staff, departments and the organization. This will keep the staff informed and knowledgeable about this topic. This will also help calm anxieties of the staff during the interview process for business impact analysis (which will be discussed later in this series).

This approval process may vary depending on the project management governance established in an organization. The implementing organization may already have an established project management framework. If that framework outlines that once a plan is formalized, it must be handed over to the project management office for initiation and implementation, then these steps should be followed. However, the requirements must be established before the plan is formally sent to the project management office.

Conclusion

Understanding the commitment of the leadership team is crucial for the success of business continuity planning. Once you have their commitment, document the requirements for the business continuity plan and then identify the scope of work, the out of scope items and the deliverables. Depending on the organization, at this point, the program could be transferred to the PMO for management. Most organizations outsource the implementation to a third-party vendor, or sometimes hire a consultant and develop the plan internally with the consultant’s oversight and sometimes with additional support from the consultant.
