S 6.110 Specification of the scope and the business continuity management strategy
Initiation responsibility: Top Management
Implementation responsibility: Top Management, Emergency Officer
The first task when initiating a business continuity management system is to specify the scope and the business continuity management strategy. These basic steps, which form the basis for all subsequent tasks in business continuity management, are to be initiated and carried out by the organisation's management. If a central contact person for business continuity management, usually referred to as an Emergency Officer, is already available, this person must support the organisation's management in performing this task.
The scope of the business continuity management system may comprise the entire organisation or individual areas of it. The scope should be self-contained, should not be too narrow, and should contain all value-adding business processes and/or the relevant specialised tasks, the most important resources, and the necessary supporting business processes. It is helpful if the organisation's management states, when the contingency concept is created, which services and/or products it considers to be the most important for the organisation. If, for example, certain business processes are explicitly excluded from this scope or are only considered to a limited extent, this must be documented accordingly.
Since the primary goal of business continuity management is to ensure and stabilise the organisation's ability to survive, the ultimate goal should be to examine the entire organisation. This is the only way to guarantee effective protection of the reputation and value-adding activities of the organisation, and therefore to protect the interests of the most important interest groups.
The basis for the subsequent steps in the establishment of a business continuity management system is to specify and define the terms emergency, crisis, and business continuity management for the organisation. The failure of individual business processes or of an entire system may cause a disruption, an emergency, or even a crisis in the organisation. Since the meanings of these terms depend on the individual organisation and on the protection requirements of its business processes and IT systems, each organisation should provide its own general definitions of these terms. The term business continuity management itself should also be defined precisely. The organisation should define which tasks and competences are included in the business continuity management system in order to separate it from the other management systems established in the organisation, and should specify where these systems overlap.
In order to be able to set the framework for the contingency concept, a business continuity management strategy, or emergency strategy for short, must be specified and pursued when establishing a business continuity management system. For this reason, the organisation's management must define the basic cornerstones, for example:
- the goals to be achieved by establishing business continuity management (such as meeting the demands of important interest groups),
- the requirements placed on business continuity management,
- the willingness of the organisation to take risks (its appetite for risk) and/or the level of acceptance for risks in the company and/or government agency,
- the types of business interruptions that can be considered a threat to the existence of the organisation,
- how the organisation will respond to such interruptions and the minimum severity level at which the response will be initiated,
- the legal, contractual, or regulatory requirements that must be fulfilled.
The goals of business continuity management should be based on and support the general business goals and business tasks. It also makes sense to take into account the goals of other management systems, and especially of the security management system, when specifying these goals.
Review questions:
- Was the scope of the business continuity management system clearly defined?
- Was a business continuity management strategy specified by the organisation's management stating the goals to be achieved and the level of risk considered acceptable?