PP1 Policy & Program Management Flashcards

1
Q

What is a business continuity policy?

A

Key document that sets out purpose, context, scope, and governance of the BC programme.

The policy “provides intentions and direction of an organization as formally expressed by its top management.” (Source: ISO 22301:2012)

2
Q

When to use an interim structure and plan?

A

In large or complex organisation, where fully scoped BC programme may take months to complete, an interim response structure and plan may be sensible temporary measure.

3
Q

General principles to be considered when creating or revising BC policy (7):

A
  1. Provide STRATEGIC DIRECTION for BC programme
  2. Define way organisation will APPROACH BC and how programme will be structured and resourced.
  3. Supported, approved and owned by TOP MANAGEMENT.
  4. State how supports strategic objectives of organisation.
  5. Appropriate to size, complexity and type of organisation.
  6. Identify standards or guidelines used as benchmark
  7. COMMUNICATED and made available to all interested parties.
4
Q

Steps required to develop effective BC policy are (10):

A
  1. Agree definition and objectives
  2. Agree scope of BC programme.
  3. Identify and agree on standards or guidelines
  4. Review and conduct gap analysis
  5. Draft new or revised policy.
  6. Review draft policy
  7. Circulate draft policy for consultation
  8. Amend draft policy
  9. Facilitate approval and signoff of policy
  10. Ensure approved policy is communicated
5
Q

The business continuity policy should include (8):

A
  1. Definition of BC for use in organisation.
  2. Statement of governance and leadership commitment
  3. Defined objectives and scope for BC programme.
  4. Roles and responsibilities for BC programme including an incident response capability.
  5. References to relevant policies, standards, and legal and regulatory requirements.
  6. Identification of interested parties.
  7. Agreed methods and frequency for measurement and review of all stages of BC lifecycle.
  8. Agreed methods for sign-off and communication of policy and all programme activities.
6
Q

BC policy should be regularly reviewed at pre-agreed intervals or following significant changes, including (5):

A
  1. Change in organisation’s approach to risk
  2. Change in market conditions.
  3. An acquisition, merger, or disposal.
  4. Changes to products or services
  5. Changes to legal or regulatory requirements.
7
Q

Reviewing or auditing BC policy, following should be demonstrated (6):

A
  1. Top management ensured policy is communicated
  2. Policy is effective.
  3. Policy clearly states what measurable deliverables of the BC programme are.
  4. Clear TOP MANAGEMENT commitment
  5. Clear and documented ongoing commitment to BC and continual improvement.
  6. Opportunities for adapting to change can be identified.
8
Q

General principles to consider when determining scope of the BC programme (4):

A
  1. Definition of scope of programme ensures clear understanding of which areas of organization are included and excluded.
  2. Understanding of organization’s strategy, objectives, culture, operating environment, and approach to risk.
  3. Understanding of outsourced activities and suppliers of products and services.
  4. Understanding of BC programme as ongoing process.
9
Q

Process to determine scope of business continuity programme (4):

A
  1. Establish steering group
  2. Define and document relevant products and services
  3. Consider requirements for delivery
  4. Consider requirements of other related policies
10
Q

Definition of Products and Services:

A

“Beneficial outcomes provided by organization to its customers, recipients and interested parties…” (Source: ISO 22301:2012)

11
Q

Decisions on products and services to include in scope may be prompted by (4):

A
  1. Products which make significant contribution to the organization’s reputation, income, or success.
  2. Customer contractual requirement.
  3. Legal or regulatory requirement.
  4. Physical threats, e.g. proximity to other industrial premises such as a chemical manufacturing plant or hazards such as flooding.
12
Q

Reasons product or service may be excluded from scope include (2):

A
  1. Nearing end of life (and would be terminated if disrupted).
  2. Low margins or low volumes (could be terminated or externally sourced if disrupted).
13
Q

Deciding whether to exclude product or service, following issues should be considered (5):

A
  1. Financial loss.
  2. Interested parties who may be impacted by loss
  3. Reputational damage
  4. Impact on legal or regulatory requirements.
  5. Needs and expectations of customers and other interested parties.
14
Q

Methods and techniques used to define scope of BC programme include (5):

A
  1. Cost benefit analysis.
  2. Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis.
  3. Benchmarking against appropriate standards or guidelines.
  4. Market analysis techniques.
  5. Business impact analysis (BIA) and risk assessment (if already been conducted).
15
Q

Governance for business continuity primarily focuses on (5):

A
  1. Providing oversight and support
  2. Ensuring BC programme aligns with organization’s objectives.
  3. Ensuring BC programme complies with policy and related legal and regulatory requirements.
  4. Monitoring and reviewing BC programme regularly to ensure requirements are being met.
  5. Supporting continual improvement
16
Q

Establishing governance for BC requires the following (6):

A
  1. Understanding of organizational structure,
  2. Clear definition of authority and accountabilities relating to BC
  3. Identification of key performance indicators
  4. Defined BC information to report
  5. Outline of type and frequency of reporting and communication.
  6. Alignment of governance of BC programme with overall governance framework of organization.
17
Q

Leadership and commitment to BC policy and programme can be achieved using the following methods (8):

A
  1. Recognising and communicating requirement for BC as key management discipline
  2. Ensuring that BC policy and programme is aligned to objectives of organization.
  3. Ensuring that BC programme delivers expected outcomes
  4. Maintaining support for BC policy and programme.
  5. Ensuring individuals undertake activities.
  6. Providing resources required to implement policy
  7. Directing and supporting continual improvement of BC
  8. Providing direction and guidance to embed BC into business as usual routines.
18
Q

In defining governance, organization’s top management should agree (5):

A
  1. What needs to be measured and monitored.
  2. How this should be achieved.
  3. Methods for monitoring, measuring, analysing, and evaluating.
  4. When monitoring and measuring should be performed
  5. When monitoring and measuring results should be analysed and evaluated

To do this, top management should:

  1. Act to address areas of weakness or gaps in BC programme objectives.
  2. Monitor effectiveness of programme.
  3. Ensure that relevant information is retained as evidence of results.
19
Q

Purpose of assigning roles and responsibilities

A

Ensure tasks required to implement and maintain BC programme allocated to specific, competent individuals whose performance can be evaluated and where further training requirements can be identified.

20
Q

By assigning member of top management overall accountability for BC and effectiveness, organisation ensures that (3):

A
  1. BC recognised as key activity in organisation.
  2. Implementation will be achieved through collaboration with other related disciplines.
  3. Appropriate response roles and responsibilities will be defined based on competency
21
Q

Skills and competencies required in roles identified as part of BC programme:

Top management

A

Provide leadership, commitment and resources as part of governance.

22
Q

Skills and competencies required in roles identified as part of BC programme:

Steering group

A

Oversee, advise, and manage BC programme, making recommendations, and reporting to top management.

23
Q

Skills and competencies required in roles identified as part of BC programme:

Business continuity plan owner

A

Ensure BC plan adequately reflects organization’s BC capability.

24
Q

Skills and competencies required in roles identified as part of BC programme:

Business continuity professional

A

Develop and deliver effective BC programme. This includes facilitation and coordination of plans throughout the organisation.

25
Q

Skills and competencies required in roles identified as part of BC programme:

Incident response personnel

A

Respond to incident or crisis

26
Q

Skills and competencies required in roles identified as part of BC programme:

Departmental representative

A

Communicate implications of departmental changes that may impact BC programme.
Collect information for BIA.
Develop, implement, and maintain departmental plans on behalf of the plan owner.
Conduct and participate in exercises.

27
Q

Skills and competencies required in roles identified as part of BC programme:

All personnel (7)

A
  1. Acknowledge roles and responsibilities during incident
  2. Recognise incident or crisis.
  3. Alert incident or crisis responders
  4. Escalate action to incident or crisis management team.
  5. Respond appropriately to specific threats.
  6. Respond appropriately when evacuated from site.
  7. Understand relevant plans and associated roles and responsibilities.
28
Q

Skills and competencies required in roles identified as part of BC programme:

Interested parties

A

Act where relevant within the BC programme or in response to incident.

29
Q

Outcome of assigning roles and responsibilities as part of BC policy and programme management are:

A
  1. Clearly defined roles and responsibilities assigned to competent individuals and teams.
  2. Appropriate authority assigned as relevant to the role.
  3. Roles and responsibilities, and authorities documented in BC policy.
  4. Alternates for each role identified.
  5. Responsibilities included in individuals’ job descriptions and communicated to interested parties
30
Q

BC programme definition

A

BC programme is “ongoing management and governance process supported by top management and appropriately resourced to implement and maintain BC continuity management.” (Source: ISO 22301:2012)

31
Q

Documentation in BC programme has three purposes (3):

A
  1. Help manage BC programme effectively.
  2. Demonstrate effective management of programme.
  3. Enable prompt and effective response to incident
32
Q

To implement and manage BC programme, the BC professional or team, in consultation with top management should (9):

A
  1. Develop BC management programme
  2. Identify appropriate activities
  3. Coordinate appropriate activities within organization
  4. Manage change and coordinate with other areas of organization
  5. Promote benefits of programme through communication
  6. Manage programme budget.
  7. Maintain and manage programme documentation.
  8. Ensure relevant legal and regulatory requirements identified and considered
  9. Report to top management
33
Q
Examples of projects included as part of BC programme are (3):
A
  1. Developing and managing exercise programme.
  2. Developing and delivering training and awareness activities.
  3. Selecting suppliers to deliver defined product or service
34
Q

Following should also be considered when managing BC programme (6):

A
  1. Relevant industry sector specific good practice
  2. Self-assessment against relevant standard/legislation
  3. Relationships with suppliers or providers of outsourced activities
  4. Financial management and budgetary requirements.
  5. Legal and regulatory advice.
  6. Internal and external audits (where appropriate).
  7. Reviews and change management requirements
35
Q

A BC management programme consists of (8):

A
  1. BC policy.
  2. Definition of objectives of BC for the organization.
  3. Clearly defined scope.
  4. Definition of governance and leadership commitment.
  5. Roles and responsibilities.
  6. References to relevant policies, standards, and regulatory requirements.
  7. Identification of interested parties, including outsourced service providers.
  8. Method for review, measurement, sign-off and communication.
  9. Ongoing budget commitment and financial support.
36
Q

BC programme documentation should include the following (17)

A
  1. BC policy.
  2. BC programme of activities.
  3. Project management documentation.
  4. BC team meeting agendas, minutes, action trackers.
  5. Skills and competency requirements and records.
  6. Training and awareness activities.
  7. BIA questionnaires and information.
  8. Risk assessment.
  9. Papers supporting choice of BC solutions.
  10. Response structure.
  11. BC plans.
  12. Crisis management plans.
  13. Exercise programme.
  14. Exercise reports.
  15. Service level agreements with customers and suppliers.
  16. Contracts for outsourced service provider recovery services, including workspace and salvage.
  17. Maintenance and review programme and reports.
37
Q

Sections in PP1 Policy and Programme Management (5):

A
  1. BC POLICY
  2. Scope BC PROGRAMME
  3. Establishing GOVERNANCE
  4. Assigning ROLES AND RESPONSIBILITIES
  5. The BC PROGRAMME
38
Q

PP1 Policy and Programme Management Professional Practice Definition (3):

A
  1. Establishes policy relating to BC.
  2. Defines policy should be implemented through ongoing cycle of activities within BC programme.
  3. Governance is established, roles and responsibilities are assigned and programme is developed, implemented and maintained.