Business Continuity Planning: Scope of work and deliverables
Note: This series is already complete on our website (https://akrogoniaios.com). Also, please check out our business continuity toolkit here. Now for a limited time, the toolkit is available free of cost, and you can download it here.
This is Part Four of our Business Continuity series. We recommend reading Parts One to Three first.
So far in our Business Continuity series, we’ve outlined why continuity plans are important, the various stakeholders that should be consulted, and additional factors like geographically distributed operations that should be considered. In Part 4, we will discuss the importance of defining the scope of your organization’s continuity plan and the steps we recommend when proposing the scope to management.
This series will continue detailing the steps for establishing a business continuity plan, regardless of whether your organization takes a project management approach or an agile approach.
Leadership commitment
Before you venture into implementing a business continuity plan, you should always have a commitment from the leadership team to support the program's continued development. In the early stages of the program, leadership can demonstrate their commitment by forming a committee and delegating the program's responsibility or appointing an experienced individual to oversee the program. Additionally, many organizations already have a policy on Business continuity planning that demonstrates leadership commitment.
One way to gauge the likelihood of leadership support for a continuity plan is to look at the enterprise risk register in both private and nonprofit organizations. By identifying organizational resiliency-related risks and the owner responsible for mitigating those risks, you can determine if there is a high probability that the initiative will be supported . If the owner has been assigned to mitigate risks in the near future, this is a good indicator that the directors will support a continuity program. Additionally, the directors' eagerness to provide requirements or allocate time to confirm the program requirements when it is proposed to them will indicate the support you will receive for developing and implementing a business continuity plan.
These indicators may not always apply, though. Sometimes, due to the organization operating in a less regulated environment, the owners of the organization (or the executive leadership committee) may not show sufficient interest in developing and implementing a business continuity plan. In such cases, the enterprise risk management members and auditors must work harder to educate the executives or the owners of the company and urge them to have a plan.
For publicly listed companies and private enterprises operating in a regulated industry, it is a requirement in most countries to have a business continuity plan.
Requirements for the business continuity plan
The board of directors will typically determine the primary requirements of an organization’s continuity plan since they provide oversight to matters related to the organization's survival. In organizations that are not publicly listed or small to medium in nature, the board appoints a committee or an individual to drive the business continuity planning. This appointed party then determines the requirements by looking at stakeholder concerns at the enterprise risk register and the business drivers.
Generally, the requirements should include:
If any of these factors have not been addressed, it is advisable to point out any gaps to the leadership team. The above high-level requirements serve as a good starting point for defining program scope.
Scope of work
Every program needs a scope of work to help the organization define the deliverables, expectations, the boundaries within which the program is executed. The scope should be documented and presented to the stakeholders for their approval. Scope of work takes the requirements accepted by the management and elaborates for the potential external vendors to understand. When defining the scope of work, it’s important to separate the requirements that must be delivered internally (with support from vendors) from the ones that the vendors must entirely deliver. It is important to set the right expectations from the very beginning of a program. Otherwise, business continuity planning can become an expensive affair.
Items a typical scope of work includes are:
Additionally, the below business continuity activities must be added to the scope of work as well:
The scope of work items is not limited to the above. We will expand on the scope of work requirements in our upcoming premium toolkit so that your organization can select the appropriate ones for your program.
Whenever the scope of work is documented, out-of-scope items should follow (thereby eliminating any assumptions). Stating “anything not specified in the scope of work is out of scope” is acceptable. However, it is overall a better approach to be specific when ruling out items that are not in the scope. For example, an out-of-scope item could be the other subsidiary in a group of companies or a parent company.
Deliverables
Once the scope is defined, a minimum set of deliverables must be identified for the program. The ISO 22301:2019 framework outlines some of the deliverables you need to have as part of business continuity planning. However, it would help if you verified whether the listed deliverables are sufficient for compliance with your auditors. Auditors will provide any additional recommendations they deem relevant. Mandatory deliverables must be identified and included in the scope of work. Some of the mandatory deliverables might include:
Approval and Tendering
Once the scope of work and the deliverables are defined, you may need approval before proceeding with procuring the required external consultants or a vendor. Usually, the respective organization's procurement process is followed to tender, receive bids, evaluate, shortlist, approve, select and award the contract to a vendor or a consultant.
Promotion: Instead, you can buy our toolkit and implement your business continuity plan by yourself at less than 75% cost of hiring a consultant.
During the procurement time, you may opt to send mass emails or organize stakeholder meetings to provide an overview of the business continuity planning for the organization, the expected changes, and highlight the benefits of the business continuity planning for the staff, departments, and the organization. This will keep the staff informed and knowledgeable about this topic. This will also help calm the staff's anxieties during the interview process for business impact analysis (which will be discussed later in this series).
This approval process may vary depending on the project management governance established in an organization. The implementing organization may already have an established project management framework. If that framework outlines that once a plan is formalized, it must be handed over to the project management office for initiation and implementation. However, the requirements must be established before it is sent to the project management office formally.
Conclusion
Understanding the commitment of the leadership team is crucial for the success of business continuity planning. Once you have their commitment, document the business continuity plan's requirements and then identify the scope of work, out of scope, and the deliverables. Depending on the organization, at this point, the program could be transferred to the PMO for managing. Most of the organizations outsource the implementation to a third-party vendor or hire a consultant and develop the plan internally with the consultant oversight and sometimes with additional support from the consultant.
