
NOT PROTECTIVELY MARKED

Business Continuity Management

Standard Operating Procedure

Notice:

This document has been made available through the Police Service of Scotland
Freedom of Information Publication Scheme. It should not be utilised as guidance
or instruction by any police officer or employee as it may have been redacted
due to legal exemptions.

Owning Department Risk and Business Assurance

Version Number 2.00 (Publication Scheme)

Date Published 27/05/2016

Version 2.00 NOT PROTECTIVELY MARKED


(Publication Scheme)

Compliance Record

Equality Impact Assessment: Date Completed / Reviewed: 14/12/2015


Information Management Compliant: Yes
Health and Safety Compliant: Yes
Publication Scheme Compliant: Yes

Version Control Table

Version | History of Amendments | Approval Date
1.01 | Initial Published Version | 26/03/2013
1.02 | Inclusion of the requirement to consider EIAs in support of the Business Continuity approach. | 29/03/2015
2.00 | Minor changes. Various additions regarding legal requirements and BCM roles and responsibilities. | 26/05/2016


Contents
1. Purpose
2. Business Continuity Management Overview
3. Business Continuity Management System (BCMS) Lifecycle
4. Scope of the Business Continuity Management System
5. Understanding of the Organisation and its Context
6. Legal and Regulatory Requirements
7. Understanding the Needs and Expectations of Interested Parties
8. Leadership and Commitment
9. Control of Documented Information
10. Resources
11. Competence
12. Business Impact Analysis
13. Establishing Resource Requirements
14. Protection and Mitigation
15. Fall-back Site
16. Service Level Agreement / Mutual Aid
17. Risk Assessment
18. Business Continuity Strategy
19. Incident Response Structure
20. Business Continuity Plans
21. Exercising and Testing
22. Evaluation of Business Continuity Procedures
23. Internal Audit
24. Continual Improvement
25. Management Commitment
26. BCM Roles and Responsibilities

Appendices

Appendix ‘A’ List of Associated Legislation
Appendix ‘B’ List of Associated Reference Documents
Appendix ‘C’ List of Associated Forms
Appendix ‘D’ Notification / Invocation and Escalation Procedures
Appendix ‘D’ Notification / Invocation and Escalation Procedures


1. Purpose

1.1 This Standard Operating Procedure (SOP) supports the Police Service of
Scotland, hereafter referred to as Police Scotland, Policy for Business
Continuity Management.

1.2 The Civil Contingencies Act 2004 places a statutory duty on the police, as a
Category 1 responder, to have a Business Continuity Management System
(BCMS) in place to ensure continued delivery of essential services.

1.3 Police Scotland shall align its BCMS arrangements with the International
Standards BSI ISO 22301. The Standard sets out the process and principles
of BCM and enables the Organisation to measure its Business Continuity
Management (BCM) capability in a consistent and recognised manner.

1.4 This SOP provides practical guidance on the methodology for developing and
implementing BCM within Police Scotland and aims to provide an overview on
BCM from initial development to the on-going maintenance of our Business
Continuity capability.

1.5 BCM supports emergency planning and is underpinned by the Service’s Risk
Management Procedures, providing the overall framework within which the
Service can comply with the Civil Contingencies Act 2004.

2. Business Continuity Management Overview


2.1 A wide range of terminology has been used to describe the processes
associated with managing disruptions, such as disaster recovery and
contingency planning. These tend to be reactive, requiring a response only
after a disruption has occurred.

2.2 However, BCM has evolved and now includes the concepts of risk
management and corporate governance. Consequently, it now takes a
proactive approach, seeking to identify those potential impacts that could
adversely affect the service delivery capability of Police Scotland before they
occur.

2.3 The Business Continuity Plan (BCP) identifies the essential resources needed
to ensure that critical functions can continue in the event of a disruption.

2.4 Resource, time and capability constraints will mean that Police Scotland has
to focus its business continuity activity on those processes most important to
the objectives of the organisation. Prioritisation is a key element of business
continuity and this may mean the disruption of some business processes for
defined periods, until resources are available to restore them.

2.5 All levels of management within the Service need to appreciate that they have
a responsibility in maintaining service delivery and therefore need to consider
how they would manage disruptions to their functions.


2.6 Police Scotland has six Strategic Processes:


A. Custody Management
B. Operational Policing (Response & Community Policing)
C. Command Control and Communications
D. Criminal Investigation
E. Health Safety & Welfare
F. Supporting the Criminal Justice System

2.7 Any functions that support the Strategic Processes must be maintained and
are known as Critical Functions.

3. Business Continuity Management System Lifecycle


3.1 The International Standard BS ISO 22301 applies the “Plan-Do-Check-Act”
(PDCA) model to planning, establishing, implementing, operating, monitoring,
reviewing, maintaining and continually improving the effectiveness of an
organisation’s BCMS.

3.2 Police Scotland will establish, implement, maintain and continually improve a
BCMS, including the processes needed and their interactions, in accordance
with the requirements of the International Standard BS ISO 22301.

3.3 Business Continuity Management is defined in BS ISO 22301 as 'a holistic
management process that identifies potential threats to an organisation and
the impacts to business operations that those threats, if realised, might cause,
and which provides a framework for building organisational resilience with the
capability for an effective response that safeguards the interests of its key
stakeholders, reputation, brand and value creating activities.'

3.4 BCM is proactive and concentrates on everything needed to continue the
strategic processes of an organisation in the event of an interruption. It
focuses on the effects and not the cause of the disruption.

3.5 Figure 1 below illustrates how a BCMS takes inputs (interested parties and
requirements for continuity management) and, through the necessary actions
and processes, produces continuity outcomes (i.e. managed business
continuity) that meet those requirements.


Plan (Establish): Establish business continuity policy, objectives, targets,
controls, processes and procedures relevant to improving business continuity in
order to deliver results that align with the organisation’s overall policies and
objectives.

Do (Implement and operate): Implement and operate the business continuity
policy, controls, processes and procedures.

Check (Monitor and review): Monitor and review performance against business
continuity policy and objectives, report the results to management for review,
and determine and authorise actions for remediation and improvement.

Act (Maintain and improve): Maintain and improve the BCMS by taking corrective
action, based on the results of management review and reappraising the scope of
the BCMS and business continuity policy and objectives.

4. Scope of the Business Continuity Management System


4.1 Police Scotland will:
• Establish the parts of the Service to be included in the BCMS;
• Establish BCMS requirements, considering Police Scotland priorities,
goals, internal and external obligations (including those related to
interested parties), and legal and regulatory responsibilities;
• Identify products and services and all related activities within the scope of
the BCMS; and
• Take into account interested parties’ needs and interests, such as the
supply chain, public and/or community input and needs, expectations and
interests (as appropriate).

5. Understanding of the Organisation and its Context

5.1 Police Scotland will determine external and internal factors that are relevant to
its purpose and that affect its ability to achieve the intended outcome(s) of its
BCMS.

5.2 These factors shall be taken into account when establishing, implementing
and maintaining the BCMS. Police Scotland will identify and document the
following:
• Processes, functions, services, products, partnerships, supply chains,
relationships with interested parties, and the potential impact related to a
disruptive incident;
• Links between the BCMS and Police Scotland priorities and objectives
and other policies, including its overall risk management strategy; and
• Risk appetite.

6. Legal and Regulatory Requirements


6.1 Police Scotland will establish, implement and maintain a procedure(s) to
identify, access and assess the applicable legal and regulatory requirements.
This will be related to the continuity of its operations, products and services,
as well as the relevant interested parties.

6.2 Police Scotland will ensure that these applicable legal, regulatory and other
requirements are taken into account in establishing, implementing and
maintaining its BCMS.

6.3 Police Scotland shall document this information and keep it up-to-date. New
or variations to legal, regulatory and other requirements shall be
communicated to affected employees and other interested parties.

7. Understanding the Needs and Expectations of Interested Parties

7.1 When establishing its BCMS, Police Scotland shall determine:
• The interested parties that are relevant to the BCMS; and
• The requirements of these interested parties (i.e. their needs and
expectations whether stated, generally implied or obligatory).


8. Leadership and Commitment


8.1 The Executive and other relevant management roles throughout the
organisation must demonstrate leadership with respect to the BCMS.

9. Control of Documented Information


9.1 Documented information required by the BCMS shall be controlled to ensure it
is available and suitable for use, where and when it is needed and that it is
adequately protected.

10. Resources
10.1 Police Scotland will determine and provide the resources needed for the
establishment, implementation, maintenance and continual improvement of
the BCMS.

11. Competence
11.1 Police Scotland will:
• Ensure that those involved in the overview, co-ordination and
management of the BCMS are competent on the basis of appropriate
education, training, and experience;
• Where applicable, take actions to acquire the necessary competence, and
evaluate the effectiveness of the actions taken; and
• Retain appropriate documented information as evidence of competence.

11.2 Training will be made available to all individuals who have a responsibility
within the BCMS and will be tailored to their particular needs or involvement in
the system.

12. Business Impact Analysis


12.1 Police Scotland shall establish, implement, and maintain a formal and
documented evaluation process for determining continuity and recovery
priorities, objectives and targets. This process shall include assessing the
impacts of disrupting critical functions that support Police Scotland Strategic
Processes. The Business Impact Analysis will include the following:
• Identifying critical functions that support the provision of Strategic
Processes;
• Assessing the impacts over time of not performing these functions;
• Setting prioritised timeframes for resuming these functions at a specified
minimum acceptable level, taking into consideration the time within which
the impacts of not resuming them would become unacceptable; and
• Identifying dependencies and supporting resources for these functions,
including suppliers, outsource partners and other relevant interested
parties.

12.2 Functions should be identified and prioritised in order of criticality, including
those that either deliver or directly or indirectly support the Strategic
Processes.

12.3 The process to prioritise functions must also identify the impact of the loss of,
or a reduction in the ability to deliver that function and the impact over time in
the business cycle of a particular function.

12.4 Two particular timescales must be considered. They are the Maximum
Tolerable Period of Disruption, (MTPD) and the Recovery Time Objective,
(RTO). In Business Continuity terms the MTPD is defined as the “time it would
take for adverse impacts, which might arise as a result of not providing a
product/service or performing an activity, to become unacceptable”.

12.5 What needs to be established is:
• The maximum time period after the start of any disruption to business
within which each function needs to be resumed;
• The minimum level at which each function needs to be performed upon
resumption; and
• The length of time within which normal levels of operation need to be
resumed.

12.6 When considering this, it is clear that the aim must be to recover the function
prior to reaching the MTPD.

12.7 A RTO must therefore be set for each function, which will always be less than
the MTPD. In Business Continuity terms the RTO is defined as “the period of
time following an incident within which product or service must be resumed, or
activity must be resumed, or resources must be recovered”.

12.8 The RTO must be set at a realistic timescale so that there can be a staged
recovery and thereafter resumption to normal service. Recovery times should
be selected from the Recovery Time Objective Table which can be found in
the Business Continuity Plan Template. The Business Continuity Plan
template can be obtained from the Business Continuity Officer(s) at Risk and
Business Assurance.


13. Establishing Resource Requirements


13.1 Police Scotland will determine the resource requirements to implement the
selected strategies. The types of resources considered shall include but not
be limited to:
• People;
• Information and data;
• Buildings, work environment and associated utilities;
• Facilities, equipment and consumables;
• Information and communication technology (ICT) systems;
• Transportation;
• Finance; and
• Partners and suppliers.

14. Protection and Mitigation


14.1 For identified risks requiring treatment, Police Scotland will consider proactive
measures that:
• Reduce the likelihood of disruption;
• Shorten the period of disruption; and
• Limit the impact of disruption on Strategic Processes.

15. Fall-Back Site


15.1 For each Critical Function included within a BCP, it will be necessary to
identify a ‘fall-back’ site to ensure the continuity of the function, in the event of
a permanent loss or temporary denial of access to the principal site. There
must be agreement with the Head of the host / guest Business Area /
Department identifying the following:
• The accommodation that is to be used;
• The circumstances under which it is to be used;
• Arrangements for gaining access; and
• Arrangements for contacting relevant staff.

15.2 The arrangements should be documented within the Fall-Back
Accommodation Section of the BCP. If arrangements are within own estate
please include details within the Accommodation Requirements section of the
Business Impact Analysis (BIA).


15.3 Consideration must also be given to whether a move to fall-back
accommodation will impact on any member of staff, or members of the public,
from any of the protected groups from the Equality Act, for example a person
with a disability which cannot be accommodated at the fall-back site.
An Equality Impact Assessment should therefore be carried out to assist in
decision making.

15.4 As a part of your fall-back arrangements, consideration needs to be given to
the creation of Battle Boxes / Grab Bags for the BCM Team and Critical
Functions. The contents will be determined by those who will be required to
use them during a disruption; the following items should be considered:
• Business Continuity Plan
• Hard Copy Templates
• Stationery
• Mobile Phone charger

Note: Battle Boxes / Grab Bags must be secured within Police Premises.

16. Service Level Agreement / Mutual Aid


16.1 Where the continuation of an activity relies on an external agency or supplier,
a service level agreement should be formulated agreeing levels of service to
be provided. Business Continuity Plan Holders must ensure that the service
being provided meets their needs and in particular that the timescales for
providing the service matches the Recovery Time Objectives for their critical
functions.

16.2 The Business Impact Analysis template will be used to complete and record
the above described process. The Business Impact Analysis template can be
obtained from the Business Continuity Officer(s) at Risk and Business
Assurance.

17. Risk Assessment


17.1 Police Scotland will establish, implement, and maintain a formal documented
risk assessment process that systematically identifies, analyses and
evaluates the risk of disruptive incidents.

17.2 Police Scotland will:
• Identify risks of disruption to the Strategic Processes and the functions,
systems, information, people, assets, outsource partners and other
resources that support them;
• Systematically analyse risk;
• Evaluate which disruption related risks require treatment; and
• Identify treatments commensurate with business continuity objectives and
in accordance with risk appetite.

18. Business Continuity Strategy


18.1 Determination and selection of strategy, including the development of
Business Continuity Plans, shall be based on the outputs from the BIA and risk
assessment. Police Scotland will determine an appropriate business
continuity strategy for:
• Protecting Strategic Processes;
• Stabilising, continuing, resuming and recovering prioritised functions and
their dependencies and supporting resources; and
• Mitigating, responding to and managing disruptions.

18.2 Consideration shall also be given to conducting evaluations of the business
continuity capabilities of suppliers.

19. Incident Response Structure


19.1 The Business Areas BCM Team structure for responding to a disruptive
incident will mirror existing arrangements and management structures, as far
as possible, without assigning individuals more than one key role. This will
ensure the necessary responsibility, authority and competence to manage an
incident.

19.2 Notification / Invocation and Escalation Procedures are included in the
Business Continuity Plan template (see Appendix ‘D’).

20. Business Continuity Plans


20.1 There must be an explanation of the scope of the plan, including a detailed
description of the purpose, and services provided by the Business Area /
Department and to whom.

20.2 Plans must include the following information:
• A process for invoking the plan;
• Details of contingencies for each of the functions, addressing individually
loss of facilities / accommodation; IT and Communications systems;
people and supply / support chains, including relevant health, safety and
welfare issues;
• Relevant and necessary contact information for key personnel, internal
and external departments/agencies and other key stakeholders; and
• Fallback arrangements.

20.3 The degree of detail required to be contained within a Plan for a function shall
be commensurate with the critical nature of that function.

20.4 Plans shall also consider arrangements needed to ensure smooth transition
from Business Continuity mode to the resumption of “normal business”.

20.5 Once approved the Plan must be signed off by the Plan Holder and copies
circulated as necessary. A copy of the plan must be submitted to the
Business Continuity Management Officer(s). Further copies will be distributed
as necessary and detailed on the Distribution Record of the plan. A hard copy
plan will be kept at the fall-back site.

20.6 The Business Continuity Plan template will be used to complete and record
this process. All BCM templates can be obtained from the Business Continuity
Officer(s).

21. Exercising and Testing


21.1 Police Scotland will conduct exercises and tests that:
• Are consistent with the scope and objectives of the BCMS;
• Familiarise the BCM Team with their roles;
• Are based on appropriate scenarios that are well planned with clearly
defined aims and objectives;
• Taken together over time, validate the whole of its business continuity
arrangements, involving relevant interested parties;
• Minimise the risk of disruption to operations;
• Produce formalised post-exercise reports that contain outcomes,
recommendations and actions to implement improvements;
• Are reviewed within the context of promoting continual improvement; and
• Are conducted at planned intervals and when there are significant changes
within Police Scotland or to the environment in which it operates.

21.2 A programme of exercising of plans shall be implemented and will ensure that
all plans are subject to an exercise at least once every year. In addition to this
further exercises may be arranged. The level and number of exercises shall
be commensurate with the level of risk associated with a Business Area or the
critical nature of the functions of that Business Area.

21.3 The exercise programme will be co-ordinated by the Business Continuity
Management Officer(s).


22. Evaluation of Business Continuity Procedures


22.1 Police Scotland will conduct evaluations of its business continuity procedures
and capabilities in order to ensure their continuing suitability, adequacy and
effectiveness. These evaluations shall be undertaken through periodic
reviews, exercising, testing, post-incident reporting and performance
evaluations. There shall be an annual review of all Business Continuity Plans
with a six month health check between review periods. The review cycle will
be co-ordinated by the Business Continuity Officers.

22.2 Police Scotland has a statutory obligation to conduct an Equality Impact
Assessment (EIA) on all policies, procedures, plans, orders, business change
etc. This is under the Equality Act 2010 which places an onus on Police
Scotland to adhere to the needs of the Public Sector Equality Duty.

22.3 As part of the BCM process it is essential that consideration be given to the
impact on the relevant 9 protected characteristics (disability, race, age,
gender, gender reassignment, maternity / paternity, marriage / civil
partnership, sexual orientation) during the emergency, continuity and recovery
phases for each BIA created for a Critical Function.

22.4 If this is sufficiently recorded in an auditable format i.e. within the BIA / BCP,
then there will be no need to complete an EIA as this would be evidence of
streamlining equality considerations in the process. Please refer to the
Equality Impact Assessment SOP for further guidance on this subject.

22.5 The responsibility for this will lie with the Business Continuity Management
Team and will be co-ordinated by the Business Continuity Management
Officer(s).

22.6 Significant changes arising shall be reflected in the procedure(s) in a timely
manner. There shall be periodic evaluation of compliance with applicable legal
and regulatory requirements, industry best practices, and conformance with
its own business continuity strategy and objectives. Police Scotland shall
conduct evaluations at planned intervals and when significant changes occur.

22.7 When a disruptive incident occurs which requires the invocation of business
continuity procedures, there must be a post-incident review by the Business
Areas affected. The results must be explored to determine whether any
amendments to procedures are required and to assist in the sharing of good
practice where it is identified.

22.8 Part of the responsibility of Risk Management is to assess the business
continuity risks faced by the Service. In order to do this, events occurring
throughout Police Scotland which may indicate a risk require to be monitored.

22.9 The following three criteria should be applied in considering whether or not an
incident should be reported:
• Time – how long the incident or outage lasts;
• Effect – the effect the incident has on service, process or system;
• Scale – whether the incident impacts Force wide, a Division/Department or a
work area.

22.10 Using the table below the following formula should be used:

Time + Effect + Scale = Score

22.11 These factors should be graded and scored, and incidents or occurrences that
attract a score of ‘5’ or more must be reported.

Score | Time (Outage) | Effect | Scale
3 | 4 hrs + | Total failure | High - Force wide or more than one Command Area
2 | 1>4 hrs | Substantial or significant failure | Med - Division / Department or one Command Area
1 | 0>1 hrs | No or limited failure | Low – local effect only

22.12 Examples

22.12.1 The following table shows some examples of incidents/disruptions. These are
shown for guidance purposes using the criteria listed above, however, it
should be noted that any incident/disruption regardless of its Score should be
reported if it is believed to be in the best interest of Police Scotland.
Furthermore, if an incident/disruption falls below the “score” criteria but is
reoccurring consistently or regularly it should be reported.

Incident | Time | Effect | Scale | Total | Report
Loss of Crime Recording system for 6hrs at a Public Service Centre | 3 | 2 | 3 | 8 | Yes
Total loss of power at Divisional Office for 45 mins | 1 | 1 | 2 | 4 | No
High sickness level of staff (30%) involving more than one Command Area | 3 | 2 | 3 | 8 | Yes
Loss of email system at an HQ Department for 50 minutes | 1 | 1 | 2 | 4 | No

22.13 The Governance Report (018-003) will be used to complete and record the
process of post-incident review. Once complete the Governance Report
should be submitted to the Business Continuity Management Officer(s).

23. Internal Audit


23.1 Scottish Police Authority (SPA), Internal Auditors shall conduct audits at
planned intervals to provide information on whether the business continuity
management system conforms to Police Scotland’s own requirements for its
BCMS, the requirements of BS ISO 22301 and is effectively implemented and
maintained.


24. Continual Improvement


24.1 Police Scotland shall continually improve the suitability, adequacy and
effectiveness of the BCMS in line with priorities.

25. Management Commitment


25.1 The Executive of Police Scotland must demonstrate leadership and
commitment with respect to the BCMS by:
• Ensuring that policies and objectives established for the BCMS are
compatible with strategic direction;
• Ensuring the integration of the BCMS requirements into business
processes;
• Ensuring that the resources needed for the BCMS are available;
• Communicating the importance of effective business continuity
management and conforming to the BCMS requirements;
• Ensuring that the BCMS achieves its intended outcome(s);
• Directing and supporting persons to contribute to the effectiveness of the
BCMS;
• Promoting continual improvement;
• Supporting other relevant management roles to demonstrate their
leadership and commitment as it applies to their areas of responsibility;
and
• Establishing roles, responsibilities, and competencies for business
continuity management.

26. Business Continuity Management Roles and Responsibilities


26.1 BCM Plan Holder
• Owner of the BCP;
• Final approval of BCM arrangements for Business Area.

26.2 BCM Team Leader and Deputy
• Requires appropriate seniority and authority to be accountable for BCM
implementation;
• Single point of contact for the Business Continuity Co-ordinator (BCC);
• Report directly to the Plan Holder with regard to BCM arrangements and
disruptions.


26.3 Business Continuity Co-ordinator and Deputy
• Administration and maintenance of BCM Plan in respect of their area of
business;
• Communication of Business Area BCM Arrangements;
• Identification and Co-ordination of Stakeholder activity in their Business
Area;
• Monitor Fall-Back Accommodation within their Business Area;
• Organisation and administration of local exercising, auditing and
amendment of their plan;
• Single point of contact for BCM Officer(s);
• Support & Advise BCM Team Leader;
• Completion of Governance Reports.

26.4 BCM Stakeholders
• Creation & Maintenance of BIA(s) for relevant Critical Functions;
• Will be Single Point of Contact for BCC;
• Will form part of BCM Team if required during a disruption;
• Will take part in BIA Walkthrough Exercises for relevant BIA(s);
• Will take part, where required in Local & Central Exercising.

26.5 BCM Officer(s)
• Support staff on aspects of BCM policy and strategy;
• Develop and co-ordinate the BCM arrangements and exercise programme
for Police Scotland;
• Monitor and report the results of BCM activity to the Executive of Police
Scotland;
• Provide staff with support, advice and guidance with regard to BCM;
• Develop, maintain and deliver training in BCM;
• Conduct BIA Walkthrough Exercises;
• Maintain Version Control for BCM Plans;
• Monitor Fall-Back Accommodation agreements between Business Areas;
• Co-ordinate review of BCM arrangements;
• Build relationships with External Organisations and Professional Bodies
relating to BCM;
• Promote BCM best practice within Police Scotland.


Appendix ‘A’

List of Associated Legislation

• The Civil Contingencies Act 2004


Appendix ‘B’

List of Associated Reference Documents

• Equality Impact Assessment SOP
• International Standards BSI ISO 22301 (Hard copy at Scottish Police College
library).
• Police Scotland BCM Guidance Manual (Available from Business Continuity
Officers)


Appendix ‘C’

List of Associated Forms

• Business Continuity Management Governance Report (018-003).


Appendix ‘D’

BCM Notification / Invocation and Escalation Procedures
