Avetta

Business Continuity
Planning Question
Guidance for
Prequalification Form
(PQF)

Page 1 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02
 Table of Contents
Introduction 4
How to use the guidance 4
Question Guidance Notes 4
Category: Leadership 5
Policy and Commitment 5
Q1). 5
What do we mean by a business continuity policy? 5
Q2). 5
Key Contacts & Responsibilities 5
Category: Planning 6
Risk and Opportunity Determination 6
Q1). 6
Q2). 7
Objectives and Planning 8
Q1). 8
What do we mean by a business continuity plan? 8
What are the things that could impact on your ability to deliver work or service? 8
Q2). 8
Category: Support 9
Resources 9
Q1). 9
Q2). 9
Q3). 9
Competence 10
Q1). 10
Awareness and Communication 10
Q1). 10
Q2). 10
Q3). 11
Q4). 11
Q5 12
Q6). 12
Category: Operations 13
Planning and Control 13
Q1). 13
Business Impact Assessment (BIA) - Risk Assessment 13
Q1). 13
Q2). 13
Q3). 14
Q4). 14
Q5). 14
Q6). 14
Q7). 15
Q8). 15
Q9). 15
Page 2 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02
 Strategy 16
Plans and Procedures 16
Q1). 16
Q2). 16
Q3). 16
Exercise (Drills and Simulations) 16
Q1). 16
Q1a). 17
Evaluation of Documentation 17
Category: Performance Evaluation 17
Internal Audit / Review 15
Q1). 15
Q1 a & b). 15
Q2). 15
Q3). 15
Q4). 16
Management Review 18
Q1). 19
Category: Improvement 19
Non-Conformance and Corrective Action 17
Q1). 17
Q1a). 17
Continuous Improvement 19
Q1). 19
Q2). 19

Page 3 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02
 Introduction
We recognise that the practice of business continuity
may be a new area of business management to many
of the organizations that participate within the Avetta
Network. Recent events with the impacts of the
Coronavirus pandemic and the effects this had on the global
supply chain has focused many companies to begin
evaluating how a strategic supplier manages the issue of
business continuity and maintains their services/products, which
ultimately impacts upon how they continue to deliver these.

The prequalification process traditionally looks at how a company that

provides a service to a client organization manages their safety
management, environmental and quality programs. In some cases, based
upon the suppliers location or work activity, some clients will look at other
factors as part of their due diligence such as sustainability, business transparency,
environmental impacts and so on.

How to use the guidance

If you are uncertain about the question or how it applies to your business activity or
service, you should cross reference the question you are unsure about with the relevant
question number within the guidance.
The information provided is written at a fairly high level and is intended to give you
enough clarification supported with examples of what the client will expect in relation
to the types of answers you should provide.

You don’t have to read the whole document to locate guidance on a specific
question. If you require help with a question, simply scroll your cursor over the
contents section. The part that relates to the question
you need assistance with. Whichever question you need
help with place the cursor on the text, click your mouse,
and you will be taken directly to the appropriate help text.

Question guidance notes

Page 4 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 04
 Category: Leadership
Policy and Commitment
Q1).
What do we mean by a business continuity policy?
This is a policy statement produced by the business to demonstrate the commitment from the highest
levels of the management team, irrelevant of size of the business, that all the necessary actions to
identify potential issues that can impact upon the business operating on a normal basis will be
documented. Those will be risk assessed and based upon the severity of the impact listed in priority
order of attention. The content will be subject to review by competent members of the senior
management team.

The policy should confirm that the company will train and communicate to all workers what the plan is
and advise where this information will be held.

The content will be subject to continued assessment for its suitability and will ensure that appropriate
training and guidance is provided to all members of the workforce and direct simulations and drills will
be undertaken to ensure the effectiveness of any programming put into place.

If the business has multi-locations the policy statement should also take this into account and where
information needs to be localised this should also be included.

The policy will confirm a commitment to continuous improvement of the business continuity program.

The policy should ideally be undersigned by the most senior management representative with
responsibility for keeping the business running in a normal manner

Q2).
Key Contacts & Responsibilities
It is essential irrelevant of the size of the business that key individuals who will be responsible for
delivering assigned tasks during an event are identified and confirmed within the planning process.

Each part of the business should be listed with the individuals who have expertise in that part of the
business confirmed and named based upon the location.

It is ESSENTIAL this list is kept up to date. If an individual changes phone providers and phone number
this should be inserted into the plan as soon as possible. Ensure the verification of details is undertaken
at each review including when key members change within the business. Changes may result based on
individuals changing jobs, promotion or retirement – it is essential that if someone refers to the contact
document it reflects the current ‘EMPLOYEE LIST’.

Specific areas of the business should be allocated to those individuals who have detailed knowledge of it.
Be prepared to provide alternates/substitutes as the nominated person may not actually be available,
may have been injured, are away on holiday or are too busy working on another part of the emergency.

The same rule for maintaining up to date contact information specific to the alternatives /substitutes
should be the same as the primary contacts.

Page 5 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 05
 Category: Planning
Risk and Opportunity Determination
Q1).
‘Does this only apply to big companies? No, all companies would benefit from understanding the types of
risk planning they would need to do and any size company can be impacted by the weather or
unforeseen issues where you have to put an action in place quickly, having the plan means you have
thought about it and have looked at what you can do to put the problem right! It is essential that the
company has the commitment from the senior team to keep the business operating.

The options shown in the table are incidents or occurrences that could impact upon your business. This
could be the main place of business or a key site operation.

Based upon where your business is located, the issues or events may vary. The plan reflects the issues
you may face and what actions you should put into place to ensure the recovery time is always kept to a
minimum and you can get the business operating normally again

When you identify the potential impacts, you will need to start to assess what are the actions needed and
who will be responsible in the business to undertake the actions needed to get the business back to a
normal state

The key is be realistic, if there is a very low probability of hurricanes then you should focus on the issues
that can occur

It is essential to accurately identify the potential risks to your business and correctly categorise the level
of impact it would have on your business.

For example:

a) Your business is located in a region that is subject to severe weather variations throughout the year, in the
winter months snow brings down power lines which impacts on the business and its ability to maintain
production, what actions can you take to reduce the impact to production; e.g. Maintain a backup generator or
independent power source.
b) You only employ two teams of electricians and you are currently working on two projects for two separate
clients. One of the teams go out with food poisoning, what is the risk you could lose that client or even both if
you split the other team?
When you assess the potential risk to your business consider ‘How vulnerable is the business if this
happens?’ How can we mitigate this and get back to normal business?
It may be that a client requests to see how your business have conducted a ‘Business Impact Assessment’,
(BIA)this is the same process as identifying the risks that can impact upon your business and stop it
operating normally.

Page 6 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 06
 When developing the content of your risk record it is essential that all identified items and associated
actions need to reduce their impact are reviewed by members of the senior management team and
parties within the business that possess the necessary competence to understand what actions are
needed and as important confirm what is achievable.
Ensure that the contents of this business risk information is made available to all relevant members of
the workforce.

An example of what actions should be taken:

The areas of the business that are at risk should be outlined in the Business Impact Assessment (BIA) / risk
assessment along with the level of impact it can have on the business operation. How this i calculated
should be based upon the following criteria:

- Impact on workers
- Impact on the company and its ability to meet contractual requirements
- Impact to the client and meeting their expectations
- Impact on other 3rd parties not employed but affected by the company actions
- Ability of the business to recommence trading again based on previous performance
- Confirm key workers ensuring they have the correct level of understanding of the content.
- Ensure continual improvement is an outcome of the program.
- Ensure that all legal and business requirements are integral to the development and implementation of
the program.

Q2).
It is important that the plan covers issues such as key workers, the workers who help to deliver your
services. If your key staff went of sick or even left the business will this impact on your ability to keep to a
client’s deadlines, would this cost the company money or future contracts.

You need to confirm in your plan how you would deal with the sudden loss of workers including what
methods you would use e.g. Bring in a subcontractor or other works who can fulfil the work to the same
standard

Page 7 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 07
 Objectives and Planning
Q1).
What do we mean by a business continuity plan?
This is a business plan or suite of procedures that allows the business
to consider a range of factors or events that may impact on your
business being able to deliver its normal scope of business and
operate on a normal basis.

‘Is this something that only applies to big companies? No, all
companies would benefit from understanding the types of risk
planning they would need to do in the event of a serious issue. For
example; any size company can be impacted by the weather or
unforeseen issues where you need to put an action in place quickly,
having the plan means you have thought about it and have looked at
what you can do to reduce the impact, keep the business functioning
and above all else ensure going forward the mitigation plans are
subject to continual improvement.

What are the things that could impact on your ability to deliver work
or service?

For example, a critical supplier of timber may have a fire and

you need to source a new supplier quickly, you may be a small
company and a number of workers are off sick at the same time,
your supply of raw materials is impacted by bad weather not
usually experienced at the time of year. This process should
manage unforeseen issues such as flooding, loss of utilities,
anything that can impact upon the business being able to
function normally. You may have a plan, flow chart or a simple
document that lists the potential issues and who needs to be
contacted to help deliver the actions needed to help the
business recover.

Q2).
This in the context of the business continuity program is where solutions
and processes have been identified to rectify the impact caused by the
event that it is simply not good enough to discuss and identify solutions,
enough resources should be made available to put them into place.
Resources is not always about money; it can also include materials and
human resource.

Also, if post event or as part of a test and requirements are identified to

improve the process and get the business back to normality adequate
resources are apportioned to action the requirement. For example: If it
was found in the post event analysis that certain levels of personal
protective equipment were needed to address the incident that occurred
this should be provided as a resource needed to get the business up and
functioning again.

Page 8 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 08
 Category: Support
Resources
Q1).
The supporting evidence should demonstrate what type of training or information is provided to key
workers. It should not contain any personal details of single individuals. It may be a simple agenda or
timetable detailing how the plan will be implemented or it may be a sophisticated program approach
that includes a program for drills and debriefs etc.

Confirm if processes such as: Training Needs Analysis; Conducting a business impact assessment;
Emergency communication skills; Operating and maintaining operation programs and managing
suppliers and contractors when the plan is implemented are included.

There is no right or wrong response, it simply needs to provide confirmation that nominated individuals
who have key roles in the event of an emergency know and understand exactly what they need to do.

Q2).
Once a company have invested the time and effort to develop a plan to get the business running normally
after a serious event, it is essential that the content of the plan or process that is being used is kept up to
date and subject to testing.

Why is this important?

A Company can change, there can be staff changes, there can be takeovers or growth so that the business
expands into other geographical locations or new product lines, changes of supplier base, if the
circumstances change from the original scope the plan must reflect the current type of operation.

Q3).
It is essential that in some cases where specific types of equipment or working practice are identified as
being needed to get the business running in a normal capacity are made available. In some cases, this may
be a specific piece of equipment over and above the normal production plant. For example; if the power
stops midway through a production cycle and it could impact upon all of the batch, it may need a generator
that starts within seconds to continue the circulation of power to the equipment. This is equipment that
would need to be purchased or leased and funds made available to minimise the identifiable occurrence.

Regarding the ‘formality’ this means that if something is identifiable (Normally found in the impact
assessment or identified as part of the management review during the continuous improvement process) as
being needed the process for identification and subsequent funding has an audit trail, this may include
purchase order forms, recommendations from specialist personnel.
Other examples could include ensuring that sufficient communication systems are provided, this could be
mobile radio is cellular activity is not available, specific categories of personal protective equipment is
purchased and, in ALL cases, these are readily available if and when they may be needed.

Page 9 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 09
 Competence
Q1).
This question relates to the actual competence of the nominated individuals that have been identified within
the list of key workers who have been tasked with undertaking a specific part of the implementation of the
business continuity pan, in simple terms helping to get the business back to normality.

They will not only be documented within the list of key workers, the areas of the program they have been
tasked with to address, they must have the necessary competence (Skill-set / Experience / Qualifications /
Understanding of the business and have been trained in the requirements documented within the plan).
They must also have the necessary authority to get things done which does not fall under the issue of
competence.

Awareness and Communication

Q1).
This question relates to consultation NOT simply communication. There is a subtle difference. The reason
for the question is that it is essential for the continuity program to be effective, all parties that are impacted
by the business operation and subsequent loss of that operation must be advised about the content of the
plan, the actions that are to be taken based upon whatever type of event impacts upon the business and
how important it is to ensure that all impacted parties are aware of the parts they play in minimising the
impact and getting the business operable again.

This involves active dialogue including explanations on meeting expectations and also confirming exactly
what roles they will play and, in some cases, may actually involve them participating in the simulations. A
record of any information should be kept and also any feedback received that may enhance the contents
should also be recorded and where applicable acted upon.

Q2).
When a company has more than one location it is important especially if a part of the operation if stopped, it
impacts upon other parts of the company business that they also have some involvement within the
continuity plan.

Where changes are required that have been identified as part of a simulation or actual event it is essential
that where changes are made in one location that the impact of the change is looked at to understand how
this impacts on other locations which is why it is essential that when looking at developing the content all
factors and business operations are assessed. It is of no use if the new actions get site A running normally
but because the changes were not communicated or the impact of the change was not assessed at site B,
this could have a negative impact on the business operation at site B. It is essential that all the identified key
stakeholders are advised of the changes made to the content.

Page 10 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 10
 Q3).
When the business continuity plan has been developed it is essential that all the individuals who have been
identified as having a key role actually know that they have been nominated and are willing to do the role in
the event of an emergency. It is also essential that all relevant parties know where the most up to date copy
of the plan is located and how they can access it. For example, if located in the cloud, do all parties have the
correct password to be able to get to the documentation?

The communication process used to educate the general workforce who have not been identified as key
points of contact may be slightly different in its approach as they will simply need to know what instructions
they should follow in the event of an unplanned emergency that stops the business from operating, this may
be in the form of a training brief or tool-box huddle reminder, it really depends on the size of the business ,
how departments are broken down and what level of input they would have to assist the nominated person.
The media used to communicate the message is totally dependent upon the type of business and what
works best for the company.

Q4).
This is an important role and should only be given to an individual who has the necessary seniority and is
allowed to act on behalf of the company.

If they are allowed to speak to any form of media, they should be provided with appropriate training and
guidance.

If talking to the media, it would be wise to ensure that they are provided with guidance from the
company’s legal counsel so as not to make comments that may cause mis-information of be misquoted
by areas of the media. To understand their limitations.

Their details should be made known to all major clients in the event they need to liaise on behalf of the
company. To keep the key clients appraised of any potential impact to their order, what actions have
been taken and estimates on when the business will be fully functional again.

They should be provided with a list of important points of contact that are critical to the operation of the
business. These contact details should also be maintained so that they are up to date e.g. insurance
company details, main points of contact in the client organization, nearest emergency facility etc.

It must be confirmed within the plan that all external communications should be delivered by this
nominated individual – no one else

Page 11 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 11
 Q5).
If there is not a single procedure that covers document management with the business, a simple process flow or
bullet list that shows the sequence of how documents are managed, controlled and archived where applicable is
acceptable.

For example:

- Document containing phone details of key workers

- Three of the key workers have retired (Identified during review of the plan/content)
- Three replacements are identified (Identified as part of the management review)
- New contact details are inserted into the list (Upgrading of the content)
- New details are issued to all relevant parties and new details communicated to the company (Document issue)
- Plan revision amended to reflect new content (Document status amended)
- Old out of date copies archived and filed away – (Archived documentation)

The response may simply be a set of bullets that details what actions are taken periodically with the
documentation specific to the business plan, to ensure the content is maintained and always kept up to date.

Q6).
In the event a large number of workers become sick simultaneously this can impact upon the company being
able to function correctly, this could be classed as a ‘Crisis’ which is still part of the business continuity process.
For example, there may be a case of severe food poising or an illness that affects several workers in different
departments who become ill at the same time, this can impact upon the business from operating normally. It is
essential that the workers who have not been impacted are provided with advice/guidance on what actions the
company have taken to prevent the spread of the infection and what actions they should take in order not to
catch the illness.

There are various methods and actions, and these are listed in the question sets, you should check the options
that are most appropriate to your type of business especially if you use about from employment agencies or day
labour where you don’t know who will be attending the site.
This is not restricted to the Coronavirus pandemic, if for example your business operates within an industry such
as food manufacture and process or consumer goods, it is possible that illness such as food poisoning, skin
reactions etc could not only stop productive but in extreme cases can lead to product recall and damage to the
brand.

Page 12 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 12
 Category: Operations
Planning and Control
Q1).
Contact information that is specific to other parties NOT just the nominated key works, must also be kept up
to date.

For example:
Next of kin information. If an individual has been seriously hurt and their next of kin information is out of
date it would make it very embarrassing and difficult to have to try and locate that persons information.

A client may have expectations on a specific order that will impact on the delivery and the contracted
service level agreement, it is essential they are provided with an accurate overview of the event and the
potential impact it may have upon them.

An international strategic supplier has been prevented from working on your product due to a severe
weather intervention such as a typhoon, flood, etc you need to understand the impact and where
applicable find an alternative supplier.

Business Impact Assessment (BIA) - Risk Assessment

Q1).
It is essential that before putting any plan together that the senior management team (irrelevant of the size
of business) actually understand what are the potential risks that can impact upon the business and prevent
it from operating normally.

Not all events are foreseeable or predictable but there must be some form of process that if something does
occur actions can be taken to address them.

For example, flooding may not be something that has ever been considered as the potential likelihood of this
happening is low but if your business is located near a potential water source and the local area is subject to
an unprecedented storm which results in localised flooding, what action should be taken.
It is important that the events that have been identified are documented and the impact they can have on
the business should be evaluated, the terminology used will vary company by company, for example, partial
closure, full closure requiring transfer of operations, severe financial impact, etc
specific categories of personal protective equipment is purchased and, in ALL cases, these are readily
available if and when they may be needed.

Q2).
The process used should confirm the timelines that individual events can have on the business. How long
will it incapacitate the business operation what will the time be before it can be up and running again.
For example, major fire destroyed two production units. To re-build and obtain new production machines
will take 5 months to be up and running at previous capacity as some of the production can be transferred to
another location while remediation works are undertaken.

Page 13 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 13
 Q3).
When the events have been identified and the actions identified needed to ensure the business has minimal
impact it is essential that the company prioritise the actions and allocation of resources and the severity of
the event by classifying what type of impact this has on the operation, this follows the calculation that has
evaluated the level of risk this now puts that into a category such as business – catastrophic, business risk –
very low etc.

All parties involved in the program should understand how this level was calculated and it should be made
clear within the documentation and it should be recognised that post simulation or desk top test that this
level may change and where applicable all parties need to be made aware of that change via the
communication mechanism.

Q4).
All of the events that have been identified should reflect reality for the business, there is no value
documenting and calculating events that simply would not exist based upon where you are located and your
type of business. For example, what is the likelihood of a train derailment impacting upon the business when
the railroad is located several miles, or a severe weather event not usually found in the region they are
based.

The experts within the business and company insurance providers should confirm the issues that should be
addressed so resources can be focused on what can potentially happen. All information contained within the
plan had=s been verified as being actually needed and of value to the business.

Q5).
For a business to maintain its normal operation it has to ensure that the strategic suppliers used to provide
equipment and services are also looked at, their own business continuity planning should be taken into
consideration.

It is essential as part of a continuity plan that the methods of obtaining critical services are looked at and
where necessary ensure that these are secure and if they are interrupted what actions should be taken to
either continue with the services or secure another provider. This is NOT about ensuring their systems are
compatible with your programs as it is unlikely you will have any jurisdiction on their content , but more
about ensuring that they have suitable programs in place as well.

In some international locations the term ‘Business Continuity’ may mean different things and at a critical
point in the event something occurs it is not a good place to be when it is realised the supplier only looks at
fire drills as part of their continuity programs.

As part of your analysis, you should be considering what the impact to your business will be if your main
supplier stops working, what is the impact to you?

Q6).
This question is very similar to some of the previous questions where classifications are documented based
upon the type of event. This is a more detailed level of assessment that breaks down the impact further by
actually specifying what the actual impacts are specific to for example this could be a multi issue problem.
For example, if the order being processed is not fulfilled it can create a contract failure which may also relate
to legal action by the client Which subsequently impacts on the brand reputation. The question confirms
that as part of the risk assessment the impact can be described in an understandable but accurate
description of the business failure points.
Page 14 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 14
 Q7).
In some sectors it may be a requirement within a business that if a worker has travelled
to an area where they may be exposed to certain infections e.g. They may visit a country
on vacation that may be prone to certain health infections, Nigeria – Yellow Fever, May be
a country that has an outbreak of a specific condition such as ‘Foot and Mouth’. Before
they can actually return to the workplace do you require that the individual advises they
have been to a location where there may be conditions that could infect other members of
the workforce which could impact on the business operation or the actual product being
manufactured which can be a factor in some sectors such as food processing and
manufacture.

Q8).
Similar to the previous question that focused on full time workers this question relates to
casual labour who may be employed via an employment agency or via a day labour
business, the question seeks to understand if you validate where they have been before
starting employment on your worksite, if they are employed in a casual capacity they
could potentially work in a previous location that could introduce risk to your worksite
and you are simply establishing if their previous employment could introduce a risk to
your business that could impact on normal operations. This may be done as part of a
signing in process at the security office or as part of a site induction, it is whatever
methodology is suitable for your business. Does the company ask questions such as
this of all workers including employment agency staff and day labourers especially if
they have the potential to enter parts of the worksite that can cause the potential
impacts as described?

Q9).
There are some sectors where the daily health of a worker is essential especially in the
food manufacturing and pharmaceuticals sector. It is possible that this may not apply
to the sector within which you operate.

Page 15 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 15
 Strategy
Plans and Procedures
Q1).
This question is seeking to understand what mechanism is used to detail what processes are needed to enact
the actions need to get the business back up to normality. Are sequenced checklists used by the nominated
personnel, the question is seeking to understand if the continuity plan that is in place is structured and does
not rely on memory, there are prompts that ensures all critical business functions are addressed. Is the
process staged, is it sequenced it is possible that if a specific sequence is required and they are undertaken in
different locations the potential to miss parts increases if the requirement is not documented?

If a checklist approach is not used, the alternative methodology should be confirmed in your response. The
question is NOT specifying that a checklist is better than any alternative, it is simply assessing how your
business manages this issue.

Q2).
Many companies sometimes confuse disaster recovery with business continuity. Disaster recover generally
focuses upon information technology (IT). It is a documented process or set of procedures that will assist
your business to recover and protect the company IT infrastructure in the event of a disaster.
Based upon the size and sophistication of your business the loss of your IT can have dramatic effects for
example, a small electrical contractor who has lost their computerised payroll and order program or a major
manufacturing operation that cannot program their production units.

This question is seeking to understand, has your business included IT safety and recovery as part of your
continuity process and included both natural disasters such as floods or human based impacts such as
cyber-crime/ ransomware attacks or malicious viruses and it forms part of the business continuity program
and is not in isolation the only thing addressed.

Q3).
In many cases, some mix up the issue of crisis management with business continuity. A crisis can impact on
the business operation but not prevent it operating completely. The question is seeking to understand if the
overall plan considers that if a crisis occurs there is a process that can deal with it on a crisis by crisis basis
and not a one-size solution as these issues can manifest themselves differently based upon circumstances.

Exercise (Drills and Simulations)

Q1).
For any form of business process or plan to be deemed as effective it is essential that the content is tested to
make sure that it actually works for your business and does what it was designed to actually do, get the
business up and running normally again.

The manner in which the process is tested is based upon how you want to test the program and what you
deem as the most appropriate method, the question is simply seeking to understand that if you do test the
content that this is done on a regular basis. There is no point having a program that is not tested and you
found in a real event that what was proposed simply is not effective. You should look at the methods used
and also determine the most appropriate frequency.

Page 16 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 16
 Q1a).
It is essential that there is a defined frequency or program in place and a consistent methodology, the
methods used should be appropriate to the business, don’t opt for processes that look good on paper but
will never be implemented, use methods and systems that are achievable within the business and there are
suitably qualified personnel who can undertake the assessment in a competent manner.

Evaluation of Documentation

Category: Performance Evaluation

Internal Audit / Review
Q1).
In addition to the testing or simulation of events to test the effectiveness of your content, further checks
and balances can also be undertaken to ensure the content is actual suitable for the business. For
example, a simulation may have taken place in January but in September of the same year your
business acquires a competitor, it is essential that as part of a program review the impact and changes
faced by the business are addressed within the plan and its implementation.

Q1 a & b).
There are different methods that can be used to ensure the content is up to date and fit for ‘current’
business use. Within the option list there are listed different methods that can be used to understand
the current status of the content and how it should be applied. Also, to confirm how important this
process is, the frequency should also be noted as and when this is undertaken. It is possible that this
may vary by department and in some cases some things may be looked at on a weekly basis other yearly
based on the subject matter which is why there is the option to check multi boxes.

Q2).
To ensure that the monitoring process is effective, it is essential that any form of review is undertaken by
either the nominated key workers and or senior members of the management team. For any
management program to be effective the stakeholders of the business irrelevant of the size of the
business have to have an involvement in evaluating the effectiveness of the program.

This question seeks to determine which stakeholders within your business. There may be multi
stakeholders who participate within the evaluation process. You have the option to check multiple
checkboxes, this will confirm the type and level of insight being applied to the evaluation.

Q3).
When conducting the review of the effectiveness of the program that has been put into place, it is
essential that you a form of measurement to confirm just how effective the actions have been, if you can
measure you cannot demonstrate if it actually worked or not. Your business may call them something
different, a term commonly used is ‘performance metrics’ these are benchmarks that must be achieved
for the plan and the associated actions being carried through for example if all actions are
implemented, the company phone communication can be back on line within 2 hours or if the office has
to be relocated due to an issue at the current place of work this is completed within a 24 hour period.
The achievement of what is effective is based upon your needs.

Page 17 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 17
 Q4).
If at any time the proposed actions found within the plan and identified as being the course of action needed
to get the business operating normally again are found not to work there must be a process in place that
identifies a course of action to make the rectification better so that it does work. It is better to find gaps and
issues during a practice or simulation rather than an actual event but nevertheless the process should look
to make the actual plan effective by a process of continued improvement which can only be achieved by
review, practice and testing of the proposals.

Management Review
Q1).
As well as the key stakeholders within the day to day aspect of the business it is also essential that the
primary decision makers, the management team also conduct a review of the actions being taken. In some of
the smaller companies this may actually be one and the same persona.

It is essential that the management conduct a review to ensure the priorities of the business are addressed
and this covers all aspects of the business not a single department. The management review should focus on
the work undertaken such as reviews, documentation being used, the type of personnel involved - were they
suitable did they do what was asked of them or do they need support or replacing. This is not the same as a
standard review unless it is undertaken at the same time as other reviews due to the size of the company, the
management can shape just how effective the actions and planning can be.

Category: Improvement
Non-Conformance and Corrective Action
Q1).
If, during the simulation or standard review process and an issue has been identified that has been
calculated as not something that would work in the event of an emergency. This issue should be
recorded so that apart from maintaining a record of any type of review, all parties can assess the issue
and can also provide feedback on why the issue occurred or what actions can be taken as part of the
continuous improvement process making the back to operation much more effective.

Q1a).
The formal record should look to document the issues that have been found, for example what caused
the issue to go wrong or what needs to be done to enhance the requirement. It should as a minimum
confirm what type of timeframe is needed to make the change ‘right’. If this does not happen it is
possible that it may simply forgotten and in the time of an event the actions have not been changed
from the previous incorrect method.

Page 18 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02 18
 Continuous Improvement
Q1).
Throughout the section where changes are made, they have to be made for the right reason in that it
improves what is already in place and the range of changes ‘continually improve things. In some cases, it is
possible what is in place may be all that is needed but other issues that may impact upon the requirement.
For example, while the action may be suitable, other suggestions to improve what has been put into place
can fall under the continuous improvement banner, you may be using cell phones but you may identify that
due to some types of inclement weather they are not suitable to use as a communication aid so an option for
cell phone or radio may make the communication process more efficiencies. This is about having an open
mind to make changes to improve and enhance, not change for change sale.

Q2).
Where changes have been identified it is important that they are not only documented but the changes are
communicated to all relevant parties and adequate resources are made available to implement them. Where
changes are needed, the company should also confirm who will be impacted by the changes and who will be
responsible for implementing them.

About Avetta
Avetta connects leading global organizations with more than 85,000 qualified suppliers, contractors, and vendors across
100+ countries. We support the sustainable growth of supply chains through our trusted contractor prequalification,
supplier audits, insurance monitoring, robust analytics and more. With real results in helping companies reduce TRIR,
our highly configurable solutions elevate safety and sustainability in workplaces around the world—helping workers get
home to their families each night.

Page 19 of 19
© Avetta 2020 Guidance notes for Business Continuity Planning Prequalification Forms - Question Set
V.02
Let’s connect at avetta.com