Annex 1: The Legislative Context
The statutory duties concerning:
- the ability of Category 1 organisations to continue to perform their functions[22],
- the provision, by local authorities, of advice and assistance to businesses and other organisations about the continuance of their activities.
relate primarily to their ability to meet the challenges of emergencies. ‘Emergencies’ are defined in the Act[23] as events or situations, including war and terrorism, which threaten ‘serious damage’ to human welfare, the environment or security. The National Risk Register[24] sets out the most serious risks which could lead to such events.
However, these requirements are not limited to their ability to respond to the emergency itself but include the effects of the emergency on the organisation. In order to develop and fulfil the requirements of the Act, planners will therefore need to consider related non-emergency Business Resilience. This may be significant in its own right but also because of its relevance to capabilities that support emergency functions. These include the management of the indirect effects of emergencies, the ability of organisations to sustain emergency capabilities and to recover (in preparation for subsequent emergencies) and also some aspects of work with partner organisations.
5.1 Having Business Resilience
The Civil Contingencies Act 2004 and the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 set out the following duties in relation to being able to continue to perform organisational functions.[25]
All Category 1 responders must maintain plans to ensure:
- that if an emergency occurs, as far as this is reasonably practicable, they can continue to perform their functions, and
- that if an emergency occurs or is likely to occur, so far as necessary or desirable, they can perform their roles of preventing the emergency; reducing, controlling or mitigating its effects; or taking other action in connection with it.
These two duties can be summarised as: having an appropriate level of Business Resilience to continue priority activities and to respond to the emergency.
The regulations also set out some aspects of how these duties must be performed, stating that Category 1 responders:
- must have regard to any relevant risk assessments that have been carried out as part of the duties under the Act
- may maintain plans which relate to a particular emergency or a particular kind of emergency
- must maintain plans which relate to more than one emergency or more than one kind of emergency
- must, when maintaining plans, include arrangements to exercise the plan and to provide training for an appropriate number of suitable staff
- must have regard to any relevant arrangements to warn and to provide information to the public about emergencies
5.1.1 Voluntary Sector Organisations
In performing the above duties, Category 1 responders must have regard to the activities of voluntary organisations which are relevant to emergencies and which operate in their area. In this context, this means those whose purpose is to prevent an emergency, or to reduce, control or mitigate its effects, or those with a similar role. Whether or not the voluntary organisation carries out other functions in addition to these does not affect this duty.
5.2 Promoting Business Resilience
Local authorities have additional duties connected with the provision of advice and assistance to other organisations about the continuance of their activities when faced with emergencies[26]. Local authorities:
- must provide advice and assistance to businesses at large about continuing their activities when affected by emergencies
- may provide advice and assistance to individual businesses about continuing their activities when affected by emergencies
- may provide advice and assistance to businesses in identifying and obtaining help from a competent and experienced business continuity consultant
The regulations also set out some aspects of how these duties must be performed. Local authorities:
- must consider relevant community risk registers when doing these things
- must consider any advice and assistance being provided by other responders in their area and need not duplicate that work
- must co-operate with other local authorities in the same partnership area in fulfilling these duties
- may perform these duties jointly with another responder or may make arrangements with another responder to perform the duty on its behalf
- may charge for the cost of providing advice and assistance on a cost recovery basis
These duties refer to ‘commercial’ activities and ‘emergencies’. ‘Commercial’ is not a straightforward term to define. It should not be taken narrowly to mean only private sector businesses operating for a profit. Others, including charities, building societies and credit unions, carry out commercial activities; they operate as businesses, generate financial benefits and should be considered in performing this duty.
However, this does not mean that local authorities should concentrate solely on emergencies, as defined this way, when working to promote Business Resilience. Thankfully, most organisations will have direct experience of serious emergencies only rarely, and perhaps never in the case of those due to hostilities. Discussing a broader range of more commonplace disruptions is likely to be a more productive way to engage businesses, as very severe emergencies may seem less credible, too difficult to manage, or a problem for the emergency services. Pursuing this indirect route may lead from resilience against smaller disruptions to a greater ability to deal with higher impact events, although the approach taken should be tailored to the circumstances.
5.2.1 Voluntary Sector Organisations
Local authorities have equivalent duties to provide advice and assistance to voluntary organisations, with the exception that they need only provide this to those voluntary organisations which they consider ‘appropriate’. In determining whether a voluntary organisation is ‘appropriate’ in this context, the regulations set out the following factors which must be considered:
- the nature and extent of activities the organisation carries out, particularly, the extent to which the organisation contributes to (i) the prevention of emergencies; (ii) the reduction, control or mitigation of the effects of an emergency; (iii) other actions in connection with an emergency; (iv) social welfare.
- the size of the organisation (e.g. staff employed and turnover).
- whether the advice and assistance is likely to improve the organisation’s resilience in the event of an emergency.
As the voluntary sector is large and diverse, it is unrealistic to expect local authorities to provide advice and assistance for all organisations. Rather, they should prioritise their efforts towards those organisations where uptake of that advice and assistance would be likely to strengthen emergency resilience or social welfare in their region.
5.2.2 Geographic Scope
These local authority duties apply only in relation to businesses and voluntary organisations which operate in the local authority’s area. This includes those which operate in the area for a period of time without being resident, for example, music festivals or major construction projects.
The additional duties placed on local authorities can be summarised as: taking appropriate steps to promote Business Resilience within the commercial and voluntary sectors in their area.
5.2.3 Other Category 1 Responders and Promoting Business Resilience
The regulations require other Category 1 responders in the area to cooperate with local authorities who are delivering these duties. In addition to initiatives led by local authorities, other Category 1 responders can promote Business Resilience in several ways:
- by influencing their suppliers and sub-contractors, thereby also improving the resilience of the Category 1 responder itself
- through the normal work of the organisation which will have Business Resilience consequences, e.g. crime prevention and fire prevention initiatives
- by ‘warning and informing’ work which makes organisations and the public more aware of risks
[22] Civil Contingencies Act (2004) 2 (1) (c)-(d)
[23] Civil Contingencies Act 1(1)-(5)
[24] See National Risk Register https://www.gov.uk/government/publications/national-risk-register-for-civil-emergencies-2013-edition
[25] See section 2(1)(c)-(d) and 4(1) of the Act and Part 7 of the Regulations
[26] These are set out in Part 7 of the Regulations and arise from section 4(1) of the Act, where they are referred to as ‘relevant responders’.
Annex 2: Selected Glossary
Business Continuity – Strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable pre-defined level.
Business Impact Analysis – The process of determining the impacts on the organisation from interruptions to business operations or processes.
Business Resilience – A holistic approach, demonstrating how resilience can contribute to the overall strategic aims and objectives of an organisation. It extends the scope of business continuity management and emphasises the human and cultural aspects.
Community Resilience – Communities and individuals harnessing local resources and expertise to help themselves in an emergency, in a way that complements the response of emergency responders.
Crisis – An abnormal situation which threatens the operations, staff, customers or reputation of an enterprise.
Enterprise Risk Management (ERM) – A strategic business discipline that supports the achievement of an organisation’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks.
Incident Response Structure – Organised arrangements to provide effective direction, coordination and deployment of resources required to respond to an incident.
Maximum Tolerable Period of Disruption (or outage) – The maximum allowable time that the organisation’s key products or services can be unavailable or undeliverable before the impact is deemed unacceptable.
Recovery Phase – Process of rebuilding, restoring and rehabilitating following an emergency or disaster, and continuing until the disruption has been rectified, demands on services have been returned to normal levels, and the needs of those affected have been met.
Recovery Point Objective (RPO) – The point to which information used by an activity must be restored to enable that activity to operate on resumption.
Recovery Time Objective (RTO) – The maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organisation.
Risk Appetite – Total amount of risk that an organisation is prepared to accept, tolerate or be exposed to at any point in time.
Risk Treatment – Process of determining those risks that should be controlled (by reducing their likelihood and/or putting impact mitigation measures in place) and those that will be tolerated at their currently assessed level.
Single Point of Failure (SPOF) – The part of a service/activity/process whose failure would lead to the total failure of a key business activity.
Surge Capacity Planning – Development of arrangements to deliver an increased volume of those goods or services that are normally provided.
Annex 3: Further Reading and References
How Prepared Are You? Business Continuity Management Toolkit
Business Continuity Guide for Small Businesses
ISO 22301 Business Continuity Management
Ready Scotland
Preparing Scotland Guidance
© Crown copyright 2013
You may re-use this information (excluding logos and images) free of charge in any format or medium, under the terms of the Open Government Licence. To view this licence, visit http://www.nationalarchives.gov.uk/doc/open-government-licence/ or e-mail: email@example.com.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
First published by the Scottish Government, November 2013
ISBN: 978-1-78412-024-5 (web only)
The Scottish Government St Andrew’s House Edinburgh EH1 3DG
Produced for the Scottish Government by APS Group Scotland