Necessary and Sufficient Evidence (Consolidated Framework)

For each domain, “necessary and sufficient” evidence means: the minimum concrete artefacts and observations that prove the criterion is in place (E1), enabled (E2), and working in practice (E3).

Below is a concise, practical set of examples.


1. Context, Scope, Stakeholders & Strategy

  • E1 – Gateway (Existence)
    • Approved procedure for context and stakeholder analysis covering QMS/EMS/Risk/BCM.
    • Last completed context analysis (PESTLE, SWOT, similar) and stakeholder map.
    • Documented scope statements for QMS/EMS/Risk/BCM and current strategic objectives that have been set and approved.[1]
  • E2 – Enablement (Structure)
    • Version‑controlled context and stakeholder analyses stored in a defined repository, with review dates and owners.
    • Objective register linking each objective to context/stakeholder drivers, with owners, measures, and targets.
    • Visual or tabular mapping showing traceability: context & stakeholders → scope → objectives.[1]
  • E3 – Operational Effect (Execution)
    • Business cases, initiative charters, or portfolio papers explicitly referencing context/stakeholder insights and disruption scenarios.
    • Risk and continuity investment decisions where disruption analysis or BIA inputs changed priorities or options.
    • Steering/portfolio committee minutes showing strategic objectives used to approve, defer, or stop initiatives.[1]

2. Leadership, Governance, Culture & Accountability

  • E1 – Gateway
    • Approved, current policies for Quality, Environment, Risk, BCM.
    • Governance structure document (e.g., RACI, terms of reference) defining roles, committees, and escalation paths.
    • Board/Executive‑approved risk appetite statement or equivalent criteria.[1]
  • E2 – Enablement
    • Forward calendar and minutes of regular Q/E/R/BCM governance forums showing leader attendance.
    • Resource plans or budgets explicitly allocating people/funding to these frameworks.
    • Leadership communications (town halls, videos, emails) and recognition mechanisms promoting an open, learning culture.[1]
  • E3 – Operational Effect
    • Decision records where risk, quality, environmental or BCM information materially changed direction or conditions.
    • Issue and action logs showing tracking, ownership, due dates, and closure of audits, incidents, and nonconformities.
    • Observed leadership behaviours (e.g., walk‑throughs, safety/environment dialogues) consistent with stated policies and values.[1]

3. Integrated Risk & Opportunity Management

  • E1 – Gateway
    • Enterprise risk management procedure including risk criteria, treatment, and explicit BIA/continuity risk assessment method.
    • Standard templates for risk registers and BIA (critical activities, RTOs, RPOs).
    • Planning guidance that requires documenting opportunities as well as risks.[1]
  • E2 – Enablement
    • Consolidated risk registers covering strategic, operational, financial, environmental, and continuity risks, with owners and ratings.
    • Completed BIA documentation for in‑scope services with current RTO/RPO, dependencies, and last review date.
    • Evidence of periodic reviews updating risk and opportunity entries when services, technology, or context change.[1]
  • E3 – Operational Effect
    • Prioritised risk treatment plans and continuity strategies that clearly reference underlying risk ratings and BIA outputs.
    • Investment, project or resource‑allocation decisions that explicitly follow risk and opportunity evaluations.
    • Records of accepted, avoided, transferred, and treated risks with rationale tied to risk appetite.[1]

4. Framework, Design & Integration into Operations

  • E1 – Gateway
    • Integrated management framework document describing QMS/EMS/Risk/BCM processes and interfaces.
    • Map showing integration points between framework processes and core operational and project processes.
    • Defined project/initiative governance and delivery framework (stage gates, roles, decision rights).[1]
  • E2 – Enablement
    • Process documentation and templates embedding Q/E/R/BCM requirements (e.g., risk sections, environmental checks).
    • Training records showing operational and project teams briefed on the integrated framework.
    • Configured tools/workflows (e.g., PPM, ERP, ticketing) enforcing required checkpoints and approvals.[1]
  • E3 – Operational Effect
    • Samples of projects delivered following defined stage‑gates, with required framework artefacts present.
    • Operational records (change requests, incident handling, service design) showing consistent use of the integrated processes.
    • Findings from reviews or audits where deviations were detected, corrected, and led to updates in processes or training.[1]

5. Planning, Objectives, Strategies & Change

  • E1 – Gateway
    • Documented process for setting Q/E/R/BCM objectives and action plans, including risk/opportunity assessment.
    • Methodology for developing continuity and recovery strategies (e.g., alternate site, manual workaround, supplier arrangements).
    • Change management procedure requiring assessment of risk, continuity, and environmental impacts.[1]
  • E2 – Enablement
    • Objective and action plan register with targets, timelines, responsibilities, and required resources.
    • Documented continuity and recovery strategies tested for feasibility (e.g., technical tests, supplier confirmations).
    • Change templates/forms with mandatory sections for risk, continuity, and environmental assessment.[1]
  • E3 – Operational Effect
    • Budget and portfolio decisions demonstrably aligned to agreed objectives and risk‑based priorities.
    • Examples where changes were modified, delayed, or rejected due to risk/continuity/environmental assessment outcomes.
    • Procurement, facilities, IT, and workforce plans explicitly guided by continuity strategies (e.g., dual suppliers, resilient networks).[1]

6. People, Capability, Culture, Communication & Awareness

  • E1 – Gateway
    • Role profiles or competency matrices specifying requirements for BCM, Risk, QMS, EMS roles.
    • Training and awareness framework for Q/E/R/BCM (curriculum, frequency, target audiences).
    • Defined communication plan and channels (e.g., intranet, alerts, briefings) with owners.[1]
  • E2 – Enablement
    • Training records (completion data, refresher schedule) for staff in key and general roles.
    • Knowledge repositories (wikis, guides, playbooks) capturing organisational knowledge for these disciplines.
    • Evidence that messages (e.g., campaigns, tooltips, dashboards) reach intended audiences in a timely, understandable way.[1]
  • E3 – Operational Effect
    • Observed competence in exercises, incidents, audits, and daily operations (e.g., correct use of risk and BCM tools).
    • Survey or interview results showing risk and BCM awareness outside specialist teams.
    • Behavioural evidence (e.g., proactive risk raising, near‑miss reporting, environmental good practices) aligned with desired culture.[1]

7. Customers, Markets, Stakeholders & Supply Chain

  • E1 – Gateway
    • Defined processes for capturing customer/stakeholder requirements and feedback (VOC, complaints, surveys).
    • Supplier/partner onboarding and management procedures including Q/E/R/BCM expectations.
    • Documented continuity and environmental obligations with key suppliers in contracts or SLAs.[1]
  • E2 – Enablement
    • Regular customer and supplier performance reports including quality, environmental, risk, and continuity indicators.
    • Controls for critical suppliers (SLAs with penalties, audit programs, contingency clauses).
    • Evidence of market, stakeholder, and supply‑chain insights being fed into planning and risk assessments.[1]
  • E3 – Operational Effect
    • Records where customer/stakeholder feedback triggered specific improvements or control changes.
    • Documented mitigation actions for critical supplier risks (diversification, alternate suppliers, stockpiles).
    • Joint initiatives or co‑designed improvements with key customers/suppliers that measurably improved performance or resilience.[1]

8. Operational Control, Design, BCM Plans & Emergency Response

  • E1 – Gateway
    • Documented process maps and work instructions for key products/services and critical activities.
    • BCM plans and emergency response procedures for relevant scenarios and locations.
    • Defined design and development process (where applicable) with control points and verification steps.[1]
  • E2 – Enablement
    • Role‑based, accessible versions of procedures and BCM/emergency plans (e.g., mobile, control‑room copies).
    • Contracts or operational procedures referencing relevant BCM and emergency requirements and triggers.
    • Clear assignment of incident/BCM roles, with criteria for activating and escalating plans.[1]
  • E3 – Operational Effect
    • Incident and exercise records showing plans and procedures were followed and effective.
    • Evidence of operational and emergency controls preventing or mitigating key risks (KPIs, loss data, safety/environmental metrics).
    • Post‑incident/exercise reviews resulting in updates to operational controls, BCM plans, and training.[1]

9. Information, Data, Documentation & Digital

  • E1 – Gateway
    • Documented information management procedure (creation, approval, retention, access) specific to Q/E/R/BCM.
    • Defined data quality standards and ownership for critical data sets.
    • Inventory of digital tools and systems supporting Q/E/R/BCM, with roles and responsibilities.[1]
  • E2 – Enablement
    • Evidence that documents and records are reviewed, approved, version‑controlled, and easily retrievable.
    • Configured systems enforcing standard fields, workflows, and reports for Q/E/R/BCM data capture.
    • Information security and integrity controls (access profiles, backups, audit logs) for critical information.[1]
  • E3 – Operational Effect
    • Examples where Q/E/R/BCM data and reports are used in operational and strategic decisions.
    • Trend analyses and dashboards used to identify issues, hotspots, and improvement needs.
    • Logs of data/document issues and corrections, including root cause fixes to prevent recurrence.[1]

10. Performance Measurement, Monitoring, Exercising & Review

  • E1 – Gateway
    • Defined KPI set and targets for quality, environmental, risk, and BCM performance.
    • Documented internal audit and management review program.
    • BCM exercising and testing program document specifying objectives, scope, and frequency.[1]
  • E2 – Enablement
    • Evidence that monitoring, audits, reviews, and exercises occur per plan, with documented outputs and actions.
    • Analysis reports that go beyond compliance to examine trends, causes, and exposure.
    • Action registers assigning owners and due dates to findings and exercise outcomes.[1]
  • E3 – Operational Effect
    • Traceable examples where monitoring/audit results led to changes in controls, priorities, or strategies.
    • Exercise reports demonstrating realistic scenarios, identified gaps, and resulting updates to BIA, strategies, and plans.
    • Management review minutes showing use of results to steer direction, investment, and risk posture.[1]

11. Learning, Improvement, Innovation & Resilience Evolution

  • E1 – Gateway
    • Procedure for capturing incidents, nonconformities, near misses, and lessons across Q/E/R/BCM.
    • Mechanisms for collecting improvement and innovation ideas (campaigns, suggestion schemes, retrospectives).
    • Defined root cause analysis and improvement planning method and templates.[1]
  • E2 – Enablement
    • Register/portfolio of improvement and innovation initiatives with prioritisation criteria.
    • Investigation records showing consistent use of root cause methods where thresholds are met.
    • Action tracking system with ownership, deadlines, and status for improvement items.[1]
  • E3 – Operational Effect
    • Trend data showing reduction in repeat incidents, nonconformities, or near misses in targeted areas.
    • Case examples where specific improvements measurably enhanced risk, quality, environmental, or continuity outcomes.
    • Evidence that lessons and insights feed back into strategy, frameworks, and capability building (e.g., revised standards, new training).[1]

Sources
[1] Consolidated-Capability-Assessment-Framework-Discussion.pdf

Author: John Salter & Associates Consulting Services

John Salter - specialising in the facilitation of risk-based capability reviews; needs-based training; business continuity planning; crisis management exercises; and organisational debriefing. Recognised for “preventing disasters, or where that is not possible, reducing the potential for harm” Ref: Barrister H Selby, Inquest Handbook, 1998. Distracted by golf, camping, fishing, reading, red wine, movies and theatre.
