A necessary and sufficient BCM/resilience “evidence set”

When commissioned to review a client’s continuity and resilience capabilities, I am nearly always asked, “What documentation do you need to review?” My response is set out below.

The “minimum viable” set to ask the client to provide

BCM minimum evidence set: policy & framework, risk register with BCM risks and latest assessment, approved BIAs, strategies and BCPs per critical area, crisis/incident plan with contacts, recent exercise and incident review reports, latest BCM audit and management review.

  • BCM policy and framework document.
  • Current enterprise risk register with BCM-relevant risks highlighted and the latest BCM risk assessment.
  • Completed and approved BIAs for all critical business units or services.
  • Approved continuity strategies and at least one current BCP per critical area.
  • Crisis/incident management plan with contact lists.
  • Last 2–3 exercise reports and action logs.
  • Last post-incident review (if any major event in last 2–3 years).
  • Latest BCM-related audit report and management review minutes.
  • Evidence of document control (register or repository view) and training/awareness records.

A minimal but robust suite to test for in any client can be grouped into governance, analysis, solution design, implementation, and assurance.

1. Governance and Policy

  • Business continuity / resilience policy (scope, objectives, principles, authority, review cycle).[2]
  • BCM program charter or framework, showing integration with ERM and other ISO-style management systems.[3][1]
  • Defined roles and responsibilities (e.g. BCM sponsor, coordinator, plan owners, incident manager, crisis team).[4][5]
  • Governance bodies and oversight records: steering committee / risk committee ToR and minutes where BCM is discussed.[6]
  • Regulatory or contractual requirement register for continuity/resilience (where applicable, e.g. APRA CPS 232, ASX rules).[2]

2. Risk and Impact Foundations

  • Enterprise or BCM-specific risk assessment identifying disruption scenarios, likelihood/impact, current controls and gaps.[8][3]
  • Documented business impact analysis at appropriate levels (process/service/function) with: critical activities, MTPD/MAO, RTOs/RPOs, resource dependencies, peak periods, and upstream/downstream impacts.[10][3]
  • Clear linkage: risk assessment and BIA feeding into continuity strategies and priorities (traceable in documentation sets).[2][3]

3. Strategies, Plans and Supporting Data

  • Documented continuity strategies (e.g. alternate site, remote work, manual workarounds, stockpiles, supplier redundancy) with rationale from BIA and risk assessment.[2][8]
  • One or more business continuity plans that consolidate:
    • Incident detection and declaration criteria.
    • Activation and escalation procedures.
    • Structure and roles of crisis/BC teams.
    • Communication strategy (internal, external, regulators, media, key stakeholders).[5][9]
  • Supporting playbooks/procedures where critical (IT disaster recovery, facilities, cyber, critical supply-chain, people surge/relocation).[5][10]
  • Up-to-date contact lists (staff, executives, crisis team, key suppliers, critical customers, emergency services, regulators) with access arrangements on and off site.[12][9]
  • Essential reference data:
    • Register of critical processes, applications, sites, assets and their RTO/RPO.[3][4]
    • Records of key contracts, licences, insurances, and property documents, plus how they are accessed during disruption.[13][11]

4. Implementation, Training and Communication

  • Implementation plan or roadmap for BCM capabilities, mapped to actions, owners and dates.[10][3]
  • Training and awareness material, attendance records, and role-specific briefing for incident/crisis team members.[3]
  • Evidence of staff communication about continuity arrangements (intranet pages, newsletters, briefings, onboarding content).[5]

5. Exercising, Review and Continuous Improvement

  • Exercise/test strategy and schedule (covering a mix of tabletop, simulations, technical recovery tests).[7][8]
  • Exercise plans/scripts and post-exercise reports including outcomes, issues, and agreed improvements.[14][8]
  • Post-incident reviews / after-action reports following real disruptions, with lessons learned and tracked actions.[3][8]
  • Documented corrective actions and improvements log linking to exercises, incidents, audits and management reviews.[7][8]
  • Internal or external BCM audits or reviews, including scope, findings, and follow-up verification.[6][14]
  • Periodic management review of the BCM/resilience program (agenda, pack and minutes), showing assessment of performance, changes in context, and resource decisions.[3][2]

6. Document Management and Accessibility

  • Documented classification of BCM documents (policies, BIAs, plans, playbooks, records) and ownership.[6][14]
  • Version control and review history for key documents (policy, framework, BIAs, plans, strategies).[14]
  • Evidence of secure, resilient storage and access arrangements for continuity documents (e.g. ERM/BCM tool, shared drive with offline/alternate access).[12][14][6]

Sources
[1] Business Continuity Management and Resilience Guidelines https://policies.uow.edu.au/document/view-current.php?id=218&version=1
[2] Prudential Standard CPS 232 Business Continuity Management https://www.apra.gov.au/sites/default/files/Prudential-Standard-CPS-232-Business-Continuity-Management-(July-2017).pdf
[3] Guide to business continuity & resilience https://www.protiviti.com/sites/default/files/2022-11/guide-to-business-continuity-and-resilience-fifth-edition-protiviti_GLOBAL.pdf
[4] Guidance Note 10 – Business Continuity and Disaster Recovery https://www.asx.com.au/documents/rules/asx_clear_guidance_note_10.pdf
[5] SECTION 3: APPENDICES CHECKLISTS AND CONTROL … https://pqc.icai.org/assets/ISACourse2.0DVD/7.0_Business_Continuity_Management/Section_3_Appendices/Section_3_Checklist_For_BCP_Audit.pdf
[6] Business Continuity Review | vic.gov.au – Victorian Government https://www.vic.gov.au/business-continuity-review
[7] [doc] EN_BCP-Check-list.docx https://preparecenter.org/wp-content/uploads/2020/05/EN_BCP-Check-list.docx
[8] How to Conduct a Business Continuity Risk Assessment – V-Comply https://www.v-comply.com/blog/business-continuity-risk-assessment/
[9] AFP National Guideline on business continuity management https://www.afp.gov.au/sites/default/files/2024-02/AFP-National-Guideline-on-business-continuity-management.pdf
[10] Business Continuity Plan Based on Risk Assessment https://riskledger.com/support/framework/h/10
[11] How to Create a Business Continuity Plan https://www.qbe.com/au/news/how-to-create-a-business-continuity-plan
[12] business-continuity-plan-template.docx https://www.publications.qld.gov.au/dataset/05765d5a-91b3-45fd-af43-699ede65dd8a/resource/63f7d2dc-0f40-4abb-b75f-7e6acfeae8f3/download/business-continuity-plan-template.docx
[13] How to plan for a disaster | Not-for-profit … https://www.nfplaw.org.au/free-resources/disasters/governance/plan
[14] Business Continuity Plan Review Checklist [free pdf] – POPProbe https://www.popprobe.com/checklist-library/emergency/natural-disaster/b26a-eme-business-continuity-plan-review-checklist
[15] Prepare for the unexpected – Build a Business Continuity Plan https://www.smallbusiness.nsw.gov.au/sites/default/files/2023-11/16370_SBC%20Prepare%20for%20the%20unexpected%20ACCESSIBLE_0.pdf


Author: John Salter & Associates Consulting Services

John Salter - specialising in the facilitation of risk-based capability reviews; needs-based training; business continuity planning; crisis management exercises; and organisational debriefing. Recognised for “preventing disasters, or where that is not possible, reducing the potential for harm” Ref: Barrister H Selby, Inquest Handbook, 1998. Distracted by golf, camping, fishing, reading, red wine, movies and theatre.
