Business Continuity policy
Published: 04 February 2025
Freedom of information class: How we manage our resources
This policy outlines everyone’s responsibilities in terms of business continuity.
1. Purpose and scope
1.1 This policy sets out the Registers of Scotland (RoS) commitment to ensure that previously identified and agreed important business services can continue to operate following an incident that has the potential to disrupt the normal service provided.
1.2 This policy applies to all employees and contingent workers.
2. Guiding principles
2.1 RoS is committed to providing the best possible experience to its customers and the best possible relationships with employees, contingent workers and suppliers. To ensure the consistent availability and delivery of services provided, RoS has developed this Business Continuity Policy in support of our Business Continuity Programme and overall organisational resilience.
2.2 RoS, like any other organisation, is exposed to risks that could disrupt or delay critical business functions and/or the delivery of services. Our strategy for continuing business in the event of an incident is to ensure: the safety of all employees; the security of all data; that important tasks continue; and the delivery of important business services from predefined locations.
2.3 RoS Business Continuity arrangements will be guided by an understanding of its most important and critical business services ('Important Business Services') which shall be defined by the Executive Management Team (EMT) and kept under review.
3. The policy
3.1 RoS is committed to delivering organisational resilience.
3.2 Each Head of Service in RoS shall prepare and review their own comprehensive Business Impact Analysis (BIA) and Business Continuity Plan (BCP) at least annually, which together contribute towards the overall solution for the Important Business Services of RoS.
3.3 When a Business Continuity Plan is completed, approved by the associated Director and implemented, each plan shall identify procedures which ensure on-time availability and delivery of required services.
3.4 Each Business Continuity Plan shall be exercised as a minimum on an annual basis to ensure compliance with this Business Continuity Policy. Each exercise shall be reviewed against the relevant BCP and that BCP then updated, if required.
3.5 RoS will align with the International Standard ISO 22301 (Business Continuity management systems – requirements) as the guidance and structure for its Business Continuity activities.
3.6 RoS recognises the importance of an active and fully supported Business Continuity Programme to ensure the safety, health and continued employment for its employees and contingent workers, quality service delivery for customers and stakeholders, and compliance with Statute and Regulation.
3.7 RoS requires the commitment of each employee and contingent worker, business area and supplier in support of the activities required to protect RoS assets, mission and survivability.
4. Roles and responsibilities
4.1 EMT is responsible for the content of this policy, its approval and review. They are responsible for ensuring its implementation in practice and for monitoring this over time. They are responsible for ensuring that appropriate procedures, guidelines or standards as are required to support this are maintained and ownership for these assigned appropriately. They are responsible for identifying and communicating RoS' Important Business Services.
4.2 The EMT is responsible for ensuring that the commitments given in this policy are met, and that the function is appropriately resourced and accounted for within the wider governance of RoS.
4.3 Every BIA and BCP update shall be copied to the Enterprise Risk Management team (to be stored securely).
4.4 RoS Digital are responsible for the creation, maintenance and testing of robust Disaster Recovery Plans to ensure that any damage or disruptions to their critical assets can be quickly minimised and that these assets can be restored to normal or near-normal operation as soon as is practicable.
4.5 RoS Communications are responsible for the creation and maintenance of an overall Communications Plan for RoS to use during an incident.
4.6 Heads of Service are responsible for ensuring their business continuity arrangements inform risk management activity for their services.
4.7 All RoS employees and contingent workers have a responsibility to be aware of Business Continuity, and to support and participate in Business Continuity activities led by Heads of Service.
5. Approval and review
5.1 This policy will be reviewed annually, unless earlier review is appropriate, by the Information Security and Assurance Group (ISAG) and approved by EMT.
| Author | Business Continuity and Organisational Resilience Lead | | |
|---|---|---|---|
| Reviewed | Head of Enterprise Risk Management | | |
| Cleared | Policy and Corporate Services Director | | |
| Approval | EMT | Approval date | December 2024 |
| Policy version | V 3 | | |
| Review responsibility | EMT | Review date | December 2025 |
| Publication scheme | Yes | | |
| Email to contact | businesscontinuity@ros.gov.uk | | |
- EMT have approved removal of the annual requirement to exercise all Business Continuity Plans from January 2025, to be replaced with an agreed annual programme of multi-function/team exercises involving one or more of the Important Business Services.