You are a member of the steering committee for the program of the business continuity management system and sitting in a meeting with the agenda of business impact analysis to determine the Maximum Tolerable Period Downtimes (MTPDs) and recovery time objectives (RTOs). All of the following should have been done prior to the meeting except what?
A. Plan for actions to address risks to the effectiveness of the management system
B. Establish the business continuity policy
C. Conduct risk assessment in terms of business activities
D. Understand the organization’s context and interested parties
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Conduct risk assessment in terms of business activities.
This question is asking about “except”. In other words, it is asking “what should not have been done before the meeting.”
As the meeting is to identify critical business activities and the underlying resources they depend on, represented by MTPDs and RTOs, it implies that the business activities have not been identified yet. As a result, it is not possible to conduct a risk assessment in terms of business activities.
“Plan for actions to address risks” looks like “risk treatment,” which follows “risk assessment.” However, they deal with different risks. The former addresses the risks to the effectiveness of the management system, while the latter treats the risks to business activities.
The BCMS program is typically initiated based on a program policy, that is, the business continuity policy. Since you are sitting in a meeting for a BCMS program, it implies that a BC policy has already been established.
Understanding the organization’s context and interested parties to determine the BC requirements starts at the very beginning, before the BC policy is determined.