You are a member of the program of business continuity management system (BCMS) and sitting in a meeting. After the discussion, there are some findings of your company. A plant in Taiwan manufactures sports towels and markets around the world; another plant in Vietnam primarily makes shoes for a worldwide label that mandates your company shall fulfill its purchase orders without interruption. Based on the findings, which of the following activity should be conducted first?
A. Conduct business impact analysis (BIA)
B. Determine the scope
C. Assess risk in terms of products and services and related resources
D. Identify strategies and solutions

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Determine the scope.

The sequence is as follows:

1. Determine the scope
2. Conduct business impact analysis (BIA)
3. Assess risk in terms of products and services and related resources
4. Identify strategies and solutions

It’s a common practice to conduct the organization and context analysis and the stakeholder analysis to identify issues and determine the needs and requirements of stakeholders. The scope is determined based on the result of those analyses.

The scope of the business continuity management system can be determined in terms of organization parts, products, and services.

The business impact analysis will then be conducted to identify critical products and services, the underlying information systems, and dependent resources. MTD, RTO, and RPO are determined.

Once the underlying information systems and dependent resources that support the products and services are identified, risk assessment is conducted to identify, analyze, and evaluate risks to them.

Strategies and solutions are risk treatment options to mitigate risks.