
1. Purpose of the policy

VisitScotland is the national tourism organisation for Scotland. Our main aim is to contribute significantly to the advancement of Scottish tourism and events by giving it a real presence in the global marketplace and benefiting the whole of Scotland.

VisitScotland has a corporate responsibility to protect staff, safeguard assets, and continue operations to promote Scottish tourism and events. This policy is intended to mitigate the risk, both organisational and reputational, to business activities and to provide details of business continuity corporate governance.

2. Objectives

The objectives of this policy are to:

Plan

  • provide a business continuity planning framework and approach that will ensure resilience is considered as part of VisitScotland operations, giving assurance to the Board and external stakeholders through appropriate exercising, rehearsing, and reviewing
  • provide guidance and procedure to all VisitScotland staff that must be followed in planning for and during the time of disruption, major incident, emergency, or crisis

Do

  • minimise the organisational and reputational risks to VisitScotland during business interruptions and ensure that VisitScotland continues to operate at an acceptable level during a time of crisis
  • build resilience into VisitScotland’s activities and systems so that they are available at an appropriate level in as short a time as possible following a business disruption
  • ensure the health, safety, and welfare of VisitScotland employees during a business continuity event
  • support VisitScotland’s risk management approach

Check

  • maintain VisitScotland’s reputation during a continuity event
  • maintain financial commitments to staff, projects, and suppliers
  • prevent breaches of statutory and regulatory requirements that could lead to litigation and ensure appropriate governance is maintained

Act

  • maximise opportunity for improvement following a business continuity event
  • regularly review the Policy and Plan incorporating lessons learned from previous events

3. Definition

Business continuity is generally defined as denial of access to:

  • premises
  • staff resources
  • key suppliers and contractors
  • IT systems and services
  • consumer and industry facing digital services
  • documentation and records
  • key events

The focus of the policy and associated documents is to ensure that, following a Business Continuity incident, the key and critical operations of VisitScotland will be supported as the organisation works towards a managed return to Business as Usual.

This policy is a strategic document and is linked to several associated plans:

4. Business continuity management process

A business continuity and resilience programme (BCR) has been set up to ensure that there is ongoing management of the related activities across the organisation.

The BCR Programme will review the Directorate Departmental business continuity & resilience action plans, which will be monitored and refreshed on a scheduled basis to ensure continuity of business in the event of an incident. The Steering, Programme Delivery and Workstream Delivery Groups will change, as required, to reflect the refreshed departmental action plans as they naturally complete and move to BAU activity throughout the programme lifecycle.

5. Departmental business impact assessments

VisitScotland's approach to business continuity planning is one which is driven by recovery of critical business services, including the medium- and long-term loss of systems and data.

The Departmental Business Impact Assessments are undertaken to ensure that each department’s critical services, along with their supporting activities and resources, are identified and documented. Identification of critical services is risk-based.

  • identification of each department’s key services/processes and the activities on which these depend including supporting resources
  • mapping the workflow of the identified key services/processes ensuring these consider supporting resources
  • assessing the impact on the organisation in the event of a department’s key services/processes being disrupted

The Recovery Point Objectives (RPO) (the maximum amount of data used within a business-critical process that could be lost, in terms of time) and Recovery Time Objectives (RTO) are included in line with the results of the BIAs and are recorded within departmental Business Continuity plans to enable management to understand the data recovery requirements of each department. Once RPOs and RTOs have been identified and documented, the recovery information within each BCP is cross-checked against the actual recovery capabilities set out in the IT disaster recovery plan to ensure that it is realistic and can feasibly be implemented in the event of a disruption.

As with the completion of BIA exercises, incident response plans contained within the BCP will be updated to focus specifically on the various departments that exist within the organisation rather than being based on example scenarios.

The Audit and Risk Committee will provide oversight of the process for performing BIAs and updating Business Continuity Plans.

6. Operational plans

6.1    Crisis comms

There are several different crisis situations that could affect VisitScotland, and the communications response needs to be tailored to these different situations. They could be operational or reputational.

If the crisis involves a situation with any of our operations (i.e., in one of our buildings, with our systems such as VisitScotland.com, or relating to a member of staff on internal matters only), then we would take the lead in the communications response.

If there were a major security or environmental threat, there would be a multi-agency response led by the most appropriate responder as outlined by the Civil Contingencies Act 2004. The Scottish Government would activate its resilience room, known as SGoRR, to coordinate the work of partners and brief Ministers during the emergency. If appropriate, VisitScotland could be asked to take part in SGoRR.

A reputational crisis may emerge due to other issues such as negative commentary on social media, by stakeholders or by the media. VisitScotland would normally lead the response to a reputational crisis of this type.

The Crisis Communications Plan outlines the audiences, channels and messaging that would need to be considered in response to a business continuity issue.

6.2    IT / digital and cyber resilience

The Disaster Recovery Plan (DRP) captures, in a single repository, all the information required for VisitScotland to withstand a disaster as well as the processes that must be followed to achieve Disaster Recovery (DR).

For IT and Digital services, this includes specific situations that would impact on the delivery of underlying internal systems, and user-facing external systems:

  • Ocean Point data centre and/or Pulsant data centre are inaccessible, and/or all systems within them are non-functional
  • disruption to several of the internet links into the data centres, taking them "offline"
  • major SaaS services (e.g. Office 365) or public cloud infrastructure (Azure and AWS) are degraded or offline for a period of time

The purpose of the DRP document is twofold: first to capture all the information relevant to VisitScotland’s ability to withstand a disaster, and second to document the processes that will be followed if a disaster were to occur.

In the event of a disaster the primary goal will be to enact the processes detailed in this DRP to bring all VisitScotland’s departments and external digital services back to business-as-usual in as timely a fashion as possible. This includes:

  • preventing the loss of resources such as hardware, data, and physical IT assets
  • minimising IT related downtime
  • keeping the business running in the event of a disaster

The approach to IT and Digital DR is focused on how we recover from a major event and the complete loss of key systems. All other types of failure (e.g., hardware) are covered under normal BAU processes.

The VisitScotland DRP takes all the following IT functions into consideration:

  • server infrastructure
  • network infrastructure
  • cloud based systems (SaaS, PaaS, and IaaS)
  • data storage and backup systems
  • organisational applications
  • database systems
  • public digital services
  • IT and digital documentation

6.3    Data resilience

Under the data protection legislation (General Data Protection Regulation (GDPR) and the Data Protection Act 2018), certain personal data breaches must be notified to the Information Commissioner’s Office (ICO). Affected data subjects may need to be informed too.

For a data breach to be confirmed, all suspected and confirmed data incidents should be thoroughly investigated.

The data protection policy and guidelines are to:

  • outline VisitScotland’s internal data incident reporting procedure
  • define what a data incident and a data breach mean
  • remind all staff that any loss or suspected loss of data must be recorded by law
  • outline the factors which will be considered when determining whether the ICO and/or the data subjects should be informed of the data breach

6.4    iCentre resilience

VisitScotland operates 26 Visitor Information Centres spread across the country. Each iCentre has its own business continuity plans, which contain information on emergency contacts within VS, staff contacts, external contacts such as landlords and tradespersons, and details of potential alternative locations if appropriate. Consideration is also given to critical work-based staff and whether they can work from home and have access to equipment, to information on key business activities, to whether there is an ability to proceed manually if systems fail, and to associated critical timelines.

6.5    Group estates resilience

VisitScotland operates 14 local offices including access to Scotland House in London. Each office has its own business continuity plans, which contain information on emergency contacts within VS, staff contacts, and external contacts such as landlords and tradespersons. As with iCentre operations, consideration is also given to critical work-based staff and whether they can work from home and have access to equipment, to information on key business activities, to whether there is an ability to proceed manually if systems fail, and to associated critical timelines.

6.6    VisitScotland events resilience

Business resilience is a factor when VisitScotland delivers its own events such as EXPO and the Scottish Thistle Awards. Consideration will be given to event cancellation, abandonment or curtailment, and to ensuring resilience plans are in place.

6.7    2023 Cycling World Championships Limited

In August 2023, the inaugural UCI Cycling World Championships (2023 Cycling Worlds) will bring together 13 World Championship events for different cycling disciplines in one unprecedented event for the first time ever.

2023 Cycling World Championships Ltd maintains a Business Continuity Plan to enable it to:

  • return to business as usual as soon as possible following any disruption to service
  • secure prompt and efficient recovery of critical business operations

6.8    National mourning

Following the King’s death there will undoubtedly be a period of disruption to daily operations for the organisation. A nationwide period of mourning will follow the death and certain plans will be enacted by the UK/Scottish Government and local authorities which VisitScotland will be ready to support where appropriate and required. The impact on Scotland will be dependent on the timing of the death and to this effect the organisation will assess scenarios based on the information we have been provided.

This suite of plans will allow VisitScotland to put in place actions that are appropriate to the level of risk which refers to and may run in conjunction with all the individual Plans within VisitScotland.

7. Roles and responsibilities

There are various roles and responsibilities across the organisation which are aligned to respond to any given business continuity event. These are contained within each plan highlighted above; however, there is a hierarchy of business continuity management.

 

| BCMG Category | Management Hierarchy | Who Are They | Timescales | IT / Technology | Building, reputation, staff, visits to Scotland etc. |
| --- | --- | --- | --- | --- | --- |
| Major Incident/Gold Team | Strategic Management: Maintain clear comms channels, authorise implementation of BC plans, invoke the Crisis Communications plan, receive and consider situation reports, authorise expenditure | Min 1 Director | Depending on Incident however examples may be long term outage or disruption i.e., for more than 48 hours | Loss of all critical systems for more than 2 days. Loss of primary data centre. | External events impacting the business, e.g., Pandemic, volcanic ash, foot & mouth, terrorism, strikes etc. Loss of critical amount of office space, loss of access to building, civil emergency, War etc. |
| Invocation Team(s)/Silver | Tactical Management | Min 1 HOD or Identified Depute | Depending on Incident however examples may be minor Disruption from 1 to 2 days | Loss of multiple critical systems or all systems for 1 to 2 days. | Loss of part of main or local office or all of i-Centre, number of facilities, Events, Resources, Suppliers, Networks, Data, affected for 1 to 3 days |
| The Business Continuity and Resilience Steering group | Plan and set the BCM strategy for VisitScotland, implement the strategy and co-ordinate the BCM operations, provide advice on tactical issues to National and Invocation teams and prioritise critical services | Business Resilience Steering Group – Director of Corporate Services & Plan Owners | | | |

 

 

8. Reporting arrangements

The intention is to ensure that the Chief Executive, Directors and CEO of Cycling World Championships Ltd and Leadership Group of VisitScotland Group are informed every six months, or by exception, of the status of the plans associated with Business Continuity.

These updates will be delivered by a Steering Group of senior staff and owners of the business continuity plans, meeting quarterly, to ensure that they are joined up and cohesive.

The VisitScotland Audit & Risk Committee and Board will receive an annual report on business continuity activity. 

9. Training

All staff are required to complete mandatory training on counter terrorism, cyber security, and data protection as part of the organisational induction process. Any other specific training will be highlighted within the business continuity plans.

10. Testing

Each plan should be tested annually including an organisational desktop exercise.

11. Lessons learned

A lessons learned exercise should be completed following on from an event where deemed appropriate to do so. Any findings should be included and updated in resilience plans.

12. Monitoring 

This Policy will be approved by the VisitScotland Leadership Group (VSLG), ratified by the Audit & Risk Committee, and is owned by the Director of Corporate Services.

The Policy will be reviewed every 3 years unless there are any significant changes to the VisitScotland operation.

The Business Continuity and Resilience Steering group meets quarterly and will monitor the programme related to business continuity and provide regular updates to VisitScotland Leadership Group, ARC and Board.

13. Evaluation

VisitScotland will engage with external professionals through the exercising and testing of plans to provide feedback on areas of improvement through a continuous quality assessment programme.

14. How and when to update Business Continuity Plans

Business continuity plans should be checked quarterly at a minimum unless there have been any significant changes to the plans. These would include changes in personnel, contract details or significant changes in department.
