
We're the national tourism and events organisation for Scotland. Our main aim, as an economic growth agency, is to drive the visitor economy and grow its value to Scotland.

We have an important role in ensuring Scotland remains globally competitive in an ever-changing economic and technological landscape.

 Our strategic focus is to make Scotland a must-visit, must-return destination.

Purpose of the policy

We have a corporate responsibility to protect staff, safeguard assets, and continue operations to promote Scottish tourism and events.

This policy is intended to mitigate the risk, both organisational and reputational, to business activities and to provide details of business continuity corporate governance. 

Objectives

The objectives of this policy are to:

Plan

  • Provide a business continuity planning framework and approach that will ensure resilience is considered as part of VisitScotland operations, giving assurance to the Board, and external stakeholders through appropriate exercising, rehearsing, and reviewing.
  • Provide guidance and procedure to all VisitScotland staff that must be followed in planning for, and during the time of, disruption, major incident, emergency, or crisis.

Do

  • Minimise the organisational and reputational risks to VisitScotland during business interruptions, and ensure that VisitScotland continues to operate at an acceptable level during a time of crisis.
  • Build resilience into VisitScotland’s activities and systems, so that they are available at an appropriate level, in as short a time as possible, following a business disruption.
  • Ensure the health, safety, and welfare of VisitScotland employees during a business continuity event.
  • Support VisitScotland’s risk management approach.

Check

  • Maintain VisitScotland’s reputation during a continuity event.
  • Maintain financial commitments to staff, projects, and suppliers.
  • Prevent breaches of statutory and regulatory requirements, that could lead to litigation, and ensure appropriate governance is maintained.

Act

  • Maximise opportunities for improvement following a business continuity event.
  • Regularly review the policy and plans incorporating lessons learned from previous events.

Definition

Business continuity is generally defined as denial of access to:

  • premises
  • staff resources
  • key suppliers and contractors
  • IT systems and services
  • consumer and industry facing digital services
  • documentation and records
  • key events

The focus of the policy and associated documents is to ensure that, following a business continuity incident, the key and critical operations of VisitScotland will be supported as the organisation works towards a managed return to business as usual (BAU).

This policy is a strategic document and is linked to several associated activities.

Business continuity management process

We have, using the framework provided by ISO 22301, established a Business Continuity Management Programme to ensure that there is ongoing management of the related activities across the organisation.

This programme will review the organisational, business continuity, and resilience action plans that will, on a scheduled basis, be monitored and refreshed to ensure continuity of business in the event of an incident.

The Business Continuity and Resilience Steering Group, programme delivery, and workstream delivery groups will change as required to reflect the refreshed departmental action plans, as these naturally complete and move to business as usual activity throughout the programme lifecycle.

Business impact assessments

Our approach to business continuity planning is one that is driven by recovery of critical business services, including the medium and long-term loss of systems and data.

Business Impact Assessments are carried out on Activity Business Cases (ABCs). An Activity Business Case is the budget and business planning and monitoring process for our key activities.

It covers operational and strategic activities, core services, capex investment, and government initiatives.

The Business Impact Assessments are to ensure that critical services, along with their supporting activities and resources, are identified and documented. Identification of critical services is risk-based:

  • Identification of Activity Business Case activities supporting resources.
  • Mapping the workflow of the identified Activity Business Case activities and processes, ensuring these consider supporting resources.
  • Assess the impact on the organisation in the event of Activity Business Case activities being disrupted.

The recovery time objective (RTO) and maximum tolerable period of disruption (MTPD) are included in line with the scoring results of the Business Impact Assessments (impact categories have been scored and given a Red, Amber, Green rating).

These scores are then reviewed and, where necessary, will be discussed with the relevant Activity Business Case owner to outline activities which require the development of a Business Continuity Plan (BCP).

The maximum tolerable period of disruption and recovery time objective will be recorded within the Business Continuity Plans to enable owners of the plan and senior management to understand the information recovery requirements of the relevant Business Continuity Plan.

Once maximum tolerable periods of disruption and recovery time objectives have been identified and documented, recovery information within each Business Continuity Plan is cross checked against actual recovery capabilities set out in the IT disaster recovery plan to ensure that this is realistic and can be feasibly implemented in the event of a disruption.

Incident response plans contained within the respective Business Continuity Plans will be updated to focus specifically on the various dependencies and personnel that exist within the Activity Business Case, rather than being based on example scenarios.

The Business Continuity and Resilience Steering Group will provide oversight of the process for performing Business Impact Assessments and updating Business Continuity Plans.

Business Continuity Plans (BCPs)

Where an Activity Business Case activity has been through the Business Impact Assessment process and subsequently scored, there may then be a requirement for the Activity Business Case owner to develop a business continuity plan.

This Business Continuity Plan will be a comprehensive document that includes the instructions, tasks, and tools needed to manage an immediate incident or disruption and assist in recovering and restoring the Activity Business Case.

Plans are written based upon identified processes and the necessary dependencies needed to conduct those processes.

Testing and exercising

All business continuity plans should be tested and exercised annually, including an organisational desktop exercise, and must be fully documented.

Testing and exercising allows us to put our plans to the test and improve our business continuity capability.

Testing and exercising should be a cycle of continual improvement for each business continuity plan.

Evaluation

We will engage with external professionals through the exercising and testing of plans to provide feedback on areas of improvement through a continuous quality assessment programme.

Lessons learned

A lessons learned exercise should be completed following on from an event where deemed appropriate to do so. Any findings should be included and updated in plans.

How and when to update business continuity plans

As a minimum, business continuity plans should be checked quarterly, unless there have been any significant changes that would influence the plans.

These would include changes in personnel, contract details, or significant changes in department.

Monitoring

This policy will be reviewed every three years unless there are any significant changes to VisitScotland’s operations. Any revisions will be presented to the VisitScotland Executive Leadership Group (ELG), ratified by the Audit and Risk Committee before approval by the Board.

This policy is owned by the Director of Corporate Services (SIRO).

The Business Continuity and Resilience Steering Group meet quarterly and will monitor the programme related to business continuity and provide regular updates to VisitScotland Executive Leadership Group, the Audit and Risk Committee and Board.

Reporting arrangements

The intention is to ensure that the Chief Executive and the Executive Leadership Group of VisitScotland are informed every six months, or by exception, of the status of the plans associated with business continuity.

The VisitScotland Audit and Risk Committee and Board will receive an annual report on business continuity activity.

Training

All staff are required to complete mandatory training on anti-terrorism, cyber security, and data protection as part of the organisational induction process and annual mandatory training programme.

Business continuity training is being developed and will be included in the induction and mandatory training programme for 2026. Any other specific training will be highlighted within the business continuity plans. 

Business Continuity Management Structures

There are various roles and responsibilities across the organisation assigned to respond to any given business continuity event. We structure the management of incidents upon a framework of three descending levels:

  • strategic (Gold)
  • tactical (Silver)
  • operational (Bronze)

It is important to note that not all tiers will necessarily be convened for all incidents. The control of the incident should be exercised at the lowest practical level with coordination at the highest level necessary.

When an incident occurs, it may be at departmental level initially. When a VisitScotland-wide response is required, Silver will be stood up and this could escalate to Gold.

 

Strategic (Gold)

Strategic (Gold) level meetings must include senior-level colleagues who are empowered to make executive decisions in relation to the incident.

There may be the need for colleagues to hand over to other colleagues and this underlines the necessity to ensure executive-level colleagues are aware and able to carry out their responsibilities.

Role

  • Maintain clear comms channels.
  • Authorise implementation of business continuity plans.
  • Invoke the Crisis Communications Plan.
  • Receive and consider situation reports.
  • Authorise expenditure and resource allocation.

Members

  • The Executive Leadership Group supported by Silver Team
  • Director of Industry & Events
  • Director of Corporate Services
  • Director of Strategy & Competitive Intelligence
  • Director of Marketing & Digital
  • Head of People & Culture
  • Head of Corporate Communications
  • Business Resilience Manager
  • Gold Co-ordinator and loggist

A Director will chair Gold and be Gold Lead. In the event the incident develops into a threat to VisitScotland e.g. reputationally damaging, then Gold Lead will escalate to the Chief Executive Officer.

 

Tactical (Silver)

The purpose of tactical management is to ensure that actions taken at the operational level are co-ordinated, coherent, and integrated in order to maximise effectiveness and efficiency.

In cases where it becomes clear that the complexity or scale of an incident requires resources, expertise, or co-ordination beyond the capacity of the tactical level, it may be necessary to invoke the strategic level of management (Gold) to take overall command and set the strategic direction.

Role

  • Assess impact of incident and plan response and recovery.
  • Invocation of business continuity plans and tactical management of resources.
  • Central point of communication.

Members

  • Director of Corporate Services (Silver Lead)
  • All Heads of Department
  • HR Business Engagement Manager
  • Internal Communications Manager
  • Senior Press & Social Media Manager
  • Health & Safety Manager
  • Senior Advisor to the CEO
  • Infrastructure & Systems Support Manager
  • Business Resilience Manager / Health & Safety Manager
  • Silver Co-ordinator and loggist

The Director of Corporate Services will chair Silver meetings and will allocate roles to the wider Silver Team. Silver Lead will report up to Gold if and when Gold is stood up.

If Silver Lead is unavailable, then the Head of Estates & Resilience will deputise and chair the Silver group. Functional members of Silver will communicate with their respective Bronze teams.

 

Operational (Bronze)

The operational response will be delivered by business continuity plan owners and their respective business continuity teams. The plan owners will report to the tactical (Silver) level.

Role

  • Tactical management

The operational response will be delivered by business continuity plan owners and their respective business continuity teams, following pre-agreed processes within the plans.

Members

  • Business Continuity Plan owners
  • Respective business continuity teams

Internal Business Continuity Management

The Business Resilience Manager (BRM) plays a critical role in safeguarding our ability to withstand and recover from disruptive events.

The Business Resilience Manager will be responsible for developing and implementing strategies to mitigate risks, ensure business continuity, and maintain operational effectiveness in the face of challenges.

The Business Resilience Manager, supported and developed by the Head of Estates and Resilience, is responsible for:

  • Developing and maintaining the Business Continuity Management (BCM) programme.
  • Helping to develop business resilience response strategies and procedures, ensuring adherence to relevant standards and regulations.
  • Completing associated Business Impact Assessments and identifying where business continuity plans are required.
  • Fostering a culture of resilience within the organisation, promoting awareness of potential threats and the importance of preparedness.
  • Ensuring there is ongoing dialogue around business continuity and resilience in VisitScotland through cross departmental training and awareness.
  • Promoting the integration of business continuity into all levels of VisitScotland’s operations.
  • Providing the Business Continuity and Resilience Steering Group with information to enable them to monitor business continuity and resilience performance across VisitScotland.
  • Producing an annual management plan for approval by the Business Continuity and Resilience Steering group.
  • Producing an annual business continuity report for submission to the Audit and Risk Committee and the Board.
  • Building relationships across Scottish Government and other non-departmental bodies in relation to resilience activities, as well as private sector.
