Outline the plan’s scope by identifying what is (and is not) included, ensuring everyone is clear about what the resulting plan will and will not address.
For example:
In Scope
- Critical IT systems and data recovery for all office locations
- Business processes essential to client service delivery
- Communication protocols for staff and clients during disruptions
- Physical security procedures for safeguarding key assets
- Compliance with legal and regulatory requirements
Out of Scope
- Personal devices and home office equipment not managed by the firm
- Non-critical or legacy systems scheduled for decommissioning
- Third-party vendor recovery processes outside the firm’s direct control
- Incidents, such as storms or short-term power outages, that do not impact business continuity or critical data
Clearly defining these scope items helps ensure that all stakeholders understand the boundaries of the BC & DR plan and can set appropriate expectations for response and recovery efforts.