Our business continuity policy

2. Objectives

The objectives of this policy are to:

Plan

• provide a business continuity planning framework and approach that will ensure resilience is considered as part of VisitScotland operations giving assurance to the Board, and external stakeholders through appropriate exercising, rehearsing, and reviewing
• provide guidance and procedure to all VisitScotland staff that must be followed in planning for and during the time of disruption, major incident, emergency, or crisis

Do

• minimise the organisational and reputational risks to VisitScotland during business interruptions and ensure that VisitScotland continues to operate at an acceptable level during a time of crisis
• build resilience into VisitScotland’s activities and systems so that they are available at an appropriate level in as short a time as possible following a business disruption
• ensure the health, safety, and welfare of VisitScotland employees during a business continuity event
• support VisitScotland’s risk management approach

Check

• maintain VisitScotland’s reputation during a continuity event
• maintain financial commitments to staff, projects, and suppliers
• prevent breaches of statutory and regulatory requirements that could lead to litigation and ensure appropriate governance is maintained

Act

• maximise opportunity for improvement following a business continuity event
• regularly review the Policy and Plan incorporating lessons learned from previous events

4. Business continuity management process

A business continuity and resilience programme (BCR) has been set up to ensure that there is ongoing management of the related activities across the organisation.

The BCR Programme will review the Directorate Departmental, business continuity & resilience action plans that will, on a scheduled basis, be monitored and refreshed to ensure continuity of business in the event of an incident. The Steering, Programme Delivery and Workstream Delivery Groups will, if/as required, change to reflect the refreshed departmental action plans as required as they naturally complete and move to BAU activity throughout the programme lifecycle.

6. Operational plans

6.1    Crisis comms

There are several different crisis situations that could affect VisitScotland, and the communications response needs to be tailored to these different situations. They could be operational or reputational.

If the crisis involves a situation with any of our operations – (i.e., in one of our buildings, with our systems such as VisitScotland.com or relating to a member of staff on internal matters only), then we would take the lead in the communications response.

If there were a major security or environmental threat, there would be a multi-agency response led by the most appropriate responder as outlined by the Civil Contingencies Act 2004. The Scottish Government would activate its resilience room, known as SGoRR, to coordinate the work of partners and brief Ministers during the emergency. If appropriate, VisitScotland could be asked to take part in SGoRR.

A reputational crisis may emerge due to other issues such as negative commentary on social media, by stakeholders or by the media. VisitScotland would normally lead the response to a reputational crisis of this type.

The Crisis Communications Plan outlines the audiences, channels and messaging that would need to be considered in response to a business continuity issue.

6.2    IT / digital and cyber resilience

The Disaster Recovery Plan (DRP) captures, in a single repository, all the information required for VisitScotland to withstand a disaster as well as the processes that must be followed to achieve Disaster Recovery (DR).

For IT and Digital services, this includes specific situations that would impact on the delivery of underlying internal systems, and user-facing external systems:

• ocean point data centre and / or pulsant data centre are inaccessible, and/or all systems within them are non-functional
• Disruption to several of the internet links into the data centres, taking them "offline"
• Major SaaS services (e.g. Office 365) or public cloud infrastructure (Azure and AWS) are degraded or offline for a period of time

The purpose of the DRP document is twofold: first to capture all the information relevant to VisitScotland’s ability to withstand a disaster, and second to document the processes that will be followed if a disaster were to occur.

In the event of a disaster the primary goal will be to enact the processes detailed in this DRP to bring all VisitScotland’s departments and external digital services back to business-as-usual in as timely a fashion as possible. This includes:

• preventing the loss of resources such as hardware, data, and physical IT assets
• minimising IT related downtime
• keeping the business running in the event of a disaster

The approach to IT and Digital DR is focused on how we recover from a major event and the complete loss of key systems. All other types of failures e.g., hardware are covered under normal BAU processes.

The VisitScotland DRP takes all the following IT functions into consideration:

• server infrastructure
• network infrastructure
• cloud based systems (SaaS, PaaS, and IaaS)
• data storage and backup systems
• organisational applications
• database systems
• public digital services
• IT and digital documentation

6.3    Data resilience

Under the data protection legislation (General Data Protection Regulations (GDPR) and the Data Protection Act 2018), certain personal data breaches must be notified to the Information Commissioner’s Office (ICO). Affected data subjects may need to be informed too.

For a data breach to be confirmed, all suspected and confirmed data incidents should be thoroughly investigated.

The data protection policy and guidelines are to:

• outline VisitScotland’s internal data incident reporting procedure
• define what a data incident and a data breach mean
• remind all staff that any loss or suspected loss of data must be recorded by law
• outline the factors which will be considered when determining whether the ICO and/or the data subjects should be informed of the data breach

6.4    iCentre resilience

VisitScotland operates Visitor Information Centres at various locations across the country. Each iCentre has its own business continuity plans which contain information on emergency contacts within VS, Staff contacts, external contacts such as landlords and trades persons, details of potential alternative locations if appropriate. Consideration is also given to Critical work-based staff and if they can work and home and have access to equipment. information on key business activities and if there is an ability to proceed manually if systems fail and associated critical timelines.

6.5    Group estates resilience

VisitScotland operates 14 local offices including access to Scotland House in London. Each Office has its own business continuity plans which contain information on emergency contacts within VS, Staff contacts, external contacts such as landlords and trades persons. As with iCentre operations consideration is also given to Critical work-based staff and if they can work and home and have access to equipment. information on key business activities and if there is an ability to proceed manually if systems fail and associated critical timelines.

6.6    VisitScotland events resilience

Business resilience is a factor when VisitScotland delivers its own events such as EXPO and the Scottish Thistle Awards, consideration will be given to event cancellation, abandonment or curtailment and ensure resilience plans are in place.

6.7    2023 Cycling World Championships Limited

In August 2023, the inaugural UCI Cycling World Championships (2023 Cycling Worlds) will bring together 13 World Championship events for different cycling disciplines in one unprecedented event for the first time ever.

2023 Cycling World Championships Ltd maintains a Business Continuity Plan to enable it to:

• return to business as usual as soon as possible following any disruption to service
• secure prompt and efficient recovery of critical business operations

6.8    National mourning

Following the King’s death there will undoubtedly be a period of disruption to daily operations for the organisation. A nationwide period of mourning will follow the death and certain plans will be enacted by the UK/Scottish Government and local authorities which VisitScotland will be ready to support where appropriate and required. The impact on Scotland will be dependent on the timing of the death and to this effect the organisation will assess scenarios based on the information we have been provided.

This suite of plans will allow VisitScotland to put in place actions that are appropriate to the level of risk which refers to and may run in conjunction with all the individual Plans within VisitScotland.

8. Reporting arrangements

The intention is to ensure that the Chief Executive, Directors and CEO of Cycling World Championships ltd and Leadership Group of VisitScotland Group are informed every six months, or by exception, of the status of the plans associated with Business Continuity.

These updates will be delivered by a Steering Group of senior staff and owners of the business continuity plans, meeting quarterly, to ensure that they are joined up and cohesive.

The VisitScotland Audit & Risk Committee and Board will receive an annual report on business continuity activity. 

10. Testing

Each plan should be tested annually including an organisational desktop exercise.

14. How and when to update Business Continuity Plans

Business continuity plans should be checked quarterly at a minimum unless there have been any significant changes to the plans. These would include changes in personnel, contract details or significant changes in department.