BCI CBCI Certificate of the Business Continuity Institute (CBCI) Exam Practice Test
Certificate of the Business Continuity Institute (CBCI) Questions and Answers
The purpose of an external audit of the Business Continuity Management System (BCMS) is to:
Options:
A. Confirm that the organization is fully prepared to respond to incidents
B. Provide independent assurance on a set of Business Continuity processes and controls
C. Assess the performance of the members of top management team in relation to Business Continuity
D. Make recommendations on alternative ways of meeting recovery time objectives (RTOs)
Answer: B
Explanation:
External audits provide independent verification that the BCMS complies with relevant standards, policies, and regulatory requirements. The CBCI 7.0 course clarifies that audits assess the design, implementation, and effectiveness of Business Continuity processes and controls to assure stakeholders that the system functions as intended. The audit does not specifically test operational readiness or management performance but focuses on conformance and control integrity, enabling informed decision-making about system improvements.
Business as usual (BAU) plans document processes for restoring an organization to its original state and should:
Options:
A. Be developed in detail prior to any incident occurring
B. Focus on resuming activities in reverse order of Recovery Time Objectives (RTOs)
C. Be based on the availability of primary resources prior to the incident
D. Take into consideration possibility of new vulnerabilities resulting from impacted resources
Answer: D
Explanation:
Business as usual (BAU) plans are designed to restore normal operational conditions after a disruption, often returning systems and processes to pre-incident states. The CBCI 7.0 course underlines that these plans must consider new vulnerabilities that may arise as a result of the disruption’s impact on resources or operational environments. Incidents can introduce changes such as weakened controls, damaged infrastructure, or altered workflows, which must be addressed to prevent recurrence or new risks. While BAU plans should be prepared in advance, the focus is not just on resource availability or reversing recovery sequences but on understanding the dynamic context post-disruption. This approach ensures resilience not only in restoration but in strengthening the organization against future incidents.
Which of the following is NOT a way in which an organization can use exercise programs to ensure and validate supply chain continuity?
Options:
A. By including key suppliers in an internal exercise
B. By requiring suppliers to share evidence that recovery plans and exercise programs have been developed and implemented
C. By including a requirement in Service Level Agreements (SLAs) for suppliers to carry out exercise activities and share the outcomes
D. By conducting internal exercises to assess the impact of supply chain failures
Answer: A
Explanation:
While including key suppliers in internal exercises might seem beneficial, the CBCI 7.0 course highlights that external suppliers should be engaged in their own exercises, separate from the organization’s internal exercises. Instead, validation of supply chain continuity is better achieved by requiring suppliers to develop and test their recovery plans independently and sharing outcomes. Contractual obligations such as those embedded in SLAs ensure suppliers maintain their own Business Continuity preparedness, while internal exercises focus on organizational responses to supply chain disruptions. Conducting internal exercises to assess impacts remains essential to understand dependencies and potential vulnerabilities without compromising exercise control.
When considering solutions for supplier strategies, the Business Continuity professional should ensure that:
Options:
A. Suppliers have capability that aligns with the organization's Recovery Time Objectives (RTOs) that rely on them
B. Suppliers can deliver high-quality products and services during business as usual situations
C. The solutions are reviewed by procurement prior to approval
D. Priority should be given to existing suppliers
Answer: A
Explanation:
Aligning supplier capabilities with the organization’s RTOs is essential to maintain continuity of critical supply chain functions. The CBCI 7.0 course specifies that suppliers must be able to recover and deliver their products or services within timeframes that meet the organization’s recovery requirements to avoid operational disruption. While quality in business as usual and procurement review are important, they do not guarantee supplier resilience. Prioritizing existing suppliers solely on a relationship basis, without evaluating continuity capability, risks supply failures. Ensuring RTO alignment is a critical criterion in supplier strategy development.
When establishing a Business Continuity Management System (BCMS), engagement with stakeholders is important. Which of the following is NOT a reason for engaging with internal stakeholders?
Options:
A. Existing policies and procedures may be relevant to the BCMS so early identification will reduce the risk for duplication of work
B. Early collaboration with colleagues will engage them in the process and secure support for the ongoing development and implementation of the BCMS
C. Engagement of stakeholders will reduce the potential for conflict at later stages of the programme
D. Involving stakeholders will reduce the workload and responsibilities of the Business Continuity Professional as administrative activities can be delegated to other staff
Answer: D
Explanation:
While stakeholder engagement facilitates collaboration, reduces conflict, and helps identify relevant policies, it does not primarily serve to lessen the workload of the Business Continuity Professional by delegating administrative tasks. The CBCI 7.0 course clarifies that stakeholder involvement is about gaining support, expertise, and ownership rather than shifting administrative burdens. The Business Continuity Professional retains core responsibility for managing the BCMS, though collaboration supports efficient and effective program delivery.
In relation to Business Impact Analysis (BIA), why is the risk assessment conducted after the BIA has been completed?
Options:
A. To ensure that personnel and resources are not distracted from the primary purpose of delivering the BIA
B. To enable the risk assessment to focus on the risks associated with prioritised products and services as determined by the BIA
C. To prevent the risk assessment information leaking to external stakeholders before the BIA is available
D. To ensure that there is sufficient time and focus available to complete a full organizational risk assessment that is not biased by ongoing work on the BIA
Answer: B
Explanation:
GPG 7.0 explains that Analysis (PP3) uses two techniques: BIA and Risk Assessment. The BIA determines the impacts of disruption over time and identifies priorities and resource requirements; then the risk assessment analyses the relevant risks to prioritised activities to find concentrations of risk or potential points of failure. This sequencing is logical: you first decide what matters most and what must be recovered (BIA outputs), and then you assess what could stop those priorities from being delivered (risk assessment focused on prioritised products/services/activities). That is exactly what option B states.
Option A may be a side benefit, but it is not the core methodological reason. Option C is not a BC good-practice rationale. Option D is incorrect because PP3 risk assessment is typically scoped to prioritised activities rather than being a generic “full organizational risk assessment.”
Note on “100% verified from CBCI 7.0 course documents”: I cannot access the paid CBCI courseware directly, but these answers are verified against official BCI GPG 7.0 materials and BCI PP3/PP2 published guidance, which CBCI 7.0 is based on.
The purpose of a Business Continuity policy is to:
Options:
A. Initiate the development of an effective response structure in case of disruption to products or services within the scope of the Business Continuity Management System (BCMS)
B. Enable the Business Continuity professional to issue instructions to all on the changes that they will be required to make
C. Share the outcomes of a Business Impact Analysis with internal and external stakeholders
D. Establish shared understanding of the importance of a BCMS and its relevance to the organization
Answer: D
Explanation:
A Business Continuity policy acts as a foundational document that communicates the organization’s commitment to Business Continuity and sets out its scope, objectives, and principles. The CBCI 7.0 course stresses that the policy fosters a shared understanding across the organization about the importance of the BCMS and ensures that personnel recognize its relevance to their roles. It does not specify operational details or mandate actions but guides governance and culture. The policy supports alignment of efforts and continuous improvement of the BCMS.
The process that ensures that an organization's Business Continuity arrangements are up to date and ready to respond to incidents and their impacts despite changes to its structure or changes in its operational context is:
Options:
A. Review
B. Gap analysis
C. Maintenance
D. Internal audit
Answer: C
Explanation:
Maintenance refers to the ongoing process of keeping Business Continuity arrangements current and effective in light of organizational or contextual changes. The CBCI 7.0 course clarifies that maintenance involves regular reviews, updates, testing, and adjustments to plans and processes, ensuring readiness and relevance. While review and audit are important, maintenance is the active continuous process that adapts the BCMS to evolving needs.
Strategic, tactical, and operational plans should always be activated:
Options:
A. Simultaneously
B. Only after it is determined that full activation of all teams is necessary
C. When cascaded down from the strategic team
D. Based on the conditions or circumstances documented in the relevant team plan
Answer: D
Explanation:
The CBCI 7.0 course specifies that activation of strategic, tactical, and operational plans must be based on the conditions or triggering events detailed in each specific plan. Each plan type serves distinct purposes at different organizational levels and phases of incident response. Strategic plans set the overarching direction; tactical plans translate this into actions, and operational plans provide detailed task instructions. The triggering conditions—such as incident severity, scope, or impact—dictate when each plan should be activated to optimize resource use and response effectiveness. Simultaneous activation is neither practical nor efficient. Activation cascading from the strategic team is a controlled process, but ultimately depends on predefined triggers, ensuring an orderly and appropriate escalation.
Which of the following is NOT correct in relation to Business Continuity plans?
Options:
A. They should contain detailed step-by-step instructions on what to do for every eventuality that could occur
B. They may include scenario-specific plans that are designed to address a particular threat
C. They should be validated before being deemed operational
D. They should be kept up to date
Answer: A
Explanation:
The CBCI 7.0 course explains that Business Continuity plans should not contain detailed step-by-step instructions for every possible eventuality, as this is impractical and can lead to overly complex, difficult-to-maintain plans. Instead, plans should provide clear, actionable guidance and procedures that focus on managing the most likely or impactful scenarios. Scenario-specific plans targeting particular threats can complement overarching plans to address specific risks more thoroughly. Validation through exercises and reviews is essential to confirm operational readiness, and plans must be regularly updated to reflect changes in organizational context, resources, and threats. Over-detailing can hinder flexibility and rapid decision-making during actual incidents.
Which of the following explains the purpose of strategies and solutions in the context of Business Continuity (BC)?
Options:
A. To ensure that the professionals involved in developing the strategy have appropriate levels of expertise
B. To enable the organization to resume business operations within the approved continuity requirements
C. To check how well the organization has carried out exercises to manage information restoration during a disruption
D. To ensure that the organization's current procedures have sufficient clarity and accessibility to be effective during a disruption
Answer: B
Explanation:
In the GPG 7.0 model used for CBCI 7.0, Solutions Design (PP4) takes the requirements identified in Analysis (priorities, recovery targets like RTO, minimum acceptable capacity, key dependencies) and determines the strategies and solutions that will meet those requirements. The purpose is therefore operational: ensure the organization can continue or resume delivery within the approved continuity requirements—timeframes, capacity levels, and quality thresholds agreed by the business.
Option A describes competence management, which supports implementation but is not the purpose of strategies/solutions. Option C is about exercising and validation outcomes (PP6), not solutions design. Option D relates to document quality and usability (important in planning/enabling), but strategies and solutions exist primarily to provide the capability—people, premises, technology, suppliers, workarounds—so that recovery objectives can be achieved when disruption occurs.
Which one of the following should be implemented when updating Business Continuity (BC) plans?
Options:
A. A copy should be placed on the organization's shared drive so that personnel can identify it for themselves when they look at the system
B. A formal version control process to identify the date of review and bring attention to changes
C. A brief note about the update in a staff newsletter that is printed and placed on noticeboards
D. An internal email to all personnel stating that a new version is available and suggesting that personnel request a copy of the new version if they are interested in seeing it
Answer: B
Explanation:
When BC plans are updated, the organization must be able to prove which version is current, when it was reviewed, what changed, and who approved it. A formal version control process prevents confusion, reduces the risk of using outdated instructions during an incident, and supports assurance/audit needs. BCI guidance on content management for resilience explicitly highlights that clear version control prevents confusion and ensures teams work with the most current information—especially critical during crises when outdated guidance can compound problems.
Option B directly meets that requirement: it identifies review dates and highlights changes so plan owners and responders can trust the document. Option A (just saving to a shared drive) does not ensure people use the correct version or understand changes. Option C is insufficient for operational control. Option D is passive and does not implement document control; it also risks inconsistent distribution. In CBCI practice, controlled documents + versioning are essential to reliable response and recovery execution.
A type of exercise where participants can explore relevant issues and walk through plans in a low-pressure environment is a:
Options:
A. Scenario exercise
B. Simulation exercise
C. Investigative exercise
D. Discussion-based exercise
Answer: D
Explanation:
In CBCI 7.0 (aligned with GPG 7.0 practice), Validation includes exercising and testing to confirm that arrangements and plans work as intended and that people understand their roles. A discussion-based exercise is specifically designed as a low-pressure environment where participants talk through roles, decisions, and plan steps, often using a hypothetical situation to prompt discussion. This format is widely used to help teams explore issues, clarify responsibilities, and identify gaps without the cost, stress, or operational impact of a live simulation.
That is why option D is correct.
A scenario (table-top) exercise is often discussion-based, but the defining feature in the question is the exercise type that is explicitly low-pressure and walk-through in nature—this matches “discussion-based.” A simulation exercise is typically more realistic and pressured (sometimes involving time compression, actual call-outs, or technical failover), and therefore not the best match. “Investigative” is not the standard label for this low-pressure walk-through category in common BC exercise groupings. Discussion-based exercises are often used early to build confidence and validate understanding before moving to more demanding exercise types.
In your role as a Business Continuity (BC) professional you have submitted your company's first gap analysis to top management for their review and approval. The response is a decision not to address some gaps even though you had recommended some new strategies and solutions. The best course of action is to:
Options:
A. Request a meeting to further discuss the importance of the recommendations.
B. Recommend that the business pursues adjusted strategies and solutions that will partially close the identified gaps.
C. Search for ways to lower the cost of carrying out the recommendations.
D. Plan to resubmit the strategies and solutions during the validation phase.
Answer: B
Explanation:
Within CBCI 7.0 (aligned to the BCI GPG 7.0 model), Solutions Design is where strategies are selected that best meet the organization’s continuity requirements while remaining viable and proportionate. Crucially, the outcomes of analysis (BIA/RA and any resulting gap picture) are used to highlight “gaps for top management to address or accept.” If top management decides not to fully close certain gaps, the BC professional should treat this as a governance decision (risk/impact acceptance) and then work constructively to refine options that improve resilience within the constraints set by management. Recommending adjusted strategies and solutions (option B) supports continual improvement without ignoring leadership’s decision, and it keeps momentum by delivering partial risk reduction and capability uplift where feasible.
Option A may be appropriate if the decision appears uninformed, but it does not directly move the BCMS forward. Option C is only one possible input to adjustment (cost is not the only constraint). Option D misplaces the timing—validation tests what exists; it is not the stage to “re-pitch” unapproved solutions.
An effective response structure includes:
Options:
A. Unlimited access to financial resources during a disruption
B. Knowledge of when key suppliers and external stakeholders should be notified and included in the response
C. Flexibility to change policies and procedures during a disruption without consulting top management
D. Personnel in place to assess and measure the performance of responders during a disruption
Answer: B
Explanation:
According to the CBCI 7.0 course, an effective response structure must incorporate clear protocols for timely notification of key suppliers and external stakeholders. This ensures coordinated response efforts and mitigates cascading impacts. Unlimited financial access is unrealistic and can lead to mismanagement. Changes to policies require governance and cannot be unilaterally made during disruptions. While performance measurement is important, notification protocols are fundamental to structured, controlled, and communicative response efforts.
It is important to measure Business Continuity culture because this:
Options:
A. Can determine whether or not the organization needs to continue reviewing and making improvements to its Business Continuity Management System (BCMS)
B. Indicates how well personnel are likely to engage with, and follow Business Continuity plans and procedures
C. Indicates whether or not there is a need to validate and update operational plans
D. Provides data that can be used when promoting the organization to potential new recruits
Answer: B
Explanation:
Measuring Business Continuity culture is essential to assess the level of engagement, understanding, and commitment personnel have toward Business Continuity plans and procedures. The CBCI 7.0 course stresses that culture measurement helps predict the likely success of continuity efforts during disruptions. A strong culture supports adherence to plans and proactive risk management, while a weak culture may highlight areas needing targeted improvement. While measurements can indirectly inform reviews and validations, the primary focus is on gauging personnel behaviour and engagement, which is the most critical factor in continuity effectiveness.
Which of the following is a step that would be taken by the Business Continuity professional to support the process to advance an organization from embedding to embracing Business Continuity?
Options:
A. Development and adoption of a Business Continuity policy to protect the organization from disruptions
B. Assigning Business Continuity roles and responsibilities across the organization's hierarchy
C. Gaining an understanding of the organization's culture
D. Including funding in the Business Continuity budget to hire a consulting firm to run Business Continuity as a project
Answer: C
Explanation:
The CBCI 7.0 course identifies gaining an understanding of the organization’s culture as a foundational step in moving from merely embedding Business Continuity practices to fully embracing them. Cultural insights enable targeted interventions that align Business Continuity with existing values, beliefs, and behaviours, enhancing engagement and ownership. Policies and role assignments are important but less effective without cultural alignment. Outsourcing continuity as a project risks detachment from organizational realities. Understanding culture guides effective communication, training, and leadership strategies that foster a pervasive continuity mindset.
In relation to the care and wellbeing of staff during an incident, which of the following would NOT be an immediate requirement for the People and Culture Management team?
Options:
A. Accounting for the personnel on the site where the incident has occurred
B. Being able to contact personnel and their family members
C. Assigning responsibilities to staff who are working away from the site to enable recovery activities to commence
D. Enabling access to physical care if needed
Answer: C
Explanation:
During an incident, immediate people-related requirements prioritize life safety, welfare, and accountability. In BC response structures, People/HR (often called People & Culture) typically focuses first on confirming who is affected, ensuring personnel are safe, supporting access to medical/physical care, and establishing reliable communications with staff and (where appropriate) family members. These actions reduce harm and enable leadership to make accurate decisions about escalation and support. This aligns with crisis/incident management good practice where “accounting for people” and welfare support are immediate priorities before broader recovery work is initiated. (ready.gov)
Option C—assigning recovery responsibilities to staff away from the site—is important for recovery enablement, but it is not an immediate care/wellbeing requirement. It belongs more to operational recovery coordination and plan activation once the immediate safety picture is understood. Options A, B, and D are directly tied to immediate welfare: confirm personnel status, contact and support staff/families, and enable access to care. Therefore, C is the correct “NOT immediate requirement” for the People and Culture Management team when the focus is specifically care and wellbeing.
The scope of the Business Continuity Management System (BCMS) should be reviewed if:
Options:
A. A new Business Continuity professional is appointed and they provide a fresh focus on the approach to be taken
B. An exercise activity reveals that changes to operational procedures are needed
C. There is a change to the internal or external operating context
D. Personnel are not embracing Business Continuity and a new approach to engage them is required
Answer: C
Explanation:
The CBCI 7.0 course defines that the BCMS scope must be regularly reviewed and updated in response to significant changes in the organization’s internal or external context. Such changes could include shifts in business operations, legal requirements, market conditions, or organizational structure that affect Business Continuity requirements. This ensures that the BCMS remains relevant and effective. While fresh perspectives and personnel engagement are important, scope reviews are driven by contextual changes.
Which of the following could the Business Continuity professional use to explain how embracing Business Continuity could add value to the organization?
Options:
A. It will increase health and safety standards in the organization by reducing stress levels as personnel do not need to be concerned during disruptions
B. It will resolve all conflicts between personnel and departments in the organization as personnel will re-focus their priorities to shared Business Continuity activities
C. It increases competitive advantage by increasing the ability of the organization to remain operational in the face of a disruption
D. It will enable senior managers to delegate their responsibilities to team members as personnel will be willing to take on additional accountabilities leaving senior managers free to develop new products and services
Answer: C
Explanation:
The CBCI 7.0 course stresses that embracing Business Continuity adds value primarily by enhancing organizational resilience, which translates into a competitive advantage. Being able to maintain operations during disruptions preserves customer confidence, safeguards revenue, and protects reputation. While improved health and safety and conflict resolution are indirect benefits, they are not the primary value drivers. Delegating responsibilities effectively supports continuity but does not capture the strategic benefit. Communicating resilience as a competitive edge helps secure leadership buy-in and resource allocation for continuity initiatives.
Which of the following is an indicator that top management is embracing Business Continuity?
Options:
A. Business Continuity is part of the organization's strategic planning and is reviewed regularly
B. The organization's health and safety risk assessments are recorded as required
C. The organization maintains full compliance with legal and regulatory requirements
D. The organization's Business Continuity operational plans are kept up to date
Answer: A
Explanation:
The CBCI 7.0 course identifies the integration of Business Continuity into the organization's strategic planning with regular reviews as a clear sign of top management’s commitment. Strategic incorporation ensures Business Continuity is prioritized, resourced, and aligned with long-term objectives, reflecting leadership’s recognition of its importance. Regular review cycles demonstrate ongoing engagement and responsiveness to changing risks. While legal compliance, health and safety management, and operational plan maintenance are important, they may occur without active leadership endorsement. True embracement requires embedding Business Continuity in strategic decision-making and organizational culture.
Where social media is a key element in an organization's communications response strategy, it is important for the organization to:
Options:
A. Build up followers and establish a social media presence before an incident
B. Empower all staff to engage with social media to ensure that information during a disruption can be delivered quickly
C. Ensure all staff who engage with social media are aware of the need to keep a note of their engagement in case valuable contacts are secured through this route
D. Limit social media engagement to one-way communications as only the organization's formal statements and opinions are required
Answer: A
Explanation:
The CBCI 7.0 course highlights that an effective social media strategy requires establishing and nurturing a following before incidents occur. A pre-existing audience ensures messages disseminated during disruptions reach stakeholders promptly and credibly. While empowering staff to engage may lead to inconsistent messaging and risks, centralized management ensures accuracy and control. Recording engagement can be useful but is secondary. Limiting social media to one-way communications may reduce interaction but safeguards message consistency. Building presence early is foundational to effective crisis communications.
The Process Business Impact Analysis (BIA):
Options:
A. Is conducted prior to the Product and Services BIA
B. Excludes processes that have been outsourced
C. Identifies resource requirements and interdependencies
D. Is optional and may be omitted
Answer: C
Explanation:
The Process BIA focuses on understanding internal processes, their resource needs, and dependencies that impact the delivery of products and services. The CBCI 7.0 course underlines that this BIA level identifies critical resources, interdependencies among activities, and potential bottlenecks. It complements Product and Service BIAs by providing detailed operational insights necessary for designing effective recovery strategies. Processes outsourced to third parties are typically included to ensure a complete picture. This analysis is a core component of the BIA framework and is not optional.
Following all Business Impact Analyses (BIAs), what information should be provided to top management in a consolidated analysis?
Options:
A. Feedback from staff on organizational concerns
B. Confirmation and information about the frequency of previous disruptions
C. Products and services by order of priority and the priority of related activities (and processes if relevant)
D. Review of external conditions and a determination of the probability of disruption for each threat identified
Answer: C
Explanation:
The purpose of consolidating BIA outputs is to give top management a clear, decision-ready view of what must be protected and recovered first. In CBCI 7.0’s Analysis (PP3), BIAs identify impacts over time and establish priorities and continuity requirements; consolidation brings this together so leaders can approve priorities and ensure strategies/solutions are designed to meet them.
Therefore, the most relevant consolidated information for top management is the ordered priority of products and services, and the associated priority of the activities (and processes where used) that enable those products and services to be delivered (Option C). This is what allows leadership to make informed choices on investment, trade-offs, recovery objectives, and governance decisions (including acceptance of residual gaps).
Options A and B may be useful context but are not the core consolidated BIA output for executive decision-making. Option D is primarily risk assessment territory (likelihood/probability by threat), whereas the BIA is impact-and-priority led; probability is handled in risk assessment after priorities are known, not as the main consolidated BIA deliverable.
When identifying risk mitigation strategies and solutions in relation to unacceptable risk and/or single point dependencies, the Business Continuity (BC) professional should collaborate with:
Options:
A. Activity and resource owners
B. Top management
C. Incident response team leaders
D. Media and communication managers
Answer: A
Explanation:
In CBCI 7.0’s structure, unacceptable risks and single-point dependencies are typically discovered through analysis outputs (BIA and risk assessment) and are then treated through Solutions Design by selecting strategies and solutions that reduce vulnerability and enable recovery. To identify practical mitigations, the BC professional must work with the people who own the work and the resources—because they understand how activities are performed, where the true bottlenecks are, what constraints exist (skills, technology, suppliers, premises), and what changes are feasible without introducing new risks.
Activity and resource owners are also the stakeholders who will usually operate, maintain, and fund the controls or continuity solutions once agreed (e.g., alternate suppliers, resilience measures, cross-training, technology recovery design). Collaboration here ensures solutions are realistic, implementable, and aligned to operational needs.
Top management (B) approves priorities and budgets, but does not usually design detailed mitigations. Response team leaders (C) focus on incident-time execution, and communications managers (D) focus on messaging—both are important, but neither replaces the operational insight of owners when treating single points of failure. Therefore A is correct.
Why is it important to use a warning or code word such as “exercise only” when providing communication injects during an exercise?
Options:
To ensure that the information is not treated as a real message
To ensure that the information is treated as confidential
To indicate that the message has been approved by the exercise facilitator
To indicate that all information should be treated as real during the exercise
Answer:
A
Explanation:
In BC validation and exercising, “injects” are simulated messages used to drive decisions and actions. Using a clear code word (e.g., “For exercise” / “Exercise only”) is essential to prevent simulated information being mistaken for a real incident notification—especially when exercise communications travel through normal channels (phone, radio, email, chat). This protects people, avoids unnecessary escalation, and prevents operational disruption caused by staff believing a real emergency is underway. Exercise guidance commonly defines “For Exercise” as a preamble meaning the message relates to the exercise only and “is not to be confused with real activity,” and recommends prefixing simulated calls/messages accordingly.
Therefore, option A is correct.
Option B (confidentiality) is not the main purpose of the code word; confidentiality is handled through exercise ground rules and distribution controls. Option C is not what the code word signifies. Option D is the opposite of the intent—while participants should act realistically within the exercise play, the code word ensures everyone understands the scenario is simulated, preventing real-world misinterpretation and unintended consequences.
When developing an exercise programme, it is important to include:
Options:
All employees of the organization
Only members of the response team
Only Business Continuity (BC) professionals
Everyone with a role in a team relevant to the scenario being exercised
Answer:
D
Explanation:
In CBCI 7.0, exercising sits within Validation (PP6) and is used to confirm that plans, procedures, and response structures can achieve the objectives set by the BC policy and BCMS requirements. An exercise programme must therefore be designed around the scenario and the capabilities being validated—meaning the correct participants are those who would actually perform roles during that type of disruption (strategic decision-makers, incident/crisis team roles, operational recovery leads, communications, IT/service owners, and key support functions), plus any dependent parties as needed.
That is exactly what option D states: include everyone with a role in a team relevant to the scenario being exercised. Including all employees (A) is unnecessary and often counterproductive; awareness activities can target all staff, but exercises should be role-based and objective-led. Including only the response team (B) excludes essential recovery and support roles that are frequently critical to product/service restoration. Including only BC professionals (C) turns an organizational capability test into a specialist discussion and fails to validate real execution.
Which one of the following is a feature of an effective Business Continuity (BC) policy?
Options:
There is clear top management commitment to the policy and its continued improvement.
The policy details the incident management plans and the financial budgets available to support recovery plans.
The policy provides details of constraints on specific suppliers.
The policy can be validated by exercises and updated with the detailed learning that arises from carrying out the exercises.
Answer:
A
Explanation:
An effective BC policy is a high-level statement of intent and direction, formally expressed and endorsed by top management. Its effectiveness depends on visible leadership commitment—because leadership is responsible for ensuring the policy aligns with the organization’s strategic direction, is communicated, resourced, and kept under review for suitability. In BCI guidance, establishing the business continuity policy specifically requires top management action, support, and commitment, with governance to maintain and improve the policy over time.
Option A best reflects this core characteristic: top management commitment and continual improvement. The other options describe items that are typically handled in plans or supporting documents (e.g., incident management plan details, budget specifics, supplier constraints, or exercise lessons learned). Those elements may inform the BCMS, but they do not define what a BC policy is. The policy sets the framework and expectations; detailed procedures, constraints, and exercise learnings are managed elsewhere within the BCMS lifecycle.
Consulting stakeholders, conducting a cost-benefit analysis, consulting with internal resources such as risk management and internal audit teams, and horizon scanning are some of the methods that might be used when:
Options:
Measuring Business Continuity culture
Identifying and assigning Business Continuity Management System (BCMS) roles and responsibilities
Developing an exercise programme
Defining the initial BCMS scope
Answer:
D
Explanation:
Defining the initial scope of a BCMS requires a comprehensive understanding of organizational context, risks, and priorities. The CBCI 7.0 course recommends consulting with stakeholders, leveraging internal expertise (e.g., risk management, audit), performing cost-benefit analyses, and horizon scanning to capture potential future threats and opportunities. These methods ensure that the scope is appropriately focused and realistic, considering business objectives, resource availability, and external environment. This thorough approach lays the foundation for a relevant and effective BCMS.
Which of the following would NOT be taken into account when developing and drafting a Business Continuity policy?
Options:
Providing detailed background information in the introduction to the policy which explains, with examples, how the new approach will be different from past approaches
Setting expectations for how the BCMS will be operationalized
Using concise and straightforward language that is accessible to all personnel
Designing the policy to be appropriate to the type of organization and to reflect the culture and operating environment
Answer:
A
Explanation:
The CBCI 7.0 course indicates that Business Continuity policies should be clear, concise, and focused on the organization's current continuity objectives and governance, rather than including detailed historical background or examples of past approaches. The policy is a guiding document that sets expectations and scope, written in accessible language tailored to the organization’s culture and operating environment. Extensive background details can dilute the clarity and purpose of the policy, making it less effective as a communication tool. Operationalization expectations and cultural appropriateness are key inclusions.
Strategies to resume business operations following a disruption are based on the outcomes of the:
Options:
Negotiations with stakeholders regarding their minimum requirements in a disruption
Governance structures established for the Business Continuity Management System (BCMS)
Analysis of Maximum Tolerable Period of Disruption (MTPD) and Recovery Time Objectives (RTO)
Collaborations generated by the organization's Business Continuity culture
Answer:
C
Explanation:
The CBCI 7.0 course clarifies that strategies for resuming operations are developed primarily based on the analysis of the Maximum Tolerable Period of Disruption (MTPD) and the Recovery Time Objectives (RTO). The MTPD defines the maximum duration an activity can be disrupted before causing intolerable impact, while the RTO sets the target time to restore that activity. These recovery parameters provide clear, measurable goals for strategy development, ensuring continuity efforts focus on minimizing downtime and impact. Although stakeholder input and organizational culture influence strategy implementation, the technical parameters of MTPD and RTO form the foundational basis for solutions.
In relation to validation, which of the following is NOT an aim of an exercise programme?
Options:
Improved teamwork and competency of recovery team members
Verification that the expected Recovery Time Objectives (RTOs) can be achieved
Identification of outdated information in the Business Continuity (BC) plans and areas for improvement
Design of additional Business Continuity (BC) policies and solutions
Answer:
D
Explanation:
Validation (PP6) confirms whether the BCMS meets objectives set in policy and whether capability works in practice through awareness, exercising, maintenance, and review programmes. Exercise programmes are aimed at improving performance and readiness: they strengthen teamwork and competence (A), provide evidence that recovery performance targets (including RTOs) are achievable (B), and reveal issues such as outdated plan content, role confusion, missing resources, or unclear procedures so improvements can be made (C).
Designing new policies and solutions (D) is not the purpose of exercising. Policies are set within BCMS establishment/governance (PP1), and strategies/solutions are primarily designed in Solutions Design (PP4) and implemented in Enabling Solutions (PP5). Exercises may inform changes to policy or solutions via lessons learned, but “design of additional policies and solutions” is not an aim of the exercise programme itself—it’s a downstream improvement activity that follows from validation findings. Therefore, D is the option that is NOT an exercise-programme aim.
When selecting solutions to mitigate unacceptable risks and single points of failure, the activity/resource owner will take into account:
Options:
Findings from the Business Impact Analysis (BIA)
The risks expected to materialise in the future
Advantages and disadvantages of the solution
The Business Continuity culture index
Answer:
C
Explanation:
The CBCI 7.0 course clarifies that when activity or resource owners evaluate solutions, they must carefully consider the advantages and disadvantages of each option, including cost, feasibility, operational impact, and alignment with organizational goals. While BIA findings inform priority, and future risk projections shape preparedness, the practical trade-offs in implementing solutions are central to decision-making. The Business Continuity culture index is a tool for measuring engagement, not a direct factor in solution selection. Balanced assessment ensures that selected solutions are not only effective but sustainable and appropriate.
For a strategic response team to be effective, its members should have:
Options:
Ability to identify commercial opportunities in adverse situations
A detailed understanding of each requirement set out in Business Continuity plans
Skill in coordinating resources, operations and suppliers
Decisiveness and the ability to make decisions quickly
Answer:
D
Explanation:
Strategic response teams play a crucial role in managing crises by making timely, high-level decisions that guide the organization's overall continuity response. The CBCI 7.0 course emphasizes that decisiveness and rapid decision-making are essential qualities for such teams, as delays can exacerbate disruptions and increase impacts. While coordination skills and understanding of Business Continuity plans are important, the strategic team must prioritize swift, confident decisions to steer operational teams and allocate resources effectively during dynamic and stressful situations. Identifying commercial opportunities is beneficial but secondary to ensuring continuity and stability.
Which of the following is a benefit of conducting an exercise?
Options:
Confirmation of how well Business Continuity is incorporated into the tasks pertaining to the Business Continuity Management System (BCMS)
Confirmation that personnel are familiar with their roles, and authority in response to an incident
Increased understanding of the requirements set out in the Activities Business Impact Analysis (BIA)
Validation of the Business Continuity Management System (BCMS) against standards, regulations and legislation
Answer:
B
Explanation:
The CBCI 7.0 course details that one of the primary benefits of conducting Business Continuity exercises is to confirm that personnel understand their roles and the authority they possess during an incident. Exercises simulate actual disruption scenarios, allowing participants to practice decision-making, communication, and coordination within their roles. This hands-on engagement reveals gaps in knowledge, clarifies responsibilities, and builds confidence, which are crucial for effective incident management. While exercises contribute to validating BCMS processes and improving task integration, their immediate operational benefit is ensuring personnel readiness and role familiarity. Understanding the BIA requirements or regulatory compliance are indirect benefits but not the core purpose of exercises. Exercises also reinforce the practical application of plans, helping teams to respond efficiently under pressure.
Within the context of risk assessment, the identification of solutions is influenced by a variety of business relevant considerations, including:
Options:
Delivering performance targets
Timely production of quality assurance audit trails
Compliance with regulatory requirements
Ensuring that communication protocols are observed
Answer:
C
Explanation:
The CBCI 7.0 course highlights that compliance with regulatory requirements is a critical consideration when identifying risk treatment solutions. Regulatory frameworks often impose mandatory controls or guidelines that shape the selection and design of Business Continuity solutions to ensure legal adherence and avoid penalties. While performance targets, audit trails, and communication protocols are important operational elements, they are subordinate to regulatory compliance, which acts as a baseline constraint and influence on continuity planning. Effective risk solutions balance operational effectiveness with mandatory compliance, supporting sustainable and defensible Business Continuity strategies.
Size of the organization, the organization's culture and how people prefer to receive information are among the factors for the Business Continuity (BC) professional to consider when:
Options:
Developing an awareness strategy
Planning a live exercise
Developing plans
Designing solutions
Answer:
A
Explanation:
CBCI 7.0 places strong emphasis on Embracing Business Continuity (PP2), which is centred on education and awareness to improve BC culture and build voluntary commitment. PP2 explicitly focuses on understanding “the mindset of an organization” and its existing culture before attempting to influence it, because culture affects how people engage with BC activities and how sustainable the programme will be. An effective awareness strategy must therefore be tailored to organizational context: in a large organization, you may need multiple channels and segmented messaging; in a smaller organization, more direct engagement may work better. Likewise, if the culture is siloed, messages may need different champions than in a collegiate culture. Finally, people’s preferred information channels (briefings, intranet, video, manager cascades, social platforms, etc.) determine how awareness can realistically reach and influence the workforce. This is why these factors are most directly linked to developing an awareness strategy rather than to exercise planning, plan writing, or solution design.
A shared understanding across the organization of the importance and relevance of the Business Continuity Management System (BCMS) and an understanding of how the BCMS will be used are outcomes of:
Options:
Providing access to a risk assessment
Defining the scope of the BCMS
An effectively communicated Business Continuity policy
Appointing a Business Continuity steering group
Answer:
C
Explanation:
An effectively communicated Business Continuity policy sets the tone for organizational commitment and clarifies the purpose, scope, and relevance of the BCMS. The CBCI 7.0 course stresses that clear communication of the policy ensures all personnel understand the BCMS’s importance and how it will be applied, fostering engagement and shared responsibility. While defining scope and appointing steering groups are critical, they do not on their own generate organization-wide understanding. The policy acts as the foundational document promoting awareness and alignment.
In relation to Business Continuity (BC) solutions, which of the following would be included in the procedure for communications with people outside of the organization during a disruption?
Options:
Clarification that all personnel have the responsibility of keeping social media information up to date and should treat this as a priority activity
Identification of the team, group or individual with the responsibility, authority and technical knowledge to deliver communications via each available method
Instruction that external communications should not take place until after the incident is over
Permission for communications personnel to make decisions on how the organization is represented in a crisis without prior agreement with top management
Answer:
B
Explanation:
Enabling Solutions (PP5) is where agreed continuity solutions are made usable through response structures and plans—this includes defining how communications will work during disruption. Effective external communications procedures must be role-based and controlled: they should identify who is authorized to communicate, through which channels, and with what approvals—so messages are accurate, timely, and consistent. Option B reflects that good practice: naming the team/group/individual with the required responsibility, authority, and technical capability for each method (e.g., media statement, website updates, customer notifications, hotline, social media).
Option A is dangerous because it decentralizes messaging and increases the risk of conflicting or inaccurate public information. Option C is unrealistic—stakeholders often need updates during the incident (customers, suppliers, regulators, media), not after it ends. Option D removes governance and can create reputational and legal risk; crisis communications normally follow agreed principles, escalation, and approvals, with top management involved in high-impact messaging. Therefore, B is the correct procedural inclusion for communicating outside the organization during disruption.
Which of the following parameters would NOT be considered by a resource or activity owner when evaluating and selecting solutions to meet an agreed strategy?
Options:
The advantages and disadvantages of the proposed solution
The type of exercises to be conducted to validate the strategies and solutions
The estimated costs to prepare, implement, operate and maintain the solution
The implementation time required
Answer:
B
Explanation:
When selecting solutions, resource or activity owners focus on factors such as advantages, disadvantages, costs, and implementation timelines, which directly affect feasibility and operational impact. The CBCI 7.0 course clarifies that while validation exercises are important for testing solutions, the choice and evaluation of solutions themselves typically do not consider the type of exercises planned for later validation phases. Exercise planning is a separate activity handled by the validation team, not the solution selectors.
Which of the following is NOT correct in relation to plans for returning to business as usual (BAU)?
Options:
It provides a general outline for returning to BAU in various situations that can be further developed during a disruption.
It demonstrates that the organization understands what is required to prepare for a return to BAU.
It should be regularly reviewed and included in training and exercises.
It details the specific requirements and procedures that should be applied in all situations.
Answer:
D
Explanation:
In CBCI 7.0’s PP5 (Enabling Solutions), returning to BAU is treated as a managed transition from response/recovery arrangements back to normal operations. Good practice recognises that returning to the “original situation” may not be straightforward—sometimes the original state no longer exists (e.g., premises significantly damaged), so plans must be flexible and guide decisions rather than prescribe one rigid approach.
That is why statements A–C are consistent with good practice: a BAU return plan typically gives a general outline and prompts for how to transition, it demonstrates the organization understands the preparatory steps required (people, facilities, technology, suppliers, communications, handover/stand-down), and it should be maintained through review and exercised/trained so teams can execute it confidently.
Statement D is NOT correct because it implies one set of specific procedures applies in all situations. BC planning guidance emphasises that incidents differ and plans need to be adaptable; BAU transition is highly context-dependent (damage level, regulatory requirements, customer obligations, resource availability, safety constraints). A universal, “one-procedure-fits-all” approach is unlikely to remain valid across different disruptions and would reduce effectiveness.
In the context of transport and logistics resources being affected by an incident, which of the following would be a prerequisite for a Business Continuity (BC) solution that requires staff to use their own vehicles for company business requirements?
Options:
Confirm that business insurance arrangements are available for staff who are likely to be asked to use their own vehicles during a disruption.
Purchase vehicles for all staff to ensure that vehicles will be available.
Ask customers to assist during the disruption and to use their vehicles to undertake the organization's priority activities.
Introduce a new employment clause into the contracts of all current employees requiring all employees to own vehicles and make them available in case of disruption.
Answer:
A
Explanation:
A continuity solution must be viable, lawful, and safe to execute during disruption. If a strategy requires staff to use their personal vehicles for business purposes, a key prerequisite is ensuring appropriate business-use insurance/cover is in place and verified—otherwise the organization and employee may face uninsured liability exposure and the solution may fail when needed. Guidance commonly notes that employers can require confirmation/evidence of business insurance when employees use their own vehicles for work, or arrange cover extensions where appropriate.
Option B is unnecessary and disproportionate to the stated solution (the strategy is “use staff vehicles,” not “create a fleet”). Option C introduces uncontrolled dependency and liability by shifting operational responsibility to customers. Option D is unrealistic, likely inequitable, and not a practical prerequisite for continuity arrangements.
From a BCMS perspective, prerequisites like insurance, safety checks, driver authorization, and clear procedures enable the solution to be executed reliably under pressure—so A is the correct and most defensible prerequisite.
Which of the following describes the focus of the strategic team as part of a response structure?
Options:
Addressing issues and crises threatening the organization's viability and integrity
Dealing with the immediate effects of an incident by containing it where possible and managing direct consequences
Developing a step-by-step plan for managing the response to a physical disruption or incident
Consolidating information from the operational teams
Answer:
A
Explanation:
In a response structure, teams operate at different levels to ensure fast operational action and effective executive decision-making. The strategic team (often the crisis management level) focuses on the organization-wide, high-impact decisions: protecting viability, reputation, governance obligations, and stakeholder confidence, and ensuring decisions align with organizational objectives under crisis conditions. This matches option A.
Option B describes the operational focus (containment, immediate consequence management) typically handled by incident/operational responders. Option D (information consolidation) is more aligned to tactical coordination and situational reporting between operational and strategic levels. Option C describes plan development work rather than the real-time strategic decision-making role during an incident.
BCI guidance emphasises that a response structure should be capable of dealing with many types of disruption and should include appropriate roles/teams so information is communicated quickly and accurately and decision-making is properly coordinated across levels. The strategic team’s defining concern is enterprise survival and integrity, which is why A is correct.
Which of the following statements best describes the relationship between Business Continuity strategies and solutions?
Options:
Strategies align to the direction set out in the Business Continuity policy whilst solutions address the outlined objectives in the Business Continuity Management System (BCMS)
Strategies are based on the outcomes of the Business Impact Analysis (BIA) whereas solutions are based on the outcomes of the risk assessment
Strategies are high-level approaches for meeting the organization's Business Continuity requirements whereas solutions detail how the strategies will be implemented
Strategies focus on the methods and procedures for business as usual activities whereas solutions focus on the treatments and actions to minimize risks
Answer:
C
Explanation:
According to CBCI 7.0, strategies represent the high-level approaches that define how the organization will maintain or recover critical operations, aligned with Business Continuity requirements identified through BIAs and risk assessments. Solutions, on the other hand, are the specific, detailed methods and resources deployed to implement these strategies effectively. Strategies set the direction, while solutions translate these into practical capabilities such as alternate site arrangements, backup systems, or communication plans. Distinguishing strategies from solutions clarifies planning and execution responsibilities within the BCMS.
In relation to the development of solutions, the purpose of a gap analysis is to:
Options:
Identify a strategy to close the existing gaps
Design and select solutions to deliver strategies and close gaps
Assess whether or not current capabilities are sufficient to meet the Business Continuity (BC) requirements
Develop a risk mitigation strategy to address any identified single points of failure
Answer:
C
Explanation:
In CBCI 7.0’s BCMS flow, Analysis (PP3) defines continuity requirements (priorities, resource needs, recovery targets) and then Solutions Design (PP4) selects strategies/solutions to meet those requirements. A gap analysis is the comparison step: it evaluates the organization’s current recovery capability against the required capability (e.g., can current arrangements meet the RTO/RPO, minimum capacity, dependencies, and response requirements). This is exactly option C.
Options A and B describe what happens after the gap is understood—choosing strategies and designing solutions is the Solutions Design activity itself, not the definition of a gap analysis. Option D is risk-focused and relates more to risk treatment; while single points of failure can be revealed, the primary purpose of a gap analysis is broader: determining whether existing capabilities meet stated BC requirements and documenting where they do not, so management can decide to close, reduce, or accept those gaps.
In order to ensure that priority is given to activities with the shortest Recovery Time Objectives (RTOs), strategies can:
Options:
Include relevant extracts from the Business Impact Analysis (BIA)
Highlight activities with short RTOs by categorising strategies by timeframe
Include a risk assessment to identify the best treatment option
Identify workarounds for all activities other than those with short RTOs
Answer:
B
Explanation:
The CBCI 7.0 course highlights that categorizing strategies by timeframe is an effective method to ensure focus on activities with short RTOs. This approach visually and operationally segments recovery strategies, allowing the organization to prioritize resources and actions that address the most time-critical functions first. Including BIA extracts supports understanding but is insufficient on its own. Risk assessments inform treatment choices but do not inherently prioritize by RTO. Workarounds for non-priority activities are useful but are a secondary measure after prioritization. Categorizing by recovery time frames aligns operational focus with impact tolerances.
Which of the following is an action that the Business Continuity professional will take as part of the process of strategy determination?
Options:
Design a strategy for agreement with top management that can then be delegated to the relevant owners of priority products, services, activities, and processes
Prepare a communications brief to advise all external stakeholders of the outcome of the gap analysis and the plan for acting on the findings
Develop a mandatory training schedule to ensure that all personnel are required to address any skills gaps relevant to the delivery of priority products, services, activities, and processes
Work with the relevant product, services, activity, or process owner to develop a specification for an appropriate solution
Answer:
D
Explanation:
Strategy determination is a collaborative process where the Business Continuity professional works directly with owners of priority products, services, activities, or processes to develop detailed specifications for solutions that meet continuity requirements. The CBCI 7.0 course highlights this partnership as essential to ensure strategies are practical, aligned with operational realities, and capable of achieving recovery objectives. While designing high-level strategies and managing communication are important, hands-on collaboration with operational owners facilitates realistic, implementable solutions. This approach increases ownership, ensures accuracy, and fosters smoother implementation.
Which of the following is NOT an outcome that will result from an organization embracing Business Continuity?
Options:
Business Continuity tasks being given greater priority and completed on time
A Business Continuity programme that is fit for purpose and adequately sized for the organization
A reduction in the need to carry out maintenance activities and regular plan reviews and updates
Recognition by interested parties of areas where Business Continuity adds value to their operation
Answer:
C
Explanation:
Embracing Business Continuity increases commitment to ongoing maintenance, including regular plan reviews and updates, to ensure plans remain effective and relevant. The CBCI 7.0 course highlights that a strong Business Continuity culture does not reduce maintenance needs; rather, it ensures such activities are prioritized and valued. Reduction in maintenance requirements would signal neglect, risking preparedness. Other outcomes include prioritization of tasks and external recognition of Business Continuity’s value.
Which of the following would NOT be included in plans at all levels?
Options:
Guidance for escalation
Risk assessments for each possible scenario
Purpose, scope, assumptions and objectives of the plan
Procedures for standing down the teams when the incident has been resolved
Answer:
B
Explanation:
Plans at different levels (strategic, tactical, operational) typically share common foundational elements: a clear purpose and scope, key assumptions, and objectives (C), so users understand when and how to apply the plan. They also usually include escalation guidance (A) so issues are raised to the right level quickly, and stand-down/transition procedures (D) so teams can safely return to normal operations and capture learning after resolution. These elements support coordinated response across the response structure.
However, risk assessments for each possible scenario (B) would not be included “at all levels” of plans. Risk assessment is a distinct analysis activity, and while plans may reference key threats or assumptions, they are generally not built as scenario-by-scenario risk assessment catalogues—especially not across every plan level. The BCI distinguishes BIA (impact over time) and Risk Assessment (risks to prioritised activities) as analysis techniques; plans then enable execution of the chosen solutions and response arrangements.
So, risk assessments may inform plans, but they are not a universal content component at every plan level. Therefore B is correct.
Which of the following statements about the methods used to collect information following an exercise is correct?
Options:
Only senior level exercise participants should provide opinions during the debrief
One-on-one interviews with all exercise participants should be conducted within one month following the exercise
A hot debrief should be conducted within one month after the conclusion of an exercise
Surveys are especially effective if an exercise and its participants are spread out over multiple locations
Answer:
D
Explanation:
Surveys are a practical and efficient way to collect feedback from participants who may be geographically dispersed or involved in staggered exercise sessions. The CBCI 7.0 course emphasizes that surveys enable broad participation and timely input collection, which can be crucial when participants cannot all meet in person or at the same time. Hot debriefs are typically immediate post-exercise discussions, not extended over a month. One-on-one interviews and limiting input to senior personnel restrict breadth and may delay feedback.
Which of the following would be the most effective and motivating way to share information that is intended to influence personnel to embrace Business Continuity?
Options:
Use language that is clear and easily accessible to all when producing documents, presentations or training materials
Provide detailed explanations on all of the organization and set regular tests to ensure that personnel are taking sufficient interest
Ensure that attendance at meetings is recorded and reflected in the staff performance appraisals
Send all information via email or the intranet on the assumption that this will be everyone’s preferred, and most convenient, form of communication
Answer:
A
Explanation:
The CBCI 7.0 course highlights that the most effective way to motivate personnel is through clear, accessible, and engaging communication. Materials should be understandable regardless of role or background, avoiding jargon and complexity. This clarity facilitates comprehension and fosters genuine interest in Business Continuity. Detailed explanations and testing may overwhelm or alienate, while relying solely on email or intranet assumes preferences that may not be universal. Recording attendance links to compliance rather than motivation. Tailoring communication style and delivery to audience needs maximizes engagement and encourages personnel to embrace Business Continuity.
When defining the scope of the Business Continuity Management System (BCMS), which one of the following is true?
Options:
Scope should take into consideration all external suppliers and customers
Once the scope is defined, it remains static until completion of the BCMS development process
The scope provides a clear understanding of areas of the organization covered by the BCMS and those not covered
The scope sets out the high-level principles which underpin the organization's approach to BC
Answer:
C
Explanation:
In PP1 (Establishing a BCMS), defining scope is a foundational activity because it sets clear boundaries for what the BCMS applies to and what it does not. Good practice requires a scope statement that makes coverage explicit (e.g., products/services, sites, functions, legal entities, interfaces, and exclusions) so stakeholders understand the BCMS’s intended reach and so analysis and solutions design are directed appropriately. The GPG 7.0 Lite highlights that BCMS development includes developing the scope and policy, and it emphasizes continual improvement and review—implying scope may need review when organizational context changes. (thebci.org)
Option C captures the definition accurately: scope clarifies what is covered and not covered. Option A is too absolute; you consider relevant suppliers/customers, but scope does not automatically include “all.” Option B is incorrect because scope is reviewed as the organization changes (mergers, delivery model changes, regulatory change). Option D describes the policy, not the scope. Therefore, C is the correct statement.