CBCI Mock Exam Paper PDF

Summary

This is a mock exam for the Certificate of Business Continuity Institute (CBCI) online examination. It contains 90 questions and the time allocated for the exam is 90 minutes. The questions cover various aspects of business continuity.

Full Transcript

CBCI Mock Exam Paper
This is a mock exam that can help with the preparation for the
Certificate of the BCI (CBCI) online examination.

Test Instructions: Please read each question carefully and choose
one answer per question. If you have time at the end of the test you
can choose to review your answers before ending your examination.

Number of Questions: 90

Time-on-Test: 90 minutes

Passing Score:

63 = PASS

62 and below = FAIL

63 -76 = PASS

77 - 90 = PASS WITH MERIT
Q1. Whilst the Business Continuity Management System (BCMS) is being
established for the first time, the organization may need to develop and
implement an interim:

A. Disruption Management Plan

B. Communications Management Plan

C. Threat Management Plan

D. Crisis Management Plan

Q2. While the Business Continuity Management System (BCMS) is being
developed, it is important to coordinate and capture decisions and
progress. Which of the following approaches should be applied?

A. Decisions and processes should be documented, and the documents
should be controlled by an allocated owner.

B. Access to all documents should be provided to everyone with
allocated roles in the project so that they can add their points to the
documents when issues arise or when they feel this is needed.

C. Ensure all staff can see and amend documents to make sure that
they are fit for purpose and stay up to date.

D. Assess the communication style across the organization to
understand how to facilitate interactions.

Q3. When establishing a Business Continuity Management System (BCMS),
engagement with stakeholders is important. Which of the following is
NOT a reason for engaging with internal stakeholders?

A. Existing policies and procedures may be relevant to the BCMS and
early identification will reduce the potential for duplication of work.

B. Early collaboration with colleagues will engage them in the process
and secure support for the ongoing development and implementation
of the BCMS.

C. Engagement of stakeholders will reduce the potential for conflict at
later stages of the programme.

D. Involving stakeholders will reduce the workload and responsibilities
of the Business Continuity Professional as coordination and
administrative activities can be allocated to other personnel.

2
Q4. Which of the following is an activity that would be undertaken as part
of the coordination process when establishing a Business Continuity
Management System (BCMS)?

A. Horizon scanning

B. Developing revised contracts for external experts

C. Stakeholder identification, mapping and engagement

D. Cost-benefit analysis

Q5. Why is it important to provide a defined scope for the Business
Continuity Management System (BCMS)?

A. To clarify the areas that staff do not need to be concerned about.

B. To enable the top management to know what advice and guidance
they can ask the project team to provide.

C. To clarify the strategy for the next three years and provide staff with
firm three-year objectives.

D. To clarify priorities and ensure that the BCMS makes the best use of
resources such as time and finance.

Q6. When determining the scope of the Business Continuity Management
System (BCMS), it is important to consider all aspects of a product or
a service in scope that could be affected by disruption. Which of the
following would NOT be considered?

A. Development requirements for proposed new products and
services.

B. Internal support including Information, Communication and
Technology (ICT), facilities and resources.

C. Regulatory requirements attached to a product or service in scope.

D. The supply chain for an external supplier that is involved with a
product or service within scope.

3
Q7. Consulting with stakeholders, conducting a cost-benefit analysis and
reviewing existing information held by Risk Management are methods
that may be used to define the:

A. High-level governance of the Business Continuity Management
System (BCMS)

B. Initial scope of the BCMS

C. Business continuity policy

D. Monitoring arrangements for the BCMS

Q8. The purpose of a business continuity (BC) policy includes explaining the
importance of BC to the organization as well as:

A. Providing specific information on the Business Continuity
Management System (BCMS) requirements and processes.

B. Defining the operational roles and responsibilities of response teams.

C. Describing how the specific activities within the BCMS will be carried
out.

D. Setting expectations for how the BCMS will be used.

Q9. Which of the following describes the relationship between the Business
Continuity Policy and the Business Continuity Management System
(BCMS)?

A. The policy provides additional detail to enable personnel to
understand the specific actions needed to implement the BCMS.

B. The Business Continuity Policy is written at a level that is
independent of the scope of the BCMS and sets out direction rather
than actions.

C. The Business Continuity Policy is a document that is confidential to
top management and the organization’s board of directors whereas
the BCMS documents are shared with all staff.

D. The Business Continuity Policy provides a detailed summary of the
outcomes of a Business Impact Analysis (BIA).

4
Q10. The first stage in the development of an effective Business Continuity
Policy is:

A. Drafting a statement that outlines the overall purpose of the Business
Continuity Management System (BCMS).

B. Communicating the finished policy widely within the organization to
secure internal support.

C. Agreeing and drafting definitions of the key terms to be used such as
business continuity and Business Continuity Management System.

D. Drafting the outline content of the policy so that it can be reviewed
prior to further development.

Q11. Which of the following would NOT be included in the content of an
effective Business Continuity (BC) Policy?

A. Responsibilities and accountabilities for the Business Continuity
Management System (BCMS).

B. Overall purpose of the BCMS.

C. Detailed information on the scope and implementation of the BCMS.

D. Commitment to the BCMS and its continual improvement.

Q12. It is important to secure top management commitment to governance
in the early stages of establishing a Business Continuity Management
System (BCMS) because this:

A. Can ensure commitment and support across all organizational levels
and functions.

B. Enables the top management team to engage with staff more
frequently.

C. Provides top management with the opportunity to coordinate the risk
assessment.

D. Allows top management to alert incident or crisis responders
(including emergency responders) as appropriate.

5
Q13. In relation to governance arrangements for the Business Continuity
Management System (BCMS), commitment from top management will:

A. Ensure that the BCMS remains aligned with the organization’s
objectives and strategy.

B. Commission a Business Impact Analysis (BIA) every six months.

C. Empower individual departments to write their own business
continuity policies.

D. Consult all staff on changes to the organization’s priorities as set out
in the BCMS.

Q14. Establishing governance for a new Business Continuity Management
System (BCMS) is an iterative process because:

A. The roles, responsibilities, and accountabilities for the BCMS can
only be fully defined after the first validation exercise has been
completed.

B. The organization may not fully understand all of the roles,
responsibilities and authorities required to operate the BCMS in
the early stages of development and may need to revise them over
time.

C. The governance structure needs to be approved by the
organization’s Board and this is often a time-consuming process.

D. Those who have been assigned BCMS roles and responsibilities
have to undergo training and assessment over time.

Q15. Which Business Continuity Management System (BCMS) organization
role will include responsibility for identifying and acknowledging supply
chain priorities and communicating changes relevant to their area of
work that may impact the BCMS?

A. Plan Owner

B. Personnel/Staff

C. Departmental Representative

D. Business Continuity Professional

6
Q16. Which one of the following explains what is meant by the term
“embedding” in the context of business continuity?

A. The ability of an organization to absorb and adapt to a changing
environment.

B. A process that defines and mandates how to integrate business
continuity practice into business-as-usual activities.

C. A culture in which personnel commit to business continuity because
they believe it protects the organization and its interested parties.

D. The ability of individuals to apply knowledge and skills to achieve the
intended result.

Q17. Which of the following is the key outcome of a fit for purpose Business
Continuity Management System (BCMS)?

A. Quality in the way in which the BCMS meets the operational
requirements of the organization.

B. The capability of the organization is appropriate only at the point in
time when the BCMS is first implemented.

C. External consultants take ownership of the BCMS on behalf of the
company and operate it as a project on a controlled budget.

D. Changes are made to operational processes without consideration of
the impact on the BCMS.

Q18. In order to implement a fit-for-purpose Business Continuity Management
System (BCMS), it is important that business continuity is:

A. Developed in isolation from the organization’s culture so that it is not
skewed by this.

B. Developed by external experts who will not be side-tracked by
organizational culture.

C. Underpinned and consistent with the organization’s culture.

D. Limited by organization culture so that cultural boundaries are clear
and unmoveable.

7
Q19. Which of the following is a method that the business continuity
professional can use to analyse the culture in an organization?

A. Carry out a Business Impact Assessment (BIA).

B. Consider top management’s approach to conflict-resolution.

C. Undertake studies of other organizations to identify possible options.

D. Assess the systems in place to audit compliance with regulatory
requirements.

Q20. An organization where business continuity forms part of the operational
fabric of the organization and everyone is committed to the success of
the Business Continuity Management System (BCMS), is demonstrating
a business continuity:

A. Validation plan

B. Risk appetite

C. Mobilisation environment

D. Culture

Q21. Engagement of top management in embracing business continuity will
ensure that business continuity activities align with the organization’s:

A. Product research and design procedures

B. Recruitment policies

C. Strategy and objectives

D. Health and safety rules

8
Q22. An indicator that an organization has an effective business continuity
culture is when:

A. Business continuity training is provided to existing staff regularly and
to new staff during induction.

B. Most of the components of the Business Continuity Management
System (BCMS) have been implemented as mandated by top
management.

C. An internal business continuity audit has been carried out and no
significant actions are required.

D. All regulatory requirements for business continuity have been
identified and there is a plan to introduce appropriate arrangements.

Q23. In order to secure commitment to business continuity from an
organization’s personnel or interested parties, it is important to focus
on:

A. What matters and adds value in their organization context.

B. What the theories and case studies about business continuity
demonstrate.

C. The scale of the work that will be required to reach the organization’s
business continuity requirements.

D. The detailed plans and costs to deliver the required outcomes.

9
Q24. One method that can be used to improve an organization’s business
continuity culture and encourage personnel to embrace business
continuity is to deliver an ongoing marketing programme about the
organization’s Business Continuity Management System (BCMS) to
personnel. Which of the following describes how this approach can
improve culture?

A. It provides positive results quickly, which help the organization to
stay operational in the face of a disruptive event.

B. It raises the profile of business continuity on an ongoing basis and
provides updates on the value of business continuity and promotes
positive progress.

C. As personnel become familiar with the updates and information, they
will no longer need to engage with it as it will be no longer necessary
for them to keep up with news.

D. Personnel do not need to give up additional time to respond as the
communication is one-way.

Q25. Which of the following explains why it is important to measure an
organization’s business continuity culture?

A. A strong business continuity culture influences response behaviour
during an incident and also contributes to recovery performance.

B. Responsible managers need to be aware of the business continuity-
related performance levels of those who report to them.

C. Top management needs to be able to delegate responsibilities in
order to remove pressure from themselves so that they can focus on
managing the organization.

D. Managers need to ensure that personnel complete tasks quickly and
correctly and follow the precise instructions they are given without
question.

10
Q26. Which of the following would NOT be specified in a plan to measure
business continuity culture?

A. The desired purpose of the outputs of the tests and measures.

B. How the information will be collected and assessed.

C. How the Business Impact Analysis (BIA) will be improved as a result
of the measurement.

D. The part, or parts, of the organization that will be involved.

Q27. The method to measure business continuity culture that explores the
possibility of failed outcomes during the plan writing stage is:

A. Behavioural Consistency

B. Pre-Mortem Checks

C. Document Integrity

D. Unstructured Observations

Q28. The new business continuity (BC) marketing programme, begun three
months ago, includes a new blog, regular postings on the Intranet,
and a monthly BC quiz with prizes. As the programme is not receiving
encouraging feedback, the best approach to be taken by the business
continuity professional is to:

A. Outsource the programme to a service provider.

B. Be consistent and keep working on raising awareness as change will
happen over time.

C. Delegate the responsibility for the programme to the business
owners.

D. Turn the programme over to the Marketing Department.

11
Q29. It is important to ensure that internal stakeholders with no direct
responsibilities for business continuity activities are:

A. Not diverted from their other priorities by participation in business
continuity workshops or awareness raising activities.

B. Advised to volunteer for business continuity roles as part of a
corporate strategy to embed objectives.

C. Reminded why the organization needs protection from disruptions
and how business continuity arrangements are of benefit to all
personnel.

D. Not invited to provide opinions or ideas as this may undermine those
who have specific roles.

Q30. A situation where key interested parties have progressed from a lack of
understanding of the benefits of business continuity (BC) to recognition
of how business continuity adds value to operations and sustains
critical functions is among the positive results of:

A. Carrying out a Business Impact Analysis (BIA)

B. An improved BC culture where BC is embraced

C. Introducing a BC Policy

D. Measuring BC culture

Q31. Which one of the following is a technique to define the impact of a
disruption over time?

A. Business Three-Year Strategic Plan

B. Business Impact Analysis

C. Financial Long-term Assessment

D. Risk Assessment

12
Q32. Which of the following statements about a Process Business Impact
Analysis (BIA) is correct?

A. A Process BIA determines the resources and dependencies required
for the continuity of prioritised activities.

B. A Process BIA is optional for organizations that are less process
driven.

C. A Process BIA can be used to confirm or modify the scope of the
Business Continuity Management System (BCMS).

D. The Process BIA determines prioritised activities that enable product
and service delivery to be resumed within a predetermined timeframe
and capacity following a disruption.

Q33. Which of the following would NOT be a step in the Business Impact
Analysis (BIA) process?

A. Determining the resources required for continuity of activities
following an incident.

B. Determining priorities of products and services and the associated
processes (optional) and activities of the prioritised products and
services.

C. Obtaining top management approval for the BIA results.

D. Providing a return to business-as-usual procedure.

Q34. In relation to the roles and responsibilities that need to be undertaken to
ensure the Business Impact Analysis (BIA) process meets its purpose,
which of the following would be responsible for financial approval for
costs and for allocating competent resources?

A. Business Continuity Professional

B. Activity Owner

C. Risk Management Professional

D. Top Management

13
Q35. A key advantage of using workshops as a method to collect Business
Impact Analysis (BIA) information is that:

A. It allows detailed information to be collected using written
questionnaires.

B. It produces higher quality results by allowing teams to discuss issues
and explore solutions.

C. It requires little effort and time to prepare for the workshops.

D. It allows large amounts of information to be collected through
interview-based conversations.

Q36. When preparing to carry out a Business Impact Assessment (BIA), it is
important to identify processes:

A. For communicating with external interested parties during an
emergency.

B. For allocating costs to the cause of the disruption.

C. That provide research opportunities for future case studies.

D. That operate only during a crisis or business disruption.

Q37. Recovery Time Objective (RTO) can be defined as:

A. The point to which information used by an activity is restored to
enable the activity to operate on resumption of pre-defined levels.

B. Coordinated activities to direct and control an organization with
regard to risk during the timeframe of a disruption.

C. The minimum capacity or level of services or products that is
acceptable to an organization in order to achieve its business
objectives during a disruption.

D. The timeframe within the Maximum Tolerable Period of Disruption
(MTPD) for resuming disrupted activities at a specified minimum
acceptable capacity.

14
Q38. Which of the following should be considered when estimating the
Maximum Tolerable Period of Disruption (MTPD) to a product or service
delivery?

A. Loss of financial value or viability (short or long-term).

B. The organization’s risk profile.

C. The length of time necessary to restore full production as required by
key stakeholders.

D. Opportunities for the organization’s competitors.

Q39. Which type of Business Impact Analysis (BIA) can be used to confirm
or modify the scope of the Business Continuity Management System
(BCMS) and determine the impact of introducing a new product or of
discontinuing an existing service?

A. Process BIA

B. Product and Services BIA

C. Risk Assessment BIA

D. Activity BIA

Q40. Which of the following is NOT an outcome of an Activity Business
Impact Analysis (BIA)?

A. An approved list of prioritised activities that contribute to the
processes needed to deliver products and services.

B. A breakdown of internal and external dependencies.

C. Detailed Maximum Tolerable Periods of Disruption (MTPD) and
Recovery Time Objectives (RTO) and the justifications for them
which should determine the timeframe of solutions for each activity.

D. A gap analysis identifying risks that could disrupt the prioritised
activities.

15
Q41. When conducting an Activity Business Impact Analysis (BIA), it is
essential to obtain approval/confirmation on the accuracy of the data
collected from:

A. Top management

B. Procurement manager

C. Business continuity professional

D. Activity owners

Q42. Which of the following is NOT an example of the resources and
dependencies required to support prioritised activities?

A. Finance

B. Number of personnel needed

C. Transportation and logistics

D. Annual report from the organization

Q43. When considering a consolidated Business Impact Analysis (BIA) for
approval, top management should:

A. Assume that all data and content is correct and fit for purpose.

B. Proof-read the document and ensure that outcomes will reflect
stakeholder requirements.

C. Liaise with communications professionals to arrange external
publication of the final document.

D. Challenge and ensure that data presented is credible, complete,
reliable, and justifiable.

16
Q44. Which of the following factors that are relevant to the management of
risk can limit the value and accuracy of risk assessments?

A. Estimates about the possible severity and impact of risk are often
based on assumptions or incomplete sets of data.

B. All risks are provided on a risk register which can be reviewed
regularly.

C. The use of likelihood calculations to clarify the nature of the risk.

D. Risk owners are allocated to take responsibility for monitoring and
mitigating risks.

Q45. When analysing risks, a score is calculated for each risk identified on
the risk register by combining the likelihood of the risk occurring along
with the:

A. Historical evidence of previous events.

B. Evidence from the risk occurring in other organizations.

C. Consequences for prioritised products and services should it occur.

D. Cost of resources required to mitigate the risk should it occur.

Q46. In relation to solutions designed for business continuity, the purpose of
strategies is to:

A. Analyse options available for mitigating all potential disruptions.

B. Outline the high-level approach to meeting the organization’s
business continuity requirements.

C. Create a central list of the internal and external requirements for
recovery.

D. Test capability to deliver all products and services during a
disruption.

17
Q47. Business continuity solutions must be designed in a way that:

A. Accepts high risks to the organization over all in the short-term in
order to secure immediate resolutions to disruptions in one part of
the organization.

B. Provides an immediate solution regardless of the costs involved both
during the disruption and during the recovery phase.

C. Puts the needs of customers ahead of those of the organization to
retain customer loyalty.

D. Considers all costs and benefits associated with actions in relation to
the organization as a whole.

Q48. One of the three main steps in developing strategies and solutions for
the resumption of business operations is:

A. Conducting a gap analysis to identify whether existing resumption
capabilities meet the business continuity (BC) requirements.

B. Establishing a formal process to measure business continuity culture
and integrate business continuity into day-to-day operations.

C. Developing procedures that document how communications are
coordinated across the organization.

D. Developing initial drafts of business continuity plans.

Q49. Following the completion of a gap analysis to identify whether
new strategies and solutions for business continuity are required,
consideration of the outcomes of the analysis and the decisions on the
direction to be taken to address the outcomes will be made by:

A. The activity owner

B. The resource owner

C. The business continuity professional

D. Top management

18
Q50. Following the completion of a gap analysis, top management may decide
not to close the gap between business continuity requirements and
existing capabilities. Where gaps are not scheduled to be closed, which
of the following actions should be taken?

A. The risk register should be updated in respect of the gaps not closed
and should show that the organization has accepted the risk.

B. Resource and activity owners should reduce their commitment to
business continuity and focus on other organization priorities.

C. The business continuity professional should pursue the
recommended actions regardless of the decision.

D. Personnel should be advised of the recommendations so that they
are fully informed of the negative implications of the decision.

Q51. Which of the following actions will the business continuity professional
carry out as part of the process of business continuity strategy
determination?

A. Identify the priority products and services and prioritise them by
Recovery Time Objective (RTO).

B. Identify risks and single points of failure that need to be mitigated
and included in relevant strategies.

C. Group products, services, processes, activities and resources
requiring strategies by the relevant owner.

D. Prepare procedures to address required strategies.

Q52. Throughout the Solution Design process, the business continuity
professional will work with two primary groups of strategy developers.
The groups are:

A. Incident Response Team Leaders and Human Resources

B. Activity owners and resource owners

C. Crisis Communication and Crisis Management Teams

D. Internal Audit and Quality Management Professionals

19
Q53. Which of the following business continuity solutions would support an
information and data strategy of replication in the case of a disruption?

A. Advising personnel that they must remember to save their work in a
passworded system so that it is not lost and remains secure.

B. Making data accessible via available technology across at least two
separate locations.

C. Contracting former employees and contractors to assist in a
disruption.

D. Keeping paper-based information in secure cabinets.

Q54. Which category of resources would have strategies such as continuous
operation, alternate location, relocate to another work area and relocate
to another facility?

A. People strategies

B. Buildings, work environment, and associated utilities strategies

C. Suppliers and outsourcing partners strategies

D. Information and data (viral records) strategies

Q55. In relation to solutions, which one of the following is an essential
prerequisite for enabling access to funding during a disruption?

A. Establishing an agreement with protocols to access funds from cash
reserves under defined criteria.

B. Ensuring that customers pay their invoices on-time to maintain a
positive cashflow.

C. Determining how the organization is going to finance an exercise
programme.

D. Developing a plan for short and long-term funding of personnel
following an incident.

20
Q56. Which of the following should the business continuity professional
recommend for inclusion in contracts with suppliers and partners?

A. Suppliers must advise the organization of any other customers with
whom they are contracting who operate in the same industry sector.

B. Suppliers must review their recruitment and retention policies in
order to secure high quality staff at all times.

C. Suppliers should advise of any changes to their marketing and
communications strategy.

D. Suppliers must advise of any material changes they have planned
that are associated with the delivery of goods and services to the
organization.

Q57. When developing business continuity strategies which of the following
would consider issues such as the number of people on site in an
emergency, whether there are procedures to furlough staff or modify
their work and how to support people with different needs?

A. Chief Financial Officer

B. People and Culture Manager

C. Facilities Manager

D. Crisis Management Team Leader

Q58. In developing strategies and solutions for risk mitigation, it is essential
to:

A. Avoid being influenced by any existing arrangements in order to
ensure that a fresh approach is introduced.

B. Seek advice from risk management experts from outside of the
organization.

C. Be clear that the costs of a solution should not limit its
implementation.

D. Consider any secondary risks that may be associated with a
proposed mitigation solution.

21
Q59. Why would a business continuity professional choose to hold a meeting
or workshop with activity and resource owners to set out the strategies
and solutions available for mitigation of unacceptable risk and/or single
point dependencies?

A. To develop a combined risk mitigation budget.

B. To describe the strategies and solutions that have been designed
and which they are now required to implement.

C. To consult with the owners of the risks to discuss and agree the best
solutions for mitigating risks.

D. To use their time in the most effective way by talking to all relevant
parties at the same time.

Q60. Which of the following is NOT an outcome of putting in place approved
strategies and solutions for mitigating unacceptable risk and/or single
point dependencies?

A. Personnel are aware of the risks and their personal accountability in
managing them.

B. Protection of activities from disruption with respect to the Recovery
Time Objectives (RTOs).

C. Limitation on the impacts of disruptive events to prioritised activities.

D. Cost effective implementation and operational investments.

Q61. The three main activities involved in enabling solutions are
implementing them, designing the response structure and:

A. Developing plans

B. Updating the Business Impact Analysis (BIA)

C. Recruiting new personnel and experts to carry out the relevant
business continuity roles.

D. Sharing the proposed solutions with all stakeholders and customers
so they are prepared for any incidents that may occur.

22
Q62. Which of the following is needed in order to implement a business
continuity solution effectively?

A. Internal communications to keep all organization personnel informed
of general progress.

B. Personnel within the project team with the appropriate competencies
to deliver the implementation of the agreed solutions and measures
as required.

C. An understanding that only business continuity professionals are
required for implementation.

D. Enabling departments to operate independently and to set targets
and timelines that fit with availability of team members.

Q63. In relation to enabling business continuity solutions, what is the
purpose of establishing a response structure?

A. To enable the development of appropriate training programmes.

B. To ensure that risk assessments on the organization’s products,
services and processes have been documented in order to avoid a
disruption.

C. To ensure that the organization has a documented and well
understood hierarchy of teams for reacting to an incident, regardless
of its cause.

D. To determine a list of internal and external requirements for the
continuity and recovery of the most urgent products, services and
activities.

Q64. Which of the following is a feature of an effective response structure?

A. Detailed instructions for documenting the risks associated with a
disruption or incident.

B. Identification of subcontractors who can take over delivery of key
processes during an incident.

C. Identification of commercial opportunities that could arise via
incidents that occur in other organizations.

D. Clear procedures for escalation when an incident has occurred or
may soon occur.

23
Q65. When developing a response structure for an organization, the process
should take into account:

A. The organization’s marketing plan and targets.

B. The training needed to develop organizations in the supply chain so
that they can support the response.

C. The implementation of a supporting performance management
system in the organization.

D. The size of the organization and the subsequent type and number of
teams required.

Q66. For an operational response team to be effective, all of its members
should have:

A. Authority to communicate on behalf of top management and the
strategic team.

B. An understanding of the business processes to be recovered and
their relationship with other processes.

C. Experience of managing finance and transportation in a crisis
situation.

D. A wide reach across the organization so that they can inspire others
to accomplish goals.

Q67. Which of the following explains why it is important for organizations
to have communication plans and procedures in place for use when
responding to incidents?

A. To ensure that all personnel can take control of public
communications in different situations without needing to refer to the
strategic team.

B. To ensure that the situation is kept confidential and information is not
made known to either internal or external people.

C. To position the organization as the central source of information and
demonstrate its control of the situation.

D. To enable individuals to communicate on social media in a flexible
way reflecting their personal views of the situation.

24
Q68. When an incident occurs, messaging, media strategy and the general
tone of communications are usually determined by:

A. Top management

B. Leader of the recovery response team

C. Business unit most impacted by the incident

D. The business continuity professional

Q69. Communications procedures for engagement with media and social
media during an incident should be two-way in order to:

A. Enable the organization to contact individuals who respond to
communications in a one-to-one conversation during the incident.

B. Enable recipients of the organization’s communications to register
interests in products and services that they can purchase after the
incident is resolved.

C. Secure contact details than can be used after the incident is
resolved.

D. Secure ongoing insight into how interested parties are reacting to the
organization’s response to the incident.

Q70. Which of the following is NOT a feature of a fit for purpose business
continuity plan?

A. It should provide clear, action-oriented, time-based instructions and
quick access to vital information.

B. It should provide information on the background and rationale for the
plan and for the instructions provided so users can understand the
requirements.

C. It should be adaptable so it can be used in a wide range of incidents
including those that the organization may not have anticipated.

D. It should be clearly ordered so that information can be found quickly
when teams are under pressure at the beginning of an incident.

25
Q71. In relation to plans, activation and mobilisation:

A. Is included only in strategic level plans and is always activated at this
level.

B. Must always be triggered simultaneously at strategic, tactical, and
operational levels.

C. Is always commenced at operational level, escalated to the tactical
level, then to the strategic level.

D. Is based on activation criteria as documented in individual plans.

Q72. Which one of the following is a requirement when determining team
meeting facilities to be used should an incident occur?

A. They should be chosen at the time of the incident by the business
continuity professional based on immediate requirements.

B. Selection of facilities should be outsourced to a subcontractor to
identify at the time of a disruption based on current requirements.

C. At least two locations or options should be pre-defined in advance to
ensure appropriate facilities and resources are available.

D. They should be located at a specific site at a considerable distance
from the organization’s premises to ensure safety and confidentiality
of meetings.

Q73. Determining if a situation is a crisis, ensuring legal and regulatory
compliance and declaring when a crisis is over, are responsibilities that
are included in:

A. Strategic plans

B. Operational plans

C. Tactical plans

D. Crisis communication plans

26
Q74. Tactical plans will include:

A. Evaluating the situation to determine if it is a new crisis.

B. Identifying and then mobilising agreed specialist service providers.

C. Accounting for the organization’s personnel and staff and verifying
the results of site evacuation.

D. Resumption of activities with a lower priority or longer Recovery Time
Objective (RTO).

Q75. Which of the following would be included in a plan to support returning
to business as usual (BAU)?

A. Ensuring restrooms and washing facilities are available to operational
personnel.

B. Relocating from alternate resources to primary resources.

C. Providing interface between strategic and tactical teams.

D. Preparing a general background statement about the organization for
release to media.

Q76. What is the purpose of validation of a Business Continuity Management
System (BCMS)?

A. To allow the auditing body to gain an overall independent perspective
of the state of business continuity preparedness in the organization.

B. To reassure the authorities that the organization is in compliance
with regulations on incident response.

C. To demonstrate to the emergency services that procedures are in
place within the organization to offer support and assistance in the
case of an incident arising.

D. To provide methodologies to measure the quality and effectiveness
of the BCMS and business continuity capability.

27
Q77. Validation is achieved through a combination of exercising, review and:

A. Tests

B. Maintenance

C. Self-assessment

D. Reporting

Q78. Which of the following outcomes should exercises aim to achieve?

A. The development of spokespersons to be available in the event of
the organization having an incident or crisis event.

B. The efficient introduction of a new product, new regulations or
change of management within the Business Continuity Management
System (BCMS).

C. Verification of the adequacy, availability and capability of resources
that support continuity solutions.

D. External approval of the policies and systems in place in case of
disruption.

Q79. How can an exercise programme be used to encourage staff to embrace
business continuity?

A. By allocating activities to staff that are outside of their normal
operating role and requiring them to undertake additional learning.

B. By involving staff before, during and after the exercise in a
comfortable learning environment and using the programme to raise
awareness.

C. By highlighting errors made by individual staff members during the
exercise and sharing them with the training group as learning points
for everyone.

D. By organizing exercises outside of standard working hours and
at venues away from the usual working places so that staff can
experience situations outside of their usual routine.

28
Q80. When developing an exercise programme and determining where the
exercises will take place, the programme should be designed in a way
that ensures that the individual exercises:

A. Are all held at a location with no connection to the organization to
encourage theoretical discussion.

B. All take place at the same location so that it is easier to make
comparisons of performance in different scenarios.

C. Focus only on situations where personnel work remote from
organization sites.

D. Are spread across all organization working arrangements both on
and off organization sites.

Q81. A key activity in the process of developing an exercise programme is:

A. Identifying any training requirements for exercise participants or
planners

B. Updating the business continuity plans

C. Reviewing the Business Impact Analysis (BIA)

D. Briefing top management on the exercise scenario

Q82. What type of exercise is always carried out in the normal operational
environment and designed to validate the effectiveness of plans and the
competency of individuals in the most realistic manner?

A. Scenario

B. Simulation

C. Test

D. Live

29
Q83. When planning to carry out an exercise, it is important to consider risks
that may arise as a result of the exercise being conducted. Which of the
following is NOT a consideration to manage risks during an exercise?

A. The disruption that may be caused by the exercise taking place is
planned and agreed in advance to minimise the effect on business
as usual.

B. Top management is advised of any possible risks and these are
understood and accepted.

C. Personnel are advised of formal debriefing scheduling in advance to
ensure that there are no delays in preparing a summary of the event
for external stakeholders.

D. There is a process to end an exercise quickly if any unintended
incident or disruption occurs.

Q84. Which of the following steps in the process of developing and
implementing an exercise plan would come last?

A. Follow up to address any issues the exercise raises and take
corrective action as required.

B. Hold a debrief with the participants immediately after the exercise.

C. Conduct the exercise.

D. Draft a plan and have it approved by the appropriate management
level.

Q85. Which of the following topics would NOT be included in a pre-exercise
briefing for participants?

A. Communication tools to be used

B. A summary of the content of the business continuity policy

C. Exercise aims and objectives

D. Roles and responsibilities

30
Q86. A hot debrief should be conducted:

A. Immediately after the exercise has been completed.

B. As soon as possible after the exercise depending on availability of
participants.

C. After two weeks when all data is available for discussion.

D. No later than a month after the exercise.

Q87. Which of the following is NOT an outcome of an exercise programme?

A. Improved competency of those with response and recovery roles.

B. Understanding of roles, responsibilities and authority in response to
an incident.

C. An external audit report describing financial restrictions.

D. An assessment of the effectiveness of technology and
communications involved.

Q88. Activities to maintain the Business Continuity Management System
(BCMS) should be:

A. Embedded within the business-as-usual processes.

B. Be a separate activity.

C. The responsibility of the business continuity professional.

D. Considered as part of the organization’s updated Business Impact
Analysis (BIA).

Q89. Which type of review provides an evaluation of the Business Continuity
Management System (BCMS) by considering the way whether or not
an individual met business continuity targets and delivered outcomes
within the agreed timescales?

A. Performance appraisal

B. Management review

C. Quality assurance

D. Self-assessment

31
Q90. Which of the following outcomes may result following an organization’s
review of a supplier’s performance?

A. A remedial action plan to reduce the risk of dependency on the
supplier.

B. A decision that no further reviews are needed as the supplier’s
performance is adequate.

C. Stakeholder feedback on the supplier’s performance for further
consideration.

D. A plan to finance the supplier so that they can develop internal
resilience.

END OF EXAM

32