BCI CBCI Certificate of the Business Continuity Institute (CBCI) Exam Practice Test

When BC plans are updated, the organization must be able to prove which version is current, when it was reviewed, what changed, and who approved it. A formal version control process prevents confusion, reduces the risk of using outdated instructions during an incident, and supports assurance/audit needs. BCI guidance on content management for resilience explicitly highlights that clear version control prevents confusion and ensures teams work with the most current information—especially critical during crises when outdated guidance can compound problems.

Option B directly meets that requirement: it identifies review dates and highlights changes so plan owners and responders can trust the document. Option A (just saving to a shared drive) does not ensure people use the correct version or understand changes. Option C is insufficient for operational control. Option D is passive and does not implement document control; it also risks inconsistent distribution. In CBCI practice, controlled documents + versioning are essential to reliable response and recovery execution.

BCMS governance exists to ensure the organization has clear direction, oversight, accountability, and decision-making for business continuity. In CBCI 7.0’s PP1 focus, governance provides the structure for defining scope, setting policy and objectives, assigning roles, allocating resources, and ensuring the BCMS is operated and improved over time. Governance is therefore the foundation that enables consistent implementation and prevents BC from becoming fragmented or optional.

This aligns with internal audit/assurance concepts: effective governance is what allows an organization to evaluate and improve the effectiveness of risk management, control, and governance processes in a disciplined way—BCMS governance works similarly by ensuring BC processes are defined, owned, monitored, and improved.

Option B is too narrow (training is only one governance output). Option C contradicts BCMS intent—independent, inconsistent approaches create gaps and misalignment. Option D is irrelevant; governance must fit the organization’s structure and objectives, not the “sector structure.” Therefore, A is correct.

Strategic plans set the overarching framework and objectives for Business Continuity and are often supported by separate tactical or crisis communication plans tailored to communication needs during disruptions. The CBCI 7.0 course clarifies that while strategic plans guide overall responses, detailed emergency procedures and logistics coordination typically reside in operational or tactical plans, ensuring clarity and focus at different planning levels.

A hot debrief is specifically designed to happen immediately after an exercise, before participants disperse, to capture quick observations and concerns while they are still fresh. The BCI’s Good Practice Guidelines describe the hot debrief exactly this way: held immediately after an exercise, prior to personnel leaving the location, allowing participants to highlight immediate issues and concerns.

This immediate capture is valuable because it reduces memory loss, surfaces “near-miss” issues that observers may not have seen, and helps identify priority improvements for more detailed follow-up analysis. Hot debrief outputs often feed into a more structured “cold” debrief or formal after-action report later, once logs and evidence are reviewed and performance can be assessed against objectives.

Therefore, option D is correct. Interviews and surveys can support learning, and formal debriefs can be held later, but the “immediately after, before leaving” definition is the hallmark of a hot debrief.

Effective crisis communications exist to protect people, operations, trust, and reputation by ensuring stakeholders receive timely, accurate, and consistent information. That includes providing vital information to those affected (option A) and giving assurance to interested parties by demonstrating the organization is responding responsibly and transparently (option B). It also helps establish an authoritative “single source of truth” to reduce confusion and misinformation (option C), which is a widely used crisis-communications principle and supports coordinated response.

Option D is NOT a valid reason in BC good practice terms. A crisis is not an ethical marketing opportunity; attempting to leverage public attention for new business can damage trust, distract from response priorities, and conflict with the purpose of crisis communication (safety, clarity, confidence, and stakeholder care). Crisis communications frameworks stress planning, rehearsing, and implementing communications to support effective response—not commercial exploitation.

Important note on “100% verified from CBCI 7.0 course documents”: the official CBCI 7.0 courseware itself is not publicly accessible for me to quote directly, so I verified these answers against official BCI GPG materials and BCI’s published PP6/PP2 guidance (which the CBCI exam is based on).

When selecting solutions, resource or activity owners focus on factors such as advantages, disadvantages, costs, and implementation timelines, which directly affect feasibility and operational impact. The CBCI 7.0 course clarifies that while validation exercises are important for testing solutions, the choice and evaluation of solutions themselves typically do not consider the type of exercises planned for later validation phases. Exercise planning is a separate activity handled by the validation team, not the solution selectors.

In CBCI 7.0, Enabling Solutions (PP5) focuses on implementing the agreed solutions produced in Solutions Design (PP4) and ensuring those solutions can be deployed through the response structure and BC plans. The GPG 7.0 Lite explains that once solutions have been specified and approved (PP4), they must be implemented before they can be deployed, and then supported by response structures and plans. Crucially, validation later confirms that implemented solutions work according to the agreed specifications. That means implementation must align to what was designed and approved—otherwise the organization risks implementing something that does not meet recovery requirements (e.g., RTOs, minimum capacity, dependency assumptions) and will likely fail validation or real incident use. Options A and B misunderstand governance: internal audit doesn’t “approve schedules” as a prerequisite, and the BC professional does not implement everything alone. Option D can undermine control; changes should be managed through governance/change control, not ad-hoc adjustment.

When establishing a BCMS, good practice is to create governance that supports informed decisions, prioritisation, and cross-functional coordination. The BCI’s guidance explicitly recognises the value of a steering group/team to “oversee, advise and make recommendations to top management,” ensuring the programme is guided by the right expertise and stakeholder perspectives rather than being driven by one function alone. This fits the purpose of PP1 (Establishing a BCMS), which includes establishing high-level governance and coordinating interrelated activities such as scope, policy, objectives, and roles/responsibilities.

Options A and B rely on coercion (rules/mandatory obligations). While participation is important, “forcing” engagement often undermines ownership and culture—whereas a steering group creates structured, senior-supported engagement and clearer accountability. Option D can be useful for specific inputs (e.g., supplier continuity requirements), but routinely inviting external parties into BCMS establishment is not the core good-practice governance mechanism; external expectations are normally managed through contracts, SLAs, assurance, and stakeholder communications rather than open-ended participation in internal governance.

A response structure must work under pressure, with clear leadership, decision rights, and coordination across incident management, crisis management, and recovery teams. In PP5 (Enabling Solutions), organizations embed agreed solutions by establishing response arrangements and plans that can actually be executed during disruption; that requires putting competent individuals into key leadership roles so decisions are timely, coordinated, and aligned to priorities.

Option B is therefore the correct inclusion in the process: ensure appropriate and competent individuals are assigned to leadership roles. Competence matters because leadership roles require situational assessment, escalation, communications, and resource prioritization—not just job titles.

Option A can be useful for specific dependencies (e.g., supplier coordination) but it is not a core requirement for designing the internal response structure. Option C is overly rigid: the response structure should integrate with existing management and operational structures where practical, rather than forcing wholesale reorganization. Option D (performance management) is not a prerequisite design step for response structures; it may support broader governance, but effective response depends first on clear roles, authority, and capable leadership.

To foster commitment, Business Continuity must be embedded in the daily organizational culture, not merely treated as an administrative requirement or compliance exercise. The CBCI 7.0 course highlights that including Business Continuity topics in the introductions to meetings and events encourages ongoing dialogue and reinforces its importance. This practice nurtures a sense of shared responsibility and engagement, which is more effective than punitive measures or passive communication. Embedding Business Continuity in routine interactions helps personnel internalize its significance, promotes continual awareness, and strengthens their relationship with the organization’s resilience goals. This proactive, inclusive approach ensures commitment is sustained over time, improving response effectiveness during disruptions.

CBCI 7.0 (via GPG 7.0) is explicit that improving BC culture is not primarily achieved through compliance enforcement; instead, it is achieved by embedding BC into “how we operate” so people personally understand why it matters and choose to engage. PP2 (Embracing Business Continuity) focuses on improving the BC culture underpinning the BCMS over time, shifting away from a compliance-only model toward shared beliefs, attitudes, and behaviours that sustain readiness.

Option D matches this directly: when BC becomes a culture—supported by personal belief (“my role matters”) and corporate behaviours (leaders model it, teams practice it)—voluntary commitment increases. Option A can drive attendance, but forced participation often produces box-ticking rather than ownership. Option B creates resistance by framing BC as “someone else’s mandate.” Option C can overload people and reduce engagement if responsibilities are added without meaning, support, or prioritization. The best CBCI-aligned answer is D.

BCMS governance is about direction, oversight, and control—setting expectations, monitoring whether the BCMS is effective, and ensuring it remains fit for purpose. The BCI GPG 7.0 (Lite) highlights that a BCMS must operate and maintain processes and response structures while monitoring and reviewing performance and effectiveness, and using qualitative/quantitative measures to drive continual improvement. Governance also includes ensuring the BCMS aligns with external obligations such as relevant legal and regulatory requirements, because non-compliance can create unacceptable impacts and can influence priorities and recovery requirements.

What governance does not do is “run the recovery work” itself. Carrying out specific operational activities (e.g., restoring systems, relocating teams, executing step-by-step recovery tasks) is the role of operational teams and plan owners under the response structure, not BCMS governance. Governance ensures those operational capabilities exist, are resourced, and are validated—but it does not execute them day-to-day. Therefore, option A is the activity that is not part of governance, while options B, C, and D are core governance responsibilities.

The CBCI 7.0 course stipulates that appointing deputies or alternates for each BCMS role is a governance best practice ensuring continuity of responsibility and decision-making. Deputies are subject matter experts equipped to act on behalf of the primary role holder during absences, maintaining operational integrity and responsiveness. Relying on the Business Continuity professional or Incident Response Team to cover absent roles without formal deputization risks delays and gaps. Putting responsibilities on hold is unacceptable as it compromises continuity efforts.

Within CBCI 7.0 (aligned to BCI GPG 7.0), validation includes exercising and testing to confirm the BCMS performs as intended and stays effective as the organization changes. Good practice is not to “set and forget” an exercise programme; it must be kept current as threats, dependencies, operating models, staffing, suppliers, technology, and locations evolve. The BCI explicitly states that exercises should be performed at planned intervals and when there are significant changes within the organization or the context in which it operates—this directly supports the need to review the exercise programme regularly at pre-defined intervals or after significant change.

Option A is partly true (exercise objectives should reflect BIA and solutions), but it doesn’t capture the key “effective programme” control: continuous review/update. Option B can help comparison, but repeating the same framework can also create predictability and miss emerging risks. Option D may inform scenarios, yet customer concerns alone should not drive the programme. The strongest CBCI-aligned answer is C.

The CBCI 7.0 course identifies gaining an understanding of the organization’s culture as a foundational step in moving from merely embedding Business Continuity practices to fully embracing them. Cultural insights enable targeted interventions that align Business Continuity with existing values, beliefs, and behaviours, enhancing engagement and ownership. Policies and role assignments are important but less effective without cultural alignment. Outsourcing continuity as a project risks detachment from organizational realities. Understanding culture guides effective communication, training, and leadership strategies that foster a pervasive continuity mindset.

The CBCI 7.0 course states that conducting the risk assessment after the BIA allows the organization to prioritize risk treatments effectively by focusing on the critical activities identified during the BIA. The BIA highlights which business functions are most important and the impact of their disruption, enabling the risk assessment to concentrate on threats that could affect these priority areas. This sequencing ensures that resources and mitigation efforts are directed toward protecting the most significant risks impacting continuity objectives. Resource availability is not the primary reason, and risk assessments are integral to ongoing BCMS maintenance rather than conditional on business plan updates or solution development.

Exercising business continuity plans involves balancing the need to simulate realistic scenarios while minimizing unintended disruption to normal operations. The CBCI 7.0 course instructs that exercise planners must anticipate and control any business as usual impacts through careful planning, monitoring, and mitigation during the exercise. Ignoring risks or dismissing business as usual commitments undermines organizational operations and can reduce support for continuity activities. Managing disruption effectively ensures exercises achieve their objectives without unnecessary operational costs.

Operational plans require detailed instructions tailored to the recovery needs of specific activities. The CBCI 7.0 course explains that factors such as the RTO, the skills of recovery teams, and process complexity influence the granularity of these plans. Shorter RTOs or complex processes demand more detailed operational plans to guide recovery actions precisely and minimize delays. Strategic plans set high-level direction and are less detailed; crisis communication and emergency response plans focus on information and immediate safety rather than detailed recovery steps.

Embracing Business Continuity increases commitment to ongoing maintenance, including regular plan reviews and updates, to ensure plans remain effective and relevant. The CBCI 7.0 course highlights that a strong Business Continuity culture does not reduce maintenance needs; rather, it ensures such activities are prioritized and valued. Reduction in maintenance requirements would signal neglect, risking preparedness. Other outcomes include prioritization of tasks and external recognition of Business Continuity’s value.

The CBCI 7.0 course details that one of the primary benefits of conducting Business Continuity exercises is to confirm that personnel understand their roles and the authority they possess during an incident. Exercises simulate actual disruption scenarios, allowing participants to practice decision-making, communication, and coordination within their roles. This hands-on engagement reveals gaps in knowledge, clarifies responsibilities, and builds confidence, which are crucial for effective incident management. While exercises contribute to validating BCMS processes and improving task integration, their immediate operational benefit is ensuring personnel readiness and role familiarity. Understanding the BIA requirements or regulatory compliance are indirect benefits but not the core purpose of exercises. Exercises also reinforce the practical application of plans, helping teams to respond efficiently under pressure.

In CBCI 7.0 (aligned to BCI GPG 7.0), supplier prioritisation is driven by business continuity requirements, not convenience. The GPG Lite 7.0 defines priority suppliers as those that support prioritised activities and would have the greatest impact if they fail to deliver required resources—thereby affecting the organization’s ability to deliver its products or services. When developing solutions, this means focusing first on suppliers that the organization needs earliest to meet recovery requirements, which typically aligns to shorter RTOs for the activities/products they support. If an activity must be resumed quickly, the supplier inputs that enable that activity must also be available quickly; otherwise, the RTO cannot be met even if internal teams are ready.

Options C and D are not reliable criteria: proximity and prior contracting may help logistics, but they do not tell you whether supplier failure would jeopardize priority delivery within required timeframes. Option A (longer RTO) would delay attention away from the most time-critical dependencies. Prioritising suppliers supporting short-RTO activities is therefore the most CBCI-consistent approach.

CBCI 7.0 emphasizes that establishing and operating a BCMS is not static; it is “an iterative journey of continual improvement over time.” Governance—roles, responsibilities, accountabilities, and authorities—must therefore mature as the organization learns what is required to run the BCMS effectively across policy, analysis, solutions, enablement, and validation. Early in development, organizations often start with a high-level governance model and then refine it as scope, priorities, dependencies, and response structures become clearer through BIA/RA outputs, strategy decisions, and early plan development. This is why option B is correct: the organization may not fully understand all governance requirements at the beginning and must revise them over time.

Option A is too narrow: governance refinement does not depend solely on completing a first exercise; it evolves throughout implementation. Option C may be true in some organizations, but “time-consuming approval” is not the fundamental reason governance is iterative. Option D (training) supports competence, but training alone doesn’t explain why governance structures themselves must be revisited and adjusted as the BCMS develops.

The CBCI 7.0 course highlights that the consolidated BIA report, combining all individual BIAs, serves as a key governance document submitted to top management for review and approval. This final approval confirms that management understands the criticality of prioritized activities, recovery objectives, and resource requirements. It enables informed decision-making regarding resource allocation, strategy development, and risk treatment. While BIA participants, auditors, and exercise planners use the report, top management’s endorsement is critical for organizational commitment and effective BCMS progression.

An Activity Business Impact Analysis (BIA) is a crucial component of the Business Continuity Management System (BCMS) that focuses on identifying and prioritizing the activities within the organization that contribute to delivering critical products and services. According to the CBCI 7.0 course, the Activity BIA maps out which activities are most urgent and vital, and it determines the necessary resources and interdependencies required to maintain or restore these activities following a disruption. This detailed understanding enables the organization to allocate resources effectively and design recovery strategies tailored to priority activities. Unlike a broad process or product BIA, the Activity BIA provides granular insights into operational components, ensuring continuity plans address practical recovery needs and dependencies.

CBCI 7.0 expects visible leadership commitment because BCMS success depends on senior sponsorship, resourcing, and consistent messaging. When top management embraces BC, they actively support awareness, training, and engagement so BC becomes understood beyond the small group formally involved in the BCMS. The BCI’s PP2 guidance highlights that embracing business continuity is a process of education and awareness—reminding staff what is at stake and who depends on the organization’s products and services. Leaders who embrace BC amplify this through promoting awareness and training across the workforce.

Option A contradicts good practice: a BCMS should be aligned to organizational purpose and objectives, not independent. Option C is the opposite of the expected outcome. Option D describes weak governance—reviews only “if time permits” and slow follow-up—whereas leadership embrace typically strengthens governance cadence and improvement discipline. Therefore, B is the correct outcome.

The BCI GPG 7.0 (Lite) explicitly defines Recovery Time Objective (RTO) as: “The time frame within the MTPD for resuming disrupted activities at a specified minimum acceptable capacity.” This matches option B exactly and aligns with ISO-aligned BC terminology used in CBCI 7.0. The key elements are:

Time-based target (how quickly),

Within the MTPD (before impacts become unacceptable), and

Minimum acceptable capacity (not necessarily full restoration—often a Minimum Business Continuity Objective level first). Option A incorrectly frames RTO as a “suspension” period; RTO is a resumption target. Option C is closer to a general “downtime” description but still misses the formal link to MTPD and specified minimum capacity. Option D describes full recovery/return to normal, which is usually a later target than the RTO (many organizations resume at a minimum level first, then restore fully).

The CBCI 7.0 course highlights that categorizing strategies by timeframe is an effective method to ensure focus on activities with short RTOs. This approach visually and operationally segments recovery strategies, allowing the organization to prioritize resources and actions that address the most time-critical functions first. Including BIA extracts supports understanding but is insufficient on its own. Risk assessments inform treatment choices but do not inherently prioritize by RTO. Workarounds for non-priority activities are useful but are a secondary measure after prioritization. Categorizing by recovery time frames aligns operational focus with impact tolerances.

During an incident, immediate people-related requirements prioritize life safety, welfare, and accountability. In BC response structures, People/HR (often called People & Culture) typically focuses first on confirming who is affected, ensuring personnel are safe, supporting access to medical/physical care, and establishing reliable communications with staff and (where appropriate) family members. These actions reduce harm and enable leadership to make accurate decisions about escalation and support. This aligns with crisis/incident management good practice where “accounting for people” and welfare support are immediate priorities before broader recovery work is initiated. (ready.gov)

Option C—assigning recovery responsibilities to staff away from the site—is important for recovery enablement, but it is not an immediate care/wellbeing requirement. It belongs more to operational recovery coordination and plan activation once the immediate safety picture is understood. Options A, B, and D are directly tied to immediate welfare: confirm personnel status, contact and support staff/families, and enable access to care. Therefore, C is the correct “NOT immediate requirement” for the People and Culture Management team when the focus is specifically care and wellbeing.

In BC validation and exercising, “injects” are simulated messages used to drive decisions and actions. Using a clear code word (e.g., “For exercise” / “Exercise only”) is essential to prevent simulated information being mistaken for a real incident notification—especially when exercise communications travel through normal channels (phone, radio, email, chat). This protects people, avoids unnecessary escalation, and prevents operational disruption caused by staff believing a real emergency is underway. Exercise guidance commonly defines “For Exercise” as a preamble meaning the message relates to the exercise only and “is not to be confused with real activity,” and recommends prefixing simulated calls/messages accordingly.

Therefore, option A is correct.

Option B (confidentiality) is not the main purpose of the code word; confidentiality is handled through exercise ground rules and distribution controls. Option C is not what the code word signifies. Option D is the opposite of the intent—while participants should act realistically within the exercise play, the code word ensures everyone understands the scenario is simulated, preventing real-world misinterpretation and unintended consequences.

Business as usual (BAU) plans are designed to restore normal operational conditions after a disruption, often returning systems and processes to pre-incident states. The CBCI 7.0 course underlines that these plans must consider new vulnerabilities that may arise as a result of the disruption’s impact on resources or operational environments. Incidents can introduce changes such as weakened controls, damaged infrastructure, or altered workflows, which must be addressed to prevent recurrence or new risks. While BAU plans should be prepared in advance, the focus is not just on resource availability or reversing recovery sequences but on understanding the dynamic context post-disruption. This approach ensures resilience not only in restoration but in strengthening the organization against future incidents.

Questionnaires and surveys are widely used and effective techniques for gathering BIA information. They enable the Business Continuity professional to collect standardized data on activity priorities, dependencies, and recovery requirements from a broad range of stakeholders. The CBCI 7.0 course highlights that well-designed questionnaires provide structured insights while being scalable and efficient, especially in larger organizations. While workplace observation and reviews provide useful context, and budget reviews may give financial perspectives, they are not primary tools for capturing the detailed operational data needed for BIAs.

Planning an exercise is about designing a safe, realistic, objective-led activity that validates defined capabilities. Core planning considerations include the budget (what scale is feasible), the participants/teams needed to meet the objectives, and the plausibility of the scenario so the exercise is credible and produces meaningful performance evidence. GPG-aligned exercise guidance also highlights that exercises aim to improve capability and competency and should be delivered in a controlled learning environment—scenario realism is a key part of that.

Option D is the one that would not normally be a planning consideration for the exercise itself. After an exercise, communications are typically handled internally through debriefs, reports, and improvement actions; external communications “after completion” is not a standard exercise-planning requirement in BC validation. External messaging is more relevant when the exercise is public-facing or regulatory-driven, but that is not implied here. The planning focus is on objectives, scope, participants, realism, logistics, and safe delivery.

CBCI 7.0 treats maintenance and review as part of ensuring the BCMS remains effective and fit for purpose over time. In BCI guidance, maintenance activities are commonly triggered by meaningful change—especially changes that alter risk, dependencies, or the organization’s operating context. A core trigger explicitly referenced in BCI Good Practice material is “changes to the environment in which the organization operates.” This includes shifts such as new geopolitical conditions, supply-chain volatility, technology changes, emerging threats, regulatory changes in the wider environment, or market/infrastructure changes that can invalidate assumptions in the BIA, strategies, plans, and response structures.

Option A therefore represents a direct and widely recognized trigger for BCMS maintenance. By contrast, option B (performance appraisal process) is usually an internal HR mechanism and only indirectly relevant unless it changes competence/accountability expectations for BC roles. Option C (external auditor changes) does not inherently change continuity capability. Option D (competitor organizational structure) is not a BCMS maintenance trigger in itself; benchmarking can inform improvement, but it doesn’t automatically require maintenance updates.

In CBCI 7.0 (based on the BCI GPG Edition 7.0), Solutions Design (PP4) is where the organization determines how it will meet its business continuity requirements identified in Analysis (PP3). PP3 outputs—especially risk assessment results—are key inputs into PP4 so that proposed strategies and solutions address real disruption risks and resource vulnerabilities.

Assessing viability is not only about whether a solution meets recovery requirements; it must also be justified and sustainable. The GPG highlights that strategies and solutions must meet BC requirements while remaining considerate of costs and benefits, noting that mitigation cost should not exceed disruption cost or create secondary risk.

Horizon scanning fits this same viability purpose: it helps anticipate emerging external threats, trends, and changes that could invalidate a solution over time, ensuring chosen strategies remain fit-for-purpose as the operating environment evolves. This is consistent with the GPG emphasis on designing solutions that remain appropriate to the organization’s needs and context, rather than selecting options in isolation.

Automation tools can significantly improve the efficiency of the BIA process: they help store results for reuse, standardize data capture, speed up consolidation, and generate reports quickly and consistently (supporting options A–C). However, they do not eliminate the need for direct engagement with the right people. In CBCI 7.0 / GPG-aligned practice, BIA quality depends on accurate understanding of products/services, activities, dependencies, minimum resources, and time-based impacts—information that typically resides with product owners, activity owners, and resource specialists. Tools can streamline collection and analysis, but they cannot replace the judgment, context, and validation that come from workshops, interviews, and stakeholder review. BCI commentary on using AI/automation for BCM highlights the efficiency gains while warning that human intelligence remains vital for interpreting data and designing effective continuity outcomes—supporting the conclusion that engagement is still required. Therefore, D is the option that is NOT a benefit.

In CBCI 7.0 (aligned with GPG 7.0 practice), Validation includes exercising and testing to confirm that arrangements and plans work as intended and that people understand their roles. A discussion-based exercise is specifically designed as a low-pressure environment where participants talk through roles, decisions, and plan steps, often using a hypothetical situation to prompt discussion. This format is widely used to help teams explore issues, clarify responsibilities, and identify gaps without the cost, stress, or operational impact of a live simulation.

That is why option D is correct.

A scenario (table-top) exercise is often discussion-based, but the defining feature in the question is the exercise type that is explicitly low-pressure and walk-through in nature—this matches “discussion-based.” A simulation exercise is typically more realistic and pressured (sometimes involving time compression, actual call-outs, or technical failover), and therefore not the best match. “Investigative” is not the standard label for this low-pressure walk-through category in common BC exercise groupings. Discussion-based exercises are often used early to build confidence and validate understanding before moving to more demanding exercise types.

Risk treatment is a fundamental phase within the risk management process, focusing on how identified risks will be managed to reduce their potential impact or likelihood. The CBCI 7.0 course clarifies that risk treatment involves selecting and implementing measures to either prevent risks from occurring or to minimize their adverse effects on the organization. This step is critical to building resilience, as it directly influences the mitigation of unacceptable risks that could disrupt key business activities. While assigning responsibility, scoring risks, and reporting are important supporting actions, the core purpose of risk treatment is to apply controls and strategies that reduce risk exposure effectively, thereby enhancing continuity readiness.

Aligning supplier capabilities with the organization’s RTOs is essential to maintain continuity of critical supply chain functions. The CBCI 7.0 course specifies that suppliers must be able to recover and deliver their products or services within timeframes that meet the organization’s recovery requirements to avoid operational disruption. While quality in business as usual and procurement review are important, they do not guarantee supplier resilience. Prioritizing existing suppliers solely on relationship basis without evaluating continuity capability risks supply failures. Ensuring RTO alignment is a critical criterion in supplier strategy development.

CBCI 7.0 aligns its risk assessment language to ISO/BCI terminology. BCI guidance defines risk assessment as an overall process of risk identification, risk analysis, and risk evaluation. In the wording of your question, “listing risk sources” maps to risk identification, and “performing a risk source analysis” maps to risk analysis (examining likelihood and consequences to understand risk level). The third step, therefore, is risk evaluation—comparing analysed risks against agreed criteria (risk appetite/tolerance) to decide whether further action is needed and to prioritise treatment.

Option C (assessing consequences) is part of risk analysis, not the final step. Options A and B can be helpful techniques, but they are not the standard third step in the three-step risk assessment model used in BC/ISO-aligned frameworks. Therefore, the correct answer is D: Evaluating risks.

An effectively communicated Business Continuity policy sets the tone for organizational commitment and clarifies the purpose, scope, and relevance of the BCMS. The CBCI 7.0 course stresses that clear communication of the policy ensures all personnel understand the BCMS’s importance and how it will be applied, fostering engagement and shared responsibility. While defining scope and appointing steering groups are critical, they do not on their own generate organization-wide understanding. The policy acts as the foundational document promoting awareness and alignment.

An alternate location strategy for physical infrastructure focuses on providing usable workspace quickly when a primary site is unavailable. Solutions that can be available within hours typically rely on options the organization already controls—such as repurposing internal space (often described in continuity guidance as “displacement/budge-up,” using other facilities, or relocating teams into existing sites). This is the most realistic “hours-scale” approach because it avoids procurement lead times and complex engineering dependencies.

Option B fits that model precisely: repurposing other work areas and facilities can be activated rapidly with basic logistics (access, seating, connectivity, and prioritization of critical teams).

Option A (working from home) can be a valid continuity strategy, but the question specifies physical infrastructure and an alternate location approach; remote working is not a physical alternate site solution in the same sense. Options C and D typically take longer than hours: ordering/installing equipment and rebuilding/reconnecting utilities involve supply chains, specialist work, and external dependencies. Therefore, B is the best answer.

The CBCI 7.0 course explains that defining the BCMS scope is a dynamic process, which means that the parameters set are not necessarily permanent and may be reviewed and revised as organizational needs, risks, and priorities evolve. While the scope provides clarity on which parts of the organization, products, services, and activities are included, it must remain flexible to adapt to change. Permanent or fixed parameters risk locking the BCMS into outdated or incomplete coverage, reducing effectiveness. Efficient use of time and resources is a benefit of appropriate scoping, but permanence is not a characteristic of good scope definition.

The CBCI 7.0 course specifies that activation of strategic, tactical, and operational plans must be based on the conditions or triggering events detailed in each specific plan. Each plan type serves distinct purposes at different organizational levels and phases of incident response. Strategic plans set the overarching direction; tactical plans translate this into actions, and operational plans provide detailed task instructions. The triggering conditions—such as incident severity, scope, or impact—dictate when each plan should be activated to optimize resource use and response effectiveness. Simultaneous activation is neither practical nor efficient. Activation cascading from the strategic team is a controlled process, but ultimately depends on predefined triggers, ensuring an orderly and appropriate escalation.

Plans at different levels (strategic, tactical, operational) typically share common foundational elements: a clear purpose and scope, key assumptions, and objectives (C), so users understand when and how to apply the plan. They also usually include escalation guidance (A) so issues are raised to the right level quickly, and stand-down/transition procedures (D) so teams can safely return to normal operations and capture learning after resolution. These elements support coordinated response across the response structure.

However, risk assessments for each possible scenario (B) would not be included “at all levels” of plans. Risk assessment is a distinct analysis activity, and while plans may reference key threats or assumptions, they are generally not built as scenario-by-scenario risk assessment catalogues—especially not across every plan level. The BCI distinguishes BIA (impact over time) and Risk Assessment (risks to prioritised activities) as analysis techniques; plans then enable execution of the chosen solutions and response arrangements.

So, risk assessments may inform plans, but they are not a universal content component at every plan level. Therefore B is correct.

In GPG 7.0’s Validation practice (PP6), a post-incident review is emphasised as a way to evaluate response and recovery efforts and determine the extent to which “plans, capabilities, and competencies met the business continuity requirements.” To do that credibly, the review must capture factual, first-hand evidence from the people who experienced the incident and those who executed the response and recovery—what happened, what decisions were made, what worked, what didn’t, and why. That is exactly what option A provides.

Option B shifts the review into blame allocation, which undermines the constructive learning mindset that validation aims to build (identify strengths and improvements positively). Option C contains a desirable outcome (an improvement plan), but the question asks what should be included in the post-incident review itself; without structured input from participants, improvement actions become speculative. Option D (audit reports) can be a useful reference, but it is not the defining content of a post-incident review of actual response/recovery performance.

While stakeholder engagement facilitates collaboration, reduces conflict, and helps identify relevant policies, it does not primarily serve to lessen the workload of the Business Continuity Professional by delegating administrative tasks. The CBCI 7.0 course clarifies that stakeholder involvement is about gaining support, expertise, and ownership rather than shifting administrative burdens. The Business Continuity Professional retains core responsibility for managing the BCMS, though collaboration supports efficient and effective program delivery.

BCI GPG 7.0 places business continuity plans inside PP5 – Enabling Solutions. PP5 covers implementing agreed solutions, establishing a response structure, and developing/managing strategic, tactical, and operational BC plans so the solutions can be used effectively during incidents. Therefore, option A is correct.

Option B (exercising plans) is part of PP6 – Validation, where exercising, maintenance, review, and post-incident learning confirm whether the established BCMS meets the objectives set in policy. Option C (developing strategies) belongs to PP4 – Solutions Design, where strategies and solutions are identified and selected based on analysis outputs. Option D (updating policy) is a management practice activity within establishing/maintaining the BCMS governance and direction (PP1). In short: PP5 is where solutions become operational through response structures and plans, so the organization can actually execute recovery.

The CBCI 7.0 course defines embracing Business Continuity as a cultural commitment by personnel who recognize the importance of Business Continuity in protecting organizational interests. It goes beyond policy mandates or role compliance and reflects genuine belief and ownership. Embracing Business Continuity is integrated with the broader organizational culture rather than existing separately. This deep commitment improves resilience and the effectiveness of continuity efforts at all levels.

Within PP5 (Enabling Solutions), communications arrangements are enabled through defined roles, procedures, and coordination mechanisms so messaging is timely, accurate, and controlled during an incident. A designated spokesperson is a core crisis-communications role because they provide the public-facing “voice” of the organization and personify the response to external audiences. The CDC’s Crisis & Emergency Risk Communication guidance describes the designated spokesperson as critical in a crisis and emphasizes that the spokesperson embodies the organization’s response for various audiences.

That aligns directly with option C: representing the organization at press conferences (and similar media interactions). Option A can be performed by communications advisors, but it is not the defining duty of the spokesperson role itself. Option B (writing social media for operational teams) is typically handled by communications staff under the communications lead, not necessarily the spokesperson. Option D (regulator post-incident reviews) is usually led by accountable executives, legal/compliance, and incident owners; the spokesperson may support, but it is not the primary spokesperson duty described in crisis-communications guidance.

Personnel embracing Business Continuity fosters a culture that supports the design and implementation of a BCMS tailored to the organization’s unique culture, risks, and operational realities. The CBCI 7.0 course underscores that when personnel actively engage with continuity practices, the BCMS reflects actual organizational needs, leading to practical, accepted, and effective continuity programs. Commitment does not reduce the necessity for regular updates or validation; instead, it enhances the quality and relevance of those processes. While public confidence may improve indirectly, the key outcome is the fit-for-purpose nature of the BCMS driven by engaged personnel.

In CBCI 7.0, PP3 – Analysis introduces the BIA as a core technique used to estimate impacts over time and determine recovery priorities and resource requirements. Because BIA must be repeatable and comparable across the organization, it requires strong coordination, clear methodology, and consistent language. The BCI’s PP3 overview notes a key emphasis on making BIA practical and ensuring consistent language and messaging, with clearly defined stakeholder roles and responsibilities.

That coordination responsibility sits with the Business Continuity Professional (or BCMS lead) who prepares the approach, plans the work, manages stakeholders, delivers facilitation and consolidation, and ensures consistent application of definitions (e.g., products/services, prioritised activities, MTPD/RTO) and outputs for decision-making.

An Activity Owner typically provides the subject-matter detail for their activity (dependencies, impacts, minimum resources) but does not usually design or manage the enterprise-wide BIA process. A Risk Assessment Professional may support risk analysis, but BIA is distinct and focuses on impact/priority and continuity requirements. Top management sponsors, sets direction, and approves outcomes, but does not normally run the end-to-end BIA production process.

The CBCI 7.0 course identifies Business Continuity awareness measurement as a method involving regular assessments of personnel engagement levels with Business Continuity culture initiatives. Periodic checks gauge how many employees have been reached by awareness programs, training, and communications. This quantitative approach provides tangible data on the penetration of continuity culture across the organization, informing areas needing focus or improvement. Unlike unstructured observations or broader culture indices, awareness measurement specifically targets the spread and effectiveness of Business Continuity messaging and understanding.