Regulatory compliance is the adherence to laws, regulations, guidelines and specifications relevant to an organization's business processes. It has always been a challenge to organizations since it has a significant influence on corporate planning, such as strategic objectives, policies, procedures, risk management, performance measurement and improvement. Regulatory compliance can also affect the organization's reputation, customer satisfaction, stakeholder confidence and legal liability. Therefore, organizations need to establish, implement, maintain and improve a business continuity management system (BCMS) that meets the requirements of ISO 22301 and other applicable regulations.Reference: ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems (BCMS), Section 1.2: Regulatory Compliance, page 9.

:The document that is owned by executive management and sets the purpose of BCM in an organization is the Business Continuity Policy. The Business Continuity Policy is a high-level document that defines the scope, objectives, principles, and roles and responsibilities for business continuity management within the organization. It also demonstrates the commitment of top management to support and continually improve the BCMS.The Business Continuity Policy is one of the mandatory documents required by ISO 22301, the international standard for BCMS12.

The other options are not correct because they are not documents that are owned by executive management and set the purpose of BCM in an organization. A Business Process Policy is a document that describes the procedures and rules for performing a specific business process, such as procurement, sales, or accounting. A Register is a document that records and tracks the status of certain items, such as risks, incidents, or assets. A Worksheet is a document that contains data and calculations, such as a spreadsheet or a form.

The Act phase of the PDCA cycle consists of improvement. The Act phase is the fourth and final phase of the PDCA cycle, following the Check phase. In the Act phase, the organization takes action based on what it learned from the Check phase, where it monitored and evaluated the results of the Do phase, where it implemented the plan developed in the Plan phase.The action can be one of the following options1:

If the change was successful, the organization can standardize and stabilize the change, and communicate and document the results and the lessons learned. The organization can also identify opportunities for further improvement and start a new PDCA cycle with a different plan.

If the change was not successful, the organization can identify the root causes of the failure and revise the plan accordingly. The organization can also start a new PDCA cycle with the revised plan or a different plan. The Act phase is the phase where the organization improves its processes and performance by incorporating the learning from the previous phases. The Act phase also helps the organization to sustain the improvement and prevent the recurrence of problems.The Act phase is aligned with the clause 10 of ISO 22301, the international standard for business continuity management systems, which requires the organization to improve its business continuity management system by taking corrective actions, addressing nonconformities, and enhancing customer satisfaction2.Reference:

ISO 22301 Auditing eBook, Chapter 1: Introduction to Business Continuity Management Systems, Section 1.3: PDCA Cycle1

ISO 22301:2019 - Security and resilience --- Business continuity management systems --- Requirements, Clause 10: Improvement2

Corporate defences are the measures and mechanisms that an organization implements to protect itself from internal and external threats and disruptions. Corporate defences include guidelines, procedures, and physical control systems that aim to prevent, detect, respond to, and recover from incidents that may affect the organization's assets, operations, performance, reputation, or continuity. Corporate defences are an essential component of business continuity management, as they help to ensure the organization's resilience and sustainability in the face of uncertainty and volatility. Corporate defences should be aligned with the organization's objectives, values, and culture, as well as the requirements and expectations of its stakeholders.Corporate defences should also be based on a systematic assessment of the organization's risks and opportunities, as well as the best practices and standards for business continuity, such as ISO 223011.Reference:

ISO 22301:2019 - Security and resilience --- Business continuity management systems --- Requirements1

ISO 22301 Auditing eBook, Chapter 2: Business Continuity Concepts and Principles, Section 2.5: Corporate Defences2

Policy documents are developed in accordance to the framework of objectives, which are derived from the organization's strategic direction, context, and interested parties' needs and expectations. Policy documents provide guidance and direction for the organization's business continuity management system (BCMS) and set the overall tone and commitment of top management. Policy documents also define the scope and boundaries of the BCMS and the roles and responsibilities of the relevant parties.Reference: ISO 22301 Auditing eBook, page 28; ISO 22301:2019 standard, clause 5.2