Good practice is to agree what the BCMS covers before building the rest of the system. Determining the scope defines the boundaries (products/services, locations, functions, and interfaces) and ensures subsequent work—policy, objectives, roles, analysis, and solutions—targets the right parts of the organization. BCI’s GPG 7.0 focus on PP1 includes developing both scope and policy, and wider BC guidance reinforces that it is important to agree the scope before progressing through later lifecycle stages such as analysis, design, implementation, and validation.

That makes option C the correct “first” activity. Option B (risk assessment) is part of the Analysis practice and should be performed once scope is set. Option D (policy) is foundational and should follow quickly, but it must align to the defined scope. Option A (governance) is also established early, yet governance design is driven by and must support the scoped BCMS; the scope decision is the logical starting point that anchors everything else.