Tip

Defining, reviewing and updating your organization's BC/DR policy

One of the key initial activities in a business continuity management system (BCMS) is to establish BCMS policy. Policies set the ground rules for how a BCMS operates both under normal operating conditions and during a disaster situation, and without approved policies your BCMS may not function at an optimal level.

A business continuity/disaster recovery (BC/DR) policy typically includes the scope of what the BCMS covers, who is responsible for the BCMS, who is responsible for approving BCMS revisions, and activities performed under the BCMS (e.g., plan development, performance assessments, plan exercises, business impact analyses and risk assessments).

Setting policy for a BCMS is typically overlooked and rarely deemed a principal activity. Many BC and disaster recovery (DR) plans, assessments, and even exercises, are set up quickly, with the goal of rapid completion to satisfy a short-term, urgent requirement. Regrettably, once the activity is completed, the results are then ignored and ultimately forgotten. Lack of a BC/DR policy doesn't necessarily mean the BC plan, BC program or BCMS will fail. But it is generally considered "good practice" to have policies, or at least a general policy statement, and doing so makes it easier for senior management to understand BCMS procedures.

The following items will help ensure that you include policies in your business continuity initiatives.

A good place to learn all about what should be included in your BC/DR policy is the new ISO 22313:2012 standard, Business Continuity Management Systems -- Guidance.

To ensure senior management support for a business continuity initiative, formulate policies for all components of your BCMS in advance of the program, and seek senior management approval. Before investing a lot of time -- and to avert a possible rejection of your program -- let the policy statement effectively set the stage for your program, why it's important, how it aligns with company business objectives and what the program will and won't accomplish. You can save yourself a lot of wasted time with this strategy, and may even gain management support sooner.

Examine other company operational policies to get a sense of how your company addresses policymaking. Examine the structure and organization of several policies, and make sure that your policy statement mirrors the same format and structure. If senior managers see something in a familiar format, they may be more inclined to look further, which of course is what you want. Clearly indicate how your BCMS policy supports corporate goals and objectives, as this will also get senior management's attention. Make sure there's a business focus to your BC/DR policy.

Since there are now well-established domestic and international standards for business continuity (and disaster recovery), be sure that your policy statement addresses how the program will comply with applicable standards, regulations, legislation and guidelines that will ensure your organization maintains compliance where needed.

Recognize that your BC/DR program may be subject to periodic audits and quality assurance (QA) reviews. Acknowledge that fact in your policy statement, confirming that your program will be in compliance with all applicable and auditable standards. Your BC/DR policy should also state that the BC program will be audited at least once a year, and be subject to other periodic scrutiny.

In addition to defining the key attributes of your program by virtue of the policy, you may also use the business continuity/disaster recovery policy to define how your BC program will interact with other parts of the organization. These can include, but are certainly not limited to, other departments (e.g., IT, operations and human resources), domestic and global locations, and outside organizations such as key investors, stakeholders and vendors.

Summary

When formulating BCMS policy, first be sure to understand and articulate how the BC program fits into the organization. This will help establish the potential value of your BC program to the organization. Be sure to regularly review and update your BCMS policy to ensure it is consistent with the goals and objectives of your organization.

This was first published in April 2013
