One of the key initial activities in a business continuity management system (BCMS) is to establish BCMS policy. Policies set the ground rules for how a BCMS operates under both normal
A business continuity/disaster recovery (BC/DR) policy typically includes the scope of what the BCMS covers, who is responsible for the BCMS, who is responsible for approving BCMS revisions, and activities performed under the BCMS (e.g., plan development, performance assessments, plan exercises, business impact analyses and risk assessments).
Setting policy for a BCMS is typically overlooked and rarely deemed a principal activity. Many BC and disaster recovery (DR) plans, assessments, and even exercises, are set up quickly, with the goal of rapid completion to satisfy a short-term, urgent requirement. Regrettably, once the activity is completed, the results are then ignored and ultimately forgotten. Lack of a BC/DR policy doesn't necessarily mean the BC plan, BC program or BCMS will fail. But it is generally considered "good practice" to have policies, or at least a general policy statement, and makes it easier for senior management to understand BCMS procedures.
The following items will help ensure that you include policies in your business continuity initiatives.
A good place to learn all about what should be included in your BC/DR policy is the new ISO 22313:2012 standard, Business Continuity Management Systems -- Guidance.
To ensure senior management support for a business continuity initiative, formulate policies for all components of your BCMS in advance of the program, and seek senior management approval. Before investing a lot of time -- and to avert a possible rejection of your program -- let the policy statement effectively set the stage for your program, why it's important, how it aligns with company business objectives and what the program will and won't accomplish. You can save yourself a lot of wasted time with this strategy, and may even gain management support sooner.
Examine other company operational policies to get a sense of how your company addresses policymaking. Examine the structure and organization of several policies, and make sure that your policy statement mirrors the same format and structure. If senior managers see something in a familiar format, they may be more inclined to look further, which of course is what you want. Clearly indicate how your BCMS policy supports corporate goals and objectives, as this will also get senior management's attention. Make sure there's a business focus to your BC/DR policy.
Since there are now well-established domestic and international standards for business continuity (and disaster recovery), be sure that your policy statement addresses how the program will comply with applicable standards, regulations, legislation and guidelines that will ensure your organization maintains compliance where needed.
Recognize that your BC/DR program may be subject to periodic audits and quality assurance (QA) reviews. Acknowledge that fact in your policy statement, confirming that your program will be in compliance with all application and auditable standards. Your BC/DR policy should also state that the BC program will be audited at least once a year, and be subject to other periodic scrutiny.
In addition to defining the key attributes of your program by virtue of the policy, you may also use the business continuity/disaster recovery policy to define how your BC program will interact with other parts of the organization. These can include, and are certainly not limited, to other departments (e.g., IT, operations and human resources), domestic and global locations, and outside organizations such as key investors, stakeholders and vendors.
When formulating BCMS policy, first be sure to understand and articulate how the BC program fits into the organization. This will help establish the potential value of your BC program to the organization. Be sure to regularly review and update your BCMS policy to ensure it is consistent with the goals and objectives of your organization.
This was first published in April 2013