A business continuity policy is the set of standards and guidelines an organization enforces to ensure resilience and proper risk management. Business continuity policies vary by organization and industry and require periodic updates as technologies evolve and business risks change.Content Continues Below
The goal of a business continuity policy is to document what is
While business continuity policies are different for every company, they all include basic components. Key components of business continuity policy include staffing, metrics and standard requirements.
Internal staffing in a business continuity policy should outline the roles and responsibilities of department heads, corporate management liaisons and members of the BC/DR team. It may also include external personnel such as vendors, stakeholders
This article is part of
Common metrics in a policy may include key performance indicators (KPIs) and key risk indicators (KRIs). KPIs are used by corporate executives and managers to analyze crucial functions and processes required to meet goals and performance targets. KRIs measure the likelihood of an event affecting the company, These can help plan risk management.
The International Organization for Standardization and the British Standards Institution issue common business continuity standards. These standards are occasionally updated, so changes should be monitored.
Important policy considerations
The primary thing to consider when crafting a business continuity policy is the particular risks an organization is likely to face. Is the company in an area that frequently has hurricanes or other major weather events? Is there a geopolitical element that could bring failures? Have there been problems with ransomware or other malware in the past that need particular attention? Organizations should take all these factors into account when creating a business continuity policy.
A risk assessment is a reliable method of figuring out potential threats and determining their likelihood. A risk assessment identifies potential hazards and provides ways to reduce the impact of them on the business. Similar to a business continuity policy, risks assessments differ, but follow general steps:
- Identify the hazards;
- Determine what or who could be harmed;
- Evaluate the risks and create control measures;
- Record the findings;
- Review and update the assessment.
Along with a risk assessment, conducting a business impact analysis (BIA) can help form the backbone of a business continuity policy. A BIA determines the effects of a potential disaster on an organization by finding existing vulnerabilities. Though similar to a risk assessment, a BIA often takes place
Business continuity policy oversight and verification is another element to be aware
If non-compliance is found according to the policy, corporate management may be brought in to address it.
When to bring in a vendor
While creating a business continuity policy is a company decision, taking a look at BC/DR vendors and what services they provide can help the process. Managed BC/DR vendors can take some of the work out of an organization's hands and help facilitate tests of a business continuity strategy.
With the wider availability of the cloud, disaster recovery as a service (DRaaS) is a popular BC/DR option. DRaaS comes in all shapes and sizes, which makes it an appealing option when deciding on a BC/DR plan. Able to handle minor issues to major disasters, DRaaS is a fairly universal method to implement.
Business continuity policy vs. business continuity plan
A business continuity policy and business continuity plan (BCP) have a lot in common, in that they address all of the unique requirements and preparations for an organization to maintain continuity. They both serve different purposes within the organization, however. While the policy outlines the standards to be followed and benchmarks to be met, a plan maps out from beginning to end how the organization will get through an event. Business continuity policy information should be included in the business continuity plan, but as a separate entity.