Your organization is committed to setting up a business continuity management system (BCMS). You’ve consulted best practice, but where should you start?
The natural place to start is crafting the business continuity policy. Not sure what the BC policy is? Read on to learn what you should know.
What is the business continuity policy?
A high-level statement of the organization’s business continuity intentions and direction, the business continuity policy is developed and maintained by senior management.
But what’s the actual purpose of the business continuity policy?
Most significantly, the BC policy articulates the meaning and importance of business continuity management to the organization. It also signals the following from senior management:
- Commitment to the BCMS and its continual improvement
- Expectations for how the BCMS will be used by all workers
- The guiding principles for setting, reviewing, and meeting BCMS requirements (objectives)
How to know your BC policy is on the right track?
Sounds important. How will you know, though, if you’ve developed a business continuity policy that suits your organization's BC needs?
BC policy, given the nature of business continuity itself, necessarily varies from organization to organization.
There are, however, general considerations when developing the BC policy. Those include:
- Be appropriate to the size, complexity, and type of the organization
- Be aligned with the organizational culture and operating environment
- Focus on what the organization will do, not how it will be done
6 steps to develop an effective BC policy
Where to go from there? When developing an effective BC policy, senior management should take the following steps:
- Agree and draft definitions of key terms such as business continuity and business continuity management system.
- Draft a statement that outlines the overall purpose of the BCMS, the reason why it is important to the organizations, and the benefits it will bring.
- Draft the rest of the policy. Make sure it includes a commitment to the BCMS and its continual improvement, expectations for how the BCMS will be used, and guiding principles for setting, reviewing, and meeting BCM objectives.
- Consult on and finalize the draft policy according to the organization’s usual processes for establishing a policy.
- Make the policy available as documented information, subject to the organization’s usual information management practices and controls.
- Communicate the policy widely within the organization and make it available externally for interested parties.
When to update the BC policy?
Organizations should now know how to develop and evangelize the BC policy. What happens after that?
BC policies shouldn’t be materially altered by whim. That’s why they should be written at a sufficiently high level to ensure they remain relevant.
However, they aren’t set in stone for eternity. Indeed, there are certainly times when the business continuity policy needs to be updated.
It’s important, therefore, to know when and why.
To that end, the BC policy should be reviewed:
- At agreed intervals,
- Following significant changes to the operating context, and/or
- Following company-wide changes to risk management.
Of course, that only scratches the surface of what organizations should know about the BC policy. And so, for a more comprehensive clarification of the business continuity policy, take a look at our article, What Is a Business Continuity Policy?