Elements of a business continuity policy
A growing number of organizations rely on a formal, documented business continuity policy to drive the business continuity program. Although the content and the format of business continuity policies differ based on existing standards and the culture of the organization, the following nine key elements are recommended in order to drive this process toward an optimal level of maturity and preparedness:
• Accountability: Names the executive or executives accountable for the BCM program planning and execution, to include responsibility for resourcing and strategy decision making.
• Roles and Responsibilities: In addition to the executive sponsor, the policy establishes roles and responsibilities for all employees regarding planning, as well as activities before, during and after the disaster.
• Analysis: Establishes the need for and standards associated with risk assessments and business impact analyses (the cornerstones of the planning effort).
• Legal, Regulatory and Contractual Assessment: Requires the participation of the organization’s general counsel in the analysis of federal, state and local regulations, as well as customer contractual requirements impacting business continuity strategies.
• Business Continuity Execution: Identifies specific actions necessary to develop optimal business continuity strategies that meet business requirements, as well as how the organization intends to manage crises and business interruptions.
• Business Continuity Strategy and Plan Maintenance: Specifies the standards regarding the review and maintenance of business continuity analysis, strategies and documentation.
• Testing (Exercising): Defines test types, frequency of testing activities and standards associated with planning for testing (setting objectives, success criteria, etc.).
• Training and Awareness: Sets specific standards regarding the training of personnel named in the response and recovery plans, as well as general awareness for employees affected by the business continuity strategies.
• Internal Audit Participation: Requires the participation of internal audit in the planning process and/or the review of compliance with the requirements set forth in the BCM policy.
Taken together, the above-mentioned elements of a business continuity policy will assist an organization’s planning team in gathering the necessary support and resources to effectively manage the BCM program.
The business continuity policy should be reviewed occasionally by the internal audit department.