Why would you need a Policy once you have Business impact analysis, Business continuity strategy and Business continuity plan? This is probably a question many experienced business continuity/disaster recovery practitioners are asking themselves, so here’s why ISO 22301 (a leading business continuity management standard) says it’s mandatory.
Main purpose
The main purpose of Business continuity policy is that the top management defines what it wants to achieve with business continuity. Now why would that be important? Because in many cases the executives have no idea how business continuity can help their organization, which means they won’t be particularly interested in supporting the business continuity effort in their company.
And this lack of interest is the main problem for business continuity practitioners – therefore, by requiring a policy to be written, ISO 22301 is taking a first step toward creating this recognition in the eyes of top management.
The second purpose is to create a document that the executives will find easy to understand, and with which they will be able to control everything that is happening within the BCMS (Business Continuity Management System) – they don’t need to know the details of, say, risk assessment or business impact analysis, but they do need to know who is responsible for BCMS, and what to expect from it.
The content required by ISO 22301
Basically, ISO 22301 doesn’t say too much about the policy, but it does say the following:
- The policy needs to be adapted to the organization – this means you cannot simply copy the policy from a large manufacturing company and use it in a small IT company.
- It needs to define the framework for setting business continuity objectives – basically, the policy needs to define how the objectives are proposed, how they are approved, and how they are reviewed.
- The policy must show the commitment of top management to fulfill the requirements of all interested parties, and to continually improve the BCMS – this is normally done through some kind of a statement.
- It must be communicated within the company, but also – where appropriate – to interested parties; best practice is to define who is responsible for such communication, so that it is done continuously.
- The policy must be regularly reviewed – an owner of a policy should be defined, so that this person can make sure it is kept up to date.
So, as you can see, the policy doesn’t have to be a very long document. However, it is useful to include the following:
- The scope of the BCMS – this way the scope doesn’t have to exist as a separate document.
- Responsibilities for key parts of the BCMS – e.g. who is responsible for the day-to-day operations and coordination, who is responsible on the executive level, etc.
- Measurement – who will measure whether the business continuity objectives have been achieved, to whom the results need to be reported, how often, etc.
The link between the top management and the business continuity
So, Business continuity policy should actually serve as a main link between your top management and your business continuity, especially because ISO 22301 requires the management to ensure that “BCMS is compatible with the strategic direction of the organization” (clause 5.2). I would argue that the policy is probably the best way to do this.
Business continuity policy by itself will not resolve all the problems in business continuity implementation; but, a properly written policy will certainly make the job of a business continuity professional much easier.
Click here to download a free preview of Business Continuity Policy template.