A business continuity (BC) policy is like a mirror. When you look into it, it should reflect, as section 3.38 of ISO22301 puts it, “the intentions and direction of an organisation as formally expressed by its top management.”
A policy provides the framework for the development of BC within an organisation based on its aspirations and objectives. It should not leave the reader in any doubt as to what the organisation's position is on BC, who is responsible for it and how to go about complying with it.
If it doesn’t do that, then not only will the reader be lost and not know what is expected of them, but an early opportunity to promote business continuity will also have been lost.
Take some time this week to reflect on your organisation's policy and see what it looks like – maybe ask a few questions of it:
- Does the policy represent the intentions and directions formally expressed by top management for BC?
- Is your organisation doing what the policy says it will do regarding its BC programme?
- Is what is happening out in the workplace the same as what the policy says should be happening?
The policy provides the force that gives BC life within an organisation, and so I think it is worth spending time on.
If you are looking for ideas, I have added a specimen policy at the end of this article that I think aligns well with the ISO guidance and would be suitable for public or private sector.
If you like it, please use it.
Specimen Business Continuity Policy
This policy advocates the development and maintenance of business continuity plans so that, as far as is practicable, Insert company or department name here can continue to carry out and maintain time critical services in the event of an emergency in compliance with the Civil Contingencies Act 2004 (CCA 2004). Compliance with the CCA 2004 does not apply if you are a private company. You may choose to align yourself with the BCI Good Practice Guide or the international standards for business continuity ISO22301/313.
This policy and associated appendices provide comprehensive guidance on how to develop and maintain business continuity plans.
Insert company or department name here will apply this process to all areas of business to determine those activities that are time critical to the continued delivery of our strategic objectives. If you are public sector, add “and meet our duties under the act, CCA 2004.” We recognise / intend to comply with the principles within the International Organisation for Standardisation (ISO 22301) for business continuity, which will be used to benchmark our BC activities and success.
If you are public sector, use this. The Civil Contingencies Act places a duty on … name your service, police, ambulance etc. … as a category 1 responder to produce plans that ensure they can continue to carry out their respective functions and maintain critical services to a pre-determined level in the event of an emergency.
This policy is the key document which sets out the scope and governance of business continuity management (BCM) in name your company or department here. It provides the context in which BCM will be developed to ensure that it supports the objectives and culture of our organisation, and includes:
· Scope of the BCM programme
· BCM framework and responsibilities
· BCM guidelines and standards
This policy will be reviewed every put in the timescale here, should be at least annually or after any major disruption or reorganisation.
Terms and Definitions
A list of terms and definitions used in this policy is in Appendix 1.
This appendix should contain all of the acronyms used in the policy and its appendices.
Relationship with Organisation Risk Process
The risk management process in put organisation name or department here provides the primary mechanisms for identification, analysis and control of operational and strategic business risks. Business continuity management supports this in the following ways:
· Through the impact analysis of the loss or disruption to a time critical activity that supports our core business objectives.
· Through the planning undertaken to enable the restoration of time critical activities to a pre-determined level within an agreed time scale.
· Through the identification of risks to these activities that may need a business decision to resolve.
Strategic Objectives / Core Business
The strategic objectives / core business for insert company name or department here are:
· Protection of life and vulnerable people
· Next objective
· Next objective
· Next objective
· Next objective
These objectives should reflect the activities that you do not want to stop; they are the principal reasons why your organisation exists.
We will use the business continuity process to ensure that, as far as is practicable, we can carry out our strategic objectives / core business activities in the event of an emergency.
BC Process Objectives
· Identify those activities and processes critical to our strategic objectives / core business.
· Understand the impact of their disruption or loss
· Anticipate and mitigate risks to their delivery
· Produce validated flexible plans that restore disrupted activities to a pre-determined level.
BC Plan scope
BC plans will define the scope of the incidents that they are designed to address, and will take account of those disruptions most likely to impact time critical activities:
· Loss of access to key building
· Substantial reduction in staff
· Loss of IT systems, telecommunications
· Loss of data, information, vital records
· Loss of utilities, supply chain
Most scenarios will affect one of the general categories above; however, you can add anything that is relevant to the delivery of your activity, e.g. specialist equipment.
The application of this policy will reflect our alignment to ISO22301/313. Public sector: will ensure compliance with the duties set out in CCA 2004.
The implementation of this policy will enable organisation name here to:
· Identify, mitigate and manage risks to strategic objectives / core business
· Improve our ability to deal with, and recover from, a disruption
· Provide our key services during a disruption
There are specific responsibilities for the roles listed below which are detailed in Appendix 2 of this policy.
· Name the governing board for business continuity
· Name of executive who is responsible for BC
· Name of BC manager or Coordinator
· Heads of business units and departments
· Business continuity representatives
· Line managers
There may be other headings for BC responsibilities that you would like to name here, but they should be set out in detail in the appendix and agreed by the organisation executive board.
Business Continuity Planning Process
The business continuity process and planning template that we intend to follow are set out in Appendix 3 of this policy, Part 1 of which will guide you through the details of the planning process. Once completed, the information gathered in Part 1 can be used to complete Part 2, which is the business continuity plan template.
Use this appendix to set out a method of achieving a BC plan. The people that use this information will need to have received some basic training in BC, and would usually be the person responsible for writing the plan. For details on training, contact email@example.com.
Public sector. Where there are any teams working across collaborative areas they will develop joint plans that will improve the resilience of the group as a whole and cover both areas.
Completed Business Continuity Plans
Once plans have been completed and signed off by the appropriate authority, they should be validated by exercise and made available to staff.
All plans should be exercised at least once per year, or after major organisational change.
Debriefing and update
All plan activations and exercises should be debriefed by an appropriate person with the express aim of identifying areas of success and areas that require improvement within the plan.