The key elements of a business continuity policy include:
A statement of purpose. This is a mini-summary the policy; it clearly and unambiguously state the need for the policy and what its high level goals are.
A statement of scope. For example, does the policy apply to the entire organization or does it only apply to a particular division within the organization? Does the policy apply to all business processes or only to some? What general business functions and support systems are covered? In other words, what is the product that will be produced as a result?
Definitions of terms. A business continuity policy will use some jargon that will need to be clearly defined. For example, what is “risk,” “impact,” “event,” “crisis,” “disaster,” etc? These terms are often seen but can be broadly interpreted. Define all relevant terms such that a business person can understand.
Definitions of roles and responsibilities. This will likely identify key roles in the organization, such as the sponsor of the policy, any steering group or committee that is formed to guide the process and the composition of that committee (i.e. legal, human resources, facilities, information technology, product owners, etc.) and other staff members. In addition to listing and defining roles, the responsibilities of each should be clearly stated. A responsibility assignment matrix can be useful in this case.
Principles, regulatory requirements, and related policies. When requirements come into conflict, what will be used to resolve that conflict? How are risks prioritized? To whom does the business owe obligations (stockholders, executives, employees, customers, etc.) and how are their interests prioritized? What kinds of or regulatory obligations does the firm have regarding continuity of service? What other company policies are related to the BC/DR policy?
Verification of policy compliance. How will compliance with the policy be determined? What artefacts will be examined in lower divisions to determine compliance? Who performs the compliance audit? What are the penalties for non-compliance and who can levy them?
Approval history and policy review schedule. This is a list of document version numbers and dates of effectiveness. Further, a schedule for future review of the policy should be established to ensure that the policy is updated within the context of the business and the changing environment.
Contact person. Who should be contacted with questions or concerns about the policy? How are they contacted?
Approval signatory. Have a place for the senior executive sponsoring the policy (defined in “roles and responsibilities”) to sign and date the policy.
Action Items
Examine a few business continuity policy templates that you can find on the Internet. For example, Victoria University of Wellington has a good policy statement, Tech Target has a template, and many more are available.
Develop a business continuity policy that contains at least the sections outlined above for the company for which you are consulting.
Proofread your assignment carefully. Improper English grammar, sentence structure, punctuation, or spelling will result in significant point deductions.