This article provides an overview of GPG Professional Practice 1 (PP1) – Policy and Program Management, the first of the six professional practices, and discusses the importance and recommendations in establishing the foundation for a repeatable and scalable business continuity program.
PP1 outlines a number of activities that organizations should consider completing before performing business continuity planning activities (business impact analysis through exercising):
- SET A BUSINESS CONTINUITY POLICY that “communicate[s] to interested parties the principles to which the organization aspires” by outlining the purpose and objectives of the business continuity program. A strong program policy statement should be short and succinct while also providing necessary program details against which its performance can be measured. PP1 suggests that policies provide the organization’s definition of business continuity, program scope, involved parties, and how the program will be managed.
- DETERMINE A PROGRAM SCOPE that defines “what [the program] is designed to protect and the maximum extent of damage, loss or interruption the organization can realistically survive.” Often times, organizations choose to first focus their business continuity program on a sub-set of the organization (as opposed to the entire organization), typically with management selecting the most important products or services that the organization delivers (e.g., revenue generating, external facing). A well-developed scope statement clearly documents what is and isn’t (exclusions) included within the program. This helps focus resources on what is most important and time-sensitive, and avoid planning activities (e.g. plan development) occurring outside of the approved program boundaries.
- DEFINE GOVERNANCE that establishes a top management-supported program. This helps ensure that management continuously drives program implementation and monitors/validates the program performance and outcomes. Required management support may include approving necessary budget or investment, providing adequate staffing, participating in highly-visible program activities, and regularly reviewing program outputs.
- IMPLEMENT A BCM PROGRAM that is sustainable, repeatable, and based on management-approved scope and objectives. As part of program implementation, practitioners should perform stakeholder onboarding (e.g., presentation, introductory program walkthrough, or tabletop), execute program elements (e.g., business impact analysis, plan development, and testing activities), develop employee awareness, and ensure continuous improvement by adopting project/program management techniques.
- ASSIGN ROLES AND RESPONSIBILITIES to individuals that can properly implement and maintain the business continuity program per management expectations. As part of the staff onboarding process, management must ensure that assigned staff have the necessary competencies based on their role within the business continuity program; if they do not, staff must pursue and obtain the necessary internal or external training.
- ADOPT PROJECT AND PROGRAM MANAGEMENT TECHNIQUES to enable a consistent project roll-out that meets management expectations and stays within approved timelines and budgets. To accomplish this, staff should establish a list of program management elements, such as the objective, scope, timeline, tasks, staff, resources, and milestones, and ensure these elements are properly identified prior to project initiation. Once projects are complete and the program fully implemented, staff must continue a cycle of continual improvement to ensure program effectiveness, which can be done through regular self-assessments, audits, or benchmarking studies.
- MANAGE OUTSOURCED ACTIVITIES AND SUPPLY CHAIN CONTINUITY to minimize organizational impact during an incident affecting a third-party on which the organization relies. Organizations may choose to (and should) prequalify incoming vendors/suppliers through reviewing and assessing the vendor/suppliers’ business continuity program and documentation, and organizations should regularly monitor vendor service level agreements and recovery strategies to ensure they meet internal expectations.
- MANAGE PROGRAM DOCUMENTATION so the documents are consistent and easy to use. Depending on organizational size, some practitioners choose to use software to maintain internal business continuity documentation (e.g. BIAs and plans). Regardless of the method, organizations should ensure that all necessary documentation is developed, accessible to all participating parties, and reviewed/refreshed on a regular basis.
PP1 contains a set of foundational elements necessary to ensure business continuity aligns to organizational strategy. PP1 also contributes to a repeatable planning process to deliver business continuity outcomes consistent with stakeholder needs and expectations.
Without the PP1 outcomes, the business continuity program would lack focus and priority, and it is likely that program participants would be guessing as to what their roles entail and the best way to engage in the planning effort.
- A POLICY ALIGNS THE BUSINESS CONTINUITY PROGRAM TO INDUSTRY BEST PRACTICES. Industry professionals develop best practices and standards (e.g., BCI Good Practices and ISO 22301) based on common practices and guidance across various industries, countries, and organizational considerations. Practitioners that follow program development best practices help ensure that the organization’s business continuity program reflects common and proven industry strategies and the evolving threat and planning environment.
- A POLICY PROVIDES CUSTOMER/CLIENT ASSURANCE. Many organizations require that their vendors and suppliers have an established business continuity program to ensure supplier and vendor continuity. An established program policy provides the organization a consistent and concise summary of their program that can be provided to customers or clients for reference.
- A POLICY ENSURES PROGRAM CONSISTENCY. Large organizations often choose to implement a large, dedicated international business continuity team, or utilize local/regional support staff to assist in program roll-out. A clear policy statement sets expectations for all employees and program participants in the organization, ensures consistent program execution, and communicates management objectives, drivers, and expectations. In addition, well established program activities, project management strategies, and roles and responsibilities also aid in this effort.
- A POLICY ENSURES PROGRAM REPEATABILITY. A well-developed policy statement that clearly defines the program’s scope, participants, and activities prevents management from redefining and reinventing the program year after year. While the program itself should change to reflect changing organizational priorities or threats, a documented policy provides management a baseline to review and change, when necessary.
- A POLICY ENGAGES MANAGEMENT AND ENLISTS THEIR SUPPORT. Management buy-in is critical in driving program improvements and addressing ongoing changes to accommodate evolving threat environments while also meeting internal and external commitments. Management buy-in also helps establish organizational awareness and drive program activities. Adopting a management-approved policy helps carry momentum and align planning strategies with organizational priorities.
When organizations decide to implement a business continuity program, many tend to jump straight into tactical program elements (such as conducting a business impact analysis and developing plans), thus ignoring the need to first set a strong program foundation on which to build those program elements. While tactical elements are often the most visible, there are multiple reasons why an organization should put in the effort to follow the guidance provided in PP1.
Consider the following case study that illustrates why organizations benefit from establishing a repeatable program and a policy before jumping straight to implementing tactical elements of the business continuity lifecycle.
Company X’s Board of Directors issued a directive for the organization to implement a business continuity program. To comply with the directive, the organization charged an internal resource as the business continuity coordinator to begin this process. After reading a number of web articles, the coordinator decided to begin with performing the business impact analysis and writing business continuity plan documentation. After plan documentation was finalized, the coordinator realized a few major concerns:
- She didn’t know if the organization could really meet management’s expectations if a disruptive incident were to actually occur
- She realized that her efforts were a point-in-time evaluation, and didn’t know how the efforts would continue after the initial effort
- She didn’t think the organization was actually in a much better position than it was before her efforts because it had not invested any resources into having actual recovery capabilities (e.g. alternate workspace or IT disaster recovery)
- The people that she originally wanted to participate in the efforts did not actually participate as they delegated down to lower levels of the organization
Due to these concerns, the business continuity coordinator began performing more research and talking to industry groups. This additional research made her realize that she did not establish a program before performing business continuity-specific activities. Therefore, she did not gain the results she was hoping to accomplish. The coordinator then took a step back and implemented the following actions:
- Developed, presented, and received endorsement from top management for her business continuity policy, which was published and communicated to the organization
- Developed standard operating procedures, which outlined the process by which she implemented the business continuity activities in order to ensure the process would keep occurring on a recurring basis
- Chartered a steering committee who provided input on the program’s scope and downtime tolerances, reviewed and approved findings and investments, provided leadership, and ensured the ‘right’ level of participation and support
Following these actions, the coordinator found that the program was aligned to the organization’s strategic objectives, supported by the appropriate levels of the organization’s senior management, and could actually meet internal and external stakeholder expectations during an actual disruptive incidents.
The guidance found in the BCI Good Practices assists practitioners in understanding and implementing the program while ensuring consistency with international standards found in ISO 22301.