This article provides an overview of GPG Professional Practice 1 (PP1) – Policy and Programme Management, the first of the six professional practices, and discusses the importance and recommendations in establishing the foundation for a repeatable and scalable business continuity programme.
PP1 OVERVIEW
PP1 outlines a number of activities that organisations should consider completing before performing business continuity planning activities (business impact analysis through exercising):
- SET A BUSINESS CONTINUITY POLICY that “communicate[s] to interested parties the principles to which the organisation aspires” by outlining the purpose and objectives of the business continuity programme. A strong programme policy statement should be short and succinct while also providing necessary programme details against which its performance can be measured. PP1 suggests that policies provide the organisation’s definition of business continuity, programme scope, involved parties, and how the programme will be managed.
- DETERMINE A PROGRAM SCOPE that defines “what [the programme] is designed to protect and the maximum extent of damage, loss or interruption the organisation can realistically survive.” Often, organisations choose to first focus their business continuity programme on a subset of the organisation (as opposed to the entire organisation), typically with management selecting the most important products or services that the organisation delivers (e.g., revenue generating, external facing). A well-developed scope statement clearly documents what is and isn’t (exclusions) included within the programme. This helps focus resources on what is most important and time-sensitive, and avoids planning activities (e.g., plan development) occurring outside of the approved programme boundaries.
- DEFINE GOVERNANCE that establishes a top management-supported programme. This helps ensure that management continuously drives programme implementation and monitors/validates the programme performance and outcomes. Required management support may include approving necessary budget or investment, providing adequate staffing, participating in highly-visible programme activities, and regularly reviewing programme outputs.
- IMPLEMENT A BCM PROGRAM that is sustainable, repeatable, and based on management-approved scope and objectives. As part of programme implementation, practitioners should perform stakeholder onboarding (e.g., presentation, introductory programme walkthrough, or tabletop), execute programme elements (e.g., business impact analysis, plan development, and testing activities), develop employee awareness, and ensure continuous improvement by adopting project/programme management techniques.
- ASSIGN ROLES AND RESPONSIBILITIES to individuals that can properly implement and maintain the business continuity programme per management expectations. As part of the staff onboarding process, management must ensure that assigned staff have the necessary competencies based on their role within the business continuity programme; if they do not, staff must pursue and obtain the necessary internal or external training.
- ADOPT PROJECT AND PROGRAM MANAGEMENT TECHNIQUES to enable a consistent project roll-out that meets management expectations and stays within approved timelines and budgets. To accomplish this, staff should establish a list of programme management elements, such as the objective, scope, timeline, tasks, staff, resources, and milestones, and ensure these elements are properly identified prior to project initiation. Once projects are complete and the programme fully implemented, staff must continue a cycle of continual improvement to ensure programme effectiveness, which can be done through regular self-assessments, audits, or benchmarking studies.
- MANAGE OUTSOURCED ACTIVITIES AND SUPPLY CHAIN CONTINUITY to minimize organisational impact during an incident affecting a third party on which the organisation relies. Organisations may choose to (and should) prequalify incoming vendors/suppliers through reviewing and assessing the vendor’s/supplier’s business continuity programme and documentation, and organisations should regularly monitor vendor service level agreements and recovery strategies to ensure they meet internal expectations.
- MANAGE PROGRAM DOCUMENTATION so the documents are consistent and easy to use. Depending on organisational size, some practitioners choose to use software to maintain internal business continuity documentation (e.g. BIAs and plans). Regardless of the method, organisations should ensure that all necessary documentation is developed, accessible to all participating parties, and reviewed/refreshed on a regular basis.

PP1 VALUE
PP1 contains a set of foundational elements necessary to ensure business continuity aligns to organisational strategy. PP1 also contributes to a repeatable planning process to deliver business continuity outcomes consistent with stakeholder needs and expectations.
Without the PP1 outcomes, the business continuity programme would lack focus and priority, and it is likely that programme participants would be guessing as to what their roles entail and the best way to engage in the planning effort.
PP1 Value Overview:
- A POLICY ALIGNS THE BUSINESS CONTINUITY PROGRAM TO INDUSTRY BEST PRACTICES. Industry professionals develop best practices and standards (e.g., BCI Good Practices and ISO 22301) based on common practices and guidance across various industries, countries, and organisational considerations. Practitioners that follow programme development best practices help ensure that the organisation’s business continuity programme reflects common and proven industry strategies and the evolving threat and planning environment.
- A POLICY PROVIDES CUSTOMER/CLIENT ASSURANCE. Many organisations require that their vendors and suppliers have an established business continuity programme to ensure supplier and vendor continuity. An established programme policy provides the organisation a consistent and concise summary of its programme that can be provided to customers or clients for reference.
- A POLICY ENSURES PROGRAM CONSISTENCY. Large organisations often choose to implement a large, dedicated international business continuity team, or utilize local/regional support staff to assist in programme roll-out. A clear policy statement sets expectations for all employees and programme participants in the organisation, ensures consistent programme execution, and communicates management objectives, drivers, and expectations. In addition, well established programme activities, project management strategies, and roles and responsibilities also aid in this effort.
- A POLICY ENSURES PROGRAM REPEATABILITY. A well-developed policy statement that clearly defines the programme’s scope, participants, and activities prevents management from redefining and reinventing the programme year after year. While the programme itself should change to reflect changing organisational priorities or threats, a documented policy provides management a baseline to review and change, when necessary.
- A POLICY ENGAGES MANAGEMENT AND ENLISTS THEIR SUPPORT. Management buy-in is critical in driving programme improvements and addressing ongoing changes to accommodate evolving threat environments while also meeting internal and external commitments. Management buy-in also helps establish organisational awareness and drive programme activities. Adopting a management-approved policy helps carry momentum and align planning strategies with organisational priorities.
PP1 CASE STUDY
When organisations decide to implement a business continuity programme, many tend to jump straight into tactical programme elements (such as conducting a business impact analysis and developing plans), thus ignoring the need to first set a strong programme foundation on which to build those programme elements. While tactical elements are often the most visible, there are multiple reasons why an organisation should put in the effort to follow the guidance provided in PP1.
Consider the following case study that illustrates why organisations benefit from establishing a repeatable programme and a policy before jumping straight to implementing tactical elements of the business continuity lifecycle.
Company X’s Board of Directors issued a directive for the organisation to implement a business continuity programme. To comply with the directive, the organisation charged an internal resource as the business continuity coordinator to begin this process. After reading a number of web articles, the coordinator decided to begin with performing the business impact analysis and writing business continuity plan documentation. After plan documentation was finalized, the coordinator realized a few major concerns:
- She didn’t know if the organisation could really meet management’s expectations if a disruptive incident were to actually occur
- She realized that her efforts were a point-in-time evaluation, and didn’t know how the efforts would continue after the initial effort
- She didn’t think the organisation was actually in a much better position than it was before her efforts because it had not invested any resources into having actual recovery capabilities (e.g. alternate workspace or IT disaster recovery)
- The people that she originally wanted to participate in the efforts did not actually participate as they delegated down to lower levels of the organisation
Due to these concerns, the business continuity coordinator began performing more research and talking to industry groups. This additional research made her realize that she had not established a programme before performing business continuity-specific activities. Therefore, she did not gain the results she was hoping to accomplish. The coordinator then took a step back and implemented the following actions:
- Developed, presented, and received endorsement from top management for her business continuity policy, which was published and communicated to the organisation
- Developed standard operating procedures, which outlined the process by which she implemented the business continuity activities in order to ensure the process would keep occurring on a recurring basis
- Chartered a steering committee who provided input on the programme’s scope and downtime tolerances, reviewed and approved findings and investments, provided leadership, and ensured the ‘right’ level of participation and support
Following these actions, the coordinator found that the programme was aligned to the organisation’s strategic objectives, supported by the appropriate levels of the organisation’s senior management, and could actually meet internal and external stakeholder expectations during an actual disruptive incident.
CONCLUSION
The guidance found in the BCI Good Practices assists practitioners in understanding and implementing the programme while ensuring consistency with international standards found in ISO 22301.


