Management involvement is not the only driving force behind repeatable, organizational performance.  Short, concise policy statements also set expectations and drive consistent performance.  Consequently, Riskonnect finds that regardless of the size or culture of an organization, a policy statement can be a tool to drive business continuity program performance, particularly in organizations where business professionals perform planning in a decentralized manner.  This article describes the benefits of, the objections against, and recommendations for an organization-wide business continuity policy.

What Is A Business Continuity Policy?
A business continuity policy is a document written to convey management expectations, in this case, regarding long-term, life-cycle-oriented business continuity program performance.  In order to be effective, it should be signed, communicated and enforced throughout the organization by senior management. The contents of a policy statement should rarely change and are such that they define particular actions from every employee in the organization related to the business continuity program.  A policy statement should provide a high-level overview of the objectives and expectations.  A growing number of organizations supplement a high-level policy statement with management-reviewed and approved program charter and framework documentation. The charter and framework provide the additional level of detail needed to explain how the business will perform key program activities – short and long-term.  Many organizations remain skeptical regarding the need for an organization-wide business continuity program policy, so it is important to understand the benefits behind authoring and approving one.

What Does A Policy Provide?
Repeatability is a key factor behind any mature program and a staple of every reputable business continuity standard. It is also a key motivator for establishing a business continuity policy for any organization. A well-written policy that describes the program’s key role players and their responsibilities provides clear expectations for business continuity personnel, senior management, key program contributors and all other employees. A policy prevents the need for the program to waste valuable time reinventing itself year-after-year. Instead, it allows the organization to align its culture and operations around a single, simple and repeatable vision for organizational resiliency and recoverability

Because many business continuity programs fight for attention amongst all the other priorities of an organization, a business continuity program’s worst enemy can be inconsistent execution.  Consistent execution provides the basis for a program to integrate with the organization’s strategy, operations and even other risk management disciplines. In many cases, a program’s effectiveness is only as strong as its weakest link.  For example, a program that consistently updates plan documentation but fails to perform exercises or train its personnel continues to take on unnecessary business risk.  Policy statements set organizational and management objectives, which in turn provide the necessary motivation to complete needed business continuity activities and remove such risk.

Business continuity program benchmarking, frankly, is challenging. When comparing a variety of program capabilities and elements across the organization, it can be difficult to evaluate progress or performance; however, the policy can serve as that internal benchmark for management’s review of the program.  Each year, a policy should be reviewed and reevaluated in light of the strategic vision management sets for the organization and the business continuity program.  This process of reviewing and updating the policy, when necessary, provides an up-to-date and measurable benchmark for how the business continuity program aligns with the organization’s goals. When the cliché “what gets measured gets done” holds favorably with senior management, the business continuity program can leverage its policy to provide a measurable evaluation of the program’s performance.

A business continuity policy can also play the important role of casting vision for organizational continuity and recoverability when dedicated program personnel are few to none.  The policy, when communicated across the entire organization, provides a common set of expectations.

Similarly, industries without business continuity regulatory requirements sometimes do not have the same incentive to address business continuity risks when compared to those with stringent requirements. For instance, the U.S. banking industry has an external mandate to meet the requirements set forth in the FFIEC’s business continuity handbook, and the results have produced some of the most resilient organizations and mature business continuity programs in the world.  A business continuity policy can become the standard and incentive that an unregulated organization needs to propel a program to that same level of success.

What Are The Objections To A Policy?
Objections to developing a business continuity policy are often culturally-driven.  In most cases, objections to policy statements occur because the organization has few policies governing other business activities.  These concerns are understandable in organizations that do not have policies in the format described above or cultures where policy alone does not have the power to create change. In these situations, less formal methods of communicating expectations may suffice, even if the tool is not a formal policy statement.  A management-approved alignment to a standard may be the answer or a less-formal email or letter from a senior executive.  Overall, it may take some creativity, but a management approved mandate is necessary to build a repeatable program that consistently executes necessary program elements, enables performance measurement and clearly communicates program expectations.

Policy Recommendation
Whether or not an organization historically creates policy statements, leadership should consider developing formal business continuity program expectations.  When done right, all of an organization’s stakeholders align behind a common set of expectations.  Since relatively few organizations employ a team of dedicated business continuity professionals, setting management expectations for a decentralized program is critically important.  A policy should be created, approved, reviewed often and communicated to all internal stakeholders to ensure the prioritization and sustainability of a business continuity program that protects critical organizational interests.