As governance is another of the terms with many different definitions based on context and disciplines, let’s look at some basics. A dictionary definition of governance tells us that governance is, “Establishment of policies and continuous monitoring of their proper implementation by members of the governing body of an organization.”
To expand on that definition, corporate governance is defined as a system of rules and practices by which an organization is directed, managed, and controlled, taking into consideration and balancing the interests of the organization and its stakeholders that typically include owners/shareholders, executive management, employees, customers, financial institutions, suppliers, government agencies, regulators, and, for some, the general community.
Why a Business Continuity Policy is needed
Thoughtfully developed and adopted policy is an integral part of governance and becomes a critical part of the organization as it helps ensure that the organization in general and, specifically, its management and other employees across the organization are provided with an understanding of the organization’s goals and values. This then provides a foundation for achieving the organization’s purpose.
In addition to corporate policies that apply to the entire company, there are likely also policies that apply to a specific business function or department within the company (often referred to as functional policies). A Business Continuity Management (BCM) policy may be considered an example of a functional policy.
Many ISO standards, including ISO 22301, as well as the Business Continuity Institute’s (BCI) Good Practice Guidelines, include governance requirements and the need for a Business Continuity policy, and for good reason. Among the many benefits of having a formal BCM policy:
- Establishes your program’s true north
- Outlines strategic direction for the program
- Establishes the program scope
- Identifies overall program ownership and management
- Establishes a central point of accountability, oversight, and support
- Establishes necessary reporting to support coordination, collaboration, and communication
- Builds in proper monitoring and reporting to ensure that policy requirements are fulfilled
- Assigns roles and responsibilities
- Ensures that the program aligns with the organization’s other policies and strategic objectives
- Identifies the standard or best practice guidelines to use as a program framework
Developing a Business Continuity Policy
If your organization does not yet have a dedicated Business Continuity policy, consider the value of developing and adopting one. Most organizations have a standard procedure for policy development – yes, a policy about policies. Learn what that process and its requirements are.
Boilerplate policies just do not work. Collaborate with those directly involved to create a policy that is tailored specifically to your organization and fits its BCM needs and requirements. Then seek appropriate approvals for adoption.
Reviewing your Business Continuity Policy
For those with existing policies, even the best of policies, if not viewed as living documents, can become dated and inadequate. Just as a business impact analysis (BIA), risk assessment, strategies, and plans are reviewed annually, establish a firm schedule and assign responsibility for reviewing and revising the business continuity policy on at least a yearly basis. Consider whether it may be time to conduct a governance and policy review and make necessary updates and revisions.
To determine if that may be the case for your company, begin by conducting a policy review to evaluate whether or not the existing written policy is current and relevant.
When conducting a policy review, here are some of the questions you may want to ask:
- Does this policy align with other current policies?
- Does the policy require the commitment of top management to fulfill the requirements?
- Is ownership correctly assigned?
- Are roles and responsibilities appropriately assigned?
- Are current central points of accountability, oversight, and support still appropriate and realistic?
- Does the policy recognize and reflect relationships among BCM and other related programs and establish channels for coordination?
- Does the policy define the appropriate program scope for today?
- Are there requirements for the program to be communicated throughout the organization and to all current external interested parties as appropriate?
- Are there proper monitoring, reviews, and updates to ensure continual improvement?
- Does the policy reflect what we have learned from actual events?
Our written Business Continuity policy is the foundation of our programs. There can be a flawed and problematic view of policies as being set in stone. While the core elements of the policy may stay the same, to remain fit for purpose and effective, policy details must be regularly reviewed, evaluated, and updated to keep pace with a continually changing world environment. Regular reviews and updates help ensure that the Business Continuity policy remains a sound foundation for your program and provides essential guidance and direction.