A BCM policy is a document drawn up by top management, which indicates that the organization has a reasoned duty to engage in BCM. This document then refers to other documents that describe the BCM process (or BCM system). The advantage of separating these documents and having them refer to each other is that one can always optimize a sub-aspect of BCM and include it in the documents.
Author: Manu Steens
In this post I write my own opinion, not that of any organization.
What is a document that describes the continuity policy, and what does it say?
The BCM Process is a framework that promotes resilience for the organization. It consists of processes and people who carry out these processes. The continuity policy determines in certain terms the raison d’être of this BCM Process. It is therefore a strategic document that explains why the BCM Process is a supporting process.
The policy: a blueprint
The policy and related documents are the blueprint of the BCM in the organization for the common good of all employees.
So, it must always be up to date. The policy of the BCM Process mainly consists of a policy statement that motivates strategic goals and works in the long term. This means that the policy statement may be more impervious to the changes in the environment than the documents to which it refers.
A common goal of the BCM Process is to minimize the disruptions of primary processes, with which products and services are delivered to customers.
This makes BCM strategically important as a supporting process in times of crisis, in which it comes into effect to continue to guarantee critical processes at a predetermined minimum level.
This is what a minimal BCM policy document looks like: it mainly consists of a policy statement.
What does a more detailed BCM Policy Document look like?
Note in advance: the more details of the BCM Process are incorporated into the policy document, the more susceptible it is to changes. That is why I always call for the BCM policy to cover perhaps the what and the why, but not the how. This will help extend the lifespan of each version of the document.
Here I give a rudimentary table of contents with a guideline on how to fill it in:
- Introduction with Management Motivation: contains the policy statement of the top management and briefly refers to the chapters. Basically, this could be limited to the accountability of why BCM is being done in the organization. So, the why and purpose of the BCM policy comes here.
- Definitions: a glossary with the description, as used in the organization. This is necessary, because neither BCM nor risk management is an exact science. The meaning in which words are used may differ from that of other organizations. This helps to tailor the BCM Process to the needs of the organization.
- Client and contractors: who has what responsibility in the BCMP. My advice here is to use job titles, and not to fill them in with names yet. You do this in the business continuity management process document with the roles and responsibilities section, where this is further elaborated. It also makes it clear how important BCM is for the organization.
- The desired situation of the BCMP in the final situation: here the aim is to outline the BCM target. Describing the current situation and comparing it with the target is a topic for the cyclical, up-to-date BCMP project plan.
- “Reasonable Worst-Case Scenario”: I consider this to be outdated. In my opinion, this is best a list of “reasonable worst cases” in the form of crisis files that can be referenced in the business continuity plan.
- Main relevant standards, laws, and regulations for the BCMP: here an important contribution of lawyers in the organization is possible. Any organization can get into trouble if it doesn’t know what legislation it must comply with. This can vary from organization to organization.
- BCM Process Model to use: Which steps does your BCM Process go through? Each step can be further elaborated in a manual for the employees listed in the roles and responsibilities of the BCMP. It refers to the BCMP documentation.
A large part of this policy is, mutatis mutandis, the same as that for risk management, opportunity management and information security. It is therefore a substantive strength not to draw up a separate policy for each of these resilience aspects, but to draw up one policy for the resilience operation of the organization in which reference is made to each of these components. In doing so, BCM can then be given the above interpretation, which it can partly share with the other management techniques for resilience.