Business continuity and disaster recovery (BC/DR) planning are critical activities for organizations of any size, whether it's a large enterprise or a small- to medium-sized business (SMB). An important starting point in business continuity planning is the creation of a business continuity policy. A business continuity policy can help your organization recover from a disaster faster and get your systems up and running smoothly, rather than addressing problems only after a crisis strikes.
This article and our free, downloadable business continuity policy template will provide a useful starting point for preparing a business continuity policy. Read our tips below and then download the policy template.
Components of a business continuity policy
Policies for BC/DR can be simple—a few paragraphs can set the foundation for BC/DR activities without going into a lot of specifics. More detail can be included if it’s necessary, but most SMBs will want to keep their initial policies relatively simple.
Here’s a policy outline that addresses most issues:
- Introduction: States the fundamental reasons for having a BC/DR policy
- Purpose and scope: Provides details on the policy’s purpose and scope
- Statement of policy: States the policy in clear and unambiguous terms
- Policy leadership: States who is responsible for approving and implementing the policy, as well as levying penalties for non-compliance
- Verification of policy compliance: States what is needed, e.g., assessments or exercises, to verify that BC/DR activities are in compliance with policies
- Penalties for non-compliance: States penalties, e.g., verbal reprimand or note in personnel file, for failure to comply with policies
- Appendixes (as needed): Additional reference information, such as lists of contacts, service-level agreements and additional details on specific policy statements
After you have drafted a set of policies, be sure to at least have them reviewed by your department management, human resources and legal departments. Invite other relevant departments to comment if you have time.
In this article, we have provided a convenient starting point for developing business continuity policies. The process can be fairly simple, but the decision to develop and approve BC/DR policies is critical for organizations of any size.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at firstname.lastname@example.org.