This sample outlines a set of policies and procedures for formalizing a Business Continuity program, and provides guidelines for developing, maintaining and exercising Business Continuity Plans (BCPs).
PURPOSE:
The purpose of this policy is to formalize the Business Continuity program of Company X and to provide guidelines for developing, maintaining and exercising Business Continuity Plans (BCPs).
This policy establishes the basic principles and framework necessary to ensure emergency response, resumption and recovery, restoration and permanent recovery of Company X's operations and business activities during a business interruption event.
SCOPE:
This policy applies to all Company X staff, facilities and IT systems at all locations worldwide. Company X shall be prepared for scenarios including, but not limited to, natural disaster, power outage, hardware or telecommunications failure, data corruption, explosives, and chemical, biological and nuclear hazards. These events may be local in nature, rendering only a single Company X facility inaccessible, or may have regional impact, with multiple Company X facilities in a geographic region becoming inaccessible.
This policy provides guidance for the resumption and recovery of time-sensitive business operations within pre-established timeframes, and for ensuring that adequate plans are in place for less time-sensitive business operations.
POLICY:
Company X recognizes the strategic, operational, financial and stakeholder-support risks associated with service interruptions, and the importance of maintaining a viable capability to continue Company X's business processes with minimum impact in the event of an emergency.
DEFINITIONS:
- BCC – Business Continuity Center
- BCMG – Business Continuity Management Group
- BCP – Business Continuity Plan
- BIA – Business Impact Analysis
- CMT – Crisis Management Team
- RPO – Recovery Point Objective
- RTO – Recovery Time Objective
- SFR – Strategy, Finance, and Risk Management
PROCEDURES:
Statement of Policy
Business continuity policy and planning are fundamental to protecting Company X against operational and reputational risk in the event of a business interruption. All Company X organizations must develop, exercise, test and maintain plans for the resumption and recovery of business functions and processing resources. These resumption and recovery plans must be based on a risk assessment that weighs the potential losses from unavailability of a service against the cost of resuming it. The plans shall anticipate a range of plausible scenarios, from a local to a regional crisis. BC policy and planning complement crisis management: they recognize that Company X staff are the most important assets of Company X, and they ensure that Company X can continue critical business processes in spite of an emergency, or resume them before their unavailability disrupts the work of the affected unit(s) or of Company X as a whole.
Responsibilities
The BCMG of the Information Solutions Group (ISG) is responsible for this policy. The following sections denote the distribution of responsibilities for Company X business continuity.
Key Stakeholders
The key stakeholders who participate in institutional BC program policy, planning and governance are senior management and the owners of critical systems, services and applications:
- Board;
- Crisis Management Team;
- Business Continuity Management Group;
- Vice Presidential Units (business units);
- Business Continuity Coordinators;
- Business Continuity staff;
- General Services Department;
- Information Solutions Group;
- Human Resources Services;
- External Affairs;
- Internal Audit;
- Legal;
- Strategy, Finance, and Risk Management (SFR).
Business Impact Analysis (BIA) and Risk Assessment
The BCMG shall sponsor a bi-annual institutional BIA to identify and prioritize the critical business processes and the cost of their downtime. The institutional BIA shall cover the major business processes that cut across multiple business units or organizations. For each such process it shall identify the Recovery Time Objective (RTO), the maximum tolerable time the process may be unavailable, and the Recovery Point Objective (RPO), the maximum tolerable data loss, expressed as the time between the last usable backup or replica and the interruption.
The BCMG shall extend the results of the institutional BIA to the business units as a basis for developing business unit-specific BIAs, identifying key business processes and the risks that would arise if those processes were unavailable. Each business unit shall appoint a BC Coordinator who will coordinate the development of the business unit-specific BIA and the resulting business unit-specific BCP, with guidance from the BCMG.
The BCMG shall sponsor a bi-annual risk assessment for business continuity and, as needed, coordinate with SFR on the methodology and findings of this assessment.
The Business Continuity Plan
The BCMG shall develop the institutional BCP to recover from an institutional crisis and to provide, at a minimum, the ability to recover critical processes whose RTOs are three days or less.
Recovery plans for a local crisis, and for critical processes whose RTOs are longer than three days, shall be developed by the BC Coordinator and the senior management responsible for the business unit. Recovery plans for business functions and systems with Company X-wide impact shall be the responsibility of the BCMG and shall be addressed in the enterprise-wide business continuity plans. The BCMG shall have overall oversight of the creation of local plans: it shall provide leadership and guidance, ensure appropriate consistency and coordination across the various business dependencies, and ensure compliance with international standards.
During an institutional business interruption event, the CMT shall activate the Business Continuity Center (BCC) if required. The BCMG shall work with the affected business units to ensure smooth execution of the institutional and business unit-specific BCPs that require activation of the BCC.
In some cases it may not be necessary to relocate staff to the BCC. To address local crisis situations, alternate approaches to resumption, including remote work and working from other office buildings, shall be identified for the affected business units by their management and BC Coordinator(s), working with the BCMG and the institutional security, facilities and IT teams.
Develop Resumption and Recovery Plans for People Assets
Human Resources (HR), working with Legal, is responsible for establishing a clear chain of command for the institution, starting with the Company X President, for business continuity policy and procedures.
Each business unit shall be responsible for its own chain-of-command planning. The plan shall be communicated to Legal and HR.
The BCMG shall ensure that the business units complete chain-of-command planning for business continuity.
Company X senior management shall be provided with communication approaches and tools to ensure communication among themselves and with the staff for emergency response and business continuity.
Company X business units shall implement and maintain a basic communication plan for all business-unit staff for emergency response and business continuity. Guidance on what constitutes a basic communication plan shall follow a standard to be developed and issued jointly by the BCMG, HR and Corporate Security. Confidentiality of staff personal contact information collected for this purpose shall be managed in compliance with Company X's Information Security and HR policies and practices.
Business continuity plans shall identify the designated primary staff member (from the business operation) and an alternate who can perform functional responsibilities in the absence of the primary staff member. Some BC staff members may be required to work from remote offices or from home.
The BCMG shall work with HR to develop clear guidance on how non-BC staff shall report their time during a crisis. These staff may be directed to suspend their regular duties until operations are restored at a permanent site or until Company X senior management provides alternate direction.
Develop Resumption and Recovery Plans for Facilities and Office Space
In order to resume Company X's critical business operations during an institutional crisis, the BCMG must provide a safe, easily accessible and fully operational location, with adequate IT and other resources, to which Company X's BC staff can report and from which they can operate for the duration of the crisis.
The alternate facility, the BCC, should be far enough from the primary work area to withstand a regional disruption. It must provide a Command Center that draws on a separate power grid and has dedicated Internet and telephone lines, so that response during a crisis does not depend on the primary site's utilities. The facility must also provide adequate office space and alternate communication links for Company X senior management to carry out operational decision-making.
For Business Restoration and Permanent Recovery, the BCMG shall work closely with the business units to coordinate the activities involved in restoring Company X's business operations and ultimately returning to the original, or a new, permanent operating site.
Develop IT Systems Resumption and Recovery Plans
The institutional BCP shall set out a coordinated strategy of plans, policies, procedures and technical measures that enable the recovery of the IT systems, operations and data identified as critical. The BCMG shall also work with the other Company X units responsible for developing and maintaining the technology and information that support Company X's critical business processes.
Company X's network architecture and global telecommunications shall provide redundancy sufficient for the institution to withstand local and regional crises.
BC policy and planning shall be integrated into IT policy, budget and implementation decisions. IT budget guidelines and incentives shall take into account good practice in business continuity planning and preparedness.
For new application development, BC planning should be integrated into every phase of the IT project life cycle, from Business Requirements through System Architecture, Design, Construction, Testing, Implementation and Maintenance to Retirement.
Testing
The institutional BCP should be tested at least annually to ensure credible recovery preparedness. The scope, objectives and measurement criteria of each test shall be determined and coordinated by the BCMG for that test. Test results shall be shared with the CMT.
Business unit-specific BCPs should also be tested at least annually. The respective business-unit management and BC Coordinator shall work with the BCMG to perform these tests.
Corporate Communications
The institutional and business unit-specific BCPs shall include mandatory instructions, advice, process, procedure or guidance concerning internal and external communications.
External communication during a crisis is a critical business process. The CMT shall work with the External Affairs office to develop the process and the messages to be communicated to the press and to staff in the event of an institutional or business unit-specific business interruption.
Training
Business continuity training for the BCMG, BC Coordinators and BC staff is essential to effective resumption and recovery of operations. BCMG staff shall keep their training current with business continuity practice, Company X's business processes, and the technologies, tools, international standards and regulations that guide the development of BC plans. BC Coordinators and BC staff must be trained in their business resumption and recovery roles, in coordination with the BCMG.
BCP Maintenance and Management Reporting
Institutional and business unit-specific BCPs shall be updated bi-annually using the templates issued by the BCMG. All Company X organizations shall also update their BCPs whenever changes require it, notifying the BCMG of the changes. Major updates should be incorporated as soon as possible rather than held back to fit a pre-arranged schedule.
The BCMG shall evaluate and implement automated tools to support business continuity planning.
Reporting business continuity planning status and progress is a key element of creating an effective BC program in the organization. The BCMG shall report the status and progress of the BC program to the CMT on a semi-annual basis or after every institutional BC test.
Business Continuity Program Governance
As this policy makes clear, business continuity is an institutional concern affecting all organizations and therefore must receive senior management guidance and oversight.
The organizations listed in the Key Stakeholders section of this policy shall participate in Company X's BC program governance.
A formal BC program governance structure shall be developed to ensure effective decision-making and compliance with international standards such as PAS 56.
Policy Compliance
Consistent compliance with this policy is essential to its effectiveness. All Company X organizations are expected to adhere to this policy and to follow it consistently. The BCMG will assess the preparedness of all organizational groups, business units and COs and report annually to senior management via the CMT. The assessment will include quantitative and qualitative measures of Company X's exposures, including, but not limited to, the resumption of time-sensitive operations and the recovery of other operations.
Internal Audit, as part of its work program, will periodically review the business continuity plans to ensure compliance of the overall Business Continuity Program with international standards such as BS 7799 and PAS 56.
Applicable International or National Standards
International standards such as BS 7799 and its international counterpart ISO/IEC 17799 require organizations to have a clearly stated BC policy to guide BC planning and execution. Company X's BC policy is based on these international standards and also takes direction from PAS 56. Note that these documents have since been superseded: BS 7799 and ISO/IEC 17799 by ISO/IEC 27001 and ISO/IEC 27002, and PAS 56 by BS 25999 and then ISO 22301. Organizations adapting this sample should map its references to the current editions.
BS 7799 is one of the most widely recognized information security standards. Section 11 of BS 7799 (ISO/IEC 17799) requires appropriate business continuity and disaster recovery planning. The standard is comprehensive in its coverage of security issues and contains a significant number of control requirements.
The British Standards Institution's Publicly Available Specification 56 (PAS 56), "Guide to Business Continuity Management", provides an overview of the activities and outcomes involved in setting up a BC management process and makes recommendations for best practice.