What Is a Business Continuity Policy?
A business continuity policy provides high-level guidelines a company uses to ensure it can run in a crisis and keep addressing new risks. Each company’s policy is unique. To be successful, a policy needs the support of top leadership.
“The policy sets out that a company knows it cannot just sail through the good times,” explains Alex Fullick, General Manager of business continuity consultancy Stone Road Inc. “It knows it has to be able to respond to the bad times to maintain client satisfaction. A policy outlines that, first of all, a company is dedicated to ensuring employee safety and protecting shareholders, stakeholders, and partners. A policy shows that a company will prepare for, respond to, and recover from any adverse situations that it encounters to ensure public safety and employee safety.”
Top leadership and the business continuity planning committee shape the policy. The policy writers specify the business continuity plan's purpose. They also describe what facilities and processes the business continuity plan will cover.
The policy specifies key personnel who will administer the plan and outlines the role of staff in the continuity system. A business continuity policy also notes any legal, regulatory, or contractual obligations, as well as exclusions, such as service level agreements, that a company must maintain in all circumstances. Learn more about business continuity management from our article on business continuity planning.
The document defines how the company communicates to staff that the organization is implementing a business continuity management system and has the endorsement of the C-level.
Today, in the era of social media, reputation is everything. “If you're not protecting your brand, it's very easy for someone to suddenly start sending off messages in social media saying, no, they're not doing this, they're not doing that. It comes down to the brand. If you do things right, the policy protects the brand,” says Fullick.
The procedures in the business continuity plan puts the policy into action. Together both documents emphasize these elements:
- Contingency Planning: A company makes a proactive effort to foresee possible events and plan how to deal with them. This planning mostly addresses events that are negative but can also be positive. Contingency planning is different from crisis management, which is how a company reacts to an incident.
- Recovery: This step describes the efforts of a company to save and restart critical processes after an incident. A recovery approach also dictates acceptable levels of service after a disruption.
- Resilience: This concept refers to a company’s ability to provide critical products and services during and after a crisis. Resilience includes protecting staff, other resources, and the brand.
Large companies usually have a business continuity policy; small companies often don’t. “I've worked for a medium-sized company, and there wasn't a documented policy,” says Fullick. “I worked for a large company that had a documented policy that the president looked at every year. In reality, he probably just signed it and added a new date.”
A written policy is mandatory for any business pursuing ISO 22301 certification. For Service Organization Control (SOC) 2 compliance, which governs how service providers manage data to ensure privacy, you need documented business continuity and disaster recovery plans. See our article to learn more about ISO 22301.
Policy also does not exist on its own. “I use the image of a three-legged stool,” explains Mike Semel, President and Chief Compliance Officer of Semel Consulting. “A three-legged stool can't stand without all of its legs. Take away a leg, it's going to fall. If you have a policy, then you have to back it up with procedures and back the procedures up with evidence that you're following them. That’s the hardest and most expensive part.” Learn more about writing procedures and work instructions in our article.
Business Continuity Policy in a Pandemic
Business continuity policy templates can save you time when writing a policy. Editing an existing document takes less effort than formatting a new one and serves as a reminder to add key information.
Use our free downloadable business continuity policy template available in Microsoft Word and Google Docs formats. The document contains all the sections you might need for a policy document, along with a customizable header block and confidentiality label.
Download Simple Business Continuity Policy Template
Microsoft Word | Google Docs | Smartsheet
For other most useful free, downloadable business continuity plan (BCP) templates please read our "Free Business Continuity Plan Templates" article.
How to Write a Business Continuity Policy
When drafting a business continuity plan, a company must write a business continuity policy document. The policy document outlines requirements for developing the business continuity plan.
Use concise, simple words when writing a business continuity policy. Write in the third person using “he,” “she,” and “it.” If possible, avoid adding information that may quickly go out of date. Consult good examples of straightforward policies for reference. (We provide examples of policy statements later in this article).
Step by Step: Writing a Business Continuity Policy
Follow this procedure to prepare your business continuity policy:
- Gather a Business Continuity Writing Team
The team should consist of the business continuity manager and their alternate, a business continuity plan coordinator, your Chief Information Security Officer (CISO), CTO, CIO, and other pertinent stakeholders. Charles Cox is a Principal at Firefly Consulting, an Austin-based boutique consulting firm specializing in innovation and operational excellence. He likes to think of any collection of policy writers as a group because the breadth of input matters to reduce bias toward particular business functions.
- Write the Policy Statement
The statement describes the aim of the policy. Directors or managers often sign the document. “In most cases I’ve been associated with [for any type of policy document], about 80 percent of the statement is written at the beginning,” says Cox. “After there’s been some discussion, often after completing a risk analysis, there are some modifications and expansions on the original statement.” Learn more about business continuity policy statements later in this article. - Conduct the Risk Assessment and BIA
A business impact analysis (BIA) determines the financial and functional impact of disruption and reveals key processes and information about recovery time objectives. Conduct a risk assessment to determine and rank threats and risks. Read our guide to learn how to write a BIA.
A business continuity policy is a tactical tool, but it must be grounded in company strategy, which comes from senior management (senior management could be an executive in a corporation or the owner in a small business). Mike Semel gives the example of an accounting firm with employees who thought their recovery time objective (RTO) was eight business hours. The managing partner said the company couldn’t possibly afford to recover so quickly and determined it was cheaper to pay any fees clients incurred from late filings. Thus, it’s management’s job to determine risk tolerance.
Semel explains further that companies often guess at RTO without a full understanding of what the number really means. For example, if power goes out, unless you can fire up a generator, your recovery must wait on power being restored. Thus, an eight-hour RTO clock doesn’t begin until power is restored.
“The problem with RTO is that it's usually like a hope or a wish or a guess,” he says. “The biggest flaw when it comes to recovering systems is that nobody tests them adequately. They do the backups. Every day, they get the message that the backup is successful. But they don't test recovering from the backup and trying to operate the business. Then they go to recover in a disaster, and instead of eight hours, let's say it takes 14 hours. If the policy says it should take eight hours, they either have to change the policy to say 14 hours, or they have to change the process to get it down to eight hours.”
When describing scope and recovery parameters in a policy, also consider that the timing of a disruption makes a difference. “A disaster the day before payday is completely different from a disaster the day after payday. In accounting firms, a disaster a week before tax day is different from a disaster the week after. Those are the things that people don't always think through,” shares Semel. - Determine Your Strategy for Business Continuity
A business continuity strategy provides a high-level view of what recovery and continuity mean for a company. Consider the scope, approaches, and recovery timelines. - Write the Policy
Document the scope, key business areas and functions as determined by the BIA, key roles, and the general approach to continuity. - Secure Stakeholders’ Review for Both the Policy Statement and the Document
If you haven’t included them already on your writing team, be sure to get input from the CISO, CTO, and CIO, as well as comments from important third parties. - Get Executive Endorsement of the Policy Statement
Obtaining senior sponsorship will set your business continuity planning on the path to success. - Promote the Policy
Share the policy with employees and interested third parties. Promotion can be as simple as posting the statement on bulletin boards where people gather frequently.
Finally, although every business has unique needs, brevity is indeed the soul of wit for business continuity policies. “If a policy is 20, 30 pages, that means nothing, because that’s too much detail, which means too much fluff,” explains Fullick. “Policies must be short and simple: This is what it is, this is why we're doing it, and this is everyone's part in it.”
Common Structure of a Business Continuity Policy
Knowing the typical format of a policy frees you to focus on the content of the document. Here is an example of a business continuity policy format:
Header Block: Depending on your company’s style, you might need to include a header block on the policy. A header block includes the policy holder, policy signatory, policy date, review cycle, and version control details.
Introduction: Policy documents might or might not include an introduction. The introduction explains why a business continuity policy is important to the organization and the fundamental reasons for the policy.
Policy Statement: The policy statement might be one paragraph or an entire page. The statement describes the purpose and aims of the business continuity policy. The statement might also be called an aim or the purpose. In some organizations, the managing director or another officer signs and dates the statement page.
Definitions: Your industry might use specialized terminology that needs clarification. Definitions can also help explain the business continuity system’s scope.
Purpose and Scope: The scope section describes the facilities, processes, and activities the policy covers. “The scope tells you what to worry about. For example, ‘We’re only worrying about our main office in Mississauga. That’s the one we have to make sure is always running 24/7,’” Fullick explains.
Policy Personnel: This section lists the individuals or roles who review, approve, and enact the policy. Those responsible for policy administration are also responsible for ensuring compliance.
Compliance: The compliance area describes the requirement for testing to verify that the business continuity plans and activities adhere to the policy.
Consequences for Non-Compliance: Detail the results of not conforming to the policy.
Confidentiality Level: The confidentiality level describes who may see the document. This label usually appears in the header or footer of each page of the policy. Outside of government, businesses typically use three confidentiality levels: confidential, wherein only management can read it; restricted, wherein only company employees can read it; and public, when anyone can read it.
References and Resources: When your business continuity planning is complex, you might have a suite of policies and plans. You might also refer to legal or regulatory documents that affect business continuity policy.
Appendixes: In some cases, it makes sense to attach documents, charts, or drawings to a policy.
Business Continuity Management Policy Statement Examples
A business continuity policy statement outlines the broad goals of a company’s business continuity management program. The statement sets out the scope of efforts and outlines staff roles and duties for carrying out the continuity plan.
Top leadership should sign and endorse the statement, and you should communicate the policy to all employees. A statement might include the following:
- Details on the purpose and scope of the policy.
- A clear explanation of the framework of the organization’s business continuity management program.
- Details on who within the organization is responsible for implementing the policy.
- Details on how the organization will monitor its compliance with the policy.
In these examples of real policy statements, note the different formats and locations of the statement within the policy document:
Healthcare Providers
This healthcare business continuity policy example calls the statement an aim, but it serves the same purpose as a policy statement. Here’s an example:
Commercial Company
Business continuity policy statements for commercial organizations tend to specify an expected time to resume service. Here’s an example:
Universities
These business continuity management policy statements might begin with a purpose, which can help you to understand business continuity systems. Universities might incorporate objectives and scope. See these examples:
City Government
A statement for a city’s business continuity policy outlines what continuity planning aims to accomplish for the city. Here’s an example:
Business Continuity Policy Best Practices
Keep your policy simple and remember to focus on creating attainable continuity goals. Follow these best practices to enhance your business continuity policy preparation experience:
- Bring in expert help when needed. Creating a policy and business continuity system requires a concerted level of effort.
- Understand your key assets and processes.
- Recognize the difference between disaster recovery and business continuity.
- Consider third-party risks. Knowledge of third-party risks is especially important for regulated industries because you are liable, even if your data is stored offsite on infrastructure you don’t own.
- Promote transparency and visibility. “Once you have a policy, make it visible to all staff. Be sure to communicate the policy — a detailed policy with extensive resources is useless if staff don’t know it exists,” advises Alex Fullick.
Manage Your Business Continuity Policy Statement and Collect Relevant Documents with Smartsheet
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change. The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed. When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.