270 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
particularly in organizations where business professionals perform planning in a
decentralized manner.
A business continuity policy is a document written to convey management expectations regarding long-term, life-cycle-oriented business continuity program performance. In order to be effective, it should be signed, communicated, and enforced throughout the organization by senior management. The contents of a policy statement should rarely change and are such that they define particular actions from every employee in the organization related to the business continuity program. A policy statement should provide a high-level overview of the objectives and expectations. A growing number of organizations supplement a high-level policy statement with a management reviewed and approved program charter and framework documentation. The charter and framework provide the additional level of detail needed to explain how the business will perform key program activities—short and long term. Many organizations remain skeptical regarding the need for an organization-wide business continuity program policy, so it is important to understand the benefits of authoring and approving one.
A well-written policy that describes the program’s key role players and their responsibilities provides clear expectations for business continuity personnel, senior management, key program contributors, and all other employees. A policy prevents the need for the program to waste valuable time reinventing itself year after year. Instead, it allows the organization to align its culture and operations around a single, simple, and repeatable vision for organizational resiliency and recoverability. Because many business continuity programs fight for attention among all the other priorities of an organization, a business continuity program’s worst enemy can be inconsistent execution. Consistent execution provides the basis for a program to integrate with the organization’s strategy, operations, and even other risk management disciplines. In many cases, a program’s effectiveness is only as strong as its weakest link. For example, a program that consistently updates plan documentation but fails to perform exercises or train its personnel continues to take on unnecessary business risk. Policy statements set organizational and management objectives, which in turn provide the necessary motivation to complete needed business continuity activities and remove such risk.
Business continuity program benchmarking can be challenging. When comparing a variety of program capabilities and elements across the organization, it can be difficult to evaluate progress or performance; however, the policy can serve as that internal benchmark for management’s review of the program. Each year, a policy should be reviewed and re-evaluated in light of the strategic vision management sets for the organization and the business continuity program. This process of reviewing and updating the policy, when necessary, provides an up-to-date and measurable benchmark for how the business continuity program aligns with the organization’s goals. When the cliché “what gets measured gets done” holds favorably with senior management, the business continuity program can leverage its policy to provide a measurable evaluation of the program’s performance.