A well-crafted business continuity policy is essential for your organisation to navigate unexpected interruptions while ensuring the continued delivery of products and services.

Because of industry confusion, most people think a business continuity policy and plan are the same. But they’re not.

  • The policy sets guiding principles for managing business continuity. It typically establishes standards of behaviour, compliance with legal obligations and guidelines, and consistent approaches to handling various situations.
  • The plan, by contrast, maps out from beginning to end how your organisation will get through a disruption and which individuals are responsible for each task during it. It normally includes targeted timelines, locations, communication channels, and documented progress.

This post sets out ten practical steps for drafting a business continuity policy.

Step 1: Establish a definition and objectives

Defining business continuity

Begin by agreeing on a clear definition of business continuity that suits your organisation’s context.

If you’re stuck, consider adopting the definition offered by ISO 22301:2019: the “capability of an organisation to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption”.

Identifying business continuity objectives

Then, identify the specific objectives the business continuity programme aims to achieve.

For context, your programme is the guidelines, plans and procedures designed to ensure your organisation can continue its essential operations and provide products or services even during unexpected disruptions or emergencies. However, you need to define the objectives your programme aims to achieve. For guidance, check out our post on “Practical steps to drafting business continuity objectives”.

Ultimately, your business continuity objectives should be aligned with your organisation’s overall goals and strategic direction.

Step 2: Determine standards and guidelines

Next, identify and agree on the standards or guidelines that will serve as benchmarks for the business continuity programme. These can include industry standards such as ISO 22301 or relevant frameworks specific to your organisation’s sector. In the end, adhering to established standards ensures a robust and comprehensive approach to business continuity.

Step 3: Review related documents and collaboration opportunities

It’s vital to review your organisation’s related policies, plans and procedures to identify any areas of overlap or duplication. These documents typically include your information security policy and incident response plan.

Moreover, seek opportunities for collaboration with related management disciplines such as risk management or disaster recovery planning. Collaborating with relevant stakeholders can enhance the effectiveness and efficiency of the business continuity programme.

Step 4: Draft and review the business continuity policy

To ensure the policy is accessible, helpful and empowering, draft it in plain language.

Also, remember that the policy should focus on “what” the organisation will do rather than “how” it will be done. The policy should define the strategic direction, approach, and resource allocation for the business continuity programme.

As an extra tip, ensure that the policy is supported, approved, and owned by top management to provide effective governance and leadership.

Step 5: Conduct a gap analysis

Review the current policy against any new requirements and conduct a gap analysis. For instance, identify areas where the existing policy falls short. If that’s the case, you need to revise or enhance it to align with your organisation’s changing needs and industry best practices.

Step 6: Seek consultation and feedback

Circulate the draft policy for consultation with relevant stakeholders, including top management and other interested parties. Encourage feedback and input to ensure the policy captures different perspectives and addresses potential concerns. This collaborative approach increases buy-in and facilitates the adoption of the policy throughout your organisation.

Step 7: Amend and finalise the policy

Based on the feedback received, amend the draft policy as necessary. Incorporate valuable suggestions and ensure the policy reflects your organisation’s culture, size, complexity, and operating environment.

Once finalised, obtain the necessary approvals and sign-offs from top management.

Step 8: Communicate the policy

Ensure the approved policy is effectively communicated to all interested parties within your organisation. Utilise appropriate communication channels to disseminate the policy and make it readily available to personnel, stakeholders, and external partners.

Step 9: Review and update

Regularly review the business continuity policy at pre-agreed intervals or following significant organisational changes.

Changes can include shifts in risk approach, market conditions, acquisitions or disposals, alterations to products or services, and updates to legal or regulatory requirements. This review process ensures that the policy remains relevant and effective over time.

Step 10: Demonstrate compliance and commitment

When reviewing or auditing the business continuity policy, ensure the following aspects are demonstrated:

  • Top management’s commitment to effective communication and satisfying internal and external requirements.
  • Clarity on measurable deliverables of the business continuity programme.
  • Documented ongoing commitment to business continuity and continual improvement.
  • Identification of opportunities for adaptation to change and continuous enhancement.

Actions you can take next

  • Set standards and guidelines for business continuity in your organisation by asking us to draft a business continuity policy.
  • Ensure you comply with applicable laws by asking us to review your business continuity plan.
  • Train your personnel on the ins and outs of business continuity by asking us to host a workshop on the topic.
  • Ensure your vendors, suppliers, and contractors comply with your business continuity programme by asking us to draft the relevant contractual clauses.
  • Understand the relationship between business continuity, data protection, and information security by reaching out to us for training.