S 6.111 Policy for business continuity management and acceptance of overall responsibility by management

Initiation responsibility: Top Management

Implementation responsibility: Emergency Officer, Top Management

The business continuity management policy sets a clear framework for the conception and implementation of the business continuity management system. It documents the most important cornerstones of business continuity management in the organisation. With this policy, the top management of the government agency and/or company demonstrates that it assumes the responsibility for business continuity management and backs all requirements and procedures.

Contents of the business continuity management policy

The business continuity management policy should be formulated clearly and concisely. It should contain the following aspects:

• a brief explanation of what is understood by the term "business continuity management",
• the scope of the business continuity management system,
• the importance of business continuity management to the organisation,
• the goals of business continuity management,
• the core statements of the business continuity strategy
• the acceptance of responsibility by the organisation's management, also documented by explicitly approving the document by signature.

The policy could also contain or refer to the following optional information:

• how the business continuity management system is integrated into the established management systems of the organisation,
• the underlying procedural model (and/or the underlying standard) for the establishment and operation of the business continuity management system,
• the organisational structure of business continuity management, including the most important roles and their responsibilities,
• the obligation of the organisation's management to optimise the business continuity management through regular examinations, tests, and drills,
• the relevant laws, policies, and regulations that need to be followed, and
• general statements on how the success of the business continuity management will be monitored.

Releasing the business continuity management policy

The business continuity management policy must be released in writing by the organisation's management. All internal and external employees, and if necessary all cooperation partners, must be informed of the policy. The policy should be released in a manner that emphasises the importance of business continuity management to the organisation.

Updating the business continuity management policy

The business continuity management policy must be checked at regular intervals to ensure it is up to date and modified, if necessary. Changes to the requirements, general conditions, business goals, tasks, business continuity management strategy, and other relevant changes should automatically trigger an examination of the policy, and if necessary, the policy should be updated to reflect these changes. Due to the rapid development of business areas and information technology nowadays, it is recommended to revise the business continuity management policy at least once every two years.

Review questions:

• Is a current business continuity management policy available that has it been approved by management?
• Does the business continuity management policy contain the most important information?
• Is the business continuity management policy checked regularly and revised when necessary?
• Have all employees been informed of the business continuity management policy?