You have a documented and approved BCM policy. You’re done, right? Well, not really. You told your stakeholders in the policy that they have to play in your BCM game; but what does the playbook look like? That’s where your standards come in; they outline how your stakeholders will be required to play the game. If you don’t tell them upfront how they need to play, it will lead to inconsistency in performance and execution of the BCM program.
So what standards are minimally required? The following minimum standards should be a part of your program:
- Plan Development & Maintenance – This standard should outline the BCM program’s expectation for how a recovery plan (business and IT) will be developed, the minimum content expected from plan developers (business and IT), and the required maintenance. Stakeholders should be able to clearly understand the process to develop and maintain their plan by reading the standard.
- Recovery Strategy – This standard clearly outlines, based on the Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) derived from your Business Impact Analysis (BIA), what the recommended recovery strategy (dedicated alternate work area, work from home, redundant computer systems/applications, etc.) should be for business units and their processes as well as systems/applications. Plan developers need to reference this standard and implement the recommended recovery solutions and strategies to ensure they can meet their specific RTOs and RPOs.
- Recovery Exercise – So you told me in your BCM policy that I need to exercise annually, but what does that mean? This standard should outline the type of exercises (tabletop, walkthrough, functional, etc.) required to be conducted based on the RTO of my business unit/process and/or computer system/application, the documentation required (pre- and post-exercise) and the signoff/approvals needed following the exercises. Your standards should mandate increasingly complex exercises for business and technology over time.
Planners are often concerned that by setting standards they will cause more headaches if they can’t meet what they set as the minimum baseline. The answer is to set reasonable standards that make sense for your organization and recovery requirements. Standards are not cast in stone; they can be updated to reflect the nature and needs of the organization as it matures over time. The policy and its supporting standards work hand in hand to provide a clear picture of the expectations of the program.
Lastly, establishing and documenting standards will heighten your level of compliance with today’s industry standards, best practices and guidelines.