Policies and Standards in Business Continuity – Old Hat or Essential?

Policies? Sometimes that sounds like something from the 1960s, when companies were all ‘command and control’ and corporate rules couldn’t even be bent, let alone broken. In that sense, applying policies to business continuity could almost be an oxymoron: policies were what often hindered or halted enterprises, instead of encouraging continuity. Standards don’t always get good press either. But if there’s a problem concerning ‘policies’ and ‘standards’ for business continuity, it’s more one of perception. Policies and standards, when used correctly, become a useful, indeed essential, backbone for business continuity across the organization. So how can you make them work for you, and not against you?

The first thing to understand is that policies and standards, just like products and services, are defined after correctly identifying and specifying needs. When the requirements for business continuity for critical business processes are well-understood, they then translate naturally enough into policies and standards. Strategic e-commerce platforms, financial trading applications and medical systems may only be able to tolerate downtimes of a second or less. That might be the equivalent of “five nines” (99.999%) availability or better, in which a system or network has on average less than 6 seconds of downtime per week. By comparison, a human resources or back-office accounting application may be able to tolerate 1 to 2 hours of downtime a week (although of course you’d rather avoid it). That’s the equivalent of “two nines or 99% availability.

The problem comes when applications with low criticality get wastefully high availability (99.999% availability costs money!), or worse – the really critical applications suffer unacceptable levels of outage. Some policies and standards were defined years ago. Since then, business goals and needs have often moved on. The solution is to go back to the needs analysis, the risk analysis and the risk matrix that are all part of good business continuity planning, rework them and then redefine policies and standards accordingly. That way you’ll apply resources where they’re needed, when they’re needed to achieve business continuity efficiently and effectively.