What makes a good… business continuity management program governance document?

Written by Fiona Raymond-Cox

Program governance is the framework upon which a program’s strategy is defined, agreed upon, and monitored.

Have you ever wondered what compels organizations to develop these documents?

In this article you will have a better understanding of:

  • The benefits of a program governance document
  • How to develop a program governance document
  • How to keep program governance current

1. The Benefits of a Program Governance Document

The purpose of the governance document is to articulate management’s expectations of what falls within the scope of the business continuity management (BCM) program, in line with the BCM program policy. Equally, it should state what is excluded from that scope. It defines the roles, responsibilities, and authorities of those with oversight of the program, and it identifies the various program components and the frequency with which they must be developed, maintained, and exercised. Effectively, the governance document lays the foundation for how the program is managed.

From the BCM program office perspective, the governance document can be used as leverage for getting buy-in from the business to adhere to deliverable timelines. From the auditor’s perspective, it serves as a baseline against which they can evaluate and validate whether the program complies with its stated objectives. While this may identify gaps, it also ensures the program is set up to continually improve.

2. How to develop a Program Governance Document

When we work with clients, we identify members of management with the experience and appropriate authority to create corporate-level policies and procedures that can provide input to the governance document. Examples include the project sponsor and the directors of communications, facilities, finance, IT, operations, risk management, and security.

We bring these participants together to identify and document the following:

Policy – A statement that reflects what is to be achieved by the program. Consider stating whether the policy applies to a single location, to multiple locations nationally, or to all locations globally.

Program goals – Defines the expected outcomes of the program.

Program-specific roles and responsibilities – How the program will be governed. For example, the roles of the Board, executive sponsor, program steering committee, and program manager. Include other stakeholders who are expected to actively support the program activities assigned to them (e.g., crisis management team members, department team leads, etc.) and specific authorities (e.g., the Board appoints the program sponsor, who in turn appoints the program manager).

Legal and regulatory oversight – Where the organization operates in a regulated industry, it is recommended that the name and requirements of the applicable legal or regulatory bodies be noted.

Administrative program oversight and validation – The means by which the overall program will be monitored and measured. By way of example, all organizations use qualitative metrics, but as their programs mature, we find many of our clients choose to also capture quantitative metrics, as shown below:

  • Qualitative: Annual crisis management exercise is conducted
  • Quantitative: 85% of primary and alternate crisis management team members participate in the annual crisis management exercise

To ensure full visibility of the program, also record the frequency with which management (the Board and the program steering committee) will be kept apprised of program developments, and the steps to be taken to ensure continuous improvement.

Program components – These are the elements of business continuity that fall within the scope of the program, for which plans, processes, training and exercises will be necessary. In some organizations this might include emergency response, crisis management, business recovery, technology disaster recovery, travel security, emergency notifications, and so on. Be sure to include all deliverables that are pertinent to your organization’s program (exclude those that do not apply).

It should be noted that business recovery encompasses several planning documents that should also be defined in the program governance document, namely the risk assessment and the business impact analysis, as these are fundamental to a well-defined BCM program.

Program awareness, tests and exercises – The method and frequency of:

  • Awareness training – For example, a new member of staff may be required to listen to a short training video as part of their onboarding process. Thereafter, all staff take online training once per year.
  • Tests and exercises – As a general rule, these should take place at least annually. However, it is important to define the type of test and exercise for each program component, and to list the specific participant types (e.g., a quarterly emergency notification system test to all staff).

Program maintenance – The success of the program is predicated on ongoing revisions to reflect organizational changes (acquisitions, divestitures, reorganizations), business activities, personnel changes, and more. It is therefore important to include the timeframe within which every aspect of the program will be reviewed. For example, the governance document itself may only need to be reviewed and approved biennially, and it may be acceptable for a department to review its business impact analysis once a year, whereas its business recovery plan needs to be reviewed quarterly to maintain an accurate list of staff and their contact details.

Glossary of terms – An appendix that defines the terms you want to be used consistently across the organization when communicating about the program.

3. How you can maintain Program Governance

As the BCM program manager, you now have a document that sets out the “rules of the road” as to when each of the different program components needs to be created, reviewed, tested, and exercised.

Be sure to retain good records, ideally through online workflow approval processes, that can be used to substantiate that the program is being maintained in compliance with the terms set out in the governance document.

Regular reporting to the program steering committee and to the Board (or even an audit committee), at a minimum as often as the governance document requires, ensures top management oversight of the BCM program.

The activities set out in this section, namely maintaining good recordkeeping and regular reporting, are in effect the audit trail you will need to validate conformance to the policy and goals stated in the program governance document.

In conclusion, establishing and maintaining a program governance document sets out the “rules of the road”. The document then guides BCM program managers as to when each of the different program components needs to be created, reviewed, tested, and exercised.

If you have any questions about this article, don’t hesitate to reach out to info@raymondcoxconsulting.com.