Designing a governance structure and describing its intended performance in the form of program documentation is the first step to ensure your business continuity program produces repeatable results that align to stakeholder expectations.
According to the Business Continuity Institute’s Good Practice Guidelines’ first professional practice, governance provides the foundation for a repeatable and scalable business continuity program.
But what exactly is “governance”? Governance is typically the combination of documented policies and procedures, supported by senior/executive-level management, that define the scope, objectives, approaches, and outcomes associated with a business continuity program.
What are policies and procedures? A policy defines management’s business continuity requirements and expectations. A procedure (noted throughout this article as a standard operating procedure) defines how the organization will meet requirements defined in the policy, including who is responsible for what and when they are responsible for executing business continuity activities. In short, the policy describes “what” business continuity is at the organization, whereas the procedure describes “how” business continuity is executed within the organization.
Policies are commonly understood elements within any organization, as they are socialized for a number of organizational requirements (e.g. HR and IT policies). However, many practitioners struggle to understand what standard operating procedures are, why they are important, and what they should include to support an effective, repeatable business continuity program. This perspective aims to answer those commonly asked questions.
WHAT ARE STANDARD OPERATING PROCEDURES (SOP)?
As previously mentioned, an SOP defines how your program intends to meet and continually improve the organization’s desired business continuity outcomes in a repeatable, sustainable manner. Specifically, the SOP answers the following questions:
- What should be done and how should it be done? The policy should list required business continuity program outcomes, and the SOP should explain, in detail, what activities should be performed to deliver the required outcomes, as well as the documentation required to prove performance.
- Who should do it? The SOP should define business continuity program roles, as well as specific responsibilities for performing activities and the competencies necessary to perform each role effectively, to ensure the right people are involved to meet desired business continuity outcomes.
- How should it be done? The SOP should provide guidance and set standards for how responsible parties should execute business continuity activities.
- When should it be done? The SOP should define the frequency of completing program activities, to ensure the timeframe meets program requirements.
Documenting program activities and assigning responsibility for activities ensures accountability for completing business continuity activities in alignment with program requirements, allowing top-level management to ensure resources and business continuity-related efforts continue to align to the organization’s desired outcomes.
WHY ARE STANDARD OPERATING PROCEDURES IMPORTANT?
Would you build a bridge before designing and documenting a blueprint that ensures the bridge is built appropriately and will be maintained to ensure it meets its purpose long-term? The answer is probably no, but executing business continuity activities without a documented SOP is similar to doing just that!
The SOP provides your organization with the blueprint necessary to design, implement, and continually improve a business continuity program. Specifically, it provides:
- Alignment to Desired Business Continuity Outcomes and Regulatory Requirements
Based on the desired business continuity outcomes described in the policy, the SOP provides the instruction manual of how the organization plans to achieve these outcomes and align to applicable business continuity-related obligations. The SOP achieves this by describing and aligning detailed activities with capable, competent responsible parties, in order to deliver desired outcomes.
- Repeatability of Program Activities
By documenting how to complete business continuity activities, who is responsible, the frequency of completing each activity, and the required outcome, the SOP ensures the repeatability of program activities within defined standards.
- A Method of Reviewing Program Performance to Drive Continual Improvement
Documenting an SOP allows senior management to compare actual program performance against a defined standard – applicable to the unique needs of the organization – for business continuity activities. Said another way, the SOP allows the organization to answer the question “are we doing what we said we were going to do?”
- Certification to Business Continuity Standards
A documented standard for completing business continuity activities allows the organization to align its business continuity program to standards, such as ISO 22301, as well as many regulatory requirements. To achieve certification, the organization must demonstrate the operation of a management system in alignment to the standard’s requirements, which includes documented, repeatable processes.
HOW ARE EFFECTIVE STANDARD OPERATING PROCEDURES DESIGNED?
The following SOP elements are key to the success of your business continuity program:
- Customize the Program to the Organization’s Desired Business Continuity Outcomes
There is no “one size fits all” business continuity program or SOP. The desired outcomes of the program should be customized to the organization and its business objectives/requirements. The SOP should define the organization’s desired outcomes in measurable terms and explain how the business continuity program activities lead to the delivery of those expected outcomes. As an organization and its business requirements change, the expected outcomes and program activities should change with it.
- Design the Program and Document the SOP to Drive Continual Improvement
A good business continuity program is based on a Plan, Do, Check, Act (PDCA) cycle to ensure continual improvement and the sustainability and repeatability of business continuity activities. The SOP should define the PDCA cycle and the activities involved in each phase. The Plan phase includes the preparation work to ensure accountability and repeatability of program activities, and to ensure that the program aligns to expectations and obligations. The Do phase involves the execution of program activities. Next, the Check phase evaluates the execution of business continuity activities (and the resulting outcomes) to determine alignment to expectations. Finally, the Act phase involves applying corrective actions to remediate any gaps or improvement opportunities necessary to meet program objectives.
- Assign Responsibility and Frequency for Completing Business Continuity Activities
An effective SOP defines roles responsible for completing each business continuity activity. The SOP should also define competencies for each role to ensure the organization selects the right person with the required knowledge for each role. In addition, the SOP should establish a cadence for completing activities to ensure the program continually improves and aligns to expectations.
- Attain Management Endorsement and Involvement in the Program
To ensure the effectiveness of the SOP, management must approve of and enforce the SOP through consistent program performance reviews and assignment of corrective actions. Management is ultimately responsible for ensuring the program activities outlined in the SOP align to desired business continuity outcomes.
Establishing a governance structure provides the foundation for a repeatable and scalable business continuity program. An effective governance structure includes a documented policy statement and SOP, supported by senior/executive-level management, describing the purpose, scope, and objectives of the business continuity program. While the policy statement defines management’s business continuity requirements and expectations, the SOP defines how the organization will meet those requirements, including who is responsible and when they are responsible for executing business continuity activities.
In summary, the SOP represents the blueprint for ensuring your business continuity program continuously produces desired results.
About the Author
Jake Hay is a senior consultant at Avalution Consulting, providing Business Continuity Management and IT Disaster Recovery solutions for organizations across a variety of industries. He can be reached at firstname.lastname@example.org