لطفا منتظر باشید ...
POLICY STATEMENT
Once you have consensus from senior management on the value of Business Continuity Planning, it is beneficial to communicate that message to the healthcare organization. This can best be accomplished through the construction of a corporate BCP policy statement. The following is a policy statement template that can be used to assist the senior management of the healthcare organization in the development of a BCP policy statement:
TYPICAL HEALTHCARE ORGANIZATION
Policy on Disaster Recovery/Business Continuity
PURPOSE
This policy statement defines TYPICAL HEATHCARE ORGANIZATION'S (THO's) policy on assessing risks associated with threats to business continuity and for devising appropriate business continuity plans.
Business Impact Analysis is the process of evaluating the potential impact of a major interruption to business activity at a specific business location. Based on the level of risk, an essential aspect of any operation is to prepare a business continuity plan that provides for the continuity of business in an emergency situation. Each business unit is responsible for compliance with any other applicable local or state regulations not mentioned in the policy.
This policy defines a framework for:
Assessing a business unit's exposure to continuity risk and determining the necessity for a business continuity plan.
Developing an appropriate and cost-effective business continuity plan that will insure the continuity of business in emergency situations.
Requirements for business impact analysis and business continuity planning are auditable and require compliance.
SCOPE
This policy applies to all business units and all controlled subsidiaries and affiliates worldwide within THO.
A business unit is defined as one or more departments within THO which provide products or service to customers or other business units within THO. A business unit may be composed of one or more operating locations. For the purpose of this policy, the business unit management responsible for each operation location will determine risk.
Based upon the level of assessed risk, a business unit may or may not be required to develop a business continuity plan. When a business continuity plan is required, the plan will not be restricted to computer operations. Procedures for the continuity of business apply to all service functions, whether or not they are supported by computer systems.
The business continuity plan will develop action plans for the reactivation of all vital components of a service. Additionally, the business continuity plan will include provisions for the loss of service of external agents upon which THO is critically dependent.
COMPLIANCE
The business impact analysis and business continuity plan must be updated annually and within 30 days of any major operational or system change that has a material effect on the contingency strategy of a given operation. The assessment need not be completely redone every year; where the risks are essentially unchanged a confirmation of the adequacy of the existing assessment will suffice.
According to this policy, the business continuity plan must be continually reviewed to assure the continuity of business in the event of emergency or crisis. A formal review for relevance and adequacy must be conducted semiannually and results documented by line management. The plan must then be updated to keep it current.
For high-risk business units or locations, the plan must be tested annually or within 30 days of major changes to the operation environment when such changes invalidate the results of previous tests.
TYPICAL HEATHCARE ORGANIZATION'S POLICY
