The NIST description is a bit dry: the “policy provides the authority and guidance necessary to develop an effective
contingency plan.” Dry or not, a clear statement of the “authority and guidance necessary” is vital to the success of the planning venture.
The policy statement is really about communication between management and those responsible for developing the plan.1 By making clear the driving goals of the project, the level of financial and other resources the effort commands and the particular people who are to be responsible, the policy statement gives planners everything they need to work out options that can achieve the organization’s goals. It also provides a basis for planners to communicate back to
management either their success or the need to reassess the goals or the resources, should that be necessary.
The importance of this step extends well beyond the stage of DR plan development and implementation. Why? Because
much, sometimes most of the cost is incurred after the initialization phase, during testing and maintenance and of
course, in the worst case, during and after a disaster that proves the inadequacy of the plan.
This is probably a good time to point out that you may need a couple of cycles through the steps. The first version of the
policy may set goals that turn out to be impossible under the resource constraints specified. You will need to reevaluate
the policy and scale down goals, scale up resources, or attempt some radical rethinking. The important point to remember always in disaster recovery planning is that reality is your partner and like it or not, you must cooperate with it, not fight it.