Clause 5: Leadership and Commitment

Clause 5 appears in all ISO management system standards because management systems only work when leadership is genuinely committed. In BCMS, this is uniquely critical. Business continuity fails when executives treat it as an IT function or a compliance exercise. It fails when continuity is delegated entirely to the facilities manager or the IT director without executive oversight. It fails when the board approves a BC Policy once and then never reviews it again.

ISO 22301 uses the term ‘top management’ deliberately and specifically. Top management is the person or group of people who direct and control the organisation at the highest level — the board, the CEO, the managing director. It is not the IT director, the Chief Information Security Officer, the Chief Operating Officer, or the Business Continuity Manager, though these roles have important responsibilities within the BCMS. The standard requires top management to personally take concrete actions to demonstrate their commitment to business continuity.

This article addresses what top management must do to demonstrate commitment, what the Business Continuity Policy must contain, and how to structure organisational roles and responsibilities so that continuity accountability is distributed across the organisation while ultimate ownership remains with top management. Getting this right is the foundation on which everything else in the BCMS is built.

What Clause 5 Requires

Clause 5 has three sub-clauses. Clause 5.1 addresses top management commitment — what actions top management must take to demonstrate commitment to the BCMS. Clause 5.2 addresses the Business Continuity Policy — what the policy must contain, how it must be approved, and how often it must be reviewed. Clause 5.3 addresses organisational roles, responsibilities, and authorities — how continuity responsibility is distributed across the organisation and where decision-making authority lies.

These three elements together establish the governance structure of the BCMS. They answer the questions: What are the actions that demonstrate top management commitment? What does the organisation publicly commit to regarding business continuity? Who is responsible for what in the BCMS? If these are not clearly established, the BCMS lacks the sponsorship and structure it needs to function effectively.

Top Management Commitment (5.1)

ISO 22301 Clause 5.1 is explicit: top management shall demonstrate commitment to the BCMS by taking eight specific actions. These are not optional; they are required. Demonstrable commitment means that auditors can point to evidence — board minutes, approved budgets, signed policies, communications to staff, resource allocation decisions — that show the board or CEO personally took these actions. Delegation of these actions to the BCM team or the IT department does not satisfy Clause 5.1, though it may be necessary for execution.

The eight actions are: ensuring the BCMS achieves its intended outcomes; directing and supporting all people contributing to the BCMS; promoting continual improvement; supporting other management roles in demonstrating commitment; establishing the Business Continuity Policy; ensuring the BCMS is integrated into the business processes and culture; allocating resources; and communicating the importance of BCM to the organisation.

In practice, demonstrating commitment means: approving the BCMS scope and objectives at board level; allocating budget for continuity activities and alternate recovery sites; participating in at least one exercise or BCP review annually; ensuring business continuity appears on board or risk committee agendas regularly; approving major BCMS changes; and visibly supporting the BCM programme through communications to staff and recognition of BCM contributions.

| Leadership Requirement | What It Means in Practice | Evidence for Auditors |
|---|---|---|
| Ensuring BCMS achieves intended outcomes | Setting clear BCMS objectives; allocating the necessary resources; removing obstacles; making decisions when continuity conflicts with other priorities | Board-approved BCMS objectives; budget allocation that reflects continuity priorities; board minutes showing continuity discussions and decisions |
| Directing and supporting people contributing to BCMS | Ensuring BCM roles are filled by competent people; providing them with authority to act; removing obstacles; acknowledging their work; holding them accountable | BCMS roles and responsibilities documented; training records for BCM personnel; performance management including BCM contributions; recognition of BCM achievements |
| Promoting continual improvement | Ensuring the BCMS is reviewed regularly; using exercise findings and incident lessons to improve capability; supporting innovation in continuity approaches | Management review records showing discussion of improvement opportunities; corrective action register with management decisions; evidence of BCMS enhancements implemented |
| Supporting other management roles | Ensuring functional leaders (IT, HR, operations) understand their continuity responsibilities; providing them with authority and resources to fulfil those responsibilities | Role definitions for department heads; BCMS objectives cascaded to departments; evidence of departmental continuity activities (training, exercise participation) |
| Establishing BC Policy | Approving a Business Continuity Policy at board level; ensuring it reflects the organisation’s continuity commitments; ensuring staff are aware it exists | Signed BC Policy approved by the board; evidence of communication of the policy; policy review records |
| Ensuring BCMS integration into business processes | Treating continuity as a business requirement, not an IT project; integrating continuity considerations into technology decisions, supply chain management, HR decisions, real estate planning | Evidence of continuity in business decisions: technology vendor selection criteria include BCM requirements; supplier agreements include BCM clauses; real estate decisions account for disaster risk |
| Providing resources | Budget for continuity activities; personnel for BCM programme; technology investments for recovery capability; training and testing resources | Annual budget allocation for continuity; BCM staffing plan; investment in technology and sites; training participation budgets |
| Communicating importance of BCM | Chief executive or board-level communications about continuity; visible participation in exercises; inclusion of business continuity in induction for new staff | CEO/Chairman communications mentioning continuity; evidence of board participation in exercises; continuity included in new staff induction |

KEY IDEA: ISO 22301 uses the phrase ‘top management’ deliberately. Top management is the person or group of people who direct and control the organisation at the highest level — the board, the CEO, the managing director. It is not the IT director, the CISO, the Chief Operations Officer, the facilities manager, or the BCM team. The standard requires top management to demonstrate leadership and commitment — which means they must personally take the actions listed in Clause 5.1, not delegate them entirely to another team. Delegation of execution is acceptable; delegation of accountability is not.

The Business Continuity Policy (5.2)

The Business Continuity Policy is top management’s public statement of continuity commitment and intent. It must be approved at board level, communicated to all relevant personnel, and reviewed at planned intervals — typically annually during the management review. The policy is not a detailed technical document; it is a high-level statement of principles and commitments.

The BC Policy must include the organisation’s commitment to establishing, implementing, and maintaining the BCMS; a commitment to fulfil regulatory and contractual obligations related to business continuity; a commitment to continual improvement; and a commitment to ensuring people and resources are made available to support continuity activities. Many organisations also include statements about the organisation’s risk tolerance, the importance of preventing or mitigating disruption impacts, and the role of leadership in driving continuity.

Common policy errors include policies that are too vague (“we are committed to continuity” without substance); policies that are not approved at board level (approved by the BCM team or IT director, then discovered by auditors to lack board sponsorship); policies that have not been reviewed or updated in years (creating audit findings that top management is not actively engaged); and policies that are not communicated to staff (people do not know they exist).

Organisational Roles, Responsibilities, and Authorities (5.3)

Clause 5.3 requires the organisation to define BCMS roles and responsibilities and communicate them to relevant people. This is not just an organogram; it is a clear definition of who is responsible for what in the BCMS, what authority they have, and how they interact with other roles. Effective BCMS governance typically includes a BCMS owner (ultimately top management, often with a Chief Risk Officer or Director of Risk as the operational owner), a BCM programme manager who coordinates the programme day-to-day, departmental continuity coordinators who drive continuity planning in their areas, IT/ICT continuity leads who manage technology recovery, a crisis management team leader who controls incident response and continuity activation, and internal audit functions that oversee BCMS effectiveness.

The structure should ensure that BCM programme decisions have sufficient authority to require cooperation from IT, HR, operations, and business units. A BCM programme that must request permission from every department to conduct a BIA interview or introduce a new continuity requirement will stall. Conversely, a BCM programme that operates entirely separately from IT and operational departments will develop plans that do not reflect operational reality. The right structure balances authority with integration.

In Indonesian organisations, the most effective BCM governance model we observe positions the BCM programme under the Chief Risk Officer or Risk Director, with direct reporting to the board risk committee. This positioning gives the programme the executive authority to require cross-functional cooperation while ensuring board-level visibility of continuity risks and programme progress. BCM programmes positioned under IT or Compliance typically struggle to achieve the cross-functional authority that effective BCMS requires.

| BCMS Role | Responsibilities | Typical Title in Indonesian Organisations |
|---|---|---|
| BCMS Owner (Top Management) | Approves BCMS scope and objectives; approves BC Policy; allocates resources; reviews BCMS performance; makes continuity strategy decisions; ensures integration into business | CEO, Managing Director, Board Risk Committee |
| BCM Programme Manager | Coordinates BCMS programme; owns the business impact analysis; develops continuity strategy; oversees plan development; manages exercise programme; ensures document currency | Chief Risk Officer, Director of Business Continuity, Risk Manager |
| Departmental BCM Coordinator | Participates in BIA interviews; develops and maintains departmental BCPs; ensures staff training and awareness; participates in exercises; provides department-level input to continuity decisions | Business Unit Head, Department Manager, Process Owner |
| IT/ICT Continuity Owner | Manages technology recovery strategy and capability; owns backup and recovery procedures; conducts technical recovery testing; manages supplier agreements for cloud/SaaS; ensures ICT continuity plan alignment | IT Director, Chief Information Officer, IT Operations Manager |
| Crisis Management Team Leader | Owns crisis management procedures; leads incident response and continuity activation; manages communication during disruption; coordinates multi-functional response; authorises BCP activation | Chief Operations Officer, General Manager, Senior Manager |
| Internal Auditor (BCMS) | Plans and conducts internal audits of BCMS; evaluates compliance with Clauses 4-10; reports findings to management; tracks corrective action closure | Internal Audit Manager, Compliance Manager |
| Executive Sponsor / Board Oversight | Provides board-level sponsorship; ensures BCMS performance is reviewed at board risk committee; champions continuity culture; ensures regulatory obligations are met | Board Risk Committee Chair, Board Member with Risk Oversight |

IMPORTANT: The most common Clause 5 finding in ISO 22301 audits is a BC Policy that was approved two or three years ago, has not been reviewed since, and no longer reflects the organisation’s current scope, objectives, or regulatory obligations. ISO 22301 requires the policy to be reviewed at planned intervals and updated when significant changes occur (new regulatory requirements, significant organisational restructuring, change in risk appetite, merger/acquisition activity). A stale policy is evidence that top management is not actively demonstrating commitment to the BCMS. Keep the policy current.

Leadership in Practice — Making BCM a Board Priority

The test of genuine leadership commitment is whether business continuity is an active part of board governance, not a compliance checkbox. This means BCM appears on the risk committee or board agenda regularly — at minimum annually as part of the management review, but better as a quarterly discussion of progress, risks, and decisions. It means the board review of BCMS performance is thorough: KPIs are examined, exercise findings are discussed, improvement actions are tracked to closure, and resource decisions are made based on continuity capability assessments.

Effective boards ensure business continuity is integrated into major business decisions. When the organisation is evaluating a new technology platform, the board asks: What is the recovery time and data loss tolerance? When evaluating a significant supplier, the board asks: What is their business continuity capability and what contractual commitments do we have? When reviewing a major capital investment, the board asks: How does this affect our critical activity dependencies and our recovery strategy? These questions, asked routinely, send a signal that continuity is a serious governance matter.

In the Indonesian context, where governance expectations are evolving and regulatory oversight is increasing, boards that position BCM as a core risk management discipline benefit in multiple ways: regulatory relationships improve, insurance costs may decrease (demonstrating capability to insurers), operational resilience increases, client and supplier confidence strengthens. Board-level engagement with BCMS is not just compliance; it is risk management leadership.

BITLION INSIGHT: In Indonesian organisations, the most effective BCM governance model we observe positions the BCM programme under the Chief Risk Officer or Risk Director, with a direct reporting line to the board risk committee. This positioning gives the BCM programme the executive authority to require cooperation from IT, HR, operations, and department heads — without which BIA completion and BCP maintenance inevitably stall. BCM programmes positioned under IT or Compliance divisions rarely achieve the cross-functional authority that effective BCMS requires. The best programmes have independence and board visibility.