The fact that Identity Management and Business Continuity are often mentioned in the context of Compliance is just a coincidence; they are often some of the key business requirements for security. Possible business value goals are mentioned at the end of my article "Can you prove Confidentiality, Integrity and Availability are fundamental security concepts?" and some others, in connection with Identity Management, in the article "If you don’t understand Use, Ownership and Control, you don’t understand cybersecurity". I am planning an upcoming article on the Value Chain of Cybersecurity that will tie everything together. IMHO business value should be the main driver for cybersecurity, but unfortunately most professionals are still using techniques that prevent them from communicating or demonstrating the value of cybersecurity. What you call "policy statements" are such if these requirements came from some compliance need and not from some Business Owner saying: "This is what I want."