We've written before about how all organizations need to have a robust business continuity plan. A comprehensive BCP gives your business assurance that it can continue operations, even in the event of an unexpected incident or full-blown crisis.
Putting in place a plan is the first stage in this process, but far from the only on Business continuity plan review checklist. Business continuity plan maintenance, review and testing form equally vital steps in your business continuity strategy.
Is Business Continuity Plan Maintenance Important?
Those who were best-prepared have shown themselves to be most resilient when it comes to facing the challenges of Covid-19. The pandemic has provided an all-too-live example of the need for a plan B. If ever there was a time to be confident in your business continuity strategy, it's now. However, it's a mistake to think that creating a BCP is a one-time exercise; that once you've put your plan in place, you can sit back and breathe a sigh of relief. There's no room for complacency in business continuity - the threats you face are ever-changing, and the potential remedial actions need to evolve in tandem. Your business continuity plan might follow best practice guidelines. You might be certified to ISO23301 standards and have put in place the ideal team to manage your disaster planning and BCP strategy. But none of this compensates for a BCP that has grown stale, failing to move with the times when it comes to identifying the latest threats and using the newest approaches to tackle them. That's why reviewing, testing and updating your BCP is as vital as the process of creating a plan in the first place.Questions You Should Ask When Scheduling BCP Reviews and Drills
Your BCP plan needs to be a living document. Creating a BCP isn't a one-off; once you have put your plan in place, you should ask yourself the following questions:- How often should a business continuity plan be reviewed?
- How often should a business continuity plan be tested?
- How often should a business continuity plan be updated?
- The nature and severity of the threats you face may change
- Your business operations may have evolved, leading to, for instance, a larger number of entities or subsidiaries to consider in your planning or new operating geographies. You may have taken your company public, which brings with it a range of new regulatory obligations
- Your personnel may have changed, so the people responsible for continuity planning may re no longer be current
Business Continuity Plan Testing Considerations and Best Practices
Testing is an equally essential stage in ongoing BCP management. What should testing your business continuity plan look like? And during what stage of the business continuity lifecycle do we need to test the business continuity plan? Of course, the real test is an incident itself. But doing business continuity drills will give you the reassurance that your plan is robust enough to face a real incident - and enables you to determine this in a less pressured way than waiting for a real crisis.Business Continuity Plan Testing Types
When it comes to types of business continuity plan testing, there are three main routes: a table-top exercise, a structured walk-through or full disaster simulation testing. First: Table-top or role-playing exercises allow everyone involved in the plan to go through it and identify any missing steps, inconsistencies or errors. Second: A walk-through is a more in-depth test of your approach, with everyone involved examining their own responsibilities to spot any weak points. Third: A full simulation of a possible disaster goes a step further, creating a scenario that mirrors an actual disaster to determine whether your plan enables you to maintain operations. It should include your internal team, alongside any vendors or relevant external partners like security or maintenance companies. However you test your plan, it should be rigorous - CIO suggests that 'you try to break it' to ensure that it's fit for purpose. And whatever route - or combination of approaches - you choose, you should carry out business continuity plan testing at least once a year.How To Keep Your Business Continuity Plan Current
Of course, however comprehensive your reviews and testing, they're of no benefit if you don't act on the findings. Updating your BCP is the final stage in the business continuity plan maintenance lifecycle, taking on board the results of your walk-through or simulation and finessing your plan to adopt any improvements noted during your reviews and tests. How often should a business continuity plan be updated? Every time you identify any shortcomings - whether this is due to your testing/reviewing regime or whenever any errors or omissions come to light. What elements should you consider in an update? While all aspects of your plan are worth checking to ensure they remain current, some areas deserve singling out for special attention:- Your contact list: To ensure you have up-to-date details of everyone you need to contact in the event of an incident.
- Your business entities and subsidiaries data: This forms the basis for your plan. Do you have an up-to-date picture of your organizational structure? Do you have accurate information on all your legal entities and critical functions?
- Challenge assumptions: Play devil's advocate to challenge your beliefs about incidents that could occur.
- Your technologies and systems: Including entity data management software, CRM systems and other IT systems central to supporting your operations.