Business continuity plan maintenance: How to review, test and update your BCP
We've written before about how all organizations need to have a robust business continuity plan. A comprehensive BCP gives your business assurance that it can continue operations, even in the event of an unexpected incident or full-blown crisis.
Putting in place a plan is the first stage in this process, but far from the only on Business continuity plan review checklist. Business continuity plan maintenance, review and testing form equally vital steps in your business continuity strategy.
Is Business Continuity Plan Maintenance Important?
Those who were best-prepared have shown themselves to be most resilient when it comes to facing the challenges of Covid-19. The pandemic has provided an all-too-live example of the need for a plan B. If ever there was a time to be confident in your business continuity strategy, it's now.
However, it's a mistake to think that creating a BCP is a one-time exercise; that once you've put your plan in place, you can sit back and breathe a sigh of relief. There's no room for complacency in business continuity ' the threats you face are ever-changing, and the potential remedial actions need to evolve in tandem.
Your business continuity plan might follow best practice guidelines. You might be certified to ISO23301 standards and have put in place the ideal team to manage your disaster planning and BCP strategy. But none of this compensates for a BCP that has grown stale, failing to move with the times when it comes to identifying the latest threats and using the newest approaches to tackle them.
That's why reviewing, testing and updating your BCP is as vital as the process of creating a plan in the first place.
Questions You Should Ask When Scheduling BCP Reviews and Drills
Your BCP plan needs to be a living document. Creating a BCP isn't a one-off; once you have put your plan in place, you should ask yourself the following questions:
- How often should a business continuity plan be reviewed?
- How often should a business continuity plan be tested?
- How often should a business continuity plan be updated?
Here we look at each of these questions and identify the best strategies for testing, updating and reviewing your plan.
The Importance of the Business Continuity Plan Review
Why is it important for the business continuity plan reports to be submitted and reviewed regularly? There are several reasons:
- The nature and severity of the threats you face may change
- Your business operations may have evolved, leading to, for instance, a larger number of entities or subsidiaries to consider in your planning or new operating geographies. You may have taken your company public, which brings with it a range of new regulatory obligations
- Your personnel may have changed, so the people responsible for continuity planning may re no longer be current
Your business continuity plan should be reviewed when any of these situations apply. How often you should review your plan is another question organizations often ask; cio.com recommends that you '''Bring key personnel together at least annually to review the plan and discuss any areas that must be modified.'''
Feedback from employees is essential in the review. Intentionally seek input from those involved in creating the plan and those involved in its execution. What can they tell you about changes to staff, operations or other factors that impact the plan?
This is particularly important if you have numerous locations or remote operations where changes might not be immediately apparent to people sitting in a headquarters building. Ensuring your plan is based on comprehensive, accurate information about all your entities and subsidiaries ' a '''single source of truth' for your entire organization ' is vital.
Putting in place a checklist is often a good strategy for any business review, and your BCP is no exception. Consider creating a business continuity plan review checklist to ensure you capture all the elements you need to consider.
And of course, if you've been unfortunate enough to face a business continuity issue that forced the enactment of your plan, you can use the real-life experience you gained to finesse it. What worked well; what should be changed?
Business Continuity Plan Testing Considerations and Best Practices
Testing is an equally essential stage in ongoing BCP management. What should testing your business continuity plan look like? And during what stage of the business continuity lifecycle do we need to test the business continuity plan?
Of course, the real test is an incident itself. But doing business continuity drills will give you the reassurance that your plan is robust enough to face a real incident ' and enables you to determine this in a less pressured way than waiting for a real crisis.
Business Continuity Plan Testing Types
When it comes to types of business continuity plan testing, there are three main routes: a table-top exercise, a structured walk-through or full disaster simulation testing.
First: Table-top or role-playing exercises allow everyone involved in the plan to go through it and identify any missing steps, inconsistencies or errors.
Second: A walk-through is a more in-depth test of your approach, with everyone involved examining their own responsibilities to spot any weak points.
Third: A full simulation of a possible disaster goes a step further, creating a scenario that mirrors an actual disaster to determine whether your plan enables you to maintain operations. It should include your internal team, alongside any vendors or relevant external partners like security or maintenance companies.
However you test your plan, it should be rigorous - CIO suggests that '''you try to break it' to ensure that it's fit for purpose. And whatever route ' or combination of approaches ' you choose, you should carry out business continuity plan testing at least once a year.
How To Keep Your Business Continuity Plan Current
Of course, however comprehensive your reviews and testing, they're of no benefit if you don't act on the findings.
Updating your BCP is the final stage in the business continuity plan maintenance lifecycle, taking on board the results of your walk-through or simulation and finessing your plan to adopt any improvements noted during your reviews and tests.
How often should a business continuity plan be updated? Every time you identify any shortcomings ' whether this is due to your testing/reviewing regime or whenever any errors or omissions come to light.
What elements should you consider in an update? While all aspects of your plan are worth checking to ensure they remain current, some areas deserve singling out for special attention:
- Your contact list: To ensure you have up-to-date details of everyone you need to contact in the event of an incident.
- Your business entities and subsidiaries data: This forms the basis for your plan. Do you have an up-to-date picture of your organizational structure? Do you have accurate information on all your legal entities and critical functions?
- Challenge assumptions: Play devil's advocate to challenge your beliefs about incidents that could occur.
- Your technologies and systems: Including entity data management software, CRM systems and other IT systems central to supporting your operations.
Maintain Confidence in Your BCP
It's clear, then, that putting in place a BCP is only the first step. Reviewing, testing and updating your plan are all equally important stages. In other words, business continuity plan maintenance is crucial.
Underpinning all of this is the need for reliable data on your organizational structure, people, systems and dependencies. Diligent's software suite can help you create the single source of truth you need to manage all your business entities effectively. Find out more by getting in touch with us for a no-obligation demo.
