How often should you review a business continuity plan?
Business continuity plans are not a one-and-done deal. Before a disaster strikes, ensure your organization's BC plan is up to date with regular reviews.
To ensure a business continuity plan runs smoothly, it must be up to date. If an organization moves to multi-cloud storage, a BC plan built with the previous legacy storage in mind won't be any good. There is no room for downtime, so regular reviews will help prevent hitting avoidable snags during a recovery.
Traditional business continuity practice suggests that the organization must review completed business continuity plans on at least two occasions. The first is an annual review, and the second is after the business goes through a material change. This might be an IT or hardware change, or it can be when the company goes through a merger or acquisition.
In practice, the person responsible for the BC plan and its associated program will determine how often the company reviews the plan. Since it is often up to that individual's discretion, based on their view of the company's readiness, review schedules vary greatly among different organizations.
Available guidance for BC plan reviews
Businesses that believe BC plans should be reviewed regularly are in good company.
The following standards and guidelines cover the importance of conducting business continuity plan reviews:
- ISO 22301:2019, the global standard on business continuity.
- NFPA 1600:2019, the American standard for emergency response and business continuity.
- The Federal Financial Institutions Examination Council's Business Continuity Management handbook.
The Business Continuity Institute and Disaster Recovery Institute International also advocate for regular plan reviews.
Aside from various standards and practices advocating plan reviews, it is simply good business to ensure BC plans are accurate, appropriate for the organization and easy to understand, and that they initiate and address the issues essential for keeping the business operational.
How to perform a review
Think of a plan review as a gap analysis. Using one or more standards and good practices documents as guides, begin by comparing the plan's sections with the frameworks presented in the various standards and guidance.
Where something appears to be missing, make a note to add the missing section and relevant data after the initial run-through. It might be useful to change the sequence of sections in the plan, again based on the guidance. It might also help to convert a standard or other guidance document into a checklist. That way, a check can be entered in the appropriate box as each element is reviewed.
Business continuity plan examples and templates from other organizations can also help, as the way someone else structures a plan might make more sense than the way the plan is currently structured.
When digging deeper into the plan's details, it might be necessary for BC managers to speak with others in the organization, such as business unit leaders and IT department staff. These individuals can help identify potential changes and clarify existing procedures.
Many different BC plan development software tools are available, and it might be useful to acquire one of these to assist with the review. Organizations can also retain a BC consultant to complete a plan review, on the expectation that the consultant has expertise in plan development, review and testing.
Participation in professional BC organizations, such as the national Association of Continuity Professionals, provides opportunities to discuss BC plans and related activities with other professionals. Their insights are based on real-world experience, might save the organization a lot of time and often won't cost more than a phone call or two.
The good news is that plenty of source materials and expert professionals are available to support a BC plan review.
Using the review results to update the plan
Once the review is complete and the organization has identified necessary revisions, it is time to update the plan document with the changes. Be sure that all contact data is current; this is often an overlooked activity. The contact data should cover not only employees, but also every external vendor that is needed to support business operations. The plan might also include information about the organization's supply chains, such as the primary suppliers and alternates.
When performing a plan review, ask the question, "Will this plan be sufficient to recover the business to its pre-incident status?" Another way of asking that question is, "Will this plan work when a disaster strikes?" A regularly updated and exercised BC plan, regardless of the many types of disasters possible, is far better than not having any plan at all.
Circulate the updated plan to people previously interviewed, as well as other knowledgeable employees and third parties, for their comments.
Don't forget plan testing and exercising
Often used interchangeably, testing and exercising -- no matter which term is used -- verify that the BC plan will perform as designed to facilitate business recovery and resumption. In a live event, it might be difficult to use the plan, depending on how the event unfolds. This is where prior plan testing can also identify alternate procedures, such as backdoors. Businesses can launch these in lieu of or to supplement the original plan procedures.
Finally, once plan testing has been completed, identify changes to the plan from the exercise and complete an additional update. It is a good idea to circulate the test-updated plan as the final step in the review process.
Consider setting up an annual schedule of BC-related activities such as plan reviews, exercises and business impact analysis updates. This will ensure BC plan reviews are part of an organization's regular roster of activities.