Business continuity plan maintenance: How to review, test and update your BCP
We've written before about how all organizations need to have a robust business continuity plan. A comprehensive BCP gives your business assurance that it can continue operations, even in the event of an unexpected incident or full-blown crisis.
Putting in place a plan is the first stage in this process, but far from the only one. Business continuity plan maintenance, review and testing form equally vital steps in your business continuity strategy.
Is Business Continuity Plan Maintenance Important?
Those who were best-prepared have shown themselves to be most resilient when it comes to facing the challenges of Covid-19. The pandemic has provided an all-too-live example of the need for a plan B. If ever there was a time to be confident in your business continuity strategy, it's now. However, it's a mistake to think that creating a BCP is a one-time exercise; that once you've put your plan in place, you can sit back and breathe a sigh of relief. There's no room for complacency in business continuity: the threats you face are ever-changing, and the potential remedial actions need to evolve in tandem. Your business continuity plan might follow best practice guidelines. You might be certified to ISO23301 standards and have put in place the ideal team to manage your disaster planning and BCP strategy. But none of this compensates for a BCP that has grown stale, failing to move with the times when it comes to identifying the latest threats and using the newest approaches to tackle them. That's why reviewing, testing and updating your BCP is as vital as the process of creating a plan in the first place.
Questions You Should Ask When Scheduling BCP Reviews and Drills
Your BCP needs to be a living document. Creating a BCP isn't a one-off; once you have put your plan in place, you should ask yourself the following questions:
- How often should a business continuity plan be reviewed?
- How often should a business continuity plan be tested?
- How often should a business continuity plan be updated?
Here we look at each of these questions and identify the best strategies for testing, updating and reviewing your plan.
The Importance of the Business Continuity Plan Review
Why is it important for the business continuity plan reports to be submitted and reviewed regularly? There are several reasons:
- The nature and severity of the threats you face may change
- Your business operations may have evolved, leading to, for instance, a larger number of entities or subsidiaries to consider in your planning or new operating geographies. You may have taken your company public, which brings with it a range of new regulatory obligations
- Your personnel may have changed, so the people responsible for continuity planning may no longer be current
Your business continuity plan should be reviewed when any of these situations apply. How often you should review your plan is another question organizations often ask; cio.com recommends that you "Bring key personnel together at least annually to review the plan and discuss any areas that must be modified." Feedback from employees is essential in the review. Intentionally seek input from those involved in creating the plan and those involved in its execution. What can they tell you about changes to staff, operations or other factors that impact the plan? This is particularly important if you have numerous locations or remote operations where changes might not be immediately apparent to people sitting in a headquarters building. Ensuring your plan is based on comprehensive, accurate information about all your entities and subsidiaries, a "single source of truth" for your entire organization, is vital. Putting in place a checklist is often a good strategy for any business review, and your BCP is no exception. Consider creating a business continuity plan review checklist to ensure you capture all the elements you need to consider. And of course, if you've been unfortunate enough to face a business continuity issue that forced the enactment of your plan, you can use the real-life experience you gained to finesse it. What worked well; what should be changed?
Business Continuity Plan Testing Considerations and Best Practices
Testing is an equally essential stage in ongoing BCP management. What should testing your business continuity plan look like? And during what stage of the business continuity lifecycle do we need to test the business continuity plan? Of course, the real test is an incident itself. But doing business continuity drills will give you the reassurance that your plan is robust enough to face a real incident, and enables you to determine this in a less pressured way than waiting for a real crisis.
Business Continuity Plan Testing Types
When it comes to types of business continuity plan testing, there are three main routes: a table-top exercise, a structured walk-through or full disaster simulation testing.
First: Table-top or role-playing exercises allow everyone involved in the plan to go through it and identify any missing steps, inconsistencies or errors. Second: A walk-through is a more in-depth test of your approach, with everyone involved examining their own responsibilities to spot any weak points. Third: A full simulation of a possible disaster goes a step further, creating a scenario that mirrors an actual disaster to determine whether your plan enables you to maintain operations. It should include your internal team, alongside any vendors or relevant external partners like security or maintenance companies. However you test your plan, it should be rigorous; CIO suggests that "you try to break it" to ensure that it's fit for purpose. And whatever route, or combination of approaches, you choose, you should carry out business continuity plan testing at least once a year.
How To Keep Your Business Continuity Plan Current
Of course, however comprehensive your reviews and testing, they're of no benefit if you don't act on the findings. Updating your BCP is the final stage in the business continuity plan maintenance lifecycle, taking on board the results of your walk-through or simulation and finessing your plan to adopt any improvements noted during your reviews and tests. How often should a business continuity plan be updated? Every time you identify any shortcomings, whether this is due to your testing/reviewing regime or whenever any errors or omissions come to light. What elements should you consider in an update? While all aspects of your plan are worth checking to ensure they remain current, some areas deserve singling out for special attention:
- Your contact list: To ensure you have up-to-date details of everyone you need to contact in the event of an incident.
- Your business entities and subsidiaries data: This forms the basis for your plan. Do you have an up-to-date picture of your organizational structure? Do you have accurate information on all your legal entities and critical functions?
- Challenge assumptions: Play devil's advocate to challenge your beliefs about incidents that could occur.
- Your technologies and systems: Including entity data management software, CRM systems and other IT systems central to supporting your operations.
Maintain Confidence in Your BCP
It's clear, then, that putting in place a BCP is only the first step. Reviewing, testing and updating your plan are all equally important stages. In other words, business continuity plan maintenance is crucial. Underpinning all of this is the need for reliable data on your organizational structure, people, systems and dependencies. Diligent's software suite can help you create the single source of truth you need to manage all your business entities effectively. Find out more by getting in touch with us for a no-obligation demo.
3 Ways to Test Your Business Continuity Plan
You’re a positive person. We think that’s spectacular. And though remaining positive is great in principle, sadly it isn’t always a smart risk management mindset. The companies that subscribe to Murphy’s Law are generally best equipped to mitigate risk and handle the unknowns – whether that’s economic downturns, natural disasters, data breaches or server failures. Regardless of risk appetite, smart companies plan against interruptions to business with what’s known as a Business Continuity Plan or BCP. A Business Continuity Plan evaluates how your company will sustain operations, communicate to personnel and clients, and generally weather the storm in the event of a business interruption. If the Murphy Law mantra feels negative, then just stack the deck and consider it a smart wager instead, since it is FAR better to be ready for a disaster that may never come than be caught unprepared and risk your business collapsing.
We’ve discussed the value of Disaster Recovery Plans (DRPs) and Business Continuity Plans (BCPs) in previous articles, so today we turn this topic toward a vital and often overlooked component of risk mitigation and continuity assurance: testing.
Even the best plans fall apart without proper implementation. Success in plan execution increases exponentially with testing. Consider testing your Business Continuity Plan annually at a minimum so that all employees and stakeholders are knowledgeable and primed for continuity measures in case of an emergency. Here are our suggestions for three (3) things you can consistently do to ensure your Business Continuity Plan is tested and your organization is better prepared should disaster strike.
It’s not just for the compulsive personalities like project managers and analysts. Creating a checklist not only defines the successive order in which key operational and administrative procedures should be carried out, it also naturally comes in the form of a quick-reference guide (also known as a QRG). When confusion increases and communication deteriorates, a continuity plan checklist at either a high-level or multiple checklists across your more granular functional areas are an easy and comforting distillation of the business continuity plan that ensures two key components for successful plan implementation: 1) that steps are conducted in the right order, and 2) that no steps are missed.
Two sets of checklists should be made. The first set encompasses those key procedures, contacts, communications, and steps that should be done at the moment of business interruption and throughout any disaster in order to successfully execute on the Business Continuity Plan. The second set of checklists – your BCP Audit Lists – are the items and key information that should be tested and verified on the previous set. Using both in tandem during annual or periodic testing greatly increases the quality of your Business Continuity Plan testing and also the likelihood of successful plan implementation if a disaster occurs.
Common things to include on your BCP Audit List include your employees’ contact details. Much of business downtime, and conversely a company’s speed in getting operations back up and running, is contingent on internal communications. Having an outdated phone number is a painfully avoidable mistake that can carry considerable cost to your company. At testing time, validate all internal and external contact information to be sure details are current and accurate. If you maintain an offsite cache of emergency supplies, check to ensure that you have the appropriate types and volumes of supplies and backup equipment to last you until normal operations can be restored. Work with your analysts or external business consultation partners to help you determine which supplies, equipment and quantities are appropriate at varying levels and types of business interruption. In addition, be sure to review and secure copies of all required and supplemental documents for personnel, processes and operations (especially emergency forms, contact info, and the Business Continuity Plan itself).
One BCP Audit List item to include should be an evaluation of the overall plan for validity and appropriateness based on the current state of the company. Testing helps business continuity plans stay up to date and provides for more continual adaptation and updating, but your company’s key strategic leadership should periodically evaluate the current state of the company in light of new strategies, technologies, or capabilities and determine whether the existing Business Continuity Plan still covers all of the current needs, strategy and direction. New strategies/technologies may now exist that are more practical and efficient than the ones currently in your plan from last year, and company direction and capabilities may reveal a need to overhaul the business continuity plan or at least amend it.
A walk-through or run-through promotes both procedural and muscle memory. Recall the fire drills and tornado drills of your elementary school days. Drills were conducted as a live activity rather than a verbal this-is-what-we-would-do review. The reason for this may be intuitive but studies show that active practice facilitates more efficient internalization of procedures, and (as instructional gurus will tell you) key process components have a much higher likelihood of cognitive transfer from working to long-term memory. What that boils down to is simply that your employees will care about it more and remember it longer.
Consider a structured walk-through with department heads to make sure that key points of command and delegation points to internal teams know precisely what to do in an emergency. Elect a team leader from each department and have each form their own testing team which should have extra duties and responsibilities (like making sure the building is clear) and will likely require extra rehearsal. After testing, department team leaders should discuss findings and then draft a unified report on plan efficacy and suggestions for improvement.
Walk-throughs are not just for the human parts of the plan. Kick off boot sequences, scripted and automated contingencies, data replication tasks, stand-by server switch-overs, cloud backup and data validation – whatever key technical components fall into your operations and continuity plan procedures. And then measure key continuity performance indicators (KCPIs) to report and leverage in your plan’s overall evaluation, such as quality or viability and speed to accessibility.
Simulation testing methods address the recovery and restoration aspects of the plan through seemingly real-life scenarios. Build your continuity simulation by creating scenarios that feel real and address key components of the Business Continuity Plan. Form testing teams and assign each a specific scenario that its members will enact using the facilities, equipment, and supplies available to them. If you can create cascading scenarios – ones that overlap and require inputs from or depend on processes to be completed by other testing teams – your simulation will be a better true-to-life representation of a business-interruption event or disaster.
Members of the company’s disaster response team should evaluate overall company response performance based on the simulation, determine how well teams were able to effectively carry out critical functions of the Business Continuity Plan, and identify key improvements and lessons learned to incorporate in the Business Continuity Plan and implementation procedures.
Don’t have a disaster response team? Assemble one as soon as possible.
Use the results from your checklists, walk-throughs and simulations to identify your Business Continuity Plan’s strengths and weaknesses, signal gaps between your plan and company’s current state of strategy and capability, determine how well your personnel can comply with the plan, and assess how ready you are for a disaster now that you’ve done the work of creating the BCP.
If testing your plan feels daunting, you aren’t alone. Many BCPs are constructed and then are shelved due to hesitation around the critical component of testing. The journey of a thousand tests begins with a single checklist, so start planning your Business Continuity Plan testing today. And as always, if you have questions about testing your Business Continuity Plan, need help with any of the techniques mentioned above, or need help constructing your Business Continuity Plan, let us help. Dynamic Quest offers business consultation services with a focus on disaster recovery, business continuity, plan testing, data analysis, and more. Just click the orange “Ask an Expert” button below to inquire about Dynamic Quest’s services or ask one of our experts a question.
Testing, testing: how to test your business continuity plan
Disruptions are by their nature unexpected, but your organisation’s response to hitting pause on normal business operations doesn’t have to be equally unexpected.
A comprehensive business continuity plan maps out every stage of your business’ response to relevant risks that could affect business-as-usual. This could be a powercut, a cyber-attack or a supply failure. Whatever the disruption, the right continuity plan can ensure that your business minimises downtime and recovers as quickly as possible, reducing the risk of lost revenue or reputation.
However, even the most detailed plan can become ineffective if it is not regularly tested. Businesses rarely stand still, and this means your plan may have to adapt to new circumstances. Lack of knowledge, communication and practice can also compromise your business’ response, which could extend your recovery.
So, how should you test your business continuity plan, and how often should it be put in practice?
How often should a business continuity plan be tested?
There is no hard and fast rule that governs how often your business should test its plan.
It really depends on the complexity of your business and the number, scale and likelihood of the risks it faces. These should be identified as part of a Business Impact Assessment (BIA), which will inform your business’ response.
If your business has high risks for revenue loss, a damaged reputation or the possibility of lengthy downtime, then testing should be carried out more regularly and more areas of the plan should be tested.
The regularity of the testing is also dependent on the type of test being performed.
How can a business continuity plan be tested?
There are three main ways of testing your business continuity plan: checklist or walkthrough exercises, desktop scenarios or simulations.
Checklist or walkthrough exercises
A checklist or walkthrough exercise is one of the easiest forms of test. It consists of a desktop exercise in which senior managers determine if the plan remains current by checking off or ‘walking through’ each step.
When going through the plan they should also ask key questions, such as does the business have the right supplies to cope? Are copies of the plan known by key personnel? Do key personnel know what their roles are?
To make this test as valuable as possible, an emphasis must be placed on any weak areas. The mission is not to find fault or assign blame, but to promote improvement, which will make your plan more effective if the worst should happen.
Desktop scenarios
A desktop scenario test is a little more specific than the checklist. Using a scenario relevant to the business, this test can help you to establish all the processes of your business’ response to a specific disruption. For example, you can check the processes of your plan in the event of sudden data loss.
Simulations
Simulations are full re-enactments of business continuity procedures and could involve most, if not all, of your workforce. They also tend to take place on site in the relevant business areas.
In this test, each employee involved will need to physically demonstrate the steps needed in order to react to the disruption and recover from it. This could involve driving to a back-up location, making phone calls, completing communication templates or visiting server rooms. These kinds of tests are good for establishing staff safety, asset management, leadership response, relocation protocols and any loss recovery procedures.
Due to the large scale of a full simulation, these kinds of tests may be limited to annual occurrences. They may also need to be moved to quieter business days or even non-operational days so that disruption to normal work is minimised.
Organising a test
Before beginning a test, you will need to set out a clear objective as well as define exactly what is being tested. For example, you may want to check your continuity plans in the event of a power outage.
For a desktop exercise, you need to ensure that key personnel or top management are available to participate. A venue also needs to be arranged, but this doesn’t necessarily have to be in a key location unless you are planning a simulation.
Before the test, circulate the testing plan along with the objective to everyone involved. This team should also familiarise themselves with the current business continuity plan.
Assign some people within the team to record the test’s performance and any shortcomings that are identified. After the test, feedback should also be sought. These findings then need to be formally recorded and used to update the business continuity plan. Once finalised, the revised plan should be shared among the workforce.
Remember that testing a business continuity plan is not about passing or failing – it is about improving processes to give your business the best possible chance of dealing with disruption. Regular testing asserts the effectiveness of your processes, trains your staff in what to do for faster, more confident responses and highlights areas that need strengthening.
Solution for disruption
Business continuity plans give your business a blueprint for disruption survival, but only if they are fit for purpose.
An internationally recognised mark of best practice, ISO 22301 will enable you to implement, maintain and improve a business continuity management system, which will support your business before, during and after disruption.
To find out more, visit our dedicated webpage for ISO 22301.
About the author
Content Marketing Executive
Claire worked for Citation ISO Certification between 2020 and 2022 writing creative and informative content on ISO certification and consultation to help businesses reach their potential.
Checklist for Business Continuity Testing
By Agility Recovery October 11, 2022
Business continuity plan (BCP) testing is the most reliable way to validate a BC strategy, and it is a critical component of continuity planning. Use this checklist for business continuity testing for an actionable plan. By skipping regular testing, you won’t know if your organization is prepared for a disaster—until it’s too late.
About Agility Recovery
Through its business continuity management platform, called Agility Central, Agility works to reduce the impact of business interruptions on credit unions and the communities they serve. They help businesses be prepared before, during, and after an incident happens. After decades of helping businesses recover from real disasters and streamline emergency preparedness and incident response, they bring the collective experiences of thousands of hours in the field.