When Should You Do an Unscheduled Business Continuity Plan Review?

AUGUST 24TH, 2021

In the wake of several high-profile ransomware attacks against critical infrastructure sectors, the U.S. Department of Justice (DOJ) announced that it would begin investigating ransomware attacks with the same level of scrutiny with which it investigates terrorism.Although this escalation may at first seem extreme, in reality, ransomware is quickly becoming IT security teams’ biggest cybersecurity concern.

The onset of the COVID-19 crisis ushered in a new era of ransomware. Attacks became more frequent, more targeted, and more difficult to defend against. 

In response, IT teams are taking a hard look at their business continuity plans and updating them to address new and previously unnoticed vulnerabilities the pandemic uncovered. 

Why Every Business Needs a Business Continuity Strategy

Hackers and ransomware aren’t the only reasons an up-to-date business continuity plan is essential. Unplanned network disruptions and outages can be caused by natural disasters, technology failures, global health crises, and even human error. 

The middle of a crisis is the wrong time to start thinking about how to keep the business running, which is why every organization—from two-person startups to Amazon—needs to proactively plan for both business continuity and disaster recovery. 

Business Continuity

A business continuity plan is all the processes, policies, and procedures that allow an organization to manage risk, minimize disruption to business-critical services, and restore operations quickly during and after a disaster.

The primary objective of a business continuity plan is to “keep the lights on” so critical business operations can continue to run during a disaster. 

Disaster Recovery

A disaster recovery plan is a step-by-step guide for getting your IT systems back up and running quickly after a crisis has passed to minimize downtime and prevent data loss.

The primary objectives of a disaster recovery plan are to proactively protect data with backups, re-enable systems and technology after a crisis, and restore any affected data.

Both business continuity and disaster recovery plans are essential to supporting an organization’s resilience, with business continuity more focused on business objectives and disaster recovery focusing on the technology infrastructure.

What Should Your Business Continuity Plan Include?

A robust business continuity plan will detail all of the processes and policies needed to minimize the impact of a disaster on operations.

Every plan will be tailored to each organization’s specific objectives and requirements, but there are a few key components every plan should include:

  • Business continuity team: These are the people who will start to implement the plan as soon as a crisis occurs.
  • Known and potential risks: The plan should include specific steps to take based on the type and severity of each risk and threat.
  • Inventory of all technology: You can’t protect your company’s assets if you don’t know they exist. Create a list of all software, hardware, peripherals, and devices that the company owns or that have access to the company’s networks. Update the list regularly.
  • Secure backup: A 3-2-1-1 backup strategy that includes immutable storage and an air-gapped copy of the data off-site and offline is essential to reinstating operations.

Why It’s Important to Schedule Regular Reviews of Your Business Continuity Plan

Regularly scheduled tests and reviews of your business continuity plan are critical to ensure the plan will work when and how it needs to in a crisis.

Use the review as an opportunity to: 

  • Identify gaps in the plan
  • Update systems and dependencies
  • Incorporate changes to business processes and policies
  • Add new technology
  • Address personnel changes and update continuity team

Not every part of the plan needs to be reviewed each time, but establishing and adhering to a review schedule will keep your business continuity plan current and ready to be deployed.

When You Should Do an Unscheduled Business Continuity Plan Review

As important as it is to conduct regular business continuity plan reviews, there are times when impromptu reviews are appropriate. 

For example, it is a best practice to spontaneously test how prepared employees are to carry out the plan in the event of a real crisis. 

Any time there is a major disruptive event, the business continuity team should run through the plan. Some types of events that warrant an unscheduled business continuity plan review include:

  • System outage
  • Security breach or cyberattack
  • Major personnel change
  • Major technology update

Reviewing and updating the business continuity plan after these types of events will help IT and the business continuity team: 

  • Keep the technology inventory up to date in the plan
  • Locate any new dependencies
  • Re-prioritize essential and non-essential systems
  • Address unexpected gaps in the plan 

Without a business continuity plan in place, organizations risk losing data, revenue, and customers. Scheduling regular reviews of the plan—and spontaneously testing it as needed—will help ensure all critical systems can be quickly brought back online after an unplanned disruption.

Download Smart Strategies for Business Continuity to learn more ways to protect your business operations and your data from cyberthreats and other types of disasters.