How Often Should a Business Continuity Plan Be Reviewed?

JULY 30TH, 2020

Today’s business landscape is in a constant state of uncertainty. As we navigate the unknowns, it is important to make business continuity planning a priority. 

A comprehensive business continuity plan (BCP) can mean the difference between weathering a disaster gracefully with minimal disruption to business operations and taking a devastating hit to your revenue and reputation. Implementing a BCP is about building resiliency for your business, so it is important to create a BCP that offers both protection and a recovery strategy. 

As with any complex, integrated business initiative, you can’t set-and-forget a BCP if you want it to work when you need it. A high-functioning BCP requires regular maintenance and quality reviews. 

How Often Should You Review the Business Continuity Plan?

Unfortunately, there isn’t a short and sweet answer to how frequently you need to review your BCP. The truth is, it depends.

The more complex the plan, the more care and feeding it requires. For example, a large, multinational corporation will require a far more intensive continuity plan than a two-person startup. 

The products and services an organization provides also play a large role in how often the BCP needs to be reviewed and updated. Companies that rely on complex supply chains will need to ensure their BCP addresses dependencies, vulnerabilities, and changes that affect continuity along the chain.

Highly regulated industries such as healthcare and banking need to maintain compliance and regulatory standards, so frequent review of the BCP is necessary to ensure all requirements will be met in the event of an outage or other disruption.

How frequently you need to schedule BCP reviews is also dependent on the type of technology your organization has in place. Some organizations have implemented business continuity tools that provide automated backup, high availability, and email archiving technologies that can be easily tracked through a central management console, minimizing the need for frequent reviews.

Establish a Schedule to Test Different Parts of the Business Continuity Plan

You may have heard the saying, “If you don’t test your business recovery plan, you don’t have a business recovery plan.” Even with robust automated tools in place, you can’t leave business continuity to chance. It is crucial to schedule regular testing to ensure your BCP will work when you need it. 

That’s not to say you need to run a full, end-to-end recovery test each month. Here is a breakdown of the generally accepted BCP test schedule:

Checklist Test—Twice a Year

Two times a year, conduct a high-level check that objectives are still being met by the current BCP. If you find gaps, correct the plan and recirculate to all stakeholders.

Emergency Drill—Once a Year

An annual emergency drill will help ensure everyone knows what to do if there’s a disaster. The leaders conducting the drill should observe the staff’s response. This is especially important with today’s fluctuating employment outlook as new hires may not be aware of BCP protocols.  

Tabletop Review—Every Other Year

This is the time to sit down with all stakeholders, leadership, and the business continuity response team to look for gaps, inconsistencies, and outdated information. This should be a business-driven (not IT-driven) review because business objectives and priorities may have changed.

Comprehensive Review—Every Other Year

A lot can change in a couple of years. This review should include a reassessment of risks, a new impact assessment, and an updated recovery plan.

Recovery Simulation Test—Every 2-3 Years

This is the big one. Simulate a real disaster and walk through your BCP from end to end so you are confident that operations can be quickly restored after a major disruption.

When to Do an Unscheduled Business Continuity Plan Review

Even if you stick to the recommended schedule, there will be events that require an impromptu BCP review. 

For example, a major system outage or security event may expose gaps in continuity coverage that need to be addressed. Also, as mentioned above, we are seeing a large amount of personnel movement, so more frequent reviews may be needed to ensure everyone is on the same page.

If your organization undergoes a major technology change—a new email system, a move from on-premises servers to the cloud, upgraded POS software—a BCP review is crucial to incorporate new hardware, dependencies, business priorities, and so on into the continuity plan. 

Post-Business Continuity Plan Review Activities

After any BCP review, you’ll need to take a few follow-up steps. First, update the BCP with any changes you identified, including new links and passwords, recovery team member changes, and shifts in priorities and business objectives.

Then prepare and present a report to company leadership and stakeholders. Visibility is key to successful recovery after a major disruption, so it is important that everyone is aware of changes and updates to the continuity plan. 

It is difficult to get all the major players in one place at one time, so the end of the annual tabletop review is the perfect opportunity to create the next year’s testing schedule.

Tips to Ensure the Business Continuity Plan Review Is a Success

No one likes to waste time or effort, so here are a few best practices that can help ensure your BCP reviews go smoothly: 

  • Schedule testing so it doesn’t disrupt normal operations.
  • Walk through the tests with staff ahead of time so they know what to expect and you can estimate how long the real test will take.
  • Establish the review objectives up front and re-evaluate them as needed.

Successful business continuity doesn’t just happen. Implementing a comprehensive BCP and then reviewing and updating the plan regularly is the only way to ensure your business applications are available when your users need them. 
