How often should a business continuity plan be reviewed?
Maintaining your business continuity plan (BCP) can be challenging, and each business continuity plan is different (because all organisations are different). Many organisations require a review once a year; others perform a review each time there is a major change within the organisation. Ultimately, an organisation must decide when it is right to review and/or update its BC plan, but how do you determine when that time has come?
The key question to ask here is what you want from the review. In other words, what should the BCP review achieve? In some instances the need for a business continuity plan review will be obvious; in other situations it may be less so. However, even in the absence of any obvious change, a business continuity plan can slowly erode to the extent that it becomes irrelevant.
The more obvious indicators are things such as:
- Changes to the organisation's operating environment
- Following corporate actions such as mergers, takeovers etc.
- Organisation changes
- Changes in business recovery needs
- External factors such as regulatory changes and customer requirements
Environmental factors and your disaster recovery plan
Environmental factors relate to changes within the organisation. Some examples of the most common environmental changes are IT infrastructure changes, outdated or replaced applications, staffing changes, restructuring, and new facilities and buildings. Any of these changes can mean that roles and responsibilities within the plan must change.
Changes to Business recovery needs
If the factors behind your recovery time objective change, so should your BC plan. Several different things can cause these changes. For example, business recovery requirements for functions and processes may become more or less urgent. Any or all of these changes should prompt your organisation to take a second look at your DR plan and make any necessary revisions.
External factors and your disaster recovery plan
External factors can also lead to changes in your BC plan. They relate to entities outside your organisation and include both mandatory and optional aspects. The mandatory requirements may emanate from regulatory and other legal or regional requirements. Other initiatives, such as outsourcing, create challenges from two perspectives: outsourcing may decrease awareness levels between the parent organisation and the outsourced function, and it may also increase the recovery requirements on the parent organisation. External technological innovation may also introduce new risks to disaster recovery, as well as new solutions. It is important to be aware of any external changes affecting your IT organisation. Changes in your use of outsourced services, in legal requirements or in technology can significantly affect your original business continuity plan.
Avoiding slow erosion
Slow erosion is the process by which a business continuity plan becomes increasingly irrelevant to the organisation. The root cause of slow erosion is the many small changes that occur over time. Individually each change is trivial, but their combined effect compromises the plan until it becomes completely ineffective. Some of the key causes of slow erosion within business continuity plans are:
- Adds, moves and changes within the organisation's technology infrastructure. No major new systems, just tweaks, upgrades and enhancements, can compromise back-up regimes and processes
- Physical workplace changes: office moves can compromise workplace recovery strategies
- Joiners, leavers and movers can undermine your original business continuity organisation and leave gaps in roles and responsibilities within incident management and business recovery action plans
A BCP review designed to prevent slow erosion within the business continuity plan should cover:
- Are all contact details for staff, customers and suppliers correct?
- Are the roles defined in the plan still relevant to our incident management and recovery requirements?
- Is the contact plan still relevant?
- Are the correct people included in the contact plan?
- Are roles and responsibilities still relevant?
- Are all individuals assigned roles in the plan the correct person for the role?
- Have all role holders been trained in their role?
- Have all role holders participated in a wider simulation test within the last 12 months?
- Are alternative workplace arrangements still relevant?
- Are IT systems recovery requirements still relevant?
So how often should you update your BC plan? The answer is "it depends". Many companies opt for an annual review frequency to avoid slow erosion. Some never consider more frequent alternatives to that review schedule. Others adopt a semi-annual or quarterly update for selected plans, based on attributes such as risk rating or criticality.
But ultimately, you should update your business continuity plan whenever an important factor in your organisation changes, whether that variable is internal or external, and the timing of such changes is unpredictable. Frequent updates lead to more complete and reliable disaster recovery plans, which in turn lead to a work environment that is safe from disasters.
Develop a review schedule
Generally speaking, an organisation should adopt an approach of regular, scheduled review and update, complemented by the same types of review performed whenever significant change has occurred. For instance:
• All critical functions should review and, if necessary, update their plans every six months
• All other functions should review and update their plans annually
• All functions should review and/or test their plans when significant organisational changes occur, or when there has been a major change to the organisation's IT infrastructure or operating model
Follow or connect with Steve, RiskCentric's owner & founder via LinkedIn