Who Should Perform a BCP Review?
BCP Review: the value of independent expertise
To get an unbiased view of your business continuity plan, it should be evaluated by someone who has not been involved with it's development and who is suitably qualified to provide creible feedback on your BCP. So who might be able to help?
Your internal audit department. If you have one, your internal audit function should be able to provide a critique of your business continuity plan. Business continuity is likely to be on your organisations risk register and so internal audit will have a mandate to look at many aspects of business continuity as part of their remit. Bear in mind though, that internal auditors may not always have deep expertise in this area and so may be relying on pre-prepared audit programmes on which to base their evaluation. These programmes may not reflect current developments.
Your external auditors may be able to assist. But bear in mind that they, too, my not be specialists. You may get a "generalist with a checklist"
An independent, specialist consultant may be the best (but admittedly not the cheapest) option. An independent specialist will likely have a breadth of experience having seen business continuity plans from many different organisations. If they also have experience of developing, deploying and managing business continuity for an organisation then they will be much more likely to have practical experience of what works and what does not. An experienced specialist will also be able to "read between the lines" of your plan and ask the type of questions that just won't be prompted by a checklist.
Sector experience can be useful in terms of understanding the business environment that you are operating in. Having an understanding of business conventions & operations within a specific commercial sector, any industry regulations and customer expectations that might apply can significantly add to the value of a BCP review
BCP Review: Beware of confirmation bias
Having the BCP review performed by someone who has been in the thick of the development can introduce confirmation bias into the review - which can undermine it's effectiveness .Confirmation bias is the tendency to process information by looking for, or interpreting, information that is consistent with our existing beliefs - in other words we will see what we want to see. Having a BCP review performed by someone who has developed the BCP plan risks introducing confirmation bias into the activity.