Disruption was a common theme in 2020, and if early indicators are correct, 2021 isn’t going to be particularly stable, either. So far, we’ve experienced significant supply chain issues, whiplash-inducing changes to public health and safety recommendations, and a spate of ransomware attacks on technology giants and critical infrastructure providers—and we’re barely halfway through the year.
One positive thing that came out of the chaos that was 2020 is the increased awareness of how critical a comprehensive, well-tested business continuity plan is to the success—and, sometimes, survival—of an organization. For example, some companies that thought they had planned for all contingencies found they hadn’t addressed continuity for a 100 percent virtual workplace, which, as it turns out, was a critical oversight.
Why Business Continuity Plan Reviews Are a Must
A business continuity plan is your company’s roadmap for how to keep the business running after a disaster or unplanned outage. The plan should document very specific details about getting critical business operations back online and functioning as quickly as possible to minimize loss of data, revenue, and productivity.
In theory, your business continuity plan will cover all possible scenarios and provide a fast path back to normalcy. But if the plan isn’t reviewed frequently and thoroughly, a crucial component of the plan could be missing or no longer valid, and you wouldn’t know until it’s too late.
Regularly scheduled reviews let you evaluate the continuity and recovery capabilities for critical processes and identify shortcomings and gaps in the continuity plan that may interfere with resuming business operations. The review is also the perfect opportunity to update, revise, and adjust the plan as needed to address any major staffing, threat, or technology changes that occurred since the last review.
When to Review Your Business Continuity Plan
Although thoroughly testing the plan regularly may sound daunting, the good news is that not every review needs to be an end-to-end assessment. Here are the generally accepted guidelines for which parts of your business continuity plan to test and how often to test each:
- Every six months: Conduct a checklist test to determine whether the objectives are still being met and update the plan as needed.
- Annually: Stage an emergency drill to evaluate authentic employee response to a disaster.
- Every other year: Schedule a tabletop review with leadership and stakeholders to update business objectives and address gaps.
- Every other year: Run a comprehensive review to reassess risks and conduct a new impact assessment.
- Every 2-3 years: Initiate a full end-to-end recovery simulation test to measure the effectiveness of your business continuity plan.
Following these frequency guidelines will help ensure that all of the business-critical systems and their dependencies are recoverable in a crisis, the business objectives aren’t obsolete, and everyone in the organization knows their role in implementing the business continuity plan.
How to Ensure Your Business Continuity Plan Review Goes Smoothly
Plan reviews should not be conducted ad hoc. Instead, establish and document a repeatable process with defined objectives to ensure accurate results, no matter who is leading the review.
Additionally, your team should break down the review process into three distinct sets of activities that occur before, during, or after the review.
1. Before the Review
Preparation is key to getting the most out of your business continuity review. Set your organization up for success by following a few pre-review best practices:
- Schedule testing to minimize disruptions: Be aware of other departments’ commitments and plan accordingly. For example, accounting won’t be fully engaged in a review scheduled during their end-of-quarter closeout.
- Walk through the tests with staff in advance: Unless the goal is to gauge staff reaction to an unplanned review, be clear about what the review is assessing and how so employees know what to expect.
- Establish the review objectives upfront: Transparency is crucial to establishing an effective business continuity plan. Be sure all employees and stakeholders know what success looks like.
- Re-evaluate plan review objectives as needed: Business processes, technology, and risk factors are constantly changing. Don’t be shy about adjusting review objectives before getting started, so the results reflect the current reality.
2. During the Review
Your business continuity plan review should focus on two main factors: 1) how well prepared critical areas of the business are to bounce back from a crisis, and 2) the effectiveness of each phase of the continuity plan.
During the review, assess the following systems and elements for business continuity preparedness. Be sure to note whether there have been any changes to equipment, resources, or policies since the last review.
- Contact lists
- Communication channels
- Supply chain
- Essential personnel
- Equipment
- Data backup and restoration
The business continuity plan review should evaluate the three main phases of the plan to determine how well continuity is supported in the event of a crisis.
- Initial response: This step will be specific to the type of disruption you are dealing with, but at a high level, this is the time to assess the severity of the damage, identify which systems are affected, and determine whether any data has been lost or corrupted.
- Mobilization/relocation of resources and staff: Many organizations were ill-prepared for a wholesale shift to virtual business operations and a remote workplace at the outset of the coronavirus pandemic. However, with more than a year of lessons learned and infrastructure upgrades, many businesses now have the flexibility to shift between physical and virtual operations fairly quickly.
- Recovery and restoration: Once the immediate threat or disruption is resolved, your business continuity plan should kick in and begin the process of restoring operations almost immediately. If it doesn’t, find out why.
3. After the Review
Once the business continuity plan review is complete, the final stage is to evaluate the results and update the plan as needed to address gaps, inconsistencies, and changes to the systems, technology, policies, and processes.
The results should also be compiled into a report and presented to leadership and stakeholders along with the updated plan.
When to Initiate an Impromptu Plan Review
Occasionally, circumstances may dictate the need for an unscheduled review to address any significant changes. If your organization undergoes one or more of the following events, schedule a thorough review and update:
- Major system outage
- Ransomware attack or another security event
- Major staffing change
- Major technology change
- Merger or acquisition
Smart Strategies for Business Continuity
Business continuity is too important to leave to chance. Organizations must have a solid strategy to quickly recover business operations after a security event or major disruption. Download Smart Strategies for Business Continuity for additional tips on how to disaster-proof your business.