Business Continuity Plan Maintenance: A Step-by-Step Guide

A business continuity plan (BCP) is a living, evolving document. Designed to be activated when unplanned disruption strikes, it must be flexible enough to guide actions regardless of the specifics of the situation. In a fast-changing environment, business continuity plan maintenance is an essential part of the business continuity programme and a key component of organisational risk management. Businesses must test, review and adapt the plan regularly to meet emerging risks and challenges. It is an ongoing process, not a point-in-time exercise.

The true value of robust business continuity planning has been demonstrated over the past year, and organisations are renewing their focus on ensuring they are well-positioned to respond to any scenario that arises. But once an organisation has created the plan, how should it tackle business continuity plan maintenance and testing?

1. Establish a Business Continuity Plan Review Schedule That Fits Your Business

The question of how often a business continuity plan should be reviewed and to what degree depends on the scale of the organisation, the scope of risks and the frequency with which new material risks emerge.

Smaller organisations with simpler operations and fewer external dependencies will have different requirements than larger, more complex counterparts; the review schedule should be designed proportionally. PWC notes that it’s not a case of one-size-fits-all and that “over-engineering a BCM programme can be costly and result in unnecessary ongoing work, and a loss of confidence and engagement with the programme.”

As a broad rule of thumb, the senior management lead for the business continuity management (BCM) programme should conduct a high-level check every six months on whether the plan still meets its desired objectives. The board and executive team should review the plan annually against the organisation’s risk appetite and recovery time objectives. A comprehensive update, including a reassessment of risks and a refreshed business impact assessment, should be undertaken every two years.

However, this is not a rigid schedule. The business continuity plan should be reviewed when there is any significant change — such as a new risk or a significant merger, acquisition or change in personnel —  to make sure it is still fit for purpose. An example of an organisation that has done this to good effect is Wimbledon, which responded to the emergence of the SARS virus in 2002 by adding an infectious disease clause to its insurance policy. Following the 2020 tournament’s cancellation, the organisation is set for a £174m pay-out.

2. Design and Implement a Business Continuity Plan Testing Calendar

When deciding how often to test a business continuity plan, consider that it doesn’t all need to be tested every time. A BCP has numerous elements that can be tested in isolation and a schedule for monthly, quarterly, half-yearly and annual testing of each element can be devised.

Some will require more frequent testing than others. For example, companies should test IT system backup and disaster recovery regularly. Good backup and disaster recovery service providers will facilitate this and deliver reports detailing performance against recovery time objectives (RTOs) and recovery point objectives (RPOs).

Some aspects will already be scheduled into operational management activities, such as employee safety drills like fire alarm testing. Others, like full simulation exercises, are complex and will disrupt business-as-usual. So, while they are a critical part of testing the BCP, they should be limited in frequency to avoid “drill fatigue” that can result from too frequent testing, and coordinated so maximum intelligence can be gained when they do take place.

There are different business continuity testing types to be considered. Scheduled testing creates cadence and familiarity, building in muscle memory that is valuable when disruption strikes. However, disasters don’t turn up on demand, so it is also important to conduct unscheduled drills to replicate a genuine scenario more accurately.

3. Create an Audit and Reporting Framework

With testing distributed across different elements of the programme at different times, there must be a framework for auditing and reporting on test exercises to feed outcomes into the review process.

Test reports should be submitted in a timely fashion to ensure any problems are quickly identified and can be acted on before the risk becomes significant. A process should be developed for managing issues that arise during testing, then agreeing and implementing any changes that are necessary to the BCP. This ensures that issues are given the right degree of consideration and that the business continuity programme is transparent with good visibility over critical issues.

A business may decide — or be required by regulation — to have its business continuity plan externally audited. This allows the business to benefit from an objective perspective and the expertise of business continuity specialists. Even if not mandatory, it can be a good idea to employ an external consultant to evaluate the plan.

4. Conduct Employee Education and Awareness Training

It’s essential that anyone involved in executing a business continuity programme is aware of the actions required of them. Training is a key part of maintaining the plan.

Implementing a rigorous programme starts with identifying the key actors and the knowledge they need to carry out the responsibilities assigned to them. Any gaps between what they know and what they need to know should be addressed with education, including refresher sessions as required.

Organisations must be alert to the natural changes in personnel and job roles, to ensure that responsibilities don’t fall through the gaps and the corporate memory is maintained when employees leave or change roles.

Now Is the Time to Prioritise Business Continuity Strategy

By devising and enacting a business continuity plan maintenance programme that includes regular review, testing, reporting and employee training, businesses are taking an active approach to preparedness. The importance of keeping the business operational and ensuring employee safety is high on the corporate agenda, making this an excellent time to reinforce the tenets of sound business continuity planning as a continuous activity, not a point-in-time exercise.