This is the final stage of the Business Continuity Planning documents, by now you should have:
1. Understood your organisation’s priorities
2. Captured the Current Capabilities & Core Resources
3. Developed the Response & Recovery Plans
4. Built the Business Continuity Organisation
Thankfully, most of the hard work has now been completed! Now it is important to ensure that there is a management structure in place, and associated responsibilities assigned, to ensure the ongoing integrity of the BCP’s planning and arrangements. In order to achieve this there needs to be ongoing feedback and assurances, and these can be provided by performing the following tasks:
- Periodically re-confirming the understanding of business priorities and tolerances.
- Ensuring capabilities and available resources remain in line with recovery needs. Examples of this are:
- to Undertaking IT failover tests to ensure that systems can be recovered within the required timeframes, and
- to Performing remote working ‘stress tests’ to ensure that the off-site access capabilities can support your users.
- Ensuring that key role holders are proficient in their respective posts and can operate any required processes (such as notification systems).
- Delivering general awareness training to familiarise the wider organisation with actions that are likely to be taken if plans are invoked and what actions, if any, they will be required to perform. These need to be captured in a predefined Assurance Schedule that details the activities, how frequently they should be reviewed, and a process for correcting any issues identified. Managing this schedule is one of the key responsibilities of the Steering Group, as discussed in Stage 4.
Example: Assurance Schedule
The activities defined in this schedule can be can be categorised into three types:
1. Confirmation
This is to ensure that the business priorities and tolerances remain as originally envisaged, and periodically updated to meet the company’s needs, as they evolve.
2. Review & Test
Core capabilities, such as IT and Facilities should be assured by performing recovery plans in a test environment. Examples of these are a) backed-up data must be proved to be integral and recoverable within expected timelines, and b) the processes governing alternative working practises and locations are in place. Both of these will ensure that any company downtime is minimised, if invoked.
3. Exercising & Walkthrough
It is necessary that a high-level walkthrough of the plans are performed to ensure that the key role holders understand their tasks, and processes remain relevant. Different scenarios, for example a cyber-attack or pandemic, should be practised where participants are expected to adopt their roles as if it were a real incident.
The final part of the Oversight and Assurance Framework focusses on communication and educating the whole organisation. This ensures that if an unexpected event occurs those affected know that continuity plans exist and an understanding in what they need to do, which could be to just be to await instruction. This Awareness Initiative should inform staff of the following:
- Where to get information
- How to receive updates and notifications
- What transport arrangements are made in the event of relocation
- How to use remote access facilities
- How to remain safe in particular situations
As with all stages of a Business Continuity Plan, the Oversight and Assurance process needs to be reassessed on a regular basis to make sure that the correct documentation is in place and up to date, and the aligned personnel fully understand their role(s). Remember, the BCP is not just a box-ticking exercise, it is about creating continuity capabilities to ensure that your business remains agile if an unexpected incident occurs.
The final takeaway: if you feel need for some assistance in putting together a BCP, then contact ADAM Continuity. With over 25-years of experience in supporting hundreds of organisations, we are the trusted experts that you can rely upon. Click here for more information.