Maintaining your business continuity plan (BCP) can be challenging, but it needs to be done. How often should a business continuity plan be updated? Well, each BC plan is different. Most require a review once a year, others require a review each time a product or the environment it’s in changes. Each organisation must decide when it is right to review and/or change their BC plan, but how do you determine when it is right to update or review your BC plan? In this article we consider the most common reasons why an organisation updates their BC plan and how to go about doing it.
Updates or reviews should be performed when a change occurs with one or any of these three factors in an organisation: the operating environment, how you exercise your plan, changes in business recovery needs and external factors.
Environmental factors and your disaster recovery plan
Environmental factors relate to changes within the organisation. Some examples of the most common environmental changes are IT infrastructure changes, outdated or replaced applications, staffing changes, restructuring and new facilities and buildings. Any of these changes can mean that roles and responsibilities within the plan must change.
How you exercise your BC plan can highlight changes that need to be made to it. If your disaster recovery test adequately challenges its participants, you should be able to tell whether or not your plan is realistic, complete and achievable. Unfortunately, many exercises may fall short of replicating the complexity of an incident scenario or fall off the priority list altogether. Well-planned and well-executed exercises provide the best source of plan assessment, short of a major live event.
If factors regarding your recovery time objective changes, so should your BC plan. Several different things can cause these changes. For example, business recovery requirements for functions and processes may become more or less urgent. Any or all of these changes should prompt your organisation to take a second look at your DR plan and make any necessary revisions.
External factors and your disaster recovery plan
External factors can also lead to changes in your BC plan. They relate to entities outside your organisation including mandatory and optional aspects. The mandatory requirements may emanate from regulatory and other legal or regional requirements. Other initiatives such as outsourcing creates challenges from two perspectives:
- It may decrease awareness levels between the parent organisation and the outsourced function.
- It may increase recovery requirements on the parent organisation. Also, external technological innovation may introduce new risks to disaster recovery, as well as new solutions. It is important to be aware of any external changes to your IT organisation. Changes in your outsourced services use, legal requirements or new technologies can significantly affect your original business continuity plan.
So how often should you update your BC plan? The answer is “it depends”. Many companies opt for an annual review frequency. Some may not ever consider more frequent alternatives to that review schedule. Others adopt a semi-annual or quarterly update for selected plans, based or attributes such as risk rating or criticality.
But ultimately, you should update your disaster recovery plan whenever an important factor in your organisation changes, whether that variable is internal or external. And the time frame on those changes is unpredictable. Frequent updates lead to more complete and reliable disaster recovery plans, which therefore lead to a work environment safe from disasters.
Develop a review schedule
Generally speaking an organisation should be adopting an approach of regular, scheduled review and update, complemented by the same types of review which might be performed when significant change has occurred. For instance:
- All critical functions should review and update their plans, if necessary, every six months
- All other functions should perform an annual review and update of their plans every 12 months
- All functions should review and/or test their plans when significant organisational change occur or when there has been a major change to the organisation’s IT infrastructure or operating model.
We can help
Regardless of how often a business continuity plan should be updated, We offer a range of consultancy services to help organisations like you. Our skilled consultants have many years’ experience helping organisations to create a robust business continuity plan.