After Writing a Business Continuity Plan

Congratulations are in order! You’ve got that overall Business Continuity Plan put together for your business.  You’ve also put together all of the important departmental plans that you need so that you can be sure your business is able to react and survive whatever adverse conditions come your way. You’ve presented it to upper management, you’ve made your auditors happy, and you’ve even shown it off to your insurers to demonstrate how prepared you are. A job well done.

But, there is still some work to do. In order for your overall program to be successful, there are definitely some things that you need to do after your plans are built.  The individual tasks are going to vary some depending on your industry and company, but the work overall falls into three categories:

• Testing
• Gap Analysis
• Maintenance

Business Continuity Testing

Testing is important because if you don’t test your plans, you won’t know how well they’ll work when you need them to.  There’s a number of different types of testing out there, and the more you read about testing (particularly from some vendors in the marketplace) the more confusing it can get.  It doesn’t necessarily have to be that way, though.

Simply put, testing your plans will consist of simulating some event where the plan would be activated, and then following the plan to see how well it works in response.  During that process, you note what works well and what needs improvement so you can fix the problems.

The more different simulations you can throw at your plan, the better you can gauge how completely it covers your business.  Most companies also find that it’s easier to test parts of their plans in smaller tests, rather than trying to test an entire plan all at once.  Part of that is because it is difficult to simulate a widespread outage that impacts the entire company.  Another part of that is because there are some sections of response plans (particularly dealing with communications) that are fairly easy to test and can be tested more often.  Companies also find that certain types of tests lend themselves well to working with multiple departments across the organization, and they can be used to improve the overall visibility of the program.

Like I said, there are lots of different types of tests, but I will highlight three of them here because they are fairly ubiquitous across all industries. With a little bit of planning and preparation (and maybe some outside help from a vendor), any company can do these types of tests against their business continuity plans. 

Communication Testing

This is probably the easiest type of testing to perform, and it’s also probably the most important. You don’t really need any specialized technology to do a communications test, you just need a methodology and a way to contact people. Lots of companies will do a simple communications test by having a high level manager contact his underlings, and then creating a record of who was able to respond. Naturally, there are tools out there that can help with this, and there are different groups that would benefit from this type of testing (such as vendor contacts or customers), but the simple act of going through and contacting your employees is something that will be vital in response to an incident. If you can’t test anything else, test this. 

Tabletop Testing

As the name suggests, this type of testing is where you bring representatives from your company “around a table” and ask them to go through the thought experiment of simulating an event where the plan would be activated.  That thought experiment could take your participants through any scenario you would like, from a simple weather-related business interruption, to a ransomware attack, or even to an active shooter incident.  By forcing your people to look objectively at how well the plan can respond to that event, you can gain valuable insights into areas of the plan that might need improvement. Putting together a test like this can require more skill than a simple communications exercise, but it can have much deeper benefits to the organization. 

Alternate Work Site Testing

This sort of testing used to be performed only by the largest firms that could afford to have dedicated alternate work sites. However, in this post-pandemic world that we live in now, having people work outside the office is far more commonplace. If your plans are to have people work from home or from some other work location in response to business interruptions, then it is definitely in your company’s best interest to test that capability. This type of testing is probably easier now than it ever was.

Best practices say you should plan on testing all of your plans annually, and in multiple ways.

Gap Analysis 

An important part of improving plan coverage is doing gap analysis. Generally, gap analysis will consist of looking at what a plan is supposed to accomplish, and then going through the plan to make sure that it meets those requirements.  You’re basically trying to answer the question “Will this plan do what we need it to?” 

For example, You might have tasks outlined for a particular department to notify important customers of an outage during the response phase of your plan. An easy gap analysis to perform would then be to make sure that contact information is provided in the plan for all of those important customers. 

Gap analysis is particularly important in Disaster Recovery planning, because you want to make sure that all of your important systems are covered underneath your Disaster Recovery plans. You also want to make sure that the recoverability of those systems can meet the requirements of the business that you established in your Business Impact Analysis (BIA).

Maintenance

This is the process of keeping your plans up to date and fixing problems that you find.

I’ve often joked that a Business Continuity plan has about the same shelf life as processed cheese, but there is some truth to that. Thanks to employee turnover, changes in business processes, and variances in the marketplace, today’s Business Continuity plans might look very different from what the business actually needs a year from now. Also, if you are doing testing and gap analysis like you should, you are going to find things in your plans that need to be updated.

You should refresh your plans (and ideally your BIA data too) at least once a year.  Many businesses wait until after they’re done testing and doing their gap analyses before refreshing their plans, so they can update everything at once.  That works just fine.

It’s worth noting here that many external stakeholders are going to take a keen interest in whether or not you are doing that annual maintenance on your plans.  It’s very likely that more and more of your customers are asking about maintenance on your business continuity program, your insurers are probably asking about it too.  Depending on what industry you are in, you may well have regulators or auditors that are also very interested in your BC Plan maintenance.

Doing the testing, the gap analysis, and the plan maintenance might all seem like a big pain, But it will save you a lot of effort in the long run. If you wait too long between tests, you let too many things slip through your gap analysis, or you just don’t do your maintenance, your plans will eventually get so far out of date that they won’t do you any good.  Arguably that’s even worse than not having any plans at all, because having an outdated plan can give you a false sense of security.

If it all seems like too much to take on though, Sayers is here to help.  Sayers can help you plan and create exercises that meet the needs of your individual business, can perform in-depth gap analyses to uncover potential trouble spots, and can put tools in your hands to make plan maintenance more precise and effective.  Whether you need a little help or a lot, the experts from Sayers can keep your Business Continuity Program on the right track.

---