How Often Should a Business Continuity Plan Be Reviewed?
Creating an effective business continuity (BC) plan can be a challenge, especially at a large or fast-growing organization. But here’s the harsh truth: The long and often difficult road of establishing a plan and getting it approved is just half the battle.
Reviewing and testing the plan are steps you absolutely can’t skip. Business continuity planning must be a process—not a one-time task. Today, many organizations recognize this: A 2015 survey found that 52.5 percent of organizations expected to incorporate small changes to their BC plan that year; nearly 33 percent anticipated significant changes.
With the dynamic nature of BC in mind, how often should your organization review its business continuity plan? The answer depends on several factors:
The size of your organization.
Larger businesses are naturally going to have more complex BC plans because they will involve more employees and facilities, often spread over broader geographic areas. While small and mid-sized organizations can also have complex plans, they typically require less frequent review.
The nature of your business.
Of course, the type of work your organization does will also impact business continuity planning. For example, companies with a complex supply chain or locations in foreign countries will probably require a more frequent and robust management and review process than those without.
The BC systems you have in place.
How your organization administers its BC functions can also impact review frequency. Many newer business continuity innovations, such as a mobile crisis app with actionable and role-based digital playbooks, help streamline and automate certain BC tasks, which ensures that plans stay up to date and relevant over time. With these types of systems in place, the review process can be much easier and faster, reserving resources for other key BC duties.
A Recommended Schedule
With the above factors in mind, you can begin to develop a schedule for reviewing your BC plan. The review process should be continual, with different aspects being appraised and using various methods at least a few times a year.
Many organizations strive for a schedule that includes the following:
Checklist review: Twice a year
The BC team conducts a high-level check on each element of the plan, ensuring that all objectives are still being met.
Emergency drills: Once a year
A key part of business continuity is ensuring that all stakeholders know what to do before, during, and after an emergency situation. Hold annual emergency drills to keep their skills sharp and ensure BC plans account for all facets of a potential business-impacting event.
Tabletop review: Every other year
In this type of review, you’ll gather all key stakeholders, including the BC owner and steering committee, to do a verbal walk-through of the plan. This type of review is helpful because it doesn’t require much time or many resources but can often reveal gaps, inconsistencies, or outdated information in the plan.
Comprehensive review: Every other year
This stage should include a close look at the organization’s risk assessments, business impact analysis, and recovery protocol. This is also an opportunity to update the BC plan to reflect any recent changes to the company’s structure, business, operations, or location.
Mock recovery test: Every two or three years
Larger organizations will also benefit from the occasional recovery simulation, in which the BC plan is fully tested. This active review identifies any gaps in your plan and helps employees and other stakeholders feel prepared and comfortable with their roles.
How often does your business review its business continuity plan? Do you feel that this frequency should be increased?