Maintenance of business continuity and disaster recovery plans is a critical part of any business continuity initiative,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
and it's also a key component of business continuity management systems as advocated in the new global BCM standard, ISO 22301.
After you have completed the development of business continuity and disaster recovery plans, a DR/BC maintenance program ensures that plans and other documentation are accurate and up to date.
An effective change management process is an ideal prerequisite for establishing a BC maintenance program. Many of the issues that show up in tests and exercises are the result of internal changes within the organization, including with staff, physical sites or technology. Change management programs address essentially the same things: situations that change the way the business functions.
A typical DR/BC maintenance program, like a change management program, includes both scheduled and unscheduled activities. Scheduled activities might include new or updated risks, new or updated business impact analyses (BIAs), and BC/DR plan exercises. Unscheduled activities might include responding to an inquiry from a vendor in the company's supply chain for information about the firm's BC program or researching BC vendors for specific technical solutions.
Additional maintenance activities include keeping staff rosters current; keeping BC/DR procedures aligned with needs of the business; scheduling new and updated BIAs; reviewing and updating BC/DR policies; reviewing the BC/DR capabilities of other vendors; scheduling audits and other reviews; reviewing and updating BC/DR budgets; scheduling and delivering training sessions; scheduling and delivering awareness programs; reviewing and updating crisis communications materials and messages to the media; reviewing any legal issues that affect BC/DR; analyzing new products and services for possible use; and analyzing current research and white papers to ensure that the program is using best practices and leading-edge thinking.
Think of a DR/BC maintenance program as a detailed schedule of activities that keep the overall program up to date, keep plans up to date, ensure that policies are consistent with global standards, ensure that emergency teams are properly trained and understand their roles and responsibilities, and ensure that employees understand the value of BC/DR. Many of the activities must be scheduled to ensure that all can be addressed on a timely basis and that the program remains consistent with company BC policies.
Other activities may be triggered as a change management activity, such as a major change in business processes for a department or the acquisition of a company. Other areas that are change management-based might include changes to a plan following an exercise, post-audit recommendations or following activation of a BC/DR plan, updating the plan based on lessons learned from the plan's activation.
Plan maintenance outputs can include a formal maintenance plan schedule, a formal maintenance plan document, DR/BC maintenance summary reports to senior management, and an up-to-date business continuity program with accurate and current plans.
Launching a business continuity maintenance program demonstrates that the BC/DR program is real and reinforces management's commitment to the process.
About the author: Paul Kirvan, CISA, FBCI, has more than 24 years of experience in business continuity management (BCM) as a consultant, author and educator. He has completed dozens of BCM consulting and audit engagements that address all aspects of a business continuity management system and are aligned with global standards, including BS 25999 and ISO 22301. Kirvan currently works as an independent business continuity consultant/auditor and is secretary of the Business Continuity Institute USA chapter and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.