speaking, if the company’s BIA is more than a year old, a new analysis should be commissioned—followed by an immediate update of the company’s business continuity plan.
Is business continuity plan maintenance tied to change management?
To remain viable, a business continuity plan must be revised coincident with major organizational, system, or business changes. These changes may include:
The opening of a new office
The introduction of a new product line, or
The passage of new laws and regulations, like Sarbanes-Oxley, which imposes new records retention standards
Any change that affects critical business functions should trigger an automatic review of the business continuity plan. Importantly, if any plan updates are indicated, these updates should be performed prior to—not after—the precipitating business change.
Is the business continuity plan tested on a regular basis?
To remain viable, a business continuity plan must be regularly tested. Importantly, the testing does not have to be extensive or expensive. In many cases, full-scale tests—especially those involving IT facilities—can be replaced by smaller-scale, “tabletop” exercises. These scenario-based tabletop drills are especially useful in establishing an organization’s ability to adapt to a rapidly evolving disaster environment. After all, in a real-world disaster, it may be necessary to rewrite portions of the business continuity plan, literally “on the fly.”
Does the business continuity plan require periodic retrieval and testing of offsite storage media?
The data backup and recovery process is notoriously unreliable. Despite that fact, many IT departments adopt a “tape it and forget it” attitude, refusing to test the integrity of off-site storage media. The business continuity plan should provide for the random retrieval and testing of backup volumes.
Does the business continuity plan offer sufficient detail?
One revealing test is to determine if the plan can be executed by “non-experts.” Planners often cut corners during the documentation phase, depending on the availability of subject-matter experts to “fill in the blanks” if the plan is invoked. Unfortunately, many of these experts may not be available in the aftermath of a disaster, leaving plan activation and execution to junior staffers. As a result, the documentation should be geared to lower level personnel.
Boardroom Briefing: Business Continuity and Disaster Recovery
Does the business continuity plan provide for adequate post-disaster security?
In addition to disrupting business operations, large-scale disasters often disturb security operations. For