12.0 Practice Advisory - Part Two
IMPLEMENTING AND MAINTAINING THE PLAN
This section of the Guideline contains those functions and tasks required for the Business Continuity Plan to remain a living document: one that grows and changes with the organization and remains relevant and actionable.
12.1.1 Educate and Train
The BCP is only as valuable as the knowledge that others have of it. Education and training are important components of the BCP process. They require a time commitment from the Crisis Management Team, the Response Teams, and the general employee population.
12.1.1.a Educate and Train Teams
The Crisis Management and Response Teams should be educated about their responsibilities and duties. Checklists of critical actions and information to be gathered are valuable tools in the education and response processes. Teams should be trained at least annually and new members should be trained when they join. These Teams should also be trained with respect to prevention of crises, as described in the next section.
12.1.1.b Educate and Train All Personnel
All personnel should be trained to perform their individual responsibilities in case of a crisis. They should also be briefed on the key components of the BCP, as well as the Response Plans that affect them directly. Such training could include procedures for evacuation, shelter-in-place, check-in processes to account for employees, arrangements at alternate worksites, and the handling of media inquiries by the company.
It is recommended that any external resources that may be involved in a response – such as Fire, Police, Public Health, and third-party vendors – be familiar with relevant parts of the BCP.
12.1.2 Test the BCP
12.1.2.a Benefits of Testing
The benefits of and necessity for testing, which involves training and exercises, cannot be overemphasized. Testing can keep Teams and employees effective in their duties, clarify their roles, and reveal weaknesses in the BCP that should be corrected. A commitment to testing lends credibility and authority to the BCP.
12.1.2.b Goals and Expectations
The first step in testing should be the setting of goals and expectations. An obvious goal is to determine whether a certain crisis response process works and how it can be improved. Other less obvious goals can be to test capacity (as in the case of a call-in or call-out phone system, for instance), to reduce the time necessary for accomplishment of a process (for example, using repeated drills to shorten response times), and to bring awareness and knowledge to the general employee population about the BCP.
Lessons learned from previous tests, as well as actual incidents experienced, should be built into the testing cycle for the BCP.
12.1.2.c Planning and Development
The responsibility for testing the BCP should be assigned. Larger organizations may consider establishing a Test Team. Where appropriate, the expertise of external resources (consultants, local emergency organizations, etc.) can be leveraged.
A test schedule and timeline should be established, setting out how often the plan and its components will be tested.
12.1.2.e Scope of Testing
The scope of testing should be planned to develop over time. In their infancy, tests should start out relatively simple, becoming increasingly complex as the test process evolves. Early tests could include checklists, simple exercises, and small components of the BCP. As the test schedules evolve, tests should become increasingly complex, up to a full-scale activation of the entire BCP, including external participation by public safety and emergency responders.
12.1.2.f Test Monitoring
When feasible, assign observers to take notes during the test. If possible, arrange to videotape and/or use audiotape devices for further appraisal at the conclusion of the exercise. If videotape and/or audiotape devices are not available, then a person should be assigned to document the chronological list of events during the testing.
12.1.2.g Test and Exercise Scenarios
Testing scenarios should be designed using the events identified in the Risk Assessment.
12.1.2.h Test and Exercise Roles
There are several roles that test participants can fill. All participants should understand their roles in the exercise, and the exercise should involve all participants. As part of the exercise, participants should be allowed to interact and discuss issues and lessons.
12.1.2.i Test and Exercise Participation
Various groups from the organization itself, as well as from the public sector, can participate in the tests:
12.1.2.j Test and Exercise Evaluation
After completion, the test should be critically evaluated. The evaluation should include, among other things, an assessment of how well the goals and objectives of the test were achieved, the effectiveness of participation, and whether the BCP itself will function as anticipated in the case of a real crisis. Future testing, as well as the BCP itself, should then be modified as necessary based on the test results.
12.1.2.k Ongoing Development of Test Schedules
Design of tests should be evaluated and modified as necessary. They should be dynamic, taking into account changes to the BCP, personnel turnover, actual incidents, and results from previous exercises.
12.2.1 Develop BCP Review Schedule
The BCP should be regularly reviewed and evaluated. Reviews should occur according to a pre-determined schedule, and documentation of the review should be maintained as necessary. The following factors can trigger a review and should otherwise be examined once a review is scheduled:
- Risk Assessment: The BCP should be reviewed every time a Risk Assessment is completed for the organization. The results of the Risk Assessment can be used to determine whether the BCP continues to adequately address the risks facing the organization.
- Sector/Industry Trends: Major sector/industry initiatives should initiate a BCP review. General trends in the sector/industry and in business continuity planning techniques can be used for benchmarking purposes.
- Regulatory Requirements: New regulatory requirements may require a review of the BCP.
- Event Experience: A review should be performed following a response to an event, whether the BCP was activated or not. If the plan was activated, the review should take into account the history of the plan itself, how it worked, why it was activated, etc. If the plan was not activated, the review should examine why and whether this was an appropriate decision.
- Test/Exercise Results: Based on test/exercise results, the BCP should be modified as necessary.
12.2.2 Develop BCP Maintenance Schedule
Regular maintenance of the BCP cannot be overemphasized. Clear responsibility for BCP maintenance should be assigned. Maintenance can be either planned or unplanned and should reflect changes in the operation of the organization that will affect the BCP. The following are examples of procedures, systems, or processes that may affect the plan:
- Systems and application software changes
- Changes to the organization and its business processes
- Personnel changes (employees and contractors)
- Supplier changes
- Critical lessons learned from testing
- Issues discovered during actual implementation of the plan in a crisis
- Changes to external environment (new businesses in area, new roads or changes to existing traffic patterns, etc.)
- Other items noted during review of the plan and identified during the Risk Assessment.