A thorough review of a business resumption plan can involve some time and effort. For purposes of this article, “review” means at least sitting down with the plan, and any supporting documentation, and reading the plan to check that it is still valid. If the plan is for the recovery of a single unit, the review should include some of the key staff of that unit. If the plan is for the recovery of multiple units, some staff from those units could be involved in the review process. People from units that might support recovery may also be included. Each organization will have its own guidelines for what constitutes a review and who should be involved. A review could lead to updates to the plan, as well as a walkthrough, tabletop exercise, or even a more robust exercise to validate the plan.
Following is a list of some changes that may occur in either the business or infrastructure/technical environments. These changes may trigger an out-of-cycle review, and could lead to plan updates and/or exercises. The following list of possible changes is not intended to be exhaustive.
Type of Change
• Add/delete a business function or new line of business
• Add/delete applications
• Add/lose/change key staff
• Change to the business functions’ recovery time objectives (RTOs) or recovery point objectives (RPOs)
• Change the business functions’ back-up strategies or the back-up/recovery technology
• Change the timing of a business function (e.g., a function that was run 8 a.m. to 5 p.m. Monday-Friday is now run 6 a.m. to 6 p.m. Monday-Saturday)
• Changes in upstream/downstream business dependencies (timing, applications, interfaces, outside entities, etc.)
• Corporate policy changes
• Functional unit moves to a new physical location, or some other substantial change in the physical environment
• Functional unit’s overall RTO changes (for example, a unit operating from 6 a.m. to 6 p.m. has a 12-hour RTO, or less depending on other factors. If the unit’s hours of operation change to 6 a.m. to midnight, the RTO becomes six hours, or less.)
• Issues/problems discovered during exercises or during an event
• Move functions to a substantially different technology
• Move the functional unit to a new organization
• New mandatory/legal/regulatory requirements
• New or changed roles for units that may support recovery, or new support units (infrastructure support, computer operations, physical security or travel, for example)
• New relocation sites
• New threats or changed assessment of threats
• Reorganization of the functional unit
• Research into best practices
• Substantial changes to a business function, such as new processes or machinery
• Substantial changes to number of employees or skill set of employees
• Substantial changes to applications
The following minor changes will probably not trigger a plan review:
• Changes to employee contact information (might trigger a communication exercise)
• Hire/loss of non-key staff
• Minor changes in technology, applications or the physical environment
Periodically, the business continuity manager or staff, working with the business partners, should examine the list of changes that have occurred since the last review/update and determine if an out-of-cycle review of the plan is warranted. The above list of triggers could also be used as a checklist to track changes that have occurred.
A series of minor changes to the technology, applications, number of staff, or physical environment may cause enough overall changes in the plan to warrant a plan review and possibly an update or walkthrough.
The business continuity staff, working with others if appropriate, should carry out the plan review. The goal is to decide whether the plan itself actually needs updating, and whether it needs a walkthrough or exercise to validate it. The plan review may indicate that a walkthrough or some other exercise is needed to show that the plan still works. A substantial change in the number of people involved in the functional units might not trigger plan updates, but might indicate an exercise is needed to help with training and familiarization.
Review the plan using the list of changes to determine how the individual plan components themselves may have been impacted by the changes. For example, moving the functional unit to a new physical site may have a high impact on relocation instructions. The following table may help track the impact of changes on plan components. Each organization will have its own plan components and its own impacts.
The changes that have occurred in the business or technical environments can provide the basis for scenarios for exercises. For example, if a functional unit moves to a new physical location, a scenario for an exercise might involve damage to that location to show that the plan will support relocation from the new location. Or, if the business functions move to a substantially different technology, a scenario might be developed to show that that technology can be recovered within the time frames required.
Reorganizing the functional unit may indicate the need for a communications exercise, or an emergency response exercise, or an emergency command center exercise to show that the flow of control and information is still valid, as well as train the new staff and managers.
Tracking the changes that have occurred in the business and technical environments that our plans operate in can provide us with valuable information that can tell us if a plan needs to be reviewed outside its normal cycle. Tracking changes can also tell what areas of the plan should be addressed during a review, and help us develop exercises to validate our plans and show that they will still work as expected.
Chris Rohrs, CBCP, is an independent consultant specializing in business resumption/continuity and project management. He has more than seven years’ experience in business resumption and more than 20 years’ experience as a technical project management/team leader. Rohrs lives in northern California and can be reached at firstname.lastname@example.org.