How Often Should a Business Continuity Plan Be Reviewed?
Today’s business landscape is in a constant state of uncertainty. As we navigate the unknowns, it is important to make business continuity planning a priority.
A comprehensive business continuity plan (BCP) can mean the difference between weathering a disaster gracefully with minimal disruption to business operations and taking a devastating hit to your revenue and reputation. Implementing a BCP is about building resiliency for your business, so it is important to create a BCP that offers both protection and a recovery strategy.
As with any complex, integrated business initiative, you can’t set-and-forget a BCP if you want it to work when you need it. A high-functioning BCP requires regular maintenance and quality reviews.
How Often Should You Review the Business Continuity Plan?
Unfortunately, there isn’t a short and sweet answer to how frequently you need to review your BCP. The truth is, it depends.
The more complex the plan, the more care and feeding it requires. For example, a large, multinational corporation will require a far more intensive continuity plan than a two-person startup.
The products and services an organization provides also play a large role in how often the BCP needs to be reviewed and updated. Companies that rely on complex supply chains will need to ensure their BCP addresses dependencies, vulnerabilities, and changes that affect continuity along the chain.
Highly regulated industries such as healthcare and banking need to maintain compliance and regulatory standards, so frequent review of the BCP is necessary to ensure all requirements will be met in the event of an outage or other disruption.
How frequently you need to schedule BCP reviews is also dependent on the type of technology your organization has in place. Some organizations have implemented business continuity tools that provide automated backup, high availability, and email archiving technologies that can be easily tracked through a central management console, minimizing the need for frequent reviews.
Establish a Schedule to Test Different Parts of the Business Continuity Plan
You may have heard the saying, “If you don’t test your business recovery plan, you don’t have a business recovery plan.” Even with robust automated tools in place, you can’t leave business continuity to chance. It is crucial to schedule regular testing to ensure your BCP will work when you need it.
That’s not to say you need to run a full, end-to-end recovery test each month. Here is a breakdown of the generally accepted BCP test schedule:
Checklist Test—Twice a Year
Two times a year, conduct a high-level check that objectives are still being met by the current BCP. If you find gaps, correct the plan and recirculate to all stakeholders.
Emergency Drill—Once a Year
An annual emergency drill will help ensure everyone knows what to do if there’s a disaster. The leaders conducting the drill should observe the staff’s response. This is especially important with today’s fluctuating employment outlook as new hires may not be aware of BCP protocols.
Tabletop Review—Every Other Year
This is the time to sit down with all stakeholders, leadership, and the business continuity response team to look for gaps, inconsistencies, and outdated information. This should be a business-driven (not IT-driven) review because business objectives and priorities may have changed.
Comprehensive Review—Every Other Year
A lot can change in a couple of years. This review should include a reassessment of risks, a new impact assessment, and an updated recovery plan.
Recovery Simulation Test—Every 2-3 Years
This is the big one. Simulate a real disaster and walk through your BCP from end to end so you are confident that operations can be quickly restored after a major disruption.
When to Do an Unscheduled Business Continuity Plan Review
Even if you stick to the recommended schedule, there will be events that require an impromptu BCP review.
For example, a major system outage or security event may expose gaps in continuity coverage that need to be addressed. Also, as mentioned above, we are seeing a large amount of personnel movement, so more frequent reviews may be needed to ensure everyone is on the same page.
If your organization undergoes a major technology change—a new email system, a move from on-premises servers to the cloud, upgraded POS software—a BCP review is crucial to incorporate new hardware, dependencies, business priorities, and so on into the continuity plan.
Post-Business Continuity Plan Review Activities
After any BCP review, you’ll need to take a few follow-up steps. First, update the BCP with any changes you identified, including new links and passwords, recovery team member changes, and shifts in priorities and business objectives.
Then prepare and present a report to company leadership and stakeholders. Visibility is key to successful recovery after a major disruption, so it is important that everyone is aware of changes and updates to the continuity plan.
It is difficult to get all the major players in one place at one time, so the end of the annual tabletop review is the perfect opportunity to create the next year’s testing schedule.
Tips to Ensure the Business Continuity Plan Review Is a Success
No one likes to waste time or effort, so here are a few best practices that can help ensure your BCP reviews go smoothly:
- Schedule testing so it doesn’t disrupt normal operations.
- Walk through the tests with staff ahead of time so they know what to expect and you can estimate how long the real test will take.
- Establish the review objectives up front and re-evaluate them as needed.
Successful business continuity doesn’t just happen. Implementing a comprehensive BCP and then reviewing and updating the plan regularly is the only way to ensure your business applications are available when your users need them.
How Often Should a Business Continuity Plan Be Reviewed?
Reviewing and testing the plan are steps you absolutely can’t skip. Business continuity planning must be a process—not a one-time task. Today, many organizations recognize this: A 2015 survey found that 52.5 percent of organizations expected to incorporate small changes to their BC plan that year; nearly 33 percent anticipated significant changes.
With the dynamic nature of BC in mind, how often should your organization review its business continuity plan? The answer depends on several factors:
The size of your organization.
Larger businesses are naturally going to have more complex BC plans because they will involve more employees and facilities, often spread over broader geographic areas. While small and mid-sized organizations can also have complex plans, they typically require less frequent review.
The nature of your business.
Of course, the type of work your organization does will also impact business continuity planning. For example, companies with a complex supply chain or locations in foreign countries will probably require a more frequent and robust management and review process than those without.
The BC systems you have in place.
How your organization administers its BC functions can also impact review frequency. Many newer business continuity innovations, such as a mobile crisis app with actionable and role-based digital playbooks, help streamline and automate certain BC tasks, which ensures that plans stay up to date and relevant over time. With these types of systems in place, the review process can be much easier and faster, reserving resources for other key BC duties.
A Recommended Schedule
With the above factors in mind, you can begin to develop a schedule for reviewing your BC plan. The review process should be continual, with different aspects appraised using various methods at least a few times a year.
Many organizations strive for a schedule that includes the following:
Checklist review: Twice a year
The BC team conducts a high-level check on each element of the plan, ensuring that all objectives are still being met.
Emergency drills: Once a year
A key part of business continuity is ensuring that all stakeholders know what to do before, during, and after an emergency situation. Hold annual emergency drills to keep their skills sharp and ensure BC plans account for all facets of a potential business-impacting event.
Tabletop review: Every other year
In this type of review, you’ll gather all key stakeholders, including the BC owner and steering committee, to do a verbal walk-through of the plan. This type of review is helpful because it doesn’t require much time or many resources but can often reveal gaps, inconsistencies, or outdated information in the plan.
Comprehensive review: Every other year
This stage should include a close look at the organization’s risk assessments, business impact analysis, and recovery protocol. This is also an opportunity to update the BC plan to reflect any recent changes to the company’s structure, business, operations, or location.
Mock recovery test: Every two or three years
Larger organizations will also benefit from the occasional recovery simulation, in which the BC plan is fully tested. This active review identifies any gaps in your plan and helps employees and other stakeholders feel prepared and comfortable with their roles.
How often does your business review its business continuity plan? Do you feel that this frequency should be increased?
Business Continuity Plan Maintenance: How To Review, Test and Update Your BCP
We've written before about how all organizations need to have a robust business continuity plan. A comprehensive BCP gives your business assurance that it can continue operations, even in the event of an unexpected incident or full-blown crisis.
Putting in place a plan is the first stage in this process, but far from the only one. Business continuity plan maintenance, review and testing form equally vital steps in your business continuity strategy.
Is Business Continuity Plan Maintenance Important?
Questions You Should Ask When Scheduling BCP Reviews and Drills
- How often should a business continuity plan be reviewed?
- How often should a business continuity plan be tested?
- How often should a business continuity plan be updated?
- The nature and severity of the threats you face may change
- Your business operations may have evolved, leading to, for instance, a larger number of entities or subsidiaries to consider in your planning or new operating geographies. You may have taken your company public, which brings with it a range of new regulatory obligations
- Your personnel may have changed, so the people responsible for continuity planning may no longer be current
Business Continuity Plan Testing Considerations and Best Practices
Business Continuity Plan Testing Types
How to Keep Your Business Continuity Plan Current
- Your contact list: To ensure you have up-to-date details of everyone you need to contact in the event of an incident.
- Your business entities and subsidiaries data: This forms the basis for your plan. Do you have an up-to-date picture of your organizational structure? Do you have accurate information on all your legal entities and critical functions?
- Challenge assumptions: Play devil's advocate to challenge your beliefs about incidents that could occur.
- Your technologies and systems: Including entity data management software, CRM systems and other IT systems central to supporting your operations.
Maintain Confidence in Your BCP
How Often Should A BCP [Business Continuity Plan] Be Reviewed? [And When Should It Be Tested?]
The process of developing, finalizing, and communicating your initial business continuity plan (BCP) is no small feat. However, ongoing monitoring and reviewing of your BCP is critical to account for both internal and external changes that may impact your business. So how often should your BCP be reviewed? This blog post will dive into the answer to that question, as well as the results you’ll see from an effective business continuity program, the benefits of conducting business continuity planning, how to improve your organization’s business continuity planning process and more.
How Often Should A BCP Be Reviewed & Tested?
As a best practice, your BCP (business continuity plan) should have a scheduled review annually at a minimum, as well as a business review whenever something in your business changes (e.g. a process, product, service, etc.) or there is an external factor impacting your business (e.g. environmental changes, new regulations, an acquisition, etc.).
What are the results of an effective business continuity program?
Having an effective business continuity plan review process can impact your business in many ways:
Better resource planning
With a complete profile of business unit information mapped out within your business continuity plan, you can identify critical functions and analyze the impact they have on your organization. As a result, you’ll be able to better allocate the necessary resources and ensure that backup strategies are in place to maintain basic operations following a loss or outage.
Added insights
Gain insight into which business units are most critical to business operations, which are prepared for a business continuity event, and which need to be reevaluated. Housing everything in one centralized program allows you to quickly and easily navigate to the right resources amidst an emergency event.
Reduced losses
Having an effective business continuity plan allows you to create various scenarios and recovery strategies for recovering in the case of any losses.
This enables you to take a proactive, risk-based approach to your organization’s recovery and get back up and running sooner, reducing losses.
What are the benefits of conducting business continuity planning?
Having a formalized process in place for business continuity planning yields a variety of benefits for your organization. Let’s dive into a few of them:
Overcome challenges more quickly
Relying on reactive efforts following a business continuity event leads to a higher probability of missteps that could only worsen the problem at hand. If you’ve actively invested time and energy into preparing for any potential risk before it manifests, then if and when it does, your BCP will direct you to the necessary resources to return to business as usual. This approach results in less collateral damage and shorter downtime periods.
Identify critical areas of improvement
Building a business continuity plan with an enterprise-wide approach empowers your frontline employees to identify dependencies across your organization. This offers better insight to improve your plans: by looking at common risk factors across all departments, you’ll be better able to identify unique risks on a function-by-function basis and see which risks are specific to certain teams and which are prevalent throughout the entire organization.
Increase stakeholder confidence
Investing resources into developing a strong BCP assures vendors, investors, customers, employees, and regulators alike that your organization is being run properly. Mitigating risks before they happen is good governance, and that demonstrates corporate responsibility and fosters a positive corporate culture.
How can I improve my organization’s business continuity planning?
Depending on how mature your business continuity management program currently is, there are several ways to improve. First and foremost, without software streamlining your business continuity planning process, reviewing and optimizing your BCP for success can be extremely difficult.
That’s because your business continuity plan is inherently central to being prepared for potential disruptions and solidifying trust with external parties such as vendors, clients, or potential shareholders.
Your organization has multiple business units, functions, teams, and products to keep track of. Lacking insight into which aspects are critical for internal operations and which provide critical services to your downstream dependencies will hinder you from properly allocating resources and will lengthen delays.
Here’s a step-by-step outline for improving your business continuity planning process using risk-based software:
- Start by identifying your most critical processes. When a business continuity event occurs, ERM software enables you to understand which processes are most critical to your organization and must be prioritized first to get back up and running and minimize any impacts.
- Assess the various risks your organization faces. By evaluating all of the various types of risks that a business continuity event could bring up – such as financial, reputational, customer, legal or strategic impact – you’re able to adequately determine which steps must be included in your BCP to minimize those impacts.
- Mitigate with purpose. Building a business continuity plan through a risk-based lens empowers you to design more effective policies, procedures, and other controls that simultaneously minimize the impact of the disruption at hand.
- Monitor the effectiveness of your plan over time. Continually monitor the effectiveness of your mitigating efforts using automated software to ensure that your BCP is directly aligned with your most up-to-date risks.
- Connect your departments. Your business continuity plan does not exist in a vacuum. Using integrated software allows you to identify interdependencies that must be known if an event occurs to ensure all steps are taken.
- Report historical data. Reporting is a key step in any risk-based approach, as it reveals patterns over time so that you can improve your BCP where needed and keep your organization protected from any future disruption.
Conclusion: Why Complete A Business Continuity Plan Review
When calamity strikes, it shouldn’t be a scramble to get your business back up and running.
Ensuring consistent updating of your BCP as well as having reliable disaster recovery plans helps ensure that no matter how much stress your business is put under, you have steps in place that eliminate uncertainty and minimize downtime.
This means including everything in your BCP that you need and knowing which functions of your business are the most critical, which resources employees use to keep crucial processes functioning, and the recovery steps for getting those functions and resources back online should havoc come to visit.
While doing all of this for disaster recovery may deem you a superhero, superheroes are only as good as their sidekicks. Consider LogicManager’s business continuity planning software as your new sidekick:
- Easily access, review and update all of your business continuity and disaster recovery plans (like business processes and related assets) within one centralized framework.
- Manage your responsibilities and track the status of your projects with easily accessible to-do lists.
- Improve coordination between business continuity, disaster recovery, and crisis response teams with automated tasks, alerts, and reminders.
- Ensure the BCP you have in place is operational and effective with automated testing.
- Link risks and controls directly to the business continuity plans they relate to with our taxonomy technology.
- Evaluate the criticality of each business process with pre-built, intuitive business impact analysis templates.
- Track business continuity events when they occur, identify the gaps in your plans, and determine follow-up improvements to your procedures with our intuitive incident templates.
- Prove BCP compliance to auditors and BCP effectiveness to senior management with highly configurable reports and compliance checklists.
With your business continuity planning process improved, you can focus on going beyond the call of duty. At its core, our business continuity planning software is designed to help you align strategic goals with operational objectives.
By giving you an enterprise-wide view of your risk and a risk rating at all times, LogicManager’s business continuity management program not only drastically reduces the time and money you spend on business continuity management, but it also helps you prove your invaluable impact on your company’s success with a comprehensive review to reduce internal and external factors threatening your organization.
How often should a business continuity plan be reviewed?
Maintaining your business continuity plan (BCP) can be challenging and each business continuity plan is different (because all organisations are different). Many organisations require a review once a year, others perform a review each time there is a major change within the organisation. Ultimately, an organisation must decide when it is right to review and/or update their BC plan, but how do you determine when it is right to update or review your BC plan?
The key question to ask here is what do you want from the review? In other words, what should the BCP review achieve? In some instances the need for a business continuity plan review may be obvious; in other situations it may be less so. However, even in the absence of change, a business continuity plan can slowly erode to the extent that it becomes irrelevant.
The more obvious indicators are things such as:
Changes to the organisation's operating environment
Following corporate actions such as mergers, takeovers, etc.
Changes in business recovery needs
External factors such as regulatory changes and customer requirements
Environmental factors and your disaster recovery plan
Environmental factors relate to changes within the organization. Some examples of the most common environmental changes are IT infrastructure changes, outdated or replaced applications, staffing changes, restructuring and new facilities and buildings. Any of these changes can mean that roles and responsibilities within the plan must change.
Changes to business recovery needs
If factors regarding your recovery time objective change, so should your BC plan. Several different things can cause these changes. For example, business recovery requirements for functions and processes may become more or less urgent. Any or all of these changes should prompt your organization to take a second look at your DR plan and make any necessary revisions.
External factors and your disaster recovery plan
External factors can also lead to changes in your BC plan, and they relate to entities outside your organization including mandatory and optional aspects. The mandatory requirements may emanate from regulatory and other legal or regional requirements. Other initiatives such as outsourcing create challenges from two perspectives: they may decrease awareness levels between the parent organisation and the outsourced function, and they may also increase recovery requirements on the parent organisation. Also, external technological innovation may introduce new risks to disaster recovery, as well as new solutions. It is important to be aware of any external changes to your IT organisation. Changes in your use of outsourced services, legal requirements or new technologies can significantly affect your original business continuity plan.
Avoiding slow erosion
Slow erosion is the process by which a business continuity plan becomes increasingly irrelevant to the organisation. The root cause of slow erosion is many small changes that occur over time. Individually each change is trivial, but their combined effect compromises the plan until it becomes completely ineffective. Some of the key causes of slow erosion within business continuity plans are:
Adds, moves and changes within the organisation's technology infrastructure. No major new systems, just tweaks, upgrades and enhancements, can compromise back-up regimes and processes
Physical workplace changes - office moves can compromise workplace recovery strategies
Joiners, leavers and movers can undermine your original business continuity organisation and leave gaps in roles and responsibilities within incident management and business recovery action plans.
A BCP Review designed to prevent slow erosion within the business continuity plan should cover:
Are all contact details for staff, customers and suppliers correct?
Are the roles defined in the plan still relevant to our incident management and recovery requirements?
Is the contact plan still relevant?
Are the correct people included in the contact plan?
Are roles and responsibilities still relevant?
Are all individuals assigned roles in the plan the correct person for the role?
Have all role holders been trained in their role?
Have all role holders participated in a wider simulation test within the last 12 months?
Are alternative workplace arrangements still relevant?
Are IT systems recovery requirements still relevant?
So how often should you update your BC plan? The answer is “it depends”. Many companies opt for an annual review frequency to avoid slow erosion. Some may not ever consider more frequent alternatives to that review schedule. Others adopt a semi-annual or quarterly update for selected plans, based on attributes such as risk rating or criticality.
But ultimately, you should update your business continuity plan whenever an important factor in your organization changes, whether that variable is internal or external. And the time frame on those changes is unpredictable. Frequent updates lead to more complete and reliable disaster recovery plans, which therefore lead to a work environment safe from disasters.
Develop a review schedule
Generally speaking, an organisation should adopt an approach of regular, scheduled review and update, complemented by the same types of review performed when significant change has occurred. For instance:
• All critical functions should review and update their plans, if necessary, every six months
• All other functions should perform an annual review and update of their plans every 12 months
• All functions should review and/or test their plans when significant organisational change occurs or when there has been a major change to the organisation’s IT infrastructure or operating model.
Follow or connect with Steve, RiskCentric's owner & founder via LinkedIn
Why You Need to Review, Update Your Business Continuity Plans
We often urge you to have a risk management plan in place so that you are prepared for the many eventualities that can affect your business. Your risk management plan should be part of a larger business continuity plan for keeping your organization going during disruptions both large and small. The plan should be broad enough to cover prevention and response, and that can only be done with input from representatives of all your firm’s divisions.
Companies can spend considerable time putting together a risk management plan that is unique to their workplace and operations. But, after they have created and implemented their plan, many businesses fail to evaluate and update it on a regular basis. You will need to test, evaluate and update your risk management and business continuity plans regularly because risks can change as your business, your industry and the environment you operate in also change.
A prime example of a new risk is the cyber threat that continues to grow in significance, having cost many businesses millions of dollars in response, remediation and notification costs. If you have not included this eventuality in your business continuity plans, you should do so.
If you set aside time once or twice a year to review your plans, you can identify new risks and monitor the effectiveness of your current risk management strategies. This gives you an opportunity to modify or enhance your plan in response to those emerging or newly identified threats. As you did when you created your original plans, you should involve personnel from your various departments and also consider inviting key vendors or customers to the planning sessions. This will help bring different perspectives to the table, resulting in a more comprehensive overall plan.
The business continuity plan
Besides identifying and trying to mitigate risks, your risk management plan should be part of a broader business continuity plan that includes strategies for responding to and recovering from incidents if they do happen. Business continuity planning has four steps:
• Prevention – This is essentially the risk management part of the plan, which is to prevent problems from occurring in the first place.
• Preparedness – This should be the fruits of your risk management plan, requiring you to have plans and resources in place to respond to and recover from an incident. You should conduct a business impact analysis that identifies all of the resources, personnel and equipment critical to keeping your business running. Your plan should identify external stakeholders, the skills and knowledge necessary to run your business and how long your business can survive without performing these tasks.
• Response – This part of the plan should cover what you do following an incident, such as containing, controlling and minimizing the effects. This should include details on when the plan would be activated, assembling an emergency kit, having evacuation procedures in place and a communication plan to implement during an event.
• Recovery – After the initial response to an incident you will want to ramp up to full operations again as quickly as possible. You need to map out strategies to recover your business activities in the quickest possible time. That entails a description of key resources, equipment and staff required to recover your operations – and a time objective.
Making sure your business continuity plan is reliable and up to date will help you resume operations quickly after an incident and reduce the effects on your business. While you may be able to predict and deal with a number of potential risks, there will be some that are unexpected or impossible to plan for. That’s why the last two parts of your business continuity plan – incident response and recovery – are important, as they can be used after both foreseeable and unforeseeable events. Also, depending on the size of your business, you may choose to have separate risk management, impact analysis, incident response and recovery plans, or a single plan incorporating all of the above elements – known as a business continuity plan. A business continuity plan is a practical blueprint for how your organization will recover or partially restore critical business activities after a change or interruption.
Business Continuity Planning FAQ
1. What is the purpose of the disclosure requirement in FINRA Rule 4370(e)?
The purpose of the disclosure requirement in FINRA Rule 4370(e) is to assist customers in making educated decisions about whether to place their funds and securities at a specific firm. The disclosure may state that the firm's BCP is subject to modification. Each firm is required to disclose to its customers how its BCP addresses the possibility of a future significant business disruption and how the firm plans to respond to events of varying scope. However, firms are not required to disclose their actual BCP, including any proprietary information, but rather can provide appropriate levels of summary information.
2. Our firm's business consists primarily of selling variable insurance products. Although we sell the product, the customer needs to deal with the insurance company in question if there is a problem. How do we treat this situation in our BCP under FINRA Rule 4370?
A firm that sells variable insurance products cannot defer its regulatory and customer protection responsibilities to a third party. A firm may, however, tailor its BCP to the needs and business of the firm. In tailoring the plan, the firm must consider its customers' needs in the event of a significant business disruption, and plan accordingly. In the situation presented, the plan should, for instance, consider what the firm's primary responsibilities are, but also include information on the entities that customers would need to contact to access their assets and funds. The firm should also provide customers with any needed information regarding assets held away from the firm.
3. Our firm is a market maker that deals solely with other firms, so we have no retail "customers." To whom, if anyone, should we disclose how our BCP addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?
As we have stated, each firm's BCP must be tailored to meet its specific needs. This underlying principle also applies to disclosure of how a firm plans to address a significant business disruption. Therefore, although there is no obligation to disclose how your BCP addresses the possibility of a future significant business disruption to non-customers, a copy of the disclosure should be made available to any non-customer with which you do business so that these individuals and firms can determine for themselves the efficacy of the firm's BCP.
4. In what manner should our firm disclose to our customers a summary of how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond under FINRA Rule 4370?
At a minimum, this disclosure must be made in writing to customers at account opening, posted on your website (if you have one), and mailed to customers upon request.
5. How often should our firm review its Business Continuity Plan (BCP) under FINRA Rule 4370?
FINRA Rule 4370 requires each firm to conduct an annual review of its BCP. In addition to an annual review, your firm must update its BCP in the event of any material change to your firm's operations, structure, business, or location.
6. What does FINRA Rule 4370(e) require?
FINRA Rule 4370(e) states:
Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request.
The intent behind this part of the rule is to provide customers and counterparts with appropriate levels of information so that they may make an informed decision about doing business with your firm.
7. Our firm's business is done solely on an RVP/DVP basis. To whom should we disclose how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?
BCPs should be reasonably designed to enable a firm to meet its existing obligations to customers and address existing relationships with other broker/dealers and counterparties. To the extent a firm does not have any customers, it should disclose this information to the business constituents or other non-customers that rely on the firm as part of the overall transaction process.
8. My firm is a sole proprietorship. I am the sole registered principal, but I employ two registered representatives. I will register myself as the first emergency contact person, but who should be the second emergency contact person under FINRA Rule 4370?
The second emergency contact person should be one of the registered representatives at your firm who is a member of senior management and has knowledge of your firm's business operations.
9. Under FINRA Rule 4370, how do I register the names of my firm's two emergency contact persons?
This is done electronically through the FINRA Contact System (FCS).
10. What kind of information should be disclosed to customers, as required by Rule 4370?
FINRA Rule 4370(e) does not require firms to disclose their entire BCPs to their customers. Under this rule, members are required only to summarize the manner in which their BCPs address the possibility of significant business disruptions. Firms are not required to disclose the specific location of any back-up facilities, any proprietary information contained in the BCP, or the parties with whom the firm has back-up arrangements. Instead, the disclosure should address how the firm would react to events of varying scope. For example, the disclosure should provide:
- A statement as to whether the firm intends to stay in business and, if so, based on the BCP, estimates of how long the firm expects it will take to recover from business disruptions of varying intensities (such as a disruption to the building, the business district, the city, or the whole region) and resume business. Firms should include a summary statement of the operating areas covered in its BCP and the firm's plans for business operation recovery. The firm should disclose the existence of back-up facilities and arrangements, if any, but it is not required to disclose specific back-up locations to its customers.
- Alternative telephone number(s), Web site information, and clearing firm information, if applicable.
- Information regarding the firm's clearing firm, if applicable, and the services the clearing firm may provide to customers in the event of a significant business disruption.
11. Our firm is a member of the Securities Investor Protection Corporation (SIPC). Won't SIPC take care of my customers, with respect to access to their funds and securities, in the event of a significant business disruption?
FINRA's BCP requirements do not conflict with SIPC rules or with a firm's obligation under such rules. FINRA Rule 4370(c)(10) requires firms' BCPs to state how the firm will assure customers prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business. If you believe that SIPC rules might affect your response to this requirement, you should address it in your BCP. You cannot, however, rely on SIPC membership, by itself, to satisfy your obligations under FINRA Rule 4370(c)(10).
12. Should disclosure statements be updated? If so, should updated disclosure statements be communicated to the firm's customers?
NASD Notice to Members 04-37 states in the Disclosure Requirements section that "Members may use cautionary language in their business continuity plans indicating that such plans are subject to modification, that updated plans will be promptly posted on the member's Web site, and that customers may alternatively obtain updated plans by requesting a written copy of the plan by mail." This section is referring to disclosure statements, not BCPs. Disclosure statements should only be updated and communicated to customers when changes to a firm's BCP materially change the firm's response to a significant business disruption.
13. How often should our firm update our emergency contact information under FINRA Rule 4370?
FINRA Rule 4370(f) requires each firm to promptly update its emergency contact information in the event of a material change. In addition, firms must review and, if necessary, update their emergency contact information. This update must include any change to the designation of the two emergency contact persons.
Each firm must review and, if necessary, update its emergency contact information in the manner prescribed by NASD Rule 1160. NASD Rule 1160 requires firms, via the FINRA Contact System (FCS), to update designated contact information promptly upon any material change (but no later than 30 days following the change) and verify such information within 17 business days after the end of each calendar year.
14. Does FINRA Rule 4370 require firms to disclose their BCPs to their customers?
No. Disclosure statements and BCPs are separate documents. Firms are required to prepare and give their customers a disclosure statement that describes how the firm intends to respond to a significant business disruption, but firms are not required to disclose their BCPs to their customers.
15. Would my firm be required to stay in business in the event of a significant business disruption?
No. However, under FINRA Rule 4370(c)(10), your BCP must address how you will assure customers' prompt access to their funds and securities in the event that you determine that your firm is unable to continue its business.
16. My business is not located in an earthquake or hurricane zone. I do not believe we are at risk for a flood. What other types of disruptions should we consider for our BCP?
As the question notes, firms have varying and often unique types and levels of exposure to potential business disruptions. Some potential disruptions, like hurricanes, only occur in certain geographic areas while others, like a pandemic, could impact all firms. Each firm needs to conduct its own risk analysis to determine where critical impact points and exposures exist within the firm and with its counterparties and suppliers. The extent to which any member needs to prepare for various types of disruptions depends on, among other things, the size of the firm, its office locations, its counterparty and service provider relationships, and the nature of its business. Firms should also look beyond potential disruptions relating only to meteorological or geological events. Firms should consider their susceptibility to evolving risks and disruptions. Such potential disruptions may result from an infectious pandemic, as noted above, or from a technology-related disruption such as technology viruses, large-scale or targeted brokerage account intrusions, denial of service attacks, or other cyber attacks.
17. My firm is a sole proprietorship with no other personnel. I will register myself as the first emergency contact person, but who should be the second emergency contact person under FINRA Rule 4370?
The second emergency contact person should be an individual, either registered with another firm or nonregistered, who has knowledge of the member's business operations (e.g., the member's attorney, accountant, or clearing firm contact).
18. Is my firm required to test its BCP?
The required annual review may include testing of specific functions or functionality. For example, a firm may test the functionality of back-up technology or of a designated "emergency personnel team" in a simulated business disruption. Testing in such a manner would help a firm better determine whether it has met the "reasonably designed" threshold of FINRA Rule 4370(a). See Notice to Members 06-74 regarding the importance of effective and appropriate BCP testing as it related to Hurricanes Katrina and Rita in 2005. Additionally, the importance of testing was also highlighted in Regulatory Notice 09-59 which addresses pandemic preparedness. Assuming no changes in operations, structure, business or location, a firm may decide to rely on initial or prior due diligence work or testing performed by internal personnel or a vendor when conducting its annual BCP review. For example, one year a firm tests a back-up server that is part of its BCP. The following year during the firm's annual BCP review, the firm may determine not to conduct a new server test but rather to rely on the previous year's test, since there were no material changes in conditions.
If a firm relies on initial or prior due diligence or testing for its annual BCP review, it should consider whether changes in the firm's operations, structure, business or location make such information out-dated or unreliable.
How Testing Your Business Continuity Plan Identifies Gaps
Testing your business continuity plan allows you and your workforce to exercise how to approach an incident and find gaps in the plan to address where it needs improvement. Even though a developed business continuity plan provides your organization with the tools to predict, prevent, and respond to risk, drafting a plan is only half the battle.
Businesses face myriad threats, from a rodent infestation to a planned renovation. A developed business continuity plan provides your organization with the tools to predict, prevent, and respond to risk efficiently. The strategy ensures that the organization and its clients will remain operational with minimal to no downtime or threat to operations.
However, drafting a plan is half the battle. What’s most important is ensuring your business continuity strategy is sound, useful, and practical. This is where testing your plan comes into play. Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement.
Types of Business Continuity Tests
A plan review is much like an audit of the BCP. The BCP team and the C-level management or department heads get together to review the plan and decide if any components are missing or need revision. This type of test is beneficial for training new members of the BCP team or in regular onboarding. Among other aspects reviewed during a meeting are contact information, the validity of recovery contracts, and coverage of applicable business continuity and disaster recovery scenarios. A plan review may also include training new managers on plan details so they can pass that knowledge down to their teams.
A tabletop test is a more involved way of reviewing and testing a BCP. Employees participate in an actual exercise during a tabletop (a scenario-based, role-playing exercise). Everyone involved practices their roles and responsibilities during an emergency, such as an earthquake, hurricane, or active shooter.
A BCP simulation test is a more hands-on type of tabletop exercise. While a tabletop test, as the name suggests, typically consists of discussing plan details around a table, a simulation test combines that discussion with real recovery actions. It can involve data loss and restoring backups, live testing of redundant systems, network outage, physical recovery, emergency notification, and other relevant processes. In addition to critical personnel, all employees would be involved in this BCP event testing process.
Frequency of Business Continuity Plan Testing
The frequency of testing your BCP depends on your company.
We recommend evaluating each of your emergency preparedness plans, such as business continuity, disaster recovery, incident response, and other plans, during a year. Testing would typically include an annual tabletop exercise or a walk-through test of all individual EPP plans, including testing various scenarios for threats that are a high risk to your organization. Make sure to continually test those scenarios of higher priority to your organization.
Many factors can help you determine how often your organization needs to test its EPP plans.
- Employee count changes
- Changes in clients/vendors or their contact information
- Department changes
- Employee job function updates
- Structural changes to the building
The size, location, and how often your company goes through changes are typically the most significant factors in determining how often you should test your BCP. Enterprise companies and employees who experience regular turnover should be updating and testing their BCPs twice a year. For small to mid-sized organizations, it is recommended to do a run-through test once a year to make sure that the plan is still effective and all staff is refreshed on what to do in the event of an emergency.
Involving Vendors in Your BC Testing
In the course of your testing process, whether you’re doing a plan review, tabletop test, or simulation test, you need to make sure your critical vendor partners are included in your testing. Verifying that your vendors are prepared for the unexpected and have a contingency plan is essential, as it allows for greater accuracy and usability of your strategy. It also allows your vendors to provide feedback that may be valuable to your plans or testing process.
Document the Testing Process
Finally, it’s necessary to document the results of any testing conducted, along with any actionable findings from those tests. Doing so will help your workforce learn what can and should be improved and visualize progress that's been made. Following up on these items and consolidating recommendations from tests is the most crucial process in the BCP testing lifecycle. Testing, registering your testing results, and executing methods to improve your BCP is the most reliable way to strengthen your organization’s response processes.
When Should a Business Continuity Plan be Reviewed?
A business continuity plan is essential to any organization’s risk management strategy. But how often should a business continuity plan be reviewed?
The answer depends on a few factors, including the size and complexity of your organization, the nature of your business, and the level of risk you’re comfortable with. However, there are a few best practices that all organizations should follow when reviewing their business continuity plans.
In this blog post, we’ll explore when you should review your business continuity plan and what factors you should consider in making that determination. We’ll also provide some tips for conducting an effective review process.
The Importance of Reviewing Business Continuity Plans
IT Consultancy services understand the importance of regularly reviewing business continuity plans to ensure successful implementation during unexpected disruptions.
In addition, reviewing business continuity plans identifies potential risks and areas for improvement, allowing IT teams to plan appropriately and create comprehensive strategies for dealing with IT-related issues.
IT consultants can work with you to carefully refine your existing plans or create new ones if necessary. In addition, having reliable IT-related policies and procedures can protect businesses and allow their IT infrastructure to function in unpredictable circumstances.
Reviewing business continuity plans is essential, and IT consultancy should be engaged early in the process.
Why You Should Review Your Business Continuity Plan Regularly
Keeping your business continuity plan up-to-date and reviewed regularly is essential for ensuring the longevity of your company. While it may be easy to overlook examining your plan, the consequences can be far-reaching, from financial losses due to downtime to damaged reputation from unpaid orders or poor customer service.
Regular reviews of your business continuity plan will help you identify changes within the business structure that need to be addressed and potential risks associated with a new product rollout or an expansion in another location.
Such careful inspection should also include feedback from relevant stakeholders and evaluating external threats to ensure the most appropriate mitigation strategies are employed. Reviewing your current business continuity procedure can positively impact efficiency in responding to unexpected events and ultimately provide your business with greater protection and a stronger bottom line.
How Often should you Review your Business Continuity Plan?
It is essential for business owners to make reviewing their business continuity plan a priority. Information that could impact an organization may change quickly, and organizations must stay aware of these changes to maintain an adapted plan.
Reviewing your business continuity plan every six months, or even sooner if pressing events or drastic shifts occur in business operations, is essential.
An up-to-date program not only helps you anticipate potential disruptions but also gives a clear direction on how to prepare and respond to the various types of disasters that may happen. Taking the time now could save your business countless resources in the future.
What to do When you Review your Business Continuity Plan
Reviewing your business continuity plan can be a daunting task. An IT consultant is important to help you through the process and ensure you are following best practices. The IT consultant can review the document, evaluate it against industry standards, and recommend plan changes.
It’s also good practice to conduct a walkthrough of each step, so everyone involved understands what needs to happen during an emergency.
Lastly, make sure to test the plan periodically to ensure it will work when it needs to. A little bit of preparation goes a long way in helping you weather any storms that may come your way.
Why it’s Important to Have a Business Continuity Plan in the First Place
When running a business, it is essential to be prepared for unexpected disruptions. A business continuity plan provides a roadmap of what to do when the unexpected occurs.
The plan includes detailed instructions for restoring operations and minimizing loss following an emergency. It also involves planning for resources and personnel needed during the recovery period.
A continuous process can be implemented quickly in an emergency, ensuring smooth operations and retention of customers even during difficult times. Therefore, an effective business continuity plan is a major asset, saving time, money and effort while keeping your business moving forward.
If you wish to learn more on the importance of a business continuity plan, read more below:
The Importance of a Business Continuity Plan
Although we may not be able to predict when something unexpected will happen, it is important to ensure that you have an effective business continuity plan.
Firstly, assess your current plan and review it regularly to ensure you are constantly preparing for potential disruptions.
You should also update contacts, procedures and protocols as needed. Finally, it’s essential to understand the importance of having a good business continuity plan in the first place – to guarantee minimal impact on your business when something goes wrong.
At Texaport, we understand the importance of these advancements, and we work with our clients to put a reliable system in place to improve their business efficiency. Our team has a wide range of IT knowledge and remains acquainted with the movements in the IT industry. Find out more here.
Establish a Schedule to Test Different Parts of the Business Continuity Plan · Checklist Test—Twice a Year · Emergency Drill—Once a Year · Tabletop Review—Every
Comprehensive review: Every other year ... This stage should include a close look at the organization's risk assessments, business impact analysis, and recovery
However you test your plan, it should be rigorous - CIO suggests that 'you try to break it' to ensure that it's fit for purpose. And whatever
The process of developing, finalizing, and communicating your initial business continuity plan (BCP) is no small feat.
Maintaining your business continuity plan (BCP) can be challenging and each business continuity plan is different (because all organisations are different).
If you set aside time once or twice a year to review your plans, you can identify new risks and monitor the effectiveness of your current risk
You should plan to review along with their strategic and financial plans on a yearly basis. If they have been written efficiently, you probably will only need