How Often Should a Business Continuity Plan Be Reviewed?

Today’s business landscape is in a constant state of uncertainty. As we navigate the unknowns, it is important to make business continuity planning a priority. 

A comprehensive business continuity plan (BCP) can mean the difference between weathering a disaster gracefully with minimal disruption to business operations and taking a devastating hit to your revenue and reputation. Implementing a BCP is about building resiliency for your business, so it is important to create a BCP that offers both protection and a recovery strategy. 

As with any complex, integrated business initiative, you can’t set-and-forget a BCP if you want it to work when you need it. A high-functioning BCP requires regular maintenance and quality reviews. 

How Often Should You Review the Business Continuity Plan?

Unfortunately, there isn’t a short and sweet answer to how frequently you need to review your BCP. The truth is, it depends.

The more complex the plan, the more care and feeding it requires. For example, a large, multinational corporation will require a far more intensive continuity plan than a two-person startup.

The products and services an organization provides also play a large role in how often the BCP needs to be reviewed and updated. Companies that rely on complex supply chains will need to ensure their BCP addresses dependencies, vulnerabilities, and changes that affect continuity along the chain.

Highly regulated industries such as healthcare and banking need to maintain compliance and regulatory standards, so frequent review of the BCP is necessary to ensure all requirements will be met in the event of an outage or other disruption.

How frequently you need to schedule BCP reviews is also dependent on the type of technology your organization has in place. Some organizations have implemented business continuity tools that provide automated backup, high availability, and email archiving technologies that can be easily tracked through a central management console, minimizing the need for frequent reviews.

Establish a Schedule to Test Different Parts of the Business Continuity Plan

You may have heard the saying, “If you don’t test your business recovery plan, you don’t have a business recovery plan.” Even with robust automated tools in place, you can’t leave business continuity to chance. It is crucial to schedule regular testing to ensure your BCP will work when you need it. 

That’s not to say you need to run a full, end-to-end recovery test each month. Here is a breakdown of the generally accepted BCP test schedule:

Checklist Test—Twice a Year

Two times a year, conduct a high-level check that objectives are still being met by the current BCP. If you find gaps, correct the plan and recirculate to all stakeholders.

Emergency Drill—Once a Year

An annual emergency drill will help ensure everyone knows what to do if there’s a disaster. The leaders conducting the drill should observe the staff’s response. This is especially important with today’s fluctuating employment outlook as new hires may not be aware of BCP protocols.  

Tabletop Review—Every Other Year

This is the time to sit down with all stakeholders, leadership, and the business continuity response team to look for gaps, inconsistencies, and outdated information. This should be a business-driven (not IT-driven) review because business objectives and priorities may have changed.

Comprehensive Review—Every Other Year

A lot can change in a couple of years. This review should include a reassessment of risks, a new impact assessment, and an updated recovery plan.

Recovery Simulation Test—Every 2-3 Years

This is the big one. Simulate a real disaster and walk through your BCP from end to end so you are confident that operations can be quickly restored after a major disruption.

When to Do an Unscheduled Business Continuity Plan Review

Even if you stick to the recommended schedule, there will be events that require an impromptu BCP review. 

For example, a major system outage or security event may expose gaps in continuity coverage that need to be addressed. Also, as mentioned above, we are seeing a large amount of personnel movement, so more frequent reviews may be needed to ensure everyone is on the same page.

If your organization undergoes a major technology change—a new email system, a move from on-premises servers to the cloud, upgraded POS software—a BCP review is crucial to incorporate new hardware, dependencies, business priorities, and so on into the continuity plan. 

Post-Business Continuity Plan Review Activities

After any BCP review, you’ll need to take a few follow-up steps. First, update the BCP with any changes you identified, including new links and passwords, recovery team member changes, and shifts in priorities and business objectives.

Then prepare and present a report to company leadership and stakeholders. Visibility is key to successful recovery after a major disruption, so it is important that everyone is aware of changes and updates to the continuity plan. 

It is difficult to get all the major players in one place at one time, so the end of the annual tabletop review is the perfect opportunity to create the next year’s testing schedule.

Tips to Ensure the Business Continuity Plan Review Is a Success

No one likes to waste time or effort, so here are a few best practices that can help ensure your BCP reviews go smoothly: 

Successful business continuity doesn’t just happen. Implementing a comprehensive BCP and then reviewing and updating the plan regularly is the only way to ensure your business applications are available when your users need them. 


How Often Should a Business Continuity Plan Be Reviewed?


Reviewing and testing the plan are steps you absolutely can’t skip. Business continuity planning must be a process—not a one-time task. Today, many organizations recognize this: A 2015 survey found that 52.5 percent of organizations expected to incorporate small changes to their BC plan that year; nearly 33 percent anticipated significant changes.

With the dynamic nature of BC in mind, how often should your organization review its business continuity plan? The answer depends on several factors:

The size of your organization.

Larger businesses are naturally going to have more complex BC plans because they will involve more employees and facilities, often spread over broader geographic areas. While small and mid-sized organizations can also have complex plans, they typically require less frequent review.

The nature of your business.

Of course, the type of work your organization does will also impact business continuity planning. For example, companies with a complex supply chain or locations in foreign countries will probably require a more frequent and robust management and review process than those without.


The BC systems you have in place.

How your organization administers its BC functions can also impact review frequency. Many newer business continuity innovations, such as a mobile crisis app with actionable and role-based digital playbooks, help streamline and automate certain BC tasks, which ensures that plans stay up to date and relevant over time. With these types of systems in place, the review process can be much easier and faster, reserving resources for other key BC duties.  

A Recommended Schedule

With the above factors in mind, you can begin to develop a schedule for reviewing your BC plan. The review process should be continual, with different aspects appraised using various methods at least a few times a year.

Many organizations strive for a schedule that includes the following:

Checklist review: Twice a year

The BC team conducts a high-level check on each element of the plan, ensuring that all objectives are still being met.

Emergency drills: Once a year

A key part of business continuity is ensuring that all stakeholders know what to do before, during, and after an emergency situation. Hold annual emergency drills to keep their skills sharp and ensure BC plans account for all facets of a potential business-impacting event.

Tabletop review: Every other year

In this type of review, you’ll gather all key stakeholders, including the BC owner and steering committee, to do a verbal walk-through of the plan. This type of review is helpful because it doesn’t require much time or many resources but can often reveal gaps, inconsistencies, or outdated information in the plan.

Comprehensive review: Every other year

This stage should include a close look at the organization’s risk assessments, business impact analysis, and recovery protocol. This is also an opportunity to update the BC plan to reflect any recent changes to the company’s structure, business, operations, or location.

Mock recovery test: Every two or three years

Larger organizations will also benefit from the occasional recovery simulation, in which the BC plan is fully tested. This active review identifies any gaps in your plan and helps employees and other stakeholders feel prepared and comfortable with their roles.

How often does your business review its business continuity plan? Do you feel that this frequency should be increased?


Business Continuity Plan Maintenance: How To Review, Test and Update Your BCP


We've written before about how all organizations need to have a robust business continuity plan. A comprehensive BCP gives your business assurance that it can continue operations, even in the event of an unexpected incident or full-blown crisis.

Putting in place a plan is the first stage in this process, but far from the only one. Business continuity plan maintenance, review and testing form equally vital steps in your business continuity strategy.

Is Business Continuity Plan Maintenance Important?

Questions You Should Ask When Scheduling BCP Reviews and Drills

Business Continuity Plan Testing Considerations and Best Practices

Business Continuity Plan Testing Types

How to Keep Your Business Continuity Plan Current

Maintain Confidence in Your BCP


Kezia Farnham Diligent


How Often Should A BCP [Business Continuity Plan] Be Reviewed? [And When Should It Be Tested?]


The process of developing, finalizing, and communicating your initial business continuity plan (BCP) is no small feat. However, ongoing monitoring and reviewing of your BCP is critical to account for both internal and external changes that may impact your business. So how often should your BCP be reviewed? This blog post will dive into the answer to that question, as well as the results you’ll see from an effective business continuity program, the benefits of conducting business continuity planning, how to improve your organization’s business continuity planning process and more.

How Often Should A BCP Be Reviewed & Tested?

As a best practice, your BCP (business continuity plan) should have a scheduled review annually at a minimum, as well as a business review whenever something in your business changes (e.g. a process, product, service, etc.) or there is an external factor impacting your business (e.g. environmental changes, new regulations, an acquisition, etc.).

What are the results of an effective business continuity program?

Having an effective business continuity plan review process can impact your business in many ways:

Better resource planning

With a complete profile of business unit information mapped out within your business continuity plan, you can identify critical functions and analyze the impact they have on your organization. As a result, you’ll be able to better allocate the necessary resources and ensure that backup strategies are in place to maintain basic operations following a loss or outage.

Added insights

Gain insight into which business units are most critical to business operations, which are prepared for a business continuity event, and which need to be reevaluated. Housing everything in one centralized program allows you to quickly and easily navigate to the right resources amidst an emergency event.

Reduced losses

Having an effective business continuity plan allows you to create various scenarios and recovery strategies for recovering in the case of any losses. This enables you to take a proactive, risk-based approach to your organization’s recovery and get back up and running sooner, reducing losses.


What are the benefits of conducting business continuity planning?

Having a formalized process in place for business continuity planning yields a variety of benefits for your organization. Let’s dive into a few of them:

Overcome challenges more quickly

Relying on reactive efforts following a business continuity event leads to a higher probability of missteps that could only worsen the problem at hand. If you’ve actively invested time and energy into preparing for any potential risk before it manifests, then if and when it does, your BCP will direct you to the necessary resources to return to business as usual. This approach results in less collateral damage and shorter downtime periods.

Identify critical areas of improvement

Building a business continuity plan with an enterprise-wide approach empowers your frontline employees to identify dependencies across your organization. This offers better insight to improve your plans; by looking at common risk factors across all departments, you’ll be better enabled to identify unique risks on a function-by-function basis, see which risks are specific to certain teams and which are prevalent throughout the entire organization.

Increase stakeholder confidence

Investing resources into developing a strong BCP assures vendors, investors, customers, employees, and regulators alike that your organization is being run properly. Mitigating risks before they happen is good governance, and that demonstrates corporate responsibility and fosters a positive corporate culture.


How can I improve my organization’s business continuity planning?

Depending on how mature your business continuity management program currently is, there are several ways to improve. First and foremost, without software streamlining your business continuity planning process, reviewing and optimizing your BCP for success can be extremely difficult.

That’s because your business continuity plan is inherently central to being prepared for potential disruptions and solidifying trust with external parties such as vendors, clients, or potential shareholders.

Your organization has multiple business units, functions, teams, and products to keep track of. Lacking insight into which aspects are critical for internal operations and which provide critical services to your downstream dependencies will hinder you from properly allocating resources and will lengthen delays.

Here’s a step-by-step outline for improving your business continuity planning process using risk-based software:

Conclusion: Why Complete A Business Continuity Plan Review

When calamity strikes, it shouldn’t be a scramble to get your business back up and running.

Ensuring consistent updating of your BCP as well as having reliable disaster recovery plans helps ensure that no matter how much stress your business is put under, you have steps in place that eliminate uncertainty and minimize downtime.

This means including everything in your BCP that you need and knowing which functions of your business are the most critical, which resources employees use to keep crucial processes functioning, and the recovery steps for getting those functions and resources back online should havoc come to visit.

While doing all of this for disaster recovery may deem you a superhero, superheroes are only as good as their sidekicks. Consider LogicManager’s business continuity planning software as your new sidekick:

With your business continuity planning process improved, you can focus on going beyond the call of duty. At its core, our business continuity planning software is designed to help you align strategic goals with operational objectives.

By giving you an enterprise-wide view of your risk and a risk rating at all times, LogicManager’s business continuity management program not only drastically reduces the time and money you spend on business continuity management, but it also helps you prove your invaluable impact on your company’s success with a comprehensive review to reduce internal and external factors threatening your organization.


How often should a business continuity plan be reviewed?


Maintaining your business continuity plan (BCP) can be challenging and each business continuity plan is different (because all organisations are different). Many organisations require a review once a year, others perform a review each time there is a major change within the organisation. Ultimately, an organisation must decide when it is right to review and/or update their BC plan, but how do you determine when it is right to update or review your BC plan? 

The key question to ask here is what do you want from the review? In other words, what should the BCP review achieve? In some instances the need for a business continuity plan review may be obvious; in other situations it may be less so. However, even in the absence of change, a business continuity plan can slowly erode to the extent that it becomes irrelevant.

The more obvious indicators are things such as:

• Changes to the organisation's operating environment

• Corporate actions such as mergers, takeovers etc.

• Organisation changes

• Changes in business recovery needs

• External factors such as regulatory changes and customer requirements

Environmental factors and your disaster recovery plan

Environmental factors relate to changes within the organisation. Some examples of the most common environmental changes are IT infrastructure changes, outdated or replaced applications, staffing changes, restructuring and new facilities and buildings. Any of these changes can mean that roles and responsibilities within the plan must change.

Changes to business recovery needs

If factors regarding your recovery time objective change, so should your BC plan. Several different things can cause these changes. For example, business recovery requirements for functions and processes may become more or less urgent. Any or all of these changes should prompt your organisation to take a second look at your DR plan and make any necessary revisions.

External factors and your disaster recovery plan

External factors can also lead to changes in your BC plan. They relate to entities outside your organisation and include both mandatory and optional aspects. The mandatory requirements may emanate from regulatory and other legal or regional requirements. Other initiatives such as outsourcing create challenges from two perspectives: it may decrease awareness levels between the parent organisation and the outsourced function; it also may increase recovery requirements on the parent organisation. Also, external technological innovation may introduce new risks to disaster recovery, as well as new solutions. It is important to be aware of any external changes to your IT organisation. Changes in your use of outsourced services, legal requirements or new technologies can significantly affect your original business continuity plan.

Avoiding slow erosion

Slow erosion is the process by which a business continuity plan becomes increasingly irrelevant to the organisation. The root cause of slow erosion is many small changes that occur over time. Individually each change is trivial, but their combined effect compromises the plan until it becomes completely ineffective. Some of the key causes of slow erosion within business continuity plans are:

• Adds, moves and changes within the organisation's technology infrastructure. Even without major new systems, tweaks, upgrades and enhancements can compromise back-up regimes and processes.

• Physical workplace changes. Office moves can compromise workplace recovery strategies.

• Joiners, leavers and movers can undermine your original business continuity organisation and leave gaps in roles and responsibilities within incident management and business recovery action plans.

A BCP review designed to prevent slow erosion within the business continuity plan should cover:

• Are all contact details for staff, customers and suppliers correct?

• Are the roles defined in the plan still relevant to our incident management and recovery requirements?

• Is the contact plan still relevant?

• Are the correct people included in the contact plan?

• Are roles and responsibilities still relevant?

• Are all individuals assigned roles in the plan the correct person for the role?

• Have all role holders been trained in their role?

• Have all role holders participated in a wider simulation test within the last 12 months?

• Are alternative workplace arrangements still relevant?

• Are IT systems recovery requirements still relevant?

So how often should you update your BC plan? The answer is “it depends”. Many companies opt for an annual review frequency to avoid slow erosion. Some may not ever consider more frequent alternatives to that review schedule. Others adopt a semi-annual or quarterly update for selected plans, based on attributes such as risk rating or criticality.

But ultimately, you should update your business continuity plan whenever an important factor in your organization changes, whether that variable is internal or external. And the time frame on those changes is unpredictable. Frequent updates lead to more complete and reliable disaster recovery plans, which therefore lead to a work environment safe from disasters.

Develop a review schedule

Generally speaking, an organisation should adopt an approach of regular, scheduled review and update, complemented by the same types of review performed when significant change has occurred. For instance:

• All critical functions should review and update their plans, if necessary, every six months

• All other functions should perform an annual review and update of their plans every 12 months

• All functions should review and/or test their plans when significant organisational change occurs or when there has been a major change to the organisation’s IT infrastructure or operating model.


Why You Need to Review, Update Your Business Continuity Plans


We often urge you to have a risk management plan in place so that you are prepared for the many eventualities that can affect your business. Your risk management plan should be part of a larger business continuity plan for keeping your organization going during periods of disruptions that are both large and small. The plan should be broad to cover prevention and response, and that can only be done with input from representatives of all your firm’s divisions.

Companies can spend considerable time putting together a risk management plan that is unique to their workplace and operations. But, after they have created and implemented their plan, many businesses fail to evaluate and update it on a regular basis. You will need to test, evaluate and update your risk management and business continuity plans regularly because risks can change as your business, your industry and the environment you operate in also change.

A prime example of a new risk is the cyber threat that continues to grow in significance, having cost many businesses millions of dollars in response, remediation and notification costs. If you have not included this eventuality in your business continuity plans, you should do so.

If you set aside time once or twice a year to review your plans, you can identify new risks and monitor the effectiveness of your current risk management strategies. This gives you an opportunity to modify or enhance your plan in response to those emerging or newly identified threats. As you did when you created your original plans, you should involve personnel from your various departments and also consider inviting key vendors or customers to the planning sessions. This will help bring different perspectives to the table, resulting in a more comprehensive overall plan.

The business continuity plan

Besides identifying and trying to mitigate risks, your risk management plan should be part of a broader business continuity plan that includes strategies for responding to and recovering from incidents if they do happen. Business continuity planning has four steps:

• Prevention – This is essentially the risk management part of the plan, which is to prevent problems from occurring in the first place.

• Preparedness – This should be the fruits of your risk management plan, requiring you to have plans and resources in place to respond to and recover from an incident. You should conduct a business impact analysis that identifies all of the resources, personnel and equipment critical to keeping your business running. Your plan should identify external stakeholders, the skills and knowledge necessary to run your business and how long your business can survive without performing these tasks.

• Response – This part of the plan should cover what you do following an incident, such as containing, controlling and minimizing the effects. This should include details on when the plan would be activated, assembling an emergency kit, having evacuation procedures in place and a communication plan to implement during an event.

• Recovery – After the initial response to an incident you will want to ramp up to full operations again as quickly as possible. You need to map out strategies to recover your business activities in the quickest possible time. That entails a description of key resources, equipment and staff required to recover your operations – and a time objective.

Making sure your business continuity plan is reliable and up to date will help you resume operations quickly after an incident and reduce the effects on your business. While you may be able to predict and deal with a number of potential risks, there will be some that are unexpected or impossible to plan for. That’s why the last two parts of your business continuity plan – incident response and recovery – are important, as they can be used after both foreseeable and unforeseeable events. Also, depending on the size of your business, you may choose to have separate risk management, impact analysis, incident response and recovery plans, or a single plan incorporating all of the above elements – known as a business continuity plan. A business continuity plan is a practical blueprint for how your organization will recover or partially restore critical business activities after a change or interruption.


Business Continuity Planning FAQ

1. What is the purpose of the disclosure requirement in FINRA Rule 4370(e)?

The purpose of the disclosure requirement in FINRA Rule 4370(e) is to assist customers in making educated decisions about whether to place their funds and securities at a specific firm. The disclosure may state that the firm's BCP is subject to modification. Each firm is required to disclose to its customers how its BCP addresses the possibility of a future significant business disruption and how the firm plans to respond to events of varying scope. However, firms are not required to disclose their actual BCP, including any proprietary information, but rather can provide appropriate levels of summary information.

2. Our firm's business consists primarily of selling variable insurance products. Although we sell the product, the customer needs to deal with the insurance company in question if there is a problem. How do we treat this situation in our BCP under FINRA Rule 4370?

A firm that sells variable insurance products cannot defer its regulatory and customer protection responsibilities to a third party. A firm may, however, tailor its BCP to the needs and business of the firm. In tailoring the plan, the firm must consider its customers' needs in the event of a significant business disruption, and plan accordingly. In the situation presented, the plan should, for instance, consider what the firm's primary responsibilities are, but also include information on the entities that customers would need to contact to access their assets and funds. The firm should also provide customers with any needed information regarding assets held away from the firm.

3. Our firm is a market maker that deals solely with other firms, so we have no retail "customers." To whom, if anyone, should we disclose how our BCP addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?

As we have stated, each firm's BCP must be tailored to meet its specific needs. This underlying principle also applies to disclosure of how a firm plans to address a significant business disruption. Therefore, although there is no obligation to disclose how your BCP addresses the possibility of a future significant business disruption to non-customers, a copy of the disclosure should be made available to any non-customer with which you do business so that these individuals and firms can determine for themselves the efficacy of the firm's BCP.

4. In what manner should our firm disclose to our customers a summary of how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond under FINRA Rule 4370?

At a minimum, this disclosure must be made in writing to customers at account opening, posted on your website (if you have one), and mailed to customers upon request.

5. How often should our firm review its Business Continuity Plan (BCP) under FINRA Rule 4370?

FINRA Rule 4370 requires each firm to conduct an annual review of its BCP. In addition to an annual review, your firm must update its BCP in the event of any material change to your firm's operations, structure, business, or location.

6. What does FINRA Rule 4370(e) require?

FINRA Rule 4370(e) states:

Each member must disclose to its customers how its business continuity plan addresses the possibility of a future significant business disruption and how the member plans to respond to events of varying scope. At a minimum, such disclosure must be made in writing to customers at account opening, posted on the member's Internet Web site (if the member maintains a Web site), and mailed to customers upon request.

The intent behind this part of the rule is to provide customers and counterparts with appropriate levels of information so that they may make an informed decision about doing business with your firm.

7. Our firm's business is done solely on an RVP/DVP basis. To whom should we disclose how our Business Continuity Plan (BCP) addresses the possibility of a future significant business disruption and how we plan to respond to events of varying scope under FINRA Rule 4370?

BCPs should be reasonably designed to enable a firm to meet its existing obligations to customers and address existing relationships with other broker/dealers and counterparties. To the extent a firm does not have any customers, it should disclose this information to the business constituents or other non-customers that rely on the firm as part of the overall transaction process.

8. My firm is a sole proprietorship. I am the sole registered principal, but I employ two registered representatives. I will register myself as the first emergency contact person, but who should be the second emergency contact person under FINRA Rule 4370?

The second emergency contact person should be one of the registered representatives at your firm who is a member of senior management and has knowledge of your firm's business operations.

9. Under FINRA Rule 4370, how do I register the names of my firm's two emergency contact persons?

This is done electronically through the FINRA Contact System (FCS).

10. What kind of information should be disclosed to customers, as required by Rule 4370?

FINRA Rule 4370(e) does not require firms to disclose their entire BCPs to their customers. Under this rule, members are required only to summarize the manner in which their BCPs address the possibility of significant business disruptions. Firms are not required to disclose the specific location of any back-up facilities, any proprietary information contained in the BCP, or the parties with whom the firm has back-up arrangements. Instead, the disclosure should address how the firm would react to events of varying scope. For example, the disclosure should provide:

11. Our firm is a member of the Securities Investor Protection Corporation (SIPC). Won't SIPC take care of my customers, with respect to access to their funds and securities, in the event of a significant business disruption?

FINRA's BCP requirements do not conflict with SIPC rules or with a firm's obligation under such rules. FINRA Rule 4370(c)(10) requires firms' BCPs to state how the firm will assure customers prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business. If you believe that SIPC rules might affect your response to this requirement, you should address it in your BCP. You cannot, however, rely on SIPC membership, by itself, to satisfy your obligations under FINRA Rule 4370(c)(10).

12. Should disclosure statements be updated? If so, should updated disclosure statements be communicated to the firm's customers?

NASD Notice to Members 04-37 states in the Disclosure Requirements section that "Members may use cautionary language in their business continuity plans indicating that such plans are subject to modification, that updated plans will be promptly posted on the member's Web site, and that customers may alternatively obtain updated plans by requesting a written copy of the plan by mail." This section is referring to disclosure statements, not BCPs. Disclosure statements should only be updated and communicated to customers when changes to a firm's BCP materially change the firm's response to a significant business disruption.

13. How often should our firm update our emergency contact information under FINRA Rule 4370?

FINRA Rule 4370(f) requires each firm to promptly update its emergency contact information in the event of a material change. In addition, firms must review and, if necessary, update their emergency contact information. This update must include any change to the designation of the two emergency contact persons.

Each firm must review and, if necessary, update its emergency contact information in the manner prescribed by NASD Rule 1160. NASD Rule 1160 requires firms, via the FINRA Contact System (FCS), to update designated contact information promptly upon any material change (but no later than 30 days following the change) and verify such information within 17 business days after the end of each calendar year.

14. Does FINRA Rule 4370 require firms to disclose their BCPs to their customers?

No. Disclosure statements and BCPs are separate documents. Firms are required to prepare and give their customers a disclosure statement that describes how the firm intends to respond to a significant business disruption, but firms are not required to disclose their BCPs to their customers.

15. Would my firm be required to stay in business in the event of a significant business disruption?

No. However, under FINRA Rule 4370(c)(10), your BCP must address how you will assure customers' prompt access to their funds and securities in the event that you determine that your firm is unable to continue its business.

16. My business is not located in an earthquake or hurricane zone. I do not believe we are at risk for a flood. What other types of disruptions should we consider for our BCP?

As the question notes, firms have varying and often unique types and levels of exposure to potential business disruptions. Some potential disruptions, like hurricanes, only occur in certain geographic areas while others, like a pandemic, could impact all firms. Each firm needs to conduct its own risk analysis to determine where critical impact points and exposures exist within the firm and with its counterparties and suppliers. The extent to which any member needs to prepare for various types of disruptions depends on, among other things, the size of the firm, its office locations, its counterparty and service provider relationships, and the nature of its business. Firms should also look beyond potential disruptions relating only to meteorological or geological events. Firms should consider their susceptibility to evolving risks and disruptions. Such potential disruptions may result from an infectious pandemic, as noted above, or from a technology-related disruption such as technology viruses, large-scale or targeted brokerage account intrusions, denial of service attacks, or other cyber attacks.

17. My firm is a sole proprietorship with no other personnel. I will register myself as the first emergency contact person, but who should be the second emergency contact person under FINRA Rule 4370?

The second emergency contact person should be an individual, either registered with another firm or nonregistered, who has knowledge of the member's business operations (e.g., the member's attorney, accountant, or clearing firm contact).

18. Is my firm required to test its BCP?

The required annual review may include testing of specific functions or functionality. For example, a firm may test the functionality of back-up technology or of a designated "emergency personnel team" in a simulated business disruption. Testing in such a manner would help a firm better determine whether it has met the "reasonably designed" threshold of FINRA Rule 4370(a). See Notice to Members 06-74 regarding the importance of effective and appropriate BCP testing as it related to Hurricanes Katrina and Rita in 2005. Additionally, the importance of testing was also highlighted in Regulatory Notice 09-59 which addresses pandemic preparedness. Assuming no changes in operations, structure, business or location, a firm may decide to rely on initial or prior due diligence work or testing performed by internal personnel or a vendor when conducting its annual BCP review. For example, one year a firm tests a back-up server that is part of its BCP. The following year during the firm's annual BCP review, the firm may determine not to conduct a new server test but rather to rely on the previous year's test, since there were no material changes in conditions.

If a firm relies on initial or prior due diligence or testing for its annual BCP review, it should consider whether changes in the firm's operations, structure, business or location make such information out-dated or unreliable.


How Testing Your Business Continuity Plan Identifies Gaps


Testing your business continuity plan allows you and your workforce to exercise how to approach an incident and find gaps in the plan to address where it needs improvement. Even though a developed business continuity plan provides your organization with the tools to predict, prevent, and respond to risk, drafting a plan is only half the battle.

Businesses face myriad threats, from a rodent infestation to a planned renovation. A developed business continuity plan provides your organization with the tools to predict, prevent, and respond to risk efficiently. The strategy ensures that the organization and its clients will remain operational with minimal to no downtime or threat to operations.

However, drafting a plan is half the battle. What’s most important is ensuring your business continuity strategy is sound, useful, and practical. This is where testing your plan comes into play. Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement.

Types of Business Continuity Tests

Plan Review

A plan review is much like an audit of the BCP. The BCP team and the C-level management or department heads get together to review the plan and decide if any components are missing or need revision. This type of test is beneficial for training new members of the BCP team or in regular onboarding. Among other aspects reviewed during a meeting are contact information, the validity of recovery contracts, and coverage of applicable business continuity and disaster recovery scenarios. A plan review may also include training new managers on plan details so they can pass that knowledge down to their teams.

Tabletop Test

This is a more involved way of reviewing and testing a BCP. Employees participate in an actual exercise during a tabletop—a scenario-based, role-playing exercise. Everyone involved practices their roles and responsibilities during an emergency, such as an earthquake, hurricane, or active shooter.

Walk-Through/Simulation Test

A BCP simulation test is a more hands-on type of tabletop exercise. While a tabletop test, as the name suggests, typically consists of discussing plan details around a table, a simulation test incorporates real recovery actions. These can include data loss and restoring backups, live testing of redundant systems, network outage, physical recovery, emergency notification, and other relevant processes. In addition to critical personnel, all employees would be involved in this BCP event testing process.

Frequency of Business Continuity Plan Testing

The frequency of testing your BCP depends on your company.

We recommend evaluating each of your emergency preparedness plans, such as business continuity, disaster recovery, incident response, and other plans, during a year. Testing would typically include an annual tabletop exercise or a walk-through test of all individual EPP plans, including testing various scenarios for threats that are a high risk to your organization. Make sure to continually test those scenarios of higher priority to your organization.

Many factors can help you determine how often your organization needs to test its EPP plans.

The size, location, and how often your company goes through changes are typically the most significant factors in determining how often you should test your BCP. Enterprise companies and companies that experience regular employee turnover should be updating and testing their BCPs twice a year. For small to mid-sized organizations, it is recommended to do a run-through test once a year to make sure that the plan is still effective and all staff are refreshed on what to do in the event of an emergency.

Involving Vendors in Your BC Testing

In the course of your testing process, whether you’re doing a plan review, tabletop test, or simulation test, you need to make sure your critical vendor partners are included in your testing. Verifying that your vendors are prepared for the unexpected and have a contingency plan is essential, as it allows for greater accuracy and usability of your strategy. It also allows your vendors to provide feedback that may be valuable to your plans or testing process.

Document the Testing Process

Finally, it’s necessary to document the results of any testing conducted, along with any actionable findings from those tests. Doing so will help your workforce learn what can and should be improved and visualize progress that's been made. Following up on these items and consolidating recommendations from tests is the most crucial process in the BCP testing lifecycle. Testing, registering your testing results, and executing methods to improve your BCP is the most reliable way to strengthen your organization’s response processes.


When Should a Business Continuity Plan be Reviewed?


A business continuity plan is essential to any organization’s risk management strategy. But how often should a business continuity plan be reviewed?

The answer depends on a few factors, including the size and complexity of your organization, the nature of your business, and the level of risk you’re comfortable with. However, there are a few best practices that all organizations should follow when reviewing their business continuity plans.

In this blog post, we’ll explore when you should review your business continuity plan and what factors you should consider in making that determination. We’ll also provide some tips for conducting an effective review process.

The Importance of Reviewing Business Continuity Plans

IT Consultancy services understand the importance of regularly reviewing business continuity plans to ensure successful implementation during unexpected disruptions.

In addition, reviewing business continuity plans identifies potential risks and areas for improvement, allowing IT teams to plan appropriately and create comprehensive strategies for dealing with IT-related issues.

IT consultants can work with you to carefully refine your existing plans or create new ones if necessary. In addition, having reliable IT-related policies and procedures can protect businesses and allow their IT infrastructure to function in unpredictable circumstances.

Reviewing business continuity plans is essential, and IT consultancy should be engaged early in the process.

Why You Should Review Your Business Continuity Plan Regularly

Keeping your business continuity plan up-to-date and reviewed regularly is essential for ensuring the longevity of your company. While it may be easy to overlook examining your plan, the consequences can be far-reaching, from financial losses due to downtime to damaged reputation from unpaid orders or poor customer service.

Regular reviews of your business continuity plan will help you identify changes within the business structure that need to be addressed and potential risks associated with a new product rollout or an expansion in another location.

Such careful inspection should also include feedback from relevant stakeholders and evaluating external threats to ensure the most appropriate mitigation strategies are employed. Reviewing your current business continuity procedure can positively impact efficiency in responding to unexpected events and ultimately provide your business with greater protection and a stronger bottom line.

How Often should you Review your Business Continuity Plan?

It is essential for business owners to make reviewing their business continuity plan a priority. Information that could impact an organization may change quickly, and organizations must stay aware of these changes to maintain an adapted plan.

Reviewing your business continuity plan every six months, or even sooner if pressing events or drastic shifts occur in business operations, is essential.

An up-to-date program not only helps you anticipate potential disruptions but also gives a clear direction on how to prepare and respond to the various types of disasters that may happen. Taking the time now could save your business countless resources in the future.

What to do When you Review your Business Continuity Plan

Reviewing your business continuity plan can be a daunting task. An IT consultant is important to help you through the process and ensure you are following best practices. The IT consultant can review the document, evaluate it against industry standards, and recommend plan changes.

It’s also good practice to conduct a walkthrough of each step, so everyone involved understands what needs to happen during an emergency.

Lastly, make sure to test the plan periodically to ensure it will work when it needs to. A little bit of preparation goes a long way in helping you weather any storms that may come your way.

Why it’s Important to Have a Business Continuity Plan in the First Place

When running a business, it is essential to be prepared for unexpected disruptions. A business continuity plan provides a roadmap of what to do when the unexpected occurs.

The plan includes detailed instructions for restoring operations and minimizing loss following an emergency. It also involves planning for resources and personnel needed during the recovery period.

A continuous process can be implemented quickly in an emergency, ensuring smooth operations and retention of customers even during difficult times. Therefore, an effective business continuity plan is a major asset, saving time, money and effort while keeping your business moving forward.


The Importance of a Business Continuity Plan

Although we may not be able to predict when something unexpected will happen, it is important to ensure that you have an effective business continuity plan.

Firstly, assess your current plan and review it regularly to ensure you are constantly preparing for potential disruptions.

You should also update contacts, procedures and protocols as needed. Finally, it’s essential to understand the importance of having a good business continuity plan in the first place – to guarantee minimal impact on your business when something goes wrong.

At Texaport, we understand the importance of these advancements, and we work with our clients to put a reliable system in place to improve their business efficiency. Our team has a wide range of IT knowledge and remains acquainted with the movements in the IT industry. Find out more here.


Copyright © 2012-2023 Texaport Limited | All Rights Reserved
