Business continuity plans (BCP) and disaster recovery (DR) are typically designed and performed on critical functions and systems within each organizational silo, whereas operational resilience is focused on the continuity and recovery of critical business processes spanning them all. Therefore, BCP and DR forms a critical part of operational resilience.
During a crisis, an organization must activate their BCP to ensure that critical departments and systems can continue to operate, while concurrently implementing DR plans to restore operations back to a business as usual (BAU) state.
A review of the critical business processes should focus on the actions taken in the aftermath of a crisis and include the following steps:
- Review the BCP plan and compare against the actions undertaken in response to the crisis (i.e. determine which of the response actions were planned and which had to be created “on the fly”). Understand the impact of these decisions on your operating model, risk and control framework, and ongoing business continuity planning.
- For any deviations from the previously prepared BCP, ensure that there is appropriate approved documentation. This documentation should outline the reasons why the BCP differed from the actions taken during the crisis response, such as the type of disruption being unforeseen (e.g., the BCP only dealt with physical disasters and not pandemics).
- Assess if the DR actions taken during the crisis will restore operations back to the original state or if a “new normal” is required. For example, if remote working was successfully applied to all employees, then the DR plan could be altered to allow for less reliance on physical locations, and servers and data centers redeployed to support remote access.
The best laid BCP and DR plans can often go awry, so it is important to not only learn the lessons from the crisis response and how it deviated from the plan, but also use positive outcomes of the actions taken to possibly frame a new BAU state going forward. It is essential to have a robust supporting operational resilience program to provide oversight of the impact and synergies across organizational silos.
Now that your organization has reassessed your BCP and DR function, we will next discuss performing a post-crisis reassessment of the third-party risk management operation.