Audit Your Own BCP/BRP
The TMC Advisor
The TMC Advisor is a monthly ezine with short IT articles written from a Canadian perspective.
By Guy Robertson
You’ve been working from home for the past 18 months, and a lot has changed – including your office’s risk profile. If you’re like many others, your business resumption plan (BRP or BCP) lives in an “out of sight, out of mind” state, perhaps sitting in binders gathering dust on the shelf or buried in SharePoint or in a corner of a website. It’s time to blow off the dust and audit it. Here’s how to do that yourself.
Planning Materials
Review your disaster planning materials to identify out-of-date, incorrect or incomplete information:
· risk assessments and analyses
· mitigation measures
· personal safety procedures
· data back-up and recovery processes
· security technology (building access, etc.)
· strategic alliances
· orientation and training
· emergency supplies and equipment.
Discuss your current plan with department representatives and request their ideas for updating the plan and adding new material.
Pay particular attention to the ways in which pandemic management and wildfire problems have been addressed. Being in an urban area does not necessarily protect your office from wildfires. They can occur in a tree-lined median or nearby park.
Compliance
Review the list of your office’s compliance requirements. These might include federal, provincial and municipal government legislation, guidelines, and regulations. These regulations will include your regional and local Fire, Building, Safety and Emergency Management Codes, industry-specific regulations, and may include PCI and ISO standards for credit card processing and IT security.
Privacy
Review the list of your office’s privacy requirements. This would include provincial and federal legislation. Consider the implications of insufficient information security and unsuitable storage. Make sure that you have completed privacy impact assessments (PIAs) for your computer applications.
Head Office
· Look for contradictions between your office’s disaster plan and that of your head office; confirm that any discrepancies are warranted.
· Identify opportunities to derive useful information from your head office’s disaster planning materials.
· Identify opportunities to cooperate with head office in the development and delivery of orientation and training programs.
The Final Step
When you have updated your BRP, set a date for testing it with a tabletop exercise. Convene in a meeting room or in your Emergency Operations Centre, with or without a test facilitator. Attendees will open an envelope explaining the disaster, with instructions on how they need to use your BRP to resume operations.
By the end of the exercise they will understand where the BRP failed to help them reach their objectives. Incorporate what they’ve learned into your updated plan. Schedule your next exercise.
If you’d like to comment on this article or explore these ideas further, contact me at [email protected].
This article is reproduced from the August 2021 edition of The TMC Advisor. advdoc.php (tmcconsulting.ca)