242 8.1 How to Maintain the Business Continuity Plan
Attend strategic planning meetings
Coordinate plan maintenance
Assist in establishing audit program for the business continuity plan
A BCP is a “living” document, changing in concert with changes in the
business activities it supports. The plan should be reviewed by senior man-
agement, the planning team or coordinator, team members, internal audit,
and the executive management team at least annually. As part of that review
process, the team, or coordinator should contact business unit managers
throughout the institution at regular intervals to assess the nature and scope
of any changes to the institution’s business, structure, systems, software,
hardware, personnel, or facilities. It is to be expected that some changes will
have occurred since the last plan update. Software applications are commer-
cially available to assist the BCP coordinator in identifying and tracking
these organizational changes so the BCP can be updated.
All such organizational changes should be analyzed to determine how
they may affect the existing continuity plan, and what revisions to the plan
may be necessary to accommodate these changes. The agencies expect that
BCP updates will be documented to show that the plan reflects the institu-
tion as it currently exists. Lastly, the financial institution should ensure the
revised BCP is distributed throughout the organization.
The plan itself is always changing to reflect changing conditions in the
business, the environment, and the community itself. It is necessary for the
BCP updating process to be properly structured and controlled. As a living
document, the organization should implement a change control process for
managing the BCP. Periodic reviews should be conducted and the responsi-
bilities for maintenance of each part of the plan should be clearly delin-
eated. Whenever any change is made to the plan, it is important to test that
change to ensure it adequately satisfies all requirements. Also, when changes
are made, it is important to notify the training group of those changes so
they can be reflected in future training. Whenever changes are made to the
BCP they should be fully tested. This will usually involve the use of formal-
ized change control procedures under the control of the BCP Team Leader.
Four areas need to be addressed in this process:
1. Use change control procedures for updating the plan
2. Assign responsibilities for maintenance of each part of the plan