Updating Business Continuity Plan and Test Program
After the test results are executed, evaluated by management, independently assessed, and reported to the board, it may be necessary to update the BCP and test program. As part of this process, the BCP and test program should be reviewed by senior management, the planning team or coordinator, team members, and the board at least annually. The team or coordinator should contact business unit managers throughout the financial institution at regular intervals to assess the nature and scope of any changes to the institution's business, structure, systems, software, hardware, personnel, or facilities. If significant changes have occurred in the business environment, or if audit findings warrant changes to the BCP or test program, the business continuity policy guidelines and program requirements should be updated accordingly. In addition, an independent assessment of the revised BCP and test program should be performed by an auditor to ensure that both are comprehensive and updated based on the institution's risk profile and test results.
The process of updating the BCP and the test program requires management to document, track, and ultimately resolve any necessary changes by revising the BCP, the test program, or conducting additional tests, if deemed necessary.
Issue Tracking, Resolution and Continuity Update
Test owners, typically business line or support management, should assign responsibility for resolution of material business continuity problems identified during testing and should track issues to ensure that they are effectively addressed in a timely manner. Issues requiring resolution may stem from a number of factors, including changes in internal or external dependencies involving staff, technology, facilities, and third parties. Test results and issues should be periodically analyzed to determine whether problems encountered during testing could be traced to a common source, such as inadequate change control procedures. Software applications are commercially available to assist the BCP coordinator in identifying and tracking changes so that the BCP can be appropriately updated. Once the BCP is updated, the financial institution should ensure that the revised BCP is distributed throughout the organization.
Updating Test Program and Re-Testing
Once tests have been completed, documented, and assessed, the test program should be updated to address any gaps identified during the tests. Suggestions for improving test scenarios, plans, or scripts provided by test participants should be incorporated into the testing cycle. In the event that tests do not succeed in meeting their required objectives, management should determine whether it is necessary to re-test prior to the next scheduled test. Failure to meet significant test objectives for critical business functions requires management to address re-testing based on the risk to the institution.
Execution, Evaluation, Independent Assessment, and Reporting of Test Results
Other Policies, Standards and Processes