The programme should ensure that any changes (internal or external) which impact the organisation are reviewed in relation to BCM. It should also identify any new products and services and their dependent activities which need to be included in the BCM maintenance programme.
If there are any major business changes, a revision of the BIA ought to be undertaken. The other components of the BCM programme may be amended to take account of these changes.
The organisation’s top management should, at intervals that it deems appropriate, review the organisation’s BCM capability to ensure its continuing suitability, adequacy and effectiveness. This review should be documented and should ensure that within the BCM programme:
- All key products and services and their supporting critical activities and resources have been identified and included in the BCM strategy;
- The BCM policy, strategies, framework and plans accurately reflect priorities and requirements;
- The BCM competence and capability are effective and fit for purpose and will allow management command, control and co-ordination of an incident;
- The BCM solutions are effective, fit for purpose and appropriate to the level of risk faced by the organisation;
- BCM strategies and plans incorporate improvements identified during incidents and exercises as well as in the maintenance programme;
- The organisation has an ongoing programme for BCM awareness and training;
- BCM procedures have been effectively communicated to relevant staff, who understand their roles and responsibilities;
- The BCM maintenance and exercising programmes have been effectively implemented;
- Change control processes are in place and operate effectively.
Details of the review periods and frequency of testing and training may be included in a separate Maintenance and Review document. This document specifies how and when the BCP will be reviewed and tested and the process for maintaining the plan. The intervals between tests and reviews will depend on the organisation, its complexity and rate of change. A training schedule may also be included.
The organisation should provide for the independent audit of its BCM competence and capability to identify actual and potential shortcomings. Independent audits can be conducted by competent external or internal persons.
The BCP may contain sensitive information (e.g. executive contact numbers or the location of vital records) which should be appropriately protected. Copies of the BCP should be stored in a remote location, at a sufficient distance to escape any damage from an incident at the main site. Management should ensure that copies of the BCP are up to date and protected with the same level of security as applied at the main site [ISO 27002].
Once BCM has been embedded into the organisation as an ongoing management process, it enters an iterative cycle, being reviewed at regular intervals and updated when necessary.