In today's wireless world, change is rapid and inevitable. Look at your personal life to see how rapidly technology impacts your relationships, home life, recreation and communications. On a business level, the pace of change can be even greater. Organizations shift their business focus, launch (and withdraw) new products, explore new markets and change investment strategies quicker than you or I change mobile devices.
Yet many organizations mandate that Business Continuity Plans and IT Disaster Recovery Plans get updated 'at least annually'. Is that frequent enough?
Think of the typical Business Continuity process (after all, BCM is a process, not a project):
That's a 7-12 month period from the collection of BIA data to the final update. Those original BIA results are already old; in today's fast-changing world, so old that they may be useless. Yet we based our Plan updates on them. If that information is no longer valid - neither is the Plan.
Sound extreme? In the case of IT Disaster Recovery Plans, the contents of the Plan are almost always outdated before they are completed. That's the reason so many DR Plans lack detail - and simply list links to online reference documents. In today's wireless world, it can be difficult keeping a Contact List up-to-date. Tracking and strategizing for changes to business operations can be a much bigger task.
From this we could infer that assuring a Plan is up-to-date is fruitless. Maybe perfection is - but that's no excuse for relying on a Business Continuity Plan that is two or three years old! Even a Plan that gets updated at least once a year is better than one that just sits on a shelf collecting dust. Witness the major oil companies. When called before the US Congress (after the Deepwater Horizon incident) their "Plans" were shown to contain references to individuals who hadn't been in their employ for years! Was that neglect or simply a failure to put a process in place to assure those Plans were updated regularly?
Would you want to face the same scrutiny from your Senior Management, or Board of Directors - or the public? If you don't make an effort to keep Business Continuity Plans up-to-date, you must accept the consequences. Recovering yesterday's critical products and services today is a plan for failure.