The other day my friend’s basement flooded.
It was a rainy night, the kind where television programs are interrupted by an emergency alert warning of a flash flood, but he wasn’t worried. He was in for the night. His roof was solid. His gutters were clean. He’d lived in his house over a decade and had never had a problem, so why would things be any different this time?
Well, things change. In this case, the drain at the bottom of the stairwell leading to his basement had had its fill. While my friend was always careful to make sure leaves and debris never covered the drain, he hadn’t thought much about erosion and the gunk that flowed through the drain over the years until the slots the water was supposed to travel through were totally clogged. With water unable to enter the drain, it had nowhere to go but the basement.
He was in for a soggy surprise the next morning.
My friend’s story made me think about how often we ignore potential threats because of a false sense of security. We have plans and protections in place, but those can become outdated in time. New threats can emerge. Old defenses can fall apart.
Business continuity plans face the same problem. The plan you have in place today may have been absolutely perfect in 2015, but now it may have flaws that leave your institution vulnerable. That’s why it’s important to do these three things.
- Test your business continuity plan. Don’t wait for a disaster to find out if there are weaknesses in your plan. You don’t have to go full Leslie Knope, but simulated tests, including those with critical vendors, can show you where your plan shines and where it falls short. Training is also essential so employees know what to do.
- Regularly review and update your business continuity plan. Pay particular attention to changes to the institution’s risk assessment, the products, programs, vendors, and systems used, and regulatory expectations.
- Treat vendor business continuity plans as though they were your own. That’s because they are. If your vendor’s system goes down, so does yours. Make sure contracts with critical vendors include provisions requiring those vendors to share their business continuity plans and test results so you can be confident that your vendor is prepared and that you are meeting regulatory expectations (see Appendix J).
Don’t get complacent. We can never coast when it comes to disasters and business continuity planning.