BCM Readiness Checklist

In today’s environment, it is imperative to have a business continuity management program that is up-to-date, reflective of the current business operating environment, and available during adverse events.

Use this Business Continuity Readiness Checklist to assist you in evaluating whether your organization’s business continuity program demonstrates the ability to meet your business continuity objectives, including the ability to recover, resume, and maintain operations after disruptions, ranging from minor outages to full-scale disasters or pandemics.

☐ Designate key personnel to act during a crisis or emergency situation.

☐ Identify and inventory all business functions. 

☐ Identify and inventory all critical assets and infrastructure which the business functions depend on, including single points of failure. Critical assets and infrastructure include, but are not limited to:

• • People
  • Hardware
  • Software
  • Cash reserves
  • Supporting activities (e.g., technology support, payroll)
  • Supporting software (e.g., email, office productivity suites)
  • Network connectivity
  • Communications lines
  • Facilities
  • Utilities
  • Infrastructure and services provided by third-party service providers

☐ Conduct interdependency analysis and prioritize business functions based on operational and financial impacts of a disruption.

☐ Estimate recovery point objective (RPO), recovery time objective (RTO), and maximum tolerable downtime (MTD).

☐ Identify all reasonably foreseeable vulnerabilities and threats to the continuity and resilience of your organization, including cybersecurity and information security risks. E.g., natural disasters, technological or operational disasters, and malicious or human-caused disasters.

☐ Identify interconnectivity points between your organization and third-party service providers (i.e., supply chain).

☐ Determine the impact and likelihood of potential disruptive events, including worst-case scenarios.

☐ Identify and analyze gaps between risk exposure and the risk appetite, and document any controls implemented to mitigate the residual risk.

☐ Evaluate strategies and resource needs to achieve resilience. 

☐ Implement data and cyber resilience measures to maintain the confidentiality, integrity, and availability of customer data and backup, replication, and production environments.

☐ Implement resilience measures for personnel, third-party service providers, telecommunications, and power.

☐ Plan for and prepare multiple mechanisms to communicate with personnel, customers, and other stakeholders while maintaining appropriate controls to safeguard customer information.

☐ Establish a business continuity plan that:

• • Outlines roles and responsibilities for personnel and third-party providers.
  • Defines the types of foreseeable disruptions, including those from cyber threats.
  • Defines threshold escalation triggers.
  • Outlines immediate steps to protect personnel and customers and minimize damage.
  • Establishes prioritization and protocols for operation continuity and system recovery.
  • Outlines critical information protection, including procedures to address fraud and other suspicious activities.
  • Provides a comprehensive framework of facilities, systems, or procedures that allow for the continuation of critical operations in the event that large numbers of personnel are unavailable for prolonged periods.
  • Identifies alternatives for core operations, facilities, infrastructure systems, suppliers, utilities, interdependent business partners, and key personnel.
  • Addresses potential cash and liquidity needs.
  • Incorporates a documented strategy for scaling pandemic efforts consistent with the effects of the phases of a pandemic outbreak.

☐ Implement a training program consistent that aligns with your business continuity strategy and is updated as significant changes occur.

☐ Implement an exercise and testing program to confirm the effectiveness of your business continuity program.

☐ Participate in critical third-party service providers’ exercise and test program(s).

☐ Review and update the business continuity program to reflect the current environment.

☐ Document, analyze, and review lessons learned from adverse events.