Image no found Image no found
Image no found
Image no found

Assessment and evaluation of your business continuity plan during and post COVID 19

06 July 2020 | Girish Krishnamoorthy & Shivani Jariwala

Following on with our first blog about “Crisis Management Essentials for those that do not have a Business Continuity Plan for COVID-19” , we are moving to discuss organisational business continuity planning. More importantly, how organisations verify the plan’s effectiveness as its business model changes during a pandemic or crisis.

As per ISACA’s Covid-19 study ( that was performed in Q1 2020, we can see that:

  • 92% say threat actors will increase cyberattacks on individuals
  • 87% say the rapid shift to work from home increased risk of data privacy and protection issues
  • 58% say threat actors will take advantage of the pandemic to disrupt organizations
  • only 51% ARE HIGHLY CONFIDENT in their security team’s ability to detect and respond to these cyber threats during the pandemic.

Based on the above statistics, before starting to update your existing business continuity plan, there are critical questions that an organization’s leadership team needs to ask themselves:

  • What is the potential impact on the revenue stream?
  • What is the potential impact on the supply chain?
  • What is the potential impact on customers?
  • What is the potential impact on the employees?
  • What are the delegations of authority and leadership contingency plans?

If answers to the above questions need to be identified, then organizations have to assess their existing business continuity plan. Below we have addressed a few key steps that can help an organization to effectively assess, update the plan, and efficiently use it to continue the business during this pandemic situation.

Business Continuity Management – Refresher

Business continuity management (BCM) is a holistic process to ensure uninterrupted availability of all essential business resources required to support critical business activities, whether manual or IT-enabled, in the event of business disruption. Business continuity planning (BCP) involves planning and procedural aspects, encompassing emergency response, crisis communications, business continuity and disaster recovery.

An effective BCM program protects the interests of the organization’s stakeholders and reputation. The main BCM assets are the six organizational resources— people, premises, technology, information, supplies and stakeholders—for which continuity strategies may be required.

As shown in the below diagram, any change to the Business Continuity Plan shall trigger a shift in the Organization design of its strategic plan. Therefore it is essential that an effective assessment of the Business Continuity Plan is conducted. The steps not necessarily begin by directly reviewing the business continuity plan itself ; instead, it starts by understanding and analyzing the business priorities and objectives.

Image Not Found

Assessment and Evaluation of the Business Continuity Plan

Step 1 - Set the context for risk management by proactive risk identification of organisational functions, business units or other organisational elements. Scenario analysis is helpful in this step of the process because it allows transparent brainstorming, discussion and assumptions about risk scenarios. Another useful analysis technique in this phase is the development of organisation-specific impact criteria. Impact criteria should, at a minimum, include financial, productivity, business interruption tolerances, tangible losses, physical security, life, health and safety, fines, and legal penalties.

Step 2 - Identify threats, conditions, and areas of concern or known risk to business or objectives. Often there is not a proactive risk identification process in an organisation, which means there is no way to elevate concerns for organisational decision-making.

Perform an assessment (qualitative/ quantitative) on the threat, condition or concern to decide on a course of action. Threats, conditions or concerns that are assessed or analysed to have a significant impact on the business if realised potentially may also be evaluated for the probability of occurrence.

Analysis in this phase of the process is to identify the maximum foreseeable loss (MFL) or the maximum probable loss (MPL). These methods can help management understand the total financial impact on the enterprise should the risk be realized. MFL and MPL are best coupled with a thorough set of relevant risk scenarios with well-stated assumptions.

Step 3 –Develop and Monitor business continuity risk register based on risk tolerance. If a risk is out of tolerance with the impact criterion (developed previously), the risk is added to the risk register, and a plan of action for a next step or response can be determined. This step in the risk management process often requires further analysis of the risk factors to determine an effective course of action or cost-justification for a plan of remediation. In addition to this, it is also recommended to develop key risk indicators. Risk indicators will act as prediction points for the enterprise to foresee which factors can lead them to a potential business continuity risk.

Step 4- Develop a Business Continuity Maturity Model. BCMM is a tool that is used to measure and evaluate the performance and effectiveness of organizational capabilities based on the business continuity elements. BCMM will evaluate the business continuity of the organization in terms of the conditions, processes or application targets. BCMM can be used in assuring stakeholders and giving confidence to the investor of the organization’s ability to continue operating during and after a disaster. Other than that, Business continuity maturity model can also be used as a benchmark against the performance of other organizations.

Step 5- BCM Self-Assessment. BCM Self-Assessment is a set of questions which is used as a guide to know where the organizations stand in related to BCM. Employees will answer a self-assessment questionnaire and based on the answers given a score will calculated, which will help evaluate the relationship between the organization and its BCM.

Step 6 – Continual improvement. Once the business continuity plan is assessed and risks identified and treated, there needs to be continuous improvement based on the changes to the organization. As previously mentioned, developing key business continuity indicators can enable the organization to identify any changes proactively. During this phase, the employees, support staff, and supplier can be educated about leading practices about business continuity management and steps to be followed during a crisis.


Evaluating a BCP requires a level of subjectivity that cannot be obtained from checklists alone. Like disasters themselves, BCP assessments shall come in all shapes and sizes. Untested BCPs are unreliable and vulnerable, and the same goes for untested individual components of your overall BCP. To effectively validate the BCP, we must assess it against realistic conditions and parameters, truly stressing organizational strategies and plans, and uncovering weaknesses requiring remediation.

At Digital 14, we have Business Continuity experts who can provide broad industrial knowledge. They can assist and support your organization to survive through this, and other crises, ensuring that your prioritized business objectives and financial goals are achieved. We help organizations continuously monitor the performance of their business continuity management system and plan to make sure that any potential deviations can be indicated with right set expertise in a timely manner.

References: (Evaluating your business continuity plan to effectively manage risks) (Evaluation of Business Continuity Plan Maturity Level in Healthcare Organization) (Seven Key Elements of Business Continuity Planning)

We Are Digital14

Connect with us

© Digital14. All rights reserved.