A business continuity plan is a critical part of your SOC 2 preparation and risk management program. It’s so critical in fact that one of the SOC compliance requirements is to perform a “tabletop exercise” to test, at least annually, your business continuity plan in the event of a crisis.
Certainly not a tabletop exercise, the COVID-19 pandemic does present a real-life opportunity to test your business continuity plan and evaluate its effectiveness, especially with respect to the functioning of mission-critical systems and processes, availability of key personnel, access to physical continuity site location(s) and remote access capabilities to systems. This is a high-impact crisis testing every thread of your organizational resiliency.
If you haven’t already, below are some key areas in which you may experience difficulties during this real-life test of your business continuity plan:
It is too early to perform a full assessment of the impact this pandemic will have and the adjustments needed in your plan; however, it is important for your business continuity coordinator to maintain documentation of the challenges experienced during this crisis.
Good documentation includes details on the problems encountered, actions taken and lessons learned. Capturing this detailed information will not only demonstrate during your next SOC examination that you met the compliance requirement, but it will offer an opportunity to learn about and identify weaknesses in your plan and make important modifications to the plan for the future.
One thing we can learn from the COVID-19 global pandemic is that business continuity planning is not a “set it and forget it” exercise. The plan should be a living and breathing document with procedures that are reasonably designed to enable companies to meet their obligations to customers and counterparties during an emergency or significant business disruption. It should be reviewed and updated regularly for changes to operations, structure, personnel, locations and more.
Contact a member of your service team to discuss this topic further.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.
Receive insights from our specialists in a variety of areas and timely information on upcoming events directly to your inbox as they go live in our online Knowledge Center.