A business continuity plan is a critical part of your SOC 2 preparation and risk management program. It is so critical, in fact, that the SOC 2 Availability criteria require you to test your business continuity and recovery procedures, and a "tabletop exercise" in which the plan is walked through against a simulated crisis, performed at least annually, is the usual way to satisfy that requirement.
The COVID-19 pandemic is certainly not a tabletop exercise, but it does present a real-life opportunity to test your business continuity plan and evaluate its effectiveness, especially with respect to the functioning of mission-critical systems and processes, the availability of key personnel, access to physical continuity site location(s), and remote access capabilities to systems. This is a high-impact crisis testing every thread of your organizational resiliency.
Key Areas to Evaluate
If you haven’t already, below are some key areas in which you may experience difficulties during this real-life test of your business continuity plan:
- Overreliance on your SaaS and cloud providers. It is common for companies to migrate all or a large portion of their infrastructure and other critical assets to SaaS and cloud services. A provider's SLA does not transfer the responsibility for your own continuity: you are ultimately responsible for creating a failover plan and having a redundant solution in place should a provider experience a failure. Review the availability commitments in your vendor contracts against what actually happened during this crisis, and consider whether those contracts need to be updated if promises of service availability did not hold up.
- Proper identification of critical assets and data. Did you know how large your network and asset footprint really was before this disruption? You should have an inventory of all assets that are critical to operations, including physical devices, software and data, with an owner for each, and you should understand the impact this disruption has had on each of them.
- Understanding your "business as usual" requirements. Your service level agreements may define or imply certain commitments as to the speed and quality of your operations, including recovery time. This pandemic creates a unique environment for evaluating how your actual recovery time and your communication with customers during the disruption can affect your reputation and survival.
- Strict adherence to the original plan. Your plan should be flexible, because the day-to-day information and circumstances surrounding this disruption are extremely fluid. The execution plan set in motion two weeks ago is probably different from what is required today, given the performance of your systems, changes in personnel availability and productivity, and other factors affecting your supply chain, cash flow and so on. Recognizing that this is a fluid disruption requiring near-constant modification, and having a strong communication strategy among your executive team, risk management, HR, IT and key operations personnel, will be a key component in the ongoing success of your business continuity plan.
Document Your Challenges
It is too early to perform a full assessment of the impact this pandemic will have and the adjustments your plan will need; however, it is important for your business continuity coordinator to maintain documentation of the challenges experienced during this crisis as they occur, rather than reconstructing them afterward.
Good documentation includes details on the problems encountered, the actions taken and the lessons learned. Capturing this detailed information will not only demonstrate during your next SOC examination that you met the testing requirement, but will also identify weaknesses in your plan and support the modifications needed for the future.
One thing we can learn from the COVID-19 global pandemic is that business continuity planning is not a “set it and forget it” exercise. The plan should be a living and breathing document with procedures that are reasonably designed to enable companies to meet their obligations to customers and counterparties during an emergency or significant business disruption. It should be reviewed and updated regularly for changes to operations, structure, personnel, locations and more.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.