Eventually, We Have to Go Back – BCP Post-Mortem

We don’t know when, but at some point we will have to put on shoes, get a haircut and return to the office. As compliance professionals, we are trained to look ahead and should be planning our action steps for when we return.

Gather Firm Records and Other Property. You should have a good sense of any records removed from the office, as well as any new records generated by your employees while working remotely. Obviously, this is a bigger challenge if your firm is traditionally paper-intensive. Further, determine if there are any electronic records that have been created and stored on an employee’s personal computer or email account. We suggest a review of your records retention policy to identify required records and their location throughout the cycle.

With respect to other property, such as computers, monitors and other hardware, determine whether such items were inventoried prior to being deployed and ensure that they are checked back in. Consider an attestation for employees to certify that all firm records and property have been returned.

Conduct a Post-Mortem Review of the BCP. Firms of all sizes quickly implemented a work-from-home model with little time to plan. Even if your business continuity plan contemplated a pandemic response, it’s never been deployed like it is now. Gather representation from across the organization and assess what worked, what didn’t and what changes should be made to the BCP. Some things to consider:

From this review, identify and prioritize your action items. Finally, consider engaging a third party to update your BCP or provide an independent post-mortem review.

Review Policies and Procedures. Chances are you bent a policy or modified a procedure or two while the team was working remotely. Review your policies and procedures to identify those exceptions and make sure that they are properly documented, as well as any effort to mitigate the impact of the exception. It’s also likely that you found a better way of doing some things that you may want to keep doing, or that ongoing social distancing requirements will continue to impact your business. To the extent that you modify your policies and procedures going forward, make sure you memorialize those changes and note their effective date.

Let CSS’s team of compliance and regulatory experts assist in developing and updating business continuity and cybersecurity plans. Email us at info@cssregtech.com for an assessment and retrospective on your firm’s current BCP.