Do you need to develop document retention schedule or standards and procedures for your Business Continuity Program? If you want to ensure compliance with standards and best practices, yes, you do.
Generally speaking, if there is a standard that requires the creation of a certain type of documentation, there will be some corresponding requirement to retain those records for a period of time, even if that requirement is not expressly stated.
The standards require recordkeeping to provide evidence of the effective operation and implementation of your program, the competency of your personnel, and audit requirements and results.
Documentation should cover these aspects of your program:
- The scope and objectives of the program and procedures
- The BCM policy
- The provision of resources
- The competency of BCM personnel and associated training records
- The business impact analysis
- The risk assessment
- The business continuity strategy
- The incident response structure
- Business continuity plans and incident management plans
- BCM exercising
- The maintenance and review of BCM arrangements
- Internal audit
- Management review of the program
- Preventive and corrective actions
- Continual improvement
So where do you start? First, determine if your organization has a records and information management program and/or a records retention schedule. If so, you must work with your company’s records professional to determine what records you have and how long you should retain those records. It is not unusual to find that a company has little to no reference to business continuity documentation in the schedule. But you can use what the schedule says about other documents (like risk assessments, other company policies/procedures, audit or other assessment reports, etc.) as a guideline to develop retention periods.
Regardless of whether you are working with a records professional, use the list above as a starting point and determine:
- What specific documentation do you keep in each category?
- What does your maintenance schedule say about the documentation? How often do you create/supersede it (quarterly, annually)?
- Is there a legal or compliance based rationale to retain the documentation once it is no longer active or in use (e.g., to prove that training or testing took place and what the results were)?
- Is there a legal or compliance requirement to retain the document for a specified period of time?
- Does lasting value exist in old versions of the document?
Using this information, you might use the following sample guidelines:
- Plans: retain for one year after superseded (replaced).
- Governance related documents (e.g., Policy, Standards, Charter): retain based upon the maintenance schedule.
- If you update Standards annually, keep them on file for one year after you update them.
- Retention schedules should take into consideration what we would consider “exception” documentation – when documents need to be kept for a longer period of time in response to an item from an exercise, the Steering Committee, and/or an Auditor.
- Retention schedules should take into consideration that a legal/litigation hold issued in response to actual or pending litigation may suspend destruction of certain information until that hold is released.
Katherine Jonelis, Consultant, MHA Consulting