Connect With NXTsoft Virtually As We Share Our Knowledge To Assist Financial Institutions!

NXTsoft's webinar series titled Pausing the Pandemic Panic: Ideas and Solutions for Financial Institutions in these Uncertain Times is designed for bank and credit unions to address topics that are affecting financial institutions in these uncertain times. 

Couldn't Join Us For The Live Webinar Recording? No Problem! Check Out The Webinar Recording & Transcript Below.

'Using The Coronavirus to Test your Disaster Recovery Plan and Business Impact Analysis Plan' with Bart Hall, Chief Assurance Officer at NXTsoft.

HubSpot Video

Welcome to NXTsoft Pausing the Pandemic Panic webinar series. I'm Bart Hall, Chief Assurance Officer. Today we'll be talking about Using The Coronavirus to Test your Disaster Recovery Plan and Business Impact Analysis Plan.

In February, 2015, the FFIEC replaced Business Continuity Planning booklet with the Business Continuity Management booklet. It is one of a series of booklets that comprise the Federal Financial Institutions Examination Council, FFIEC, information technology examination handbook. The change from Business Continuity Planning to Business Continuity Management reflects the changes in customer and industry expectations for the resilience of operations. The book we discuss is BCM governance and its related components, including resilience strategies and plan development, training and awareness, exercises and test, maintenance and improvement, and reporting for all levels of management, including the board of directors. For our presentation today, we'll focus on the exercises and tests components of the booklet.

Business Continuity Management is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services. Disruptions such as cyber events, natural disasters, or manmade events can interrupt an entity's operations, can have a broader impact on the financial sector. Resilience incorporates proactive measures to mitigate disruptive events and evaluate an entity's recovery capabilities. Through the BIA process. Management should evaluate the potential impact of disruptive events including operational, financial, and reputational impacts.

What better way to evaluate the impact of an event than a real live test? We've been given an opportunity with the pandemic to do just that. We will cover the FFIEC's requirements for exercises and tests, so you'll see that with proper documentation, the actions you take will meet the requirements of a BCP test or exercise.

The board and senior management should provide for appropriate exercises and tests to verify that business continuity procedures support business continuity objectives. Exercises and tests should be used to validate one or more aspects of the entity's BCP. Exercises and tests help ensure that business continuity procedures support business continuity objectives.

An exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures. There are many different types of exercises depending on the intended goals and objectives. Exercises may include scenario driven simulations of BCP elements. For example, exercises may include performing duties in a simulated environment, basically a functional test, or be discussion-based. You've heard tabletop. With the pandemic, almost every organization has adopted a work from home program. Boy, that's surely a better exercise than a simulated alternate work environment. We'll get a lot better results this way.

A test is a type of exercise intended to verify the quality, performance, or reliability of a system's resilience in an operational environment. Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment. For example, what happens as a result of removing power from a system or system component? We'll cover metrics a little later in the presentation.Prepared for the new FDIC and OCC Cybersecurity Regulations?Tests may focus on backup and recovery options of systems. The degree of testing can vary from individual system components up to comprehensive test of all system components that support business operations. Effectively, distinction between the two is that exercises address people, processes, and systems, whereas tests address specific aspects of a system.

According to the FFIEC, exercise and testing plans should include: provisions for exercises and tests occurring at appropriate intervals, and when significant changes affect the entity's operating environment. Appropriate intervals, typically annually, qualifies for that. Comprehensive program objectives and plans of exercises and tests to validate the ability to restore critical business functions in a timely manner. You'll have to determine what the timely manner is. An exercise and test process that provides assurance for the continuity and resilience of critical business functions without compromising production environments. Authorities and control over exercises and test. Exercise and test policies, expectations, and strategies that demonstrate the entity's ability to use alternate facilities.

Exercise and test objectives for resilience, system monitoring, and recovery of business processes and critical system components. Exercise and test scenarios, including exercise and test assumptions, objectives, expectations, and assessment metrics. Types of exercises, for example, full-scale, limited-scale, or tabletop. Exercises and tests related to interaction with third parties, industry-wide testing, and core and significant firms. Documentation of issues identified through exercises and tests, and action plans and target dates for resolution. Board expectations for overall business continuity capabilities, including guidelines to achieve defined business continuity objectives.

Now let's talk about the exercise and test program itself, some of the things you should be looking for. Management should develop a comprehensive exercise and testing program, including the objectives and plans to validate the entity's ability to restore critical business functions. The entity risk profile should influence the frequency, objectives, and documentation of the overall exercise schedule. Management should designate personnel with the authority to control the exercise or test and confirm milestones are met. You have to have somebody in charge. Business line management should retain ownership and accountability for testing resilience of business operations, including applications and processes, both internal and external.

While the business line managers should be responsible for testing its specific business processes and related interdependencies, managers should coordinate with personnel involved in the enterprise-wide business continuity process and support areas such as IT and facilities management. Results should be reported to the board and senior management for inclusion in enterprise-wide business continuity process.

Exercises and tests should occur either at appropriate intervals when new risks are identified, or when significant changes affect the entity's operating environment. A key objective for management should be to develop a testing process that validates the effectiveness of the entity's business continuity program and identifies any deficiencies that may exist. Therefore, the exercise and test program should incorporate the following.

A policy that includes strategies and expectations for exercising and test planning. Roles and responsibilities for implementation. Sufficient personnel to perform the exercise or test, provide oversight, and document the results. Precautions to safeguard production data such as performing a backup before performing a test in a test environment, or testing during non-peak hours.

 Download NXTsoft's Pandemic Planning Readiness Self-Assessment ChecklistProvisions for emergency stops, that is managed authority to stop an exercise if real life event occurs, and concluding exercises and test. Verification of continuity and resilience process assumptions and the ability to process a sufficient volume of work during adverse operating conditions. Activities commensurate with the importance of the business process as well as to critical financial markets. Result comparison against the BCP to identify gaps between the exercise or test process and recovery guidelines, with revisions incorporated where appropriate. Independent review of business continuity program and exercises and tests, internal and external. Okay.

Now let's talk about the exercise and test policy. Hopefully you already have a policy in place, but if not, now's a great time to take a look at what you're actually doing and put it in policy. The entity's policies should define exercise and testing expectations and strategies. The policy should: identify key roles and responsibilities. Establish minimum frequency, scope, and reporting requirements. Define documentation expectations that are consistent across business processes. Include a process for correcting deficiencies identified during exercises or test. Address testing of communication and connectivity between the entity and third party service providers. Detailed participation with critical third party service providers to confirm that entity personnel understand integration with recovery processes.

Hopefully you already have exercise and test strategies in place, but if not, let's talk about what you should have. Management should develop exercise and testing strategies that demonstrate the entity's ability to support connectivity, functionality, volume, and capacity using alternate facilities. The strategy should include expectations for individual business lines and use of exercise and testing methodologies and scenarios. Testing strategy should encompass internal and external dependencies, including activities outsourced to domestic and foreign based third party service providers. Management should test all aspects of the entity's BCP.

Lessons learned from natural disasters and other events show that for critical business functions, testing strategy should include transaction processing and functional testing to assess the recoverability of infrastructure, capacity, and data integrity. Regardless of the recovery strategy used, management should regularly test recovery provisions commensurate with the risk to the entity, and where applicable, the overall financial service sector.

So, what are our objectives here? The exercise and testing objectives should include resilience, system monitoring, and the recovery of business processes and critical system components. Tasks can range from recovering a single file to a full-scale failover to another data center. Tests should include physical security, critical systems, multiple departments, and third party relationships. Exercises should be sufficiently thorough to test dependencies and interrelationships amongst systems and third party service providers. As the exercise and test process matures, it should become increasingly complex up to and including full-scale recovery exercises.

Exercises and any associated test should accomplish the following objectives: build confidence that resilience and recovery strategies meet business requirements. Demonstrate that critical services can be recovered with the agreed upon recovery objectives, RTOs and RPOs, including customer SLAs, with MTDs. We'll talk about those acronyms here in a minute. Establish that critical services can be restored in the event of an incident at the recovery location. Familiarize staff with recovery processes. Verify that personnel are adequately trained and knowledgeable of recovery plans and procedures. Confirm exercise and test plans remain compatible with the BCP and the entity's infrastructure. Identify gaps and deficiencies.

Prepared for the new FDIC and OCC Cybersecurity Regulations?Within your BCP, you should have an exercise and test plan. Plans address the objectives and expectations of the exercise or test and outline the scenario in any assumptions or constraints that may exist. Exercises and test plans should include metrics to assess whether objectives are met. Again, we'll talk about metrics a little later in the presentation. Plans should identify roles and responsibility for participants, support personnel and observers. Exercise and test plans should be commensurate with the nature, scale, and complexity of the recovery objectives. Management should receive and review third party service provider exercise results, regardless of the entity's extent or participation. Management should consider the scope and results of these exercises and entity's BCP. Management should evaluate third party service providers, resilience, and ability to recover critical services used by the entity if an event occurs.

Test plans generally include the following: roles and responsibility for all test participants including support personnel. A consolidated exercise and test scheduled that encompasses all objectives. A specific description of objectives and methods. Identification of decision makers and succession plans. Exercise and test locations. Exercise and test escalation procedures and the ability to adjust for simulated scenarios. Contact information. Metrics to measure the success or failure of the exercise or test. Management should review the exercise and test results, update the BCP where appropriate, and report the results to the board or board designated committee. Okay.

Let's talk about exercise and test scenarios. Management should develop realistic exercise and test scenarios based on risk, which simulate disruptions in business functions and help management determine the ability to meet both business requirements and customer expectations. The goal should not be to execute perfect exercises without issues. Instead, it should be to continuously strengthen the business continuity program and validate the BCP. Management should identify and document assumptions used in developing each scenario. The scenario should include threats that could affect third party service providers and others such as significant business partners.

Exercises and tests should include communication processes with applicable stakeholders. Exercises demonstrate not only the ability to failover to an alternate site, but also validate recovery objectives. Management should consider all reasonably foreseeable risks to connectivity and service level agreements between the entities, facilities, third party service provider facilities, and with any applicable counterparties, i.e., entities on the other side of a financial transaction, with whom they transact significant or critical business.

Scenarios may include: simultaneous attacks affecting both the entity and a third party service provider. Cyber-related events, for example, isolated malware attack, DDoS attack, data corruption, or a full-scale data center outage. Use of mirrored sites to demonstrate that alternate sites can effectively support customer specific requirements, work volumes, and site specific processes. Processing a full day's work at peak volumes. To the extent possible, scenarios should include only resources that would be available during an event. For example, backup files or equipment at the alternate site. Considering data and systems help us management verify the integrity of data backups, including access to encrypted data, and the adequacy of offsite system supplies, such as workstations and procedures manual.

Management should develop exercise and test scripts to guide participants and meet objectives. Each script should document the procedures, which may include: applications, business processes, systems, or facilities reviewed. Sequential steps for employees or external parties to perform. Procedures to guide manual work around processes. A detailed schedule for completion. Methods for participants to record results, quantifiable metrics, and any issues. Okay.

Now let's talk about three specific exercise and test methods. Exercises and tests help management validate continuity and resilience of technology components, including systems, networks, applications, and data that support critical business functions. The type or combination of methods that should be determined by the entity's size and complexity, and the nature of its business. Rigorous exercises, methods, and increased frequency help provide greater confidence in the continuity and resilience of business functions. While comprehensive exercises involve greater investments of time, resources, and coordination, the benefit is a more accurate assessment of recovery capabilities if a disaster occurs. These assist management in assessing the resilience of systems and responsiveness of the individuals involved in recovery process.

Comprehensive testing of all critical functions and applications allows the management to identify potential problems. Therefore, management should use one of the more thorough testing methods discussed in this section to verify the BCP's viability. While names for exercises and tests may be different, or used interchangeably, the most common are full-scale, limited-scale, and tabletop exercises.

Full-scale exercises, sometimes called a full interruption or a comprehensive exercise, help management validate internal and external interdependencies between critical business functions, information systems, and networks. For example, for critical functions, exercises should include transaction processing and functional testing. Integrated exercises move beyond comprehensive exercises to include testing with internal and external parties, and the supporting system's processes and resources. The management should periodically reassess and update exercise and test plans to reflect changes in the business and operating environment.

A full-scale exercise simulates full use of available resources, personnel, and systems, prompting a full recovery of business processes. The goal of a full-scale exercise is to determine whether all critical systems can be recovered at the alternate processing site, and whether personnel can implement the procedures defined in the BCP.

For example, a full recovery exercise might simulate the complete loss of primary facilities. Features of a full-scale exercise may include the following: engaging personnel from all business units to participate and interact with internal and external management response teams. Validating the crisis or emergency management processes operating as designed. Verifying personnel, knowledge, and skills. Validating management response and decision making capability. Coordinating participants and decision makers. Validating communication protocols. Conducting activities at alternate locations or facilities. Processing data using backup media or alternative methods. Completing actual transactional volumes or an illustrative subset. Performing recovery exercises over a sufficient length of time to allow issues to unfold as they would in a crisis. Well, I guess the pandemic's going to cover that. It's going to be here for a while it looks like.

A limited-scale exercise is a simulation involving applicable resources, personnel, and systems to recover targeted business processes. The goal of a limited-scale exercise is to determine whether targeted systems can be recovered and whether personnel understand their responsibilities as defined in the plan. Features of a limited-scale exercise are very similar to a full-scale, but there's a little difference. Implementing a plan appropriate to the scenario. Verifying personnel knowledge and skills. Validating management response and decision making capabilities. Executing on-the-scene coordination decision making roles. Verifying whether participants can connect to alternate systems. Conducting activities at alternate locations or facilities. Testing communication and remote access capability. For example, switching to alternate equipment or telecommuting.

While limited scope exercises are important, they often have limited participation, for example departmental personnel only, or scope and do not necessarily allow management to gauge interconnectivity and how systems and capacity would support daily activities and workloads.

A tabletop exercise, sometimes referred to as a walk-through, is a discussion during which personnel review their BCP defined roles and discuss their responses during an adverse event simulation. I think we're way past tabletop with the pandemic and the actions you've put into place. So we'll just skip this one and move on.

As we move on, let's talk about tests. Management uses tests to verify the quantifiable performance and reliability of system resilience. The goal of testing is to determine whether system resilience conforms to the BCP and the stated recovery objectives. Test methodologies and frequencies should align with the risk associated with the business function as well as the entity's testing strategies and objectives. Management should clearly define the characteristics of a successful test, which may include: validating RPOs, RTOs, and MTDs. Demonstrating recoverability at peak volumes. Confirming that systems can support critical business processes. For example, transfer to alternate sites, increased workloads, manual work arounds, and communication. Integrating technologies that support critical business activities including data replication, recovery, and offsite storage. Testing backup data to assess integrity and availability. Certifying facility controls, for example, environmental backup power and physical security. Verifying workspace restoration, for example, network connectivity and communications.

So what about the industry as a whole? Given the potential for and nature of widespread and systemic disruptive events, public and private sector groups conduct exercises with their members to verify resilience across the financial industry. These exercises simulate significant regional or industry-wide emergencies and members are encouraged to use backup sites and test their recovery capabilities. In addition to financial institutions, these coordinated tests often include participation by third party service providers and government agencies. There are several methods for entities of all sizes to participate such as through third party service provider user groups or industry initiatives. For example, industry initiatives include the US Department of Treasury's Hamilton Series, National and Regional Series, and the FS-ISACs Cyber-Attack Against Payment Systems, or CAPS. The results of these exercises are usually available to members of industry and regulatory groups, and some reason may be available to the public. Okay.

What about third party testing? Third party service providers deliver critical services to many entities and should be included in the enterprise-wide exercise and testing program. The extent of inclusion in the entity's programs should be based on the criticality of the third party service provider and the business function. Management should obtain assurance that third party service providers are resilient and have adequate infrastructure and personnel to restore critical services consistent with business and contractual requirements. The right to perform or participate in testing with third party service providers should be included in the contract governing the entity's relationship with the third party. Management should actively participate in the entity's third party service provider's testing programs and should verify that testing strategies include likely significant disruptive events.

Third party service providers should be transparent about testing parameters and results because not all clients can participate in every testing activity. For example, when there's a large client volume. And some exercises and tests may not be relevant to the services provided to a specific customer. Management should request and receive test results and reports, remediation action plans, and status reports upon their completion, and related analysis or modeling. Management should track and resolve any issues identified during the exercise in a timely manner according to the severity of the issues. Any test results that affect the entity should be presented to its board.

Don't forget your core provider. Management at core and significant firms should develop verification strategies and execute exercise and testing activities to validate that the entity implemented sound recovery practice is consistent with the entity's role in the industry. Identification of external interdependencies is important given the sector's reliance on core and significant firms. Internal testing activities should include systems that support critical market activities in which these firms are core or significant. Exercise and testing activities should confirm that such critical clearing and settlement activities could be recovered within RTOs. Industry standard timeframes are continually adjusted based on available technology, pertinent risk, and industry initiatives.

Management should adjust its RTO to be in line with industry standard timeframes. Furthermore, management should design testing activities to demonstrate the ability to perform the following activities if a wide-scale disruption affects the accessibility of key personnel. Complete pending material payments and transactions. Access funding. Manage material open risk positions. Make related entries to books and records. Validate internal and external communication protocols. Ensure connectivity, functionality, and volume capacity.

Management should test with the relevant core firms from their alternate sites and meet testing standards the core firms established specifically for significant firms and for participants more generally. Management at core and significant firms should perform testing to assess the effectiveness of their recovery strategies. Management is also encouraged to the extent practical to participate in pertinent market-wide and cross-market tests that validate connectivity from alternate sites and include transactions, settlement, and payment processes.

CyberAttacks Webinar Recording - Watch Now!So once the crisis is over, what do we do? Let's talk about our post-exercise and post-test actions. Management should document issues identified during exercises and tests and create action plans with target dates for resolving issues. Exercise and test results should be analyzed and compared with the objectives and success criteria in the exercise and test plans and report it to appropriate levels of management. For those items not remediated, management should document decisions to accept risks identified during the exercises. Additionally, management should test corrective actions implemented as a result of a failed recovery objective or address major issues encountered. Business line management should update the BCP based on test results and adjusted BCM process, including exercise and testing program. Finally, management should submit regular reports to the board on the exercise and testing activities and whether the BCP meets the entity's recovery and resilience objectives.

Exercise and test results should include documentation for: dates and locations. An executive summary comparing objectives and results. Material deviations from the plans, including whether intended participation was achieved. Problems identified and lessons learned. Assignment of responsibility for timely resolutions of issues identified. The management should periodically analyze results and issues to determine whether problems can be traced to a common source, such as inadequate change control procedures. Fixing the root cause of the problem may help resolve many underlying issues.

So, how do we improve? How do we get better? Because risk and technology often change, management should regularly review and update the business continuity program to reflect the current environment. Periodic reviews allow management to align the business continuity process with business objectives. Management should use this information to prioritize and focus on system and process corrections and enhancements. When updating the business continuity program, management should document, track, and resolve any changes. Management should document, analyze, and review lessons learned from adverse events. Again, the pandemic is an adverse event. We'll repeat that. Management should document, analyze, and review lessons learned from adverse events. Understanding these lessons allows management to prepare for future adverse events.

Documented procedures for incorporating lessons learned should include: identifying the failures. Determining the cause. Evaluating potential solutions. Implementing timely corrective actions as appropriate. Recording and reviewing corrective actions taken.

As part of the maintenance and improvement process, management should maintain version control of key business continuity documents and ensure that the latest versions are readily available to appropriate personnel. The level of detail and documentation should be commensurate with the nature of the entity's operations. This information should be accessible during the event and can be maintained by BCM program management and personnel. The BCM documentation should include evidence substantiating periodic updates of the BIA, risk assessment, and BCP.

Business continuity document management processes may include: roles and responsibilities, document control, version control, storage and disposal. Management should follow the entity's information security standards for confidential or sensitive information contained within business continuity documentation. Additionally, management should maintain backup copies of relevant business continuity documentation in the event that the primary repository becomes inaccessible. Management should establish recovery objectives after determining a disruption's impact. Common measurements include recovery point objective, RPO, recovery time objective, RTO, and maximum tolerable downtime, MTD.

Where applicable, these measurements should be evaluated for alignment with third party service providers' contracted recovery expectations. The RPO represents the point in time before disruption, to which data can be recovered, given the most recent backup copy of the data, after an outage.

The RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on the other system resources and business processes. Determining the RTO is important for selecting appropriate technologies and strategies. When it is not feasible to meet an RTO, management should verify whether the RTO is realistic, initiate an action plan and milestone to document the situation, and when appropriate, plan for its mitigation. Management should consider interrelated RTOs for each business function to determine the total downtime caused by disruption. Establishing realistic RTOs assists management in determining a critical path and hierarchy for recovery. For example, a process with a shorter RTO that is depended upon a process with a longer RTO may indicate a gap that should be analyzed further.

Whether driven by customer expectations or technological advancement, previously established RTOs that were a few hours in duration may now require near realtime recovery. Therefore, it may be appropriate for management to reevaluate currently acceptable RTOs.

The MTD represents the total amount of time the system owner or authorizing official is willing to accept for a business process disruption and includes all impact considerations. The MTD is important for contingency planners when selecting an appropriate recovery method and developing the scope and depth of recovery procedures. Examiners may encounter other terminology to describe MTD, for example, maximum allowable downtime.

Failure to meet established metrics such as RPO, RTO, and MTD may have operational impacts including discontinued or reduced service levels, inability to meet security requirements, workflow disruptions, supply chain disruptions, and delays of business initiatives. The financial impact could include the loss of revenue, increased cost, or fines and penalties.

With the pandemic, our biggest impact has been personnel. So let's talk about that. Resilience is dependent upon personnel availability to maintain critical business processes. Personnel could be unavailable or distracted during such events as natural disasters, severe weather events, or pandemics. While any one employee's role may not be designated as mission critical, management should plan for mass absenteeism during an event or disruption. Previous catastrophic events, for example, Hurricane Katrina, demonstrate that personnel availability affects timely recovery. Management should plan for events during which personnel may not be able to access facilities, and critical personnel may not be available immediately after the disruption.

Public infrastructure and transportation systems may not be operating. Telecommunication systems may be overburdened and unavailable. Therefore, management should consider staffing and skills needed to operate critical function related to business continuity. Lodging arrangements for displaced employees and their families. Basic necessities and services for displaced employees, including water, food, clothing, childcare, transportation, and cash. On-site medical support and mobile command centers. Secure telecommunication options if employees work from an alternative location. Designated emergency personnel including critical business process level employees.

We're almost done. Let's talk about managing the event. The BCP may define various situations as events, disruptions, or triggers. An event is an occurrence or change in circumstances that may affect operations. An event can be physical, cyber, or a combination of both. A disruption is either an anticipated or unplanned event that causes operations to degrade or fail for an unacceptable length of time. For example, a minor or extended power outage and extended unavailable network, or equipment, or facility damage or destruction. A trigger is an event that prompts management's response. Predefined threshold escalation triggers are a key element of a BCP and responses should be designed to mitigate the impact from adverse events.

New call-to-actionThe BCP should include event management procedures that detail reasonably foreseeable event types and provide thresholds and responses. Procedures should describe how to report an event to management in situations that warrant notification to those who address events. Management should consider establishing a team or teams to address events. Individuals managing the event may change depending on the nature of the event and team member availability. While the team should manage the event and communicate with stakeholders, event monitoring is an entity-wide responsibility. For example, boards, senior management, and other personnel.

Responses may include activities, programs, or systems that protect life and property, meet basic human needs, and preserve the entity's operational capability. Examples of event responses include: switching operations to a backup facility after a software upgrade and subsequent rollback fail. Rerouting personnel to a safer location or authorizing telecommunicating when the local area becomes unsafe. Authorizing telecommuting when an event causes disruptions to operations. Invoking disaster recovery procedures once management has identified a significant cyber attack. Activating emergency response procedures once a hurricane threatens the local region. Okay. We've covered most of the points I want to cover, but in closing, here's a few remarks.

As you evaluate your own situation, you will find that with proper documentation and observance, many of the actions and responses you implemented will check the box for most of the guidelines identified by the FFIEC for disaster testing and business continuity planning. Not only will it check the box, but it will give you real data to help design a better BCM program going forward. In lieu of a simulated disaster test, this real live COVID-19 pandemic response can serve as your annual disaster test. Whether you define it as a full-scale or limited-scale exercise, either will qualify as your annual testing, and if done right, the results you gather for this real live event will be far superior to a simulated test or exercise.

The full impacts of the COVID-19 pandemic won't be known until long after the event has ended, but we are already smarter than we were and will be better prepared for the next time. Treating this event as a test or exercise and documenting results will go a long way toward preparing for the worst and strengthening the BCP program. Organizations that learn from this experience to enhance their BCP strategies and expand their testing capabilities will see immediate benefit from increased operational efficiency, improved quality, and faster time to market for new products and services. They will also be much better prepared to weather the storms that have increasingly become a part of the world we live in today. Thank you and stay safe.

If you have any questions or comments, please email us at We'll compile any questions and distribute those back out to our attendees via email. Thank you.

Thanks for joining us for our webinar series! Please feel free to reach out if NXTsoft can help with anything!