3.8 Business continuity management testing and improvement (Validation)


A port’s BCP should be regularly tested, at least annually, with varying options for testing. At the end of a significant incident, the port, led by its core business continuity team, should conduct an after-action review (AAR). An AAR is a structured approach for obtaining feedback, lessons learned and identifying areas for improvement.

An AAR presents an opportunity to fine-tune the BCP or overall ERM process. An AAR helps ports to understand what was expected to happen rather than what occurred. It also helps clarify , how the port responded, what went well and not so well, and whether things could be improved.

The AAR should be completed as soon as possible after the port has fully returned to normal operations. Ports should encourage candid feedback from those involved in the process, and discussion insights should be documented.

A port should pay special attention to how its BCM system or programme interacts with its HR department and staff onboarding activities to ensure greater port awareness on its BCM and ERM-related activities and programmes in periods of staff turnover. Ports should strongly consider embedding knowledge that can benefit port workers/employees on some issues, such as best practices in cybersecurity, within their training programmes, especially for new employees. Visual guides or videos can facilitate this process and make it more scalable. Similarly, if a port has an annual training programme on, for example, health and safety or compliance training, it can incorporate training modules for staff directly engaged in working on the port’s BCM system and responsible for its implementation and execution. Leveraging training and knowledge sharing is a straightforward, cost-effective way to enhance the port's readiness in the face of future disruptions.

When available, a ports' internal or external audit resources can help determine whether:

  • BCM system plans are updated.
  • All critical business operations, functions, and systems have been covered and considered, for example, the new critical IT application or the new port terminal.
  • Plans are based on the identified risks and their potential impact.
  • Plans under the BCM programme are fully documented.
  • Functional responsibilities have been assigned.
  • The port is capable of and prepared to implement the BCPs.
  • BCPs are tested and revised accordingly.
  • Plans under the BCM programme are correctly and safely stored, and the storage location is known.
  • The location of alternate facilities (back-up sites) is known to the ports' employees.
  • Plans calling for coordination with local emergency services and other parties, contain appropriate contacts and details.