If you’ve been following along in this series on designing and implementing an effective Business Continuity Management (BCM) program, we’ve worked our way through the first five steps to answer the following four questions:
- What are our “critical” business functions?
- What’s our exposure to “serious incidents or disasters”?
- What can be done to mitigate the risk?
- What’s our plan to respond and recover?
That brings us to our next step, testing and exercising our response plan. You will recall that in article four, we discussed three areas of focus: Crisis Management, Disaster Recovery, and Business Continuity.
Crisis Management (also known as incident management or emergency response) is focused on managing the disaster (emergency procedures, crisis communications, etc.). This starts with the safety of personnel (staff, families, and guests). The next priority is the security of data and the protection of assets.
Disaster Recovery (also known as the IT contingency plan) is focused on getting the technical infrastructure and facilities up and running within a timeframe that is acceptable to the organization and is aligned with the recovery time and recovery point objectives (RTO/RPO). Equipped with the information provided by the business impact analysis, the IT contingency plan is arranged as a prioritized recovery of those technical resources that support the organization’s most critical business functions.
Business Continuity (also known as business recovery and resumption) is focused on serving the members during the recovery effort and getting the business back to normal operations. With the complexity inherent in most organizations today, this will likely require a coordinated effort among all departments as well as outsourced vendors and technology service providers.
Breaking these strategies into the three areas listed above is helpful when designing your training and awareness program (see article five) and for the topic of this article: designing your testing and exercising program. Breaking your Business Continuity Plan into these manageable categories will allow you to test more frequently, achieve better results and progress, control the cost of investment, and maintain engagement with your team.
Testing and exercising
Testing and exercising your response plans should be coordinated with your awareness and training program. While all staff are required to have a level of awareness of procedures to follow for emergency response (e.g. building evacuation or seeking safe shelter), staff with specific roles and responsibilities are going to need the ability to practice strengthening skills and validate procedures.
“Is it a test or an exercise, or both?”
I’m often asked what the difference is between testing and exercising and when each is the appropriate method. When I call something a test, think “pass or fail,” or think of it as a method of measuring how long an activity takes. Don’t think of failure as final, but as “we’re not there yet.” Exercising is the opportunity to practice so as to become proficient: to ask questions, to perform research if needed, and maybe even to start over again. Practice to become familiar, to improve, to become an expert. There is no failing, only progress. You can see how beneficial regular exercise with occasional testing is to your program.
When building your testing program, think long-term (three to five years), set goals for each year (where you want the program to be), and reassess the program on an annual basis. Develop metrics to measure the success of each exercise and test to document your progress in a report to the team and to senior management.
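The metrics the article recommends can be kept as simple, repeatable numbers: did each recovery test meet its RTO and RPO, by how much did it miss, and what share of tested functions passed this year. The following is an added example, not code from the article or its author; the business functions, priorities, objectives and measured results are constructed sample values, and the "not there yet" wording follows the article's framing of a missed test as progress rather than failure.

```python
"""Score recovery test results against RTO/RPO objectives and produce report metrics.
Added example with constructed sample data; not the article's own material."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RecoveryTest:
    function: str                     # critical business function under test
    priority: int                     # 1 = most critical, as ranked by the BIA (constructed)
    rto_minutes: int                  # recovery time objective
    rpo_minutes: int                  # recovery point objective
    measured_recovery_minutes: int    # time to restore, observed during the test
    measured_data_loss_minutes: int   # age of the newest restored data at recovery

    def meets_rto(self) -> bool:
        return self.measured_recovery_minutes <= self.rto_minutes

    def meets_rpo(self) -> bool:
        return self.measured_data_loss_minutes <= self.rpo_minutes

    def status(self) -> str:
        # A miss is reported as "not there yet", never as a final failure
        return "pass" if self.meets_rto() and self.meets_rpo() else "not there yet"


def recovery_order(tests: List[RecoveryTest]) -> List[str]:
    """Prioritized recovery sequence: most critical tier first, tighter RTO first within a tier."""
    return [t.function for t in sorted(tests, key=lambda t: (t.priority, t.rto_minutes))]


def action_items(tests: List[RecoveryTest]) -> List[str]:
    """One action item per missed objective, quantifying the shortfall for the report."""
    items = []
    for t in tests:
        if not t.meets_rto():
            over = t.measured_recovery_minutes - t.rto_minutes
            items.append(f"{t.function}: recovery took {t.measured_recovery_minutes} min "
                         f"against RTO {t.rto_minutes} min (over by {over} min)")
        if not t.meets_rpo():
            over = t.measured_data_loss_minutes - t.rpo_minutes
            items.append(f"{t.function}: data loss of {t.measured_data_loss_minutes} min "
                         f"against RPO {t.rpo_minutes} min (over by {over} min)")
    return items


def summary(tests: List[RecoveryTest]) -> Dict[str, float]:
    """Year-over-year metrics: how many functions were tested and how many met both objectives."""
    passed = sum(1 for t in tests if t.status() == "pass")
    rate = round(100 * passed / len(tests), 1) if tests else 0.0
    return {"tested": len(tests), "passed": passed,
            "pass_rate_pct": rate, "action_items": len(action_items(tests))}


def report(tests: List[RecoveryTest]) -> str:
    """Plain-text report section suitable for the team and senior management."""
    lines = ["Recovery order: " + " -> ".join(recovery_order(tests))]
    for t in sorted(tests, key=lambda t: (t.priority, t.rto_minutes)):
        lines.append(f"{t.function:<24} RTO {t.measured_recovery_minutes:>4}/{t.rto_minutes:<4} "
                     f"RPO {t.measured_data_loss_minutes:>4}/{t.rpo_minutes:<4} {t.status()}")
    lines.extend("ACTION: " + item for item in action_items(tests))
    s = summary(tests)
    lines.append(f"{s['passed']}/{s['tested']} functions met objectives ({s['pass_rate_pct']}%)")
    return "\n".join(lines)


# Constructed results from one standalone test cycle (not real data)
SAMPLE_TESTS = [
    RecoveryTest("Member account lookup", 1, 60, 15, 45, 10),
    RecoveryTest("Payment processing", 1, 120, 15, 150, 10),
    RecoveryTest("Loan origination", 2, 240, 60, 200, 30),
    RecoveryTest("Email", 3, 480, 240, 300, 300),
]

if __name__ == "__main__":
    print(report(SAMPLE_TESTS))
```

Recording results this way gives the annual reassessment a consistent baseline: the same functions, the same objectives, and a shortfall in minutes that either shrinks from one test to the next or shows up as an open action item.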
Purposes for testing and exercising
There are many benefits to testing and exercising your business continuity plan, in addition to those mentioned earlier.
- To verify completeness and accuracy of the plan
- To identify areas within the plan that should be enhanced or updated to improve effectiveness
- To provide training for recovery teams
- To demonstrate the ability to recover and build confidence
Like good physical health, our goal for resilience requires developing good habits and exercising our procedural muscles.
Start with the exercise and test policy
To ensure that your exercise and testing program is aligned with business goals and objectives, begin by defining the policy. The policy helps set the expectations and strategies. According to the FFIEC, the policy should include but not be limited to the following components:
- Identify key roles and responsibilities
- Establish minimum frequency, scope, and reporting requirements
- Define expectations that are consistent across business processes
- Include a process for correcting deficiencies identified during exercises or tests
- Address testing of data communication and network connectivity with third-party technology providers
- Detail participation with critical third-party vendors to confirm the understanding of integration with recovery services
Types of tests and exercises
There are multiple types or methods of testing and exercising. The methods listed below are ordered by increasing difficulty and complexity (least to greatest):
- Life safety exercises: Examples include building evacuation and shelter-in-place drills
- Plan walk-through or tabletop review: Review recovery plan with response team in a conference room
- Scenario-based tabletop exercise: Facilitate a scenario-based tabletop exercise with specified goals and objectives
- Alternate site test or exercise: Test recovery procedures at a designated site (cold/warm/hot-site)
- Standalone test or exercise: Test restoration of a single business unit or process
- Full end-to-end functional test or exercise: Test restoration of a business unit functional area
- Comprehensive test or exercise: Test (offline) restoration for the entire organization
- Integrated test or exercise: Test (online) restoration of some or all systems parallel to production
At the conclusion of each test or exercise, notes from participants should be collected and a report generated. The report should include the specifics of the test or exercise (when, where, what, who, etc.), what was successful and what was not (what did we learn?), and what changes and action items are recommended for future improvement.
Identify and address skills gaps
Testing and exercising response plans helps management identify areas (skills, experience, knowledge) where personnel deficiencies exist that may prevent the organization from reaching its recovery time objectives in an actual disaster. Addressing the skills gaps includes looking for opportunities to further train and educate internal staff and establishing relationships with external vendors for support. External vendors and technology service providers should participate in recovery tests where applicable, so that the measured capability to meet objectives reflects the actual recovery arrangement rather than internal staff alone.
The untapped value of the tabletop exercise
One of the most overlooked tools available for measuring the capability of your response team is the tabletop exercise. Getting the full value out of this method requires an organization to become expert at facilitating tabletop exercises or to outsource facilitation to a professional vendor or consultant. The process of conducting the exercise is just as important as the recovery scenario itself.
Tips for conducting an effective tabletop exercise include:
- Setting clear and achievable objectives
- Engaging participants by using probing questions and encouraging those who tend to be reserved to interact
- Promoting in-depth problem solving (resolving problems or making plans as a group; accept real solutions, not superficialities)
- Remembering that the purpose of the tabletop exercise is to encourage discussion among participants and to develop recognition of coordination and planning requirements
- Remembering that the goal of the exercise for a specific scenario is not to be mistake-free, but to identify potential problem areas
- Recognizing that success depends on feedback from participants and on the impact this feedback has on the evaluation and revision of policies, plans, and procedures
In the next article, we will wrap up our Continuity at the Core series and look at how an organization should review and update the Business Continuity plan. If you have any questions about building a Business Continuity Management program at your organization, I can be reached at my contact information below.