Best Practices for Business Continuity Plan Testing
The business continuity plan (BCP) is critical to business resilience. Indeed, the insurance brokerage Gallagher estimates that more than 70% of companies without a comprehensive BCP fail to recover from a significant business interruption.
Given the data, experts advise testing the BCP at least yearly – if not more often – and certainly updating continuity plans after any disruption.
But not all business continuity testing is created equal. Knowing how exactly to test your BCP is a science in and of itself.
We explain the science of business continuity testing in the following article, providing a set of best practices to get your exercise management program up and running.
The importance of business continuity testing
Why test at all, though? Isn’t just having the BCP enough?
For one, the pace of business change is staggering. And the risk environment around us is in wild flux.
As a result, organizations need to know whether the procedures they’ve put in place to withstand disruption will actually work. The only place to find that out safely is in the controlled, risk-managed environment of exercises and testing.
That’s not all.
Business continuity management (BCM) itself often suffers from a lack of senior leadership buy-in. A comprehensive exercise management program, based on best-practice business continuity planning principles, signals to higher-ups the importance of BCM. That, in turn, helps garner sponsorship and resourcing for the program.
Other reasons to test your BCP regularly include:
- Helps identify gaps and areas for improvement in the business continuity management system (BCMS)
- Ensures compliance with regulatory requirements
- Improves the quality of the plan itself by introducing new, relevant information
- Demonstrates commitment to BC to clients, which might help secure new business and/or deepen existing relationships
- Ultimately reduces recovery time and costs
Challenges to business continuity testing
If the benefits are so clear, why don’t we all test? That’s a complicated question.
As with all tests, we’re afraid to fail. Of course, there’s no actual failing in business continuity testing. Still, less-than-optimal results can seem highly embarrassing.
There’s also the issue of executive buy-in again. Business continuity programs without buy-in find it hard to implement exercise management capabilities because of generalized indifference.
Getting started with business continuity testing
So, how then do you implement a best-practice business continuity testing capability at your organization? Well, the best place to start is at the beginning.
And at the beginning is the needs and gap analysis. The purpose of this analysis is to establish the need for exercises and testing in the first place.
This pre-testing analysis also serves a second purpose: it signals the role of exercises and testing in managing business risks, helping stakeholders (including senior leaders) understand that conducting exercises and testing is necessary to manage those risks.
What questions should organizations ask to get started with this planning stage of the business testing process? Common questions include:
- Does the exercises and testing plan address requirements for exercises and testing?
- Can this plan promote consensus with interested parties?
- Does the plan offer an opportunity to reach and interact with its target group(s) and potentially address their interests?
- Does this plan provide an opportunity to address multiple issues in depth?
- Does this plan focus on key issues?
- Does the plan provide information tailored to the target group(s)?
- Is this plan practical and relatively easy to implement?
- Does the plan provide for information transfer at relatively low cost?
- Is this plan easy to update?
- Is the effectiveness of this plan measurable?
- Is this plan a good vehicle for education?
- Is this plan creating a constructive and supportive atmosphere?
- Is this plan an effective way to get publicity or increase public awareness?
- Does the plan conform to the organization’s constraints?
Types of business continuity exercises
Going through this planning stage helps organizations move away from generic exercises and toward a more customized testing program. The latter will be better suited to address specific business risks.
In that regard, the gap analysis not only helps make the case for a best-practice testing program, but it also indicates what kind of exercise (out of the many available options) that program should be using.
According to international exercise management standard ISO 22398, the most common types of exercises are:
Alert exercise
The purpose of an alert exercise is to test the organization by alerting the involved participants and getting them to arrive at a designated place within a certain time. It can also be used to test an alert mechanism. This type of exercise is primarily applied to internal staff.
Start exercise
Building upon the alert exercise, the start exercise tests how fast an organization can be activated and start carrying out its tasks. A start exercise is therefore a means to test and develop the ability to get started with resilience processes.
Decision exercise
A decision exercise is primarily used to exercise decision-making processes within an organization, e.g., the ability to make fast and clear decisions on actions and to initiate cooperation between those responsible and stakeholders, under time pressure.
This type of exercise is a combination of alert exercise, start exercise, staff exercise, decision exercise, and system exercise. The focus is often on the roles, organization, SOPs, etc.
Cooperation exercise
A cooperation exercise is one in which coordination and cooperation between management levels are exercised. It can be carried out at both large and small scales.
This kind of exercise may consist of “vertical” coordination (between national, regional, and local levels) or “horizontal” coordination in a sector where public and private stakeholders participate.
Crisis management exercise
A crisis management exercise simulates crisis conditions and gives personnel the opportunity to practice and gain proficiency in their plan roles.
Strategic exercise
A strategic exercise refers to comprehensive exercise activities at a strategic level (e.g., inter-ministerial crisis staff, political-administrative staff, cross-sector and cross-departmental management staff, crisis management organization of corporate management).
Aims of strategic exercising include improving the integrated crisis reaction ability in exceptional threat and danger situations (crisis situations) and developing a comprehensive coordination and decision culture.
Exercise campaign
An exercise campaign is a series of recurrent exercises with a common generic organizational structure.
Different business continuity testing methodologies
That’s not all. These exercises can be further subdivided based on their methodology, that is, how BC professionals go about conducting them.
The most common testing methodologies are:
Discussion-based exercises
Discussion-based exercises tend to be structured events where participants can explore relevant issues and examine plans.
Scenario exercises
A scenario is a pre-planned storyline that drives a time-limited exercise. Scenarios are usually conducted in a table-top environment, where participants are expected to be familiar with the plans being exercised.
The exercise itself is likely to involve a practical rehearsal of relevant response activities, e.g., completing assessment checklists, using log sheets, or writing media release statements.
Simulation exercises
These are imitations meant to be representative of the functioning of one system or process. In a simulation, participants are given information in a way that mimics an actual incident.
As a result, simulation exercises tend to be operations-based, i.e., designed to be more realistic. They are also more likely to be elaborate, involving strategic, tactical, or operational teams.
Live exercises
These are exercises carried out in the normal operational environment, alternative premises, or command centers. Like simulations, live exercises are designed to include everyone likely to be involved in the response as if it were real.
Parameters for business continuity testing
Of course, knowing what kind of exercise to conduct is only half the battle.
Business continuity testing should be consistent with the broader scope and objectives of the BCMS, and specific tests should be based on appropriate scenarios. Those scenarios should be planned out well in advance, with clearly defined aims and objectives.
What are the other parameters of business continuity testing? According to international BCMS standard ISO 22301, business continuity testing should fulfill the following criteria:
- Validate business continuity arrangements, involving relevant interested parties
- Minimize the risk of disruption of operations
- Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements
- Be reviewed within the context of promoting continual improvement
- Be conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates
Methods and techniques of business continuity testing
Once you’ve decided upon the kind of test you’ll undertake and the parameters around that exercise, you’ll have to define the resources and systems you need. These considerations will then inform the budget for the end-to-end exercise management program.
Required resources will likely include personnel and facilities. Due diligence suggests that business continuity professionals should confirm resource availability before exercises begin.
BC professionals should also identify any training requirements for those participants or planners ahead of time and integrate relevant requirements into the exercise management program.
Beyond that, it’s prudent to create a testing schedule which includes validating the BC arrangements of relevant parties. That schedule should then be submitted to senior management for approval.
The stages of business continuity testing
Once scheduled, exercises are likely to start with an initial run-through to ensure that all members of the exercise team receive the same initial information.
This review should be brief and contain only the information participants need to perform as planned during the conduct of the exercise.
The lead evaluator should be a participant in the run-through.
It’s also advisable to conduct a similar review with the control team, so that the team remains synchronized with scenario changes and so that the exercise director’s guidance is implemented as the exercise proceeds.
From there, according to BCI’s Good Practice Business Guidelines, the following stages are likely to unfold:
The business should organize a start-up briefing, an integral part of the exercise hazard control. If a hazard is identified and cannot be eliminated, the first technique in hazard control is awareness. The start-up briefing should be used to avoid confusion between simulated and actual events.
The organization should then check, prior to the scheduled launch, the communications that will be used to launch, temporarily stop, and terminate exercises and testing. The methods for communicating launch, stop, and terminate signals should be explained during the start-up briefing.
The organization should use the same communications for launching and for temporary stops at the end of the exercises and testing. The start-up briefing should be used to ensure clear communication, with the intent of avoiding confusion between simulated and actual events.
The business should organize a post exercise briefing to gather information from actual exercises and testing. Critique of actual incidents and near-incidents will provide valuable information concerning the following:
- The validity of the plan
- The resources that were available
- How the resources were used
- The transfer of behavior learned in training.
Further, every actual incident should be subjected to a critique and a review by key decision-makers. The same format used for the critique of an exercise or test should be used for an actual incident. During the post-exercise debriefing, special attention should be given to the functioning of the exercise organization and the exercise planning process.
The evaluators of the exercise should have knowledge of the expected performance. They should have prepared observation forms, which should contain the exercise performance objective and allow for notes to be taken during the exercise.
And once exercises are finished?
Exercises should yield an after-action report. Remember, their primary purpose is to inform stakeholders which practices are working as planned and which are not.
Most organizations would have heard of the after-action report, a staple of post-crisis analysis. The post-testing after-action report is similar, in that it:
- Gives organizations an overview of the exercises and testing performed
- Reports on any successes against performance objectives
- Elucidates what went well
- Lays out the issues identified
- Lists subsequent remediation actions to be taken and by whom.
Business continuity software to help improve the quality of business continuity testing
Another resource to consider in business continuity testing is business continuity software.
Why? These comprehensive platforms help businesses to:
- Better anticipate and identify trends
- Prevent situations that may generate an interruption
- Respond more efficiently to disruptions that do arise.
They also work to better fuse the planning and exercise management competencies together within the greater business continuity management program.
The platforms in question function as plans. That means when customers need to develop their continuity and resilience plans, all the data they have previously entered seamlessly comes together.
This way continuity and resilience managers don’t have to go sifting through documents to find the data they need, eliminating the risk of someone referencing an out-of-date plan during a crisis.
This also helps because now multiple stakeholders can collaborate on the development and updating of the plan, enabling better engagement.
All data associated with building the plan is managed centrally, in a controlled way. Data points only need to be captured once and then updated, reducing the risk of duplication.
The platform as plan approach leads to more efficient exercise management, too. But the platforms in question also come with enhanced exercise management capabilities. Those include:
- Exercise dashboards navigate users and their teams through each phase of an exercise, ensuring everyone understands what needs to be completed and when.
- The platform’s automation capabilities ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.
- Once the exercise is activated, all users can easily see what type of exercise is being completed.
- Recovery strategies: based upon the affected assets/activities, the recovery strategies required for those assets are automatically populated for the team.
- Built-in communication and collaboration tools, e.g., chat, email, SMS, and voice messages, then, make it easy to collaborate in real time, better coordinate responses, and keep everyone informed.
- The platforms provide the capability to record meetings, minutes, and action items.
Seventy-five percent of companies without a BCP fail three years after a disaster. But having a BCP itself isn’t enough to guarantee resilience.
Organizations will have to build a rigorous business continuity testing program around that BCP, as well.
To supplement that program, they should procure comprehensive business continuity software with enhanced exercise management functionality.
Integrated resilience workspaces like Noggin deliver such streamlined, integrated, and automated business continuity management that facilitates engagement and collaboration across all stakeholders and ensures a unified approach to resilience.
But don’t just take our word for it. See how Noggin can help your organization through a tailored demonstration.