Testing your business continuity (BC) plan is the only way to prove it will work when needed. Testing highlights any dangerous false assumptions, outdated information or omissions in the plan so you can rectify these shortcomings before you need to rely on your plans in a real-life incident.
The exercise programme is the final phase of the process, when companies conduct tests to validate that their BC strategies, plans and capabilities can meet defined objectives for recovery of business activities. As well as being a key requirement of ISO 22301, conducting regular tests proves that the plans will work when needed. Familiarity with the plan will also ensure that every member of the organisation knows their roles and responsibilities in the event of a disruption.
Types of business continuity management exercises
There are many different types of tests and exercises, from simple call tree notification tests to more elaborate exercises that include relocating personnel to alternate locations.
- Plan walkthrough or desk check
The simplest option, this method involves walking through the contents of a BC plan. It can involve just one or two people who are fully conversant with the organisation's key business processes. As the name suggests, they will quite literally walk through the plan to gauge whether it will work as intended. They will challenge any assumptions and highlight any gaps.
- Business continuity management exercises
This is an extended desk check that typically involves one or two plan owners walking through their plans to identify any interdependencies and to test assumptions, for example that an activity one team relies on has actually been prioritised by the team that provides it.
- Technical testing
This is a test of equipment, recovery procedures or technology, and aims to establish whether all the relevant equipment, infrastructure, services and security controls will perform as expected when needed.
- Simulation exercise
This incorporates a carefully thought-through exercise simulation to put many aspects of a BC plan to the test and identify any gaps or shortcomings. Typically centred around a realistic scenario, the exercise could include a building evacuation and internal and external communications. As well as a cross-section of staff, there may be value in involving key suppliers. With this kind of exercise, the more relevant it is to your organisation the better. For example, if your organisation is heavily dependent on its IT, a ransomware scenario might be a good idea. If your premises are at high risk of flooding, you might benefit from testing an extreme weather scenario.
- Testing critical activities
This is where controlled testing is conducted for specific activities, ensuring they can be recovered as planned. Such testing is usually conducted at a departmental, divisional or business area level.
- Testing of individual department or business unit plans
This is like a test of critical activities but can be widened to include additional elements such as employee welfare and reputational damage. It can be a real-world exercise rather than a simulation: for instance, closing an office to test the performance of your recovery location or the effectiveness of your work-from-home strategy.
- Full BC exercise
Commonly referred to as a global exercise, this is the most thorough type of exercising and tests the entire organisation's plans. It requires considerable commitment from the highest level of the organisation and meticulous planning to prevent the exercise itself from causing a disruption.
Whichever type of exercise is right for your organisation, Resilience Guard can plan and implement tests that check whether your business continuity plans are fit for purpose.
Contact us to discuss how we could help your organisation.