The insurance brokerage Gallagher estimates that more than 70% of companies without a comprehensive business continuity plan (BCP) fail to recover from a significant business interruption.
Given the data, experts advise testing the BCP at least yearly – if not more often – and certainly updating continuity plans after any disruption.
But not all business continuity testing is created equal. Knowing how exactly to test your BCP and what business continuity software to use to do it is a science in and of itself.
So, how to do it right? In the following, we provide the six business continuity plan testing best practices you should follow.
The importance of business continuity plan testing
Why test at all, though?
Because having a business continuity plan isn’t enough. And the risk environment around us is in wild flux.
As a result, organizations need to know whether the procedures and business continuity software they have in place to withstand disruption will work.
The only place to figure that out is in the controlled, risk-managed environment of exercises and testing.
That’s not all. Other reasons to test your BCP regularly include:
- Helps identify gaps and areas for improvement in the business continuity management system (BCMS)
- Ensures compliance with regulatory requirements
- Improves the quality of the plan itself by introducing new, relevant information
- Demonstrates commitment to BC to clients, which might help secure new business and/or deepen existing relationships
- Ultimately reduces recovery time and costs
Challenges to business continuity testing
If the benefits are so clear, why don’t we all test? That’s a complicated question.
Like with all tests, we’re afraid to fail. Of course, there’s no actual failing in business continuity plan testing. Still, less than optimal results might seem highly embarrassing.
There’s also the issue of executive buy-in again. Business continuity programs without buy-in find it hard to implement exercise management capabilities because of generalized indifference.
Business continuity plan testing best practices
So, how then do you implement a best-practice business continuity testing capability at your organization? We recommend the following six business continuity plan testing best practices:
1. Conduct a needs and gap analysis
The first place to begin is the needs and gap analysis. The purpose of this analysis is to establish the need for exercises and testing in the first place.
This pre-testing analysis also has the dual purpose of effectively signaling the role of exercises and testing in managing business risks. This helps stakeholders (including senior leaders) understand that conducting exercises and testing is needed to manage risks.
The analysis itself involves asking the following questions:
- Does the exercises and testing plan address requirements for exercises and testing?
- Can this plan promote consensus with interested parties?
- Does the plan offer an opportunity to reach and interact with its target group(s) and potentially address their interests?
- Does this plan provide an opportunity to address multiple issues in depth?
- Does this plan focus on key issues?
- Does the plan provide information tailored to the target group(s)?
- Is this plan practical and relatively easy to implement?
- Does the plan provide for information transfer at relatively low cost?
- Is this plan easy to update?
- Is the effectiveness of this plan measurable?
- Is this plan a good vehicle for education?
- Is this plan creating a constructive and supportive atmosphere?
- Is this plan an effective way to get publicity or increase public awareness?
- Does the plan conform to the organization’s constraints?
2. Pick the correct business continuity plan exercise
The analysis helps organizations move toward a more customized business continuity testing program – one more suited to address specific business risks.
To that end, the gap analysis indicates what kind of exercise (out of the many available options) the program should be using.
What are the options? They include:
Alert exercise
The purpose of an alert exercise is to test the organization by alerting the involved participants and getting them to arrive at a designated place within a certain time. It can also be used to test an alert mechanism. This type of exercise is primarily applied to internal staff.
Start exercise
Building upon the alert exercise, the start exercise tests how fast an organization can be activated and start carrying out its tasks. A start exercise is therefore a means to test and develop the ability to get started with resilience processes.
Decision exercise
A decision exercise is primarily used to exercise decision-making processes within an organization, e.g., the ability to make fast and clear decisions on actions and to initiate cooperation between those responsible and stakeholders, under time pressure.
Management exercise
This type of exercise is a combination of alert exercise, start exercise, staff exercise, decision exercise, and system exercise. The focus is often on the roles, organization, SOPs, etc.
Cooperation exercise
A type of exercise where coordination and cooperation between management levels is exercised. A cooperation exercise can be carried out on both large and small scales.
This kind of exercise may consist of: “Vertical” coordination (between national, regional, and local levels); “Horizontal” coordination in a sector where public and private stakeholders participate.
Crisis management exercise
A crisis management exercise simulates crisis conditions and gives personnel the opportunity to practice and gain proficiency in their plan roles.
Strategic exercise
A strategic exercise refers to comprehensive exercise activities at a strategic level (e.g., inter-ministerial crisis staff, political-administrative staff, cross-sector and cross-departmental management staff, crisis management organization of corporate management).
Aims of strategic exercising include improving the integrated crisis reaction ability in exceptional threat and danger situations (crisis situations) and developing a comprehensive coordination and decision culture.
Exercise campaign
An exercise campaign is a series of recurrent exercises with a common generic organizational structure.
3. Determine the right business continuity plan testing methodology
Business continuity plan exercises can be further subdivided based on methodology, that is, by how BC professionals go about conducting them.
The most common testing methodologies are:
Discussion-based
Discussion-based exercises tend to be structured events where participants can explore relevant issues and examine plans.
Scenario
A pre-planned storyline that drives a time-limited exercise, scenarios are usually conducted in a table-top environment. Here, participants are expected to be familiar with the plans being exercised.
The exercise itself is likely to involve a practical rehearsal of relevant response activities, e.g., completing assessment checklists, using log sheets, or writing media release statements.
Simulation
These are imitations meant to be representative of the functioning of one system or process. In a simulation, participants will be given information in a way that simulates an actual incident.
As a result, simulation exercises tend to be operations-based, i.e., designed to be more realistic. They are also more likely to be elaborate, involving strategic, tactical, or operational teams.
Live
These are exercises carried out in the normal operational environment, alternative premises, or command centers. Like simulations, live exercises are designed to include everyone likely to be involved in the response as if it were real.
4. Know what you want to accomplish with the business continuity plan test
Of course, business continuity plan testing should be consistent with the broader scope and objectives of the business continuity management system.
What’s more, tests should also be based on appropriate scenarios. And those scenarios should be planned out well in advance with clearly defined aims and objectives.
What are the other parameters of business continuity testing? According to international BCMS standard ISO 22301, business continuity testing should fulfill the following criteria:
- Validate business continuity arrangements, involving relevant interested parties
- Minimize the risk of disruption of operations
- Produce formalized post-exercise reports that contain outcomes, recommendations, and actions to implement improvements
- Be reviewed within the context of promoting continual improvement
- Be conducted at planned intervals and when there are significant changes within the organization or to the environment in which it operates
5. Solidify a budget for business continuity plan testing
Once you’ve decided upon the kind of test you’ll undertake and the parameters around that exercise, you’ll have to define the resources and systems you need. These considerations will then inform the budget for business continuity plan testing.
Required resources will likely include personnel and facilities. Due diligence will suggest business continuity professionals should check on resource availability before exercises begin.
BC professionals should also identify any training requirements for those participants or planners ahead of time and integrate relevant requirements into the exercise management program.
Beyond that, it’s prudent to create a testing schedule which includes validating the BC arrangements of relevant parties. That schedule should then be submitted to senior management for approval.
6. Run the test from beginning to end
Once scheduled, exercises are likely to start with an initial run through to ensure that all members of the exercise team receive the same initial information.
From there, according to BCI’s Good Practice Business Guidelines, the exercise will move to a start-up briefing then launch. For the launch, the organization should check the communications that will be used to launch, stop (temporarily), and terminate exercises and testing prior to the scheduled launch.
Organizations should wrap things up with a post-exercise briefing to gather information from actual exercises and testing. Critique of actual incidents and near-incidents will provide valuable information concerning the following:
- The validity of the plan
- The resources that were available
- How the resources were used
- The transfer of behavior learned in training
Business continuity plan tests aren’t complete without an after-action report. Remember, their primary purpose is to inform stakeholders which practices are working as planned and which are not.
Business continuity software to help improve the quality of business continuity plan testing
Another resource to consider in business continuity testing is business continuity software.
Well, the platforms in question function as plans. That means when customers need to develop their continuity and resilience plans, all the data they have previously entered seamlessly comes together.
This way continuity and resilience managers don’t have to go sifting through documents to find the data they need, eliminating the risk of someone referencing an out-of-date plan during a crisis.
This also helps because now multiple stakeholders can collaborate on the development and updating of the plan, enabling better engagement.
All data associated with building the plan will be managed centrally, in a controlled way. Data points will only need to be captured once and updated, reducing the risk of duplication.
The platform-as-plan approach leads to more efficient exercise management, too. But the platforms in question also come with enhanced exercise management capabilities. Those include:
- Dashboards. Exercise dashboards navigate users and their teams through each phase of an exercise, ensuring everyone understands what needs to be completed and when.
- Automation. The platform’s automation capabilities ensure the correct teams and/or personnel are invited to participate in the exercise and receive regular updates via automated notifications throughout the exercise.
- Visibility. Once the exercise is activated, all users can easily see what type of exercise is being completed.
- Recovery strategies. Based upon the affected assets/activities, the recovery strategies required for the affected assets will automatically be populated for the team.
- Collaboration. Built-in communication and collaboration tools, e.g., chat, email, SMS, and voice messages, make it easy to collaborate in real time, better coordinate responses, and keep everyone informed.
- Meetings. The platforms provide the capability to record meetings, minutes, and action items.
Finally, a staggering 75% of companies without a BCP fail three years after a disaster. But having a BCP itself isn’t enough to guarantee resilience.
Organizations will have to build a rigorous business continuity plan testing program around that BCP, as well.
To supplement that program, they should procure comprehensive business continuity software with enhanced exercise management functionality like Noggin.
Why Noggin? We deliver streamlined, integrated, and automated business continuity management that facilitates engagement and collaboration across all stakeholders and ensures a unified approach to resilience.
But don’t just take our word for it. Request a demonstration to see Noggin in action for yourself.