The insurance brokerage Gallagher estimates that more than 70% of companies without a comprehensive business continuity plan (BCP) fail to recover from a significant business interruption.
Given that figure, experts advise testing the BCP at least yearly, if not more often, and certainly updating continuity plans after any disruption.
But not all business continuity testing is created equal. Knowing how exactly to test your BCP and what business continuity software to use to do it is a science in and of itself.
So, how do you do it right? Below, we set out the six business continuity plan testing best practices you should follow.
Why test at all, though?
Because having a business continuity plan isn’t enough. And the risk environment around us is in wild flux.
As a result, organizations need to know whether the procedures and business continuity software they have in place to withstand disruption will work.
The only place to find that out is in the controlled, risk-managed environment of exercises and testing.
That’s not all. Other reasons to test your BCP regularly include:
If the benefits are so clear, why don’t we all test? That’s a complicated question.
As with any test, we're afraid to fail. Of course, there's no actual failing in business continuity plan testing; a test that exposes a weak procedure has done its job. Still, less-than-optimal results can feel embarrassing.
There’s also the issue of executive buy-in again. Business continuity programs without buy-in find it hard to implement exercise management capabilities because of generalized indifference.
So, how do you implement a best-practice business continuity testing capability at your organization? We recommend these six business continuity plan testing best practices:
The first place to begin is the needs and gap analysis. The purpose of this analysis is to establish the need for exercises and testing in the first place.
This pre-testing analysis has a second purpose: it signals the role of exercises and testing in managing business risk, which helps stakeholders (including senior leaders) understand that exercises and testing are a necessary part of risk management rather than an optional extra.
The analysis itself involves asking the following questions:
The analysis helps organizations move toward a more customized business continuity testing program – one more suited to address specific business risks.
To that end, the gap analysis indicates which kind of exercise (out of the many available options) the program should be using.
What are the options? They include:
The purpose of an alert exercise is to test the organization by alerting the involved participants and getting them to arrive at a designated place within a certain time. It can also be used to test an alert mechanism. This type of exercise is primarily applied to internal staff.
Building upon the alert exercise, the start exercise tests how fast an organization can be activated and start carrying out its tasks. A start exercise is therefore a means to test and develop the ability to get started with resilience processes.
A decision exercise is primarily used to exercise decision-making processes within an organization, e.g., the ability to make fast and clear decisions on actions and to initiate cooperation between those responsible and stakeholders, under time pressure.
This type of exercise is a combination of alert exercise, start exercise, staff exercise, decision exercise, and system exercise. The focus is often on the roles, organization, SOPs, etc.
A cooperation exercise is one in which coordination and cooperation between management levels is exercised. It can be carried out at both large and small scales.
This kind of exercise may consist of "vertical" coordination (between national, regional, and local levels) or "horizontal" coordination within a sector where public and private stakeholders participate.
A crisis management exercise simulates crisis conditions and gives personnel the opportunity to practice and gain proficiency in their plan roles.
A strategic exercise refers to comprehensive exercise activities at a strategic level (e.g., inter-ministerial crisis staff, political-administrative staff, cross-sector and cross-departmental management staff, crisis management organization of corporate management).
Aims of strategic exercising include improving the integrated crisis reaction ability in exceptional threat and danger situations (crisis situations) and developing a comprehensive coordination and decision culture.
An exercise campaign is a series of recurrent exercises with a common generic organizational structure.
Business continuity plan exercises can be further subdivided based on methodology. That means how BC professionals go about conducting them.
The most common testing methodologies are:
Discussion-based exercises tend to be structured events where participants can explore relevant issues and examine plans.
Scenario exercises use a pre-planned storyline that drives a time-limited exercise. They are usually conducted in a table-top environment, and participants are expected to be familiar with the plans being exercised.
The exercise itself is likely to involve a practical rehearsal of relevant response activities, e.g., completing assessment checklists, using log sheets, or writing media release statements.
Simulations are imitations meant to be representative of the functioning of one system or process. In a simulation, participants are given information in a way that mimics an actual incident.
As a result, simulation exercises tend to be operations-based, i.e., designed to be more realistic. They are also more likely to be elaborate, involving strategic, tactical, or operational teams.
Live exercises are carried out in the normal operational environment, at alternative premises, or in command centers. Like simulations, they are designed to include everyone likely to be involved in the response, as if the incident were real.
Of course, business continuity plan testing should be consistent with the broader scope and objectives of the business continuity management system.
What's more, tests should be based on appropriate scenarios, and those scenarios should be planned well in advance with clearly defined aims and objectives.
What are the other parameters of business continuity testing? According to international BCMS standard ISO 22301, business continuity testing should fulfill the following criteria:
Once you’ve decided upon the kind of test you’ll undertake and the parameters around that exercise, you’ll have to define the resources and systems you need. These considerations will then inform the budget for business continuity plan testing.
Required resources will likely include personnel and facilities. Due diligence means business continuity professionals should confirm resource availability before exercises begin.
BC professionals should also identify any training requirements for those participants or planners ahead of time and integrate relevant requirements into the exercise management program.
Beyond that, it’s prudent to create a testing schedule which includes validating the BC arrangements of relevant parties. That schedule should then be submitted to senior management for approval.
Once scheduled, exercises are likely to start with an initial run through to ensure that all members of the exercise team receive the same initial information.
From there, according to the BCI's Good Practice Guidelines, the exercise moves to a start-up briefing and then launch. Before the scheduled launch, the organization should verify the communications that will be used to launch, pause, and terminate the exercise.
Organizations should wrap things up with a post exercise briefing to gather information from actual exercises and testing. Critique of actual incidents and near-incidents will provide valuable information concerning the following:
Business continuity plan tests aren't complete without an after-action report. Remember, its primary purpose is to inform stakeholders which practices are working as planned and which are not.
Another resource to consider in business continuity testing is business continuity software.
The platforms in question function as the plan itself. That means when customers need to develop their continuity and resilience plans, all the data they have previously entered comes together seamlessly.
This way continuity and resilience managers don't have to go sifting through documents to find the data they need, which reduces the risk of someone referencing an out-of-date plan during a crisis.
It also means multiple stakeholders can collaborate on developing and updating the plan, enabling better engagement.
All data associated with building the plan is managed centrally, in a controlled way. Data points need to be captured only once and then updated in place, reducing the risk of duplication.
The platform-as-plan approach leads to more efficient exercise management, too. But the platforms in question also come with enhanced exercise management capabilities. Those include:
Finally, a staggering 75% of companies without a BCP fail within three years of a disaster. But having a BCP by itself isn't enough to guarantee resilience.
Organizations will have to build a rigorous business continuity plan testing program around that BCP, as well.
To supplement that program, they should procure comprehensive business continuity software with enhanced exercise management functionality like Noggin.
Why Noggin? We deliver streamlined, integrated, and automated business continuity management that facilitates engagement and collaboration across all stakeholders and ensures a unified approach to resilience.
But don’t just take our word for it. Request a demonstration to see Noggin in action for yourself.