| The testing conundrum… Business continuity research often seems to throw up widely differing results from survey to survey, but at least one area produces consistent results: that testing and exercising of business continuity plans is a weak link in many business continuity processes. Three recent surveys highlight this: * AT&T found that just less than half of companies had tested their business continuity plan in the past 12 months, with 26 percent never having tested it. * The Chartered Management Institute, in conjunction with the Continuity Forum and VERITAS Software, found that only 52 percent of organisations rehearse their BCP once or more per year * Synstar found that just 12 percent of companies test business continuity procedures twice a year. Some 35 percent of companies haven’t tested procedures in the last two years, while 38 percent of business continuity managers state that they test procedures once a year. It is clear that regular testing and exercising is an extremely important aspect of the business continuity lifecycle, both to ensure that a newly developed business continuity plan will actually work as anticipated; and to ensure that a more mature plan is still relevant and up-to-date, and that the crisis management team will be able to use the plan effectively during an incident. Most authorities seem to accept that testing and exercising should be carried out at least once a year; more frequently for businesses which are growing and developing rapidly. So, why the discrepancy? Why is there such a consistently poor level of testing and exercising reported by survey after survey? The following may provide some clues: Lack of knowledge Lack of understanding Lack of commitment Lack of budget Lack of corporate buy-in Complacency Continuity Central would like to explore this issue further and would very much welcome your input: If you test and exercise regularly please e-mail editor@continuitycentral.com with a brief account of your experiences: how you went about establishing a strong testing and exercises regime; how you achieved corporate buy-in; what are your preferred testing and exercising techniques etc If you don’t test and exercise regularly please e-mail editor@continuitycentral.com and tell us what the barriers are in your organisation. Responses will be complied into a further article, hopefully producing a much-needed repository of practical good practice information. David Honour is editor of Continuity Central. READER COMMENTS TO DATE: We work with clients in helping them establish business continuity plans. In selling the engagement, we stress the need to look at business continuity with three basic assumptions: 1) Business continuity planning is an opportunity for improving business processes, 2) The business continuity process begins with the first version of the business continuity plan, and 3) Business continuity applies to more areas of your business than just your IT resources. We have developed our own metrics to measure effectiveness of business continuity planning in three areas: prevention, retention and continuation. These metrics establish an initial benchmark identifying potential threats and actual resources available to respond to these threats. The business continuity plan is tailored to address the needs identified by these metrics – both in the plan document as well as changes to business processes which need to occur. Each year these issues are revisited and progress is measured to determine how effective the work done in the previous year has been in minimising threats, protecting assets from loss, and being able to continue operations following a disaster event. The BCP is then modified to meet newly identified areas of focus for the coming year. Central to the continuation evaluation is the effectiveness of the two disaster event simulations each year. By getting executive management buy in on these three basic assumptions, executing tests a couple times a year becomes an expected part of the process. Further, it is becomes an integral part of measuring effectiveness of a business process improvement program. Failure to regularly test a business continuity plan is evidence of executive management’s perception of the value achieved from business continuity planning. They have not bought into the opportunity and the results seen within the business are not tangible. Want to increase the importance of continuity planning? Deliver results from the process which are measurable and deliver value today – not just when the disaster event strikes. David B. Mertz, Director of Compliance Services, GSI I work for a large multinational company, whose responsibility is far reaching in a providing a constant service to the operating companies. Last year we conducted over 120 tests for our operating companies, however, the tests are always focused on the IT recovery, be it using fail over to standby nodes, dedicated warm standby equipment, or ship to site tape recoveries. How many of us can say that during any test rehearsal that the crisis management team (CMT) are engaged, command and control centres are set-up, key personnel are re-located, and operate from the fallback facility? Probably none of us. To move forward and have confidence in your BCP, I believe all major stakeholders have to be engaged, crisis management team to be invoked and work within the test window, it is not only about ‘IT recovery’ but perhaps more importantly to test the response, effectiveness and command and control ability of both the major stakeholders and crisis management team. There can be no substitute for experience. After all, in a real event, they will be calling the shots. Martin Gilmour MBCI, MInstLM, LCGI, Disaster recovery planner, Unilever Europe I.T As a consultant, I observe barriers to many things, but in the more narrowly defined area of IT infrastructure recovery, the cost of labor to support hotsite testing is surprisingly significant. For example, while the subscription for five small servers was quoted at just over 10,800USD, the estimated labor (and travel) costs were an additional 47,500USD. Assumptions included hours spent in pre-test preparation meetings, test conduct post-test follow-up and plan updating for two NT techs, four applications programmers, four DBAs and a DR project manager. This was a typical case, so that if a company's IT department was facing a particularly tight year, budget-wise, the choice to skip testing would be an easy one. And frankly, I don't recall any years in recent memory when CIOs were strolling about wondering where they could spend all this surplus budget. Gregg Jacobsen, CBCP, President, Los Angeles Chapter Association of Contingency Planners, Westlake Village, CA USA Our BCP is based on recovery at a remote hot site where we test restoration of our critical IT systems twice a year. This practice has been going on for 7 years. The IT personnel responsible for the system restoration have become quite proficient. However, we do lack in testing the other components of the plan departments and personnel. Our president and CEO belongs to a local management group that stresses the importance of BCP which helps in maintaining visibility. H. Gene Lohman, SR Business Continuity Planning Manager, Peak Technologies, US We do test and exercise our plans, maybe not regularly yet, but at least once per year for most units, other more critical areas do additional testing. As our plans progress, I plan to implement additional or more in depth/varied testing. This will help our testing program become stronger and benefit us more. So we started off small when I started in this new position, and most of the employees were not familiar with BCP or what it was when I started it in Jan 2004. It is tough to get employee buy-in on testing but eventually I believe they will become more accustomed to it and aware. Regular updates and information keeps people informed via email, internal websites, newsletters, etc. One of the main problems we have is that we are going through a second merger and integration in less than 2 years which makes it hard to keep things consistent. I did have a lot of help from our banking parent in Canada which has a strong program of testing, and a lot of information I adapted for our business in the US, and our needs. Corporate buy-in was mandated by our parent in Canada, but local executive buy in has been good mainly from one of our operating executives and not as much from the others. I hope to have all the executives’ buy in eventually. Our preferred testing techniques, are basic call tree tests, desktop/scenario testing - round table discussions at this point in time. Then we take what we learn in these to further our current plans. Looking to do additional alternate site testing, and have employees test from a different site doing normal activities possibly. Michael Schneider, RBC Mortgage. Business Continuity Planning Coordinator, Houston, Tx
•Date: 10th June 2005 •Region: World •Type:
Article •Topic: Testing and exercising |
