Denis Goulet, MBCI & Paul Kirvan, FBCI provide some advice for those new to the subject.
After you have completed all the necessary activities associated with a developing business continuity plan, you may think you’re finished. In reality business continuity plans are useless until you exercise them. Fortunately, many types of exercises are possible, ranging from simple to very complex. The key is to incorporate exercising as part of the overall business continuity management process.
Three fundamental exercise types can be defined: the plan review, table-top exercise, and simulation exercise. Let’s examine each briefly.
In a plan review, the business continuity plan owner and business continuity team discuss the business continuity plan. They look for missing elements and inconsistencies within the plan or with the organization. This type of exercise is comparable to plan auditing, and is useful to train new members of a team, including the business function owner.
In a table-top exercise, participants gather in a room to execute documented plan activities in a stress-free environment. Table-top exercises can effectively demonstrate whether team members know their duties in an emergency and if they need training. Documentation errors, missing information and inconsistencies across business continuity plans can be identified in a table-top exercise.
To determine if business continuity management procedures and resources work in a realistic situation, a simulation exercise is desirable. This exercise uses established business continuity resources, such as the recovery site, backup equipment, services from recovery vendors and transportation. It can require sending teams to alternate sites to restart technology as well as business functions. Errors, omissions, missing or insufficient resources, incomplete coverage, and limited vendor capabilities may surface in this exercise. Simulations may also uncover staff issues regarding the nature and the size of their tasks. The use of a scenario is highly recommended for simulations.
Why exercise in the first place? The primary objective is to ensure that the plan works when it’s needed. But it’s not enough to exercise parts of a plan. Ideally all elements of business continuity plans should be exercised at least once a year. Each exercise may have different objectives, beside the primary one.
Main exercise objectives include identifying weaknesses and shortcomings, verifying recovery objectives and procedures, validating global efficiency of plans, verifying the adequacy of emergency operations centers (EOCs) and alternate sites, and achieving specific recovery time objectives (RTOs) and recovery point objectives (RPO).
How much should you exercise?
As mentioned earlier, exercises can be simple or complex. A table-top exercise can establish a plan performance baseline. A specialized exercise, such as one which focuses on crisis management procedures at an EOC, provides valuable information about specific activities. At a higher level, an integrated exercise can address multiple business continuity plans or plan components. Finally, an entire plan, with all components, can be exercised. It is far better to err on the side of exercising too much, rather than not enough.
Managing human resources
Exercises present human resource issues. Should employees participate in business continuity exercises? Clearly exercises are important for validating team member expertise and identifying training opportunities. Conversely, people could refuse to work overnight, weekends or be away from home even a few days. Be sure to discuss and resolve these issues with human resources management.
During business continuity exercises, it is good practice to treat team members well, especially when they are away from home or working difficult hours. Be sure to budget for appropriate hotel accommodations and food, while managing costs.
Effective exercise strategies
The exercise options described in this article will help improve business continuity plans and train your staff. But no matter how often you exercise plans, when reality strikes, your response capability could be much different than in the exercises.
Key strategies for exercising include starting simple; raising the bar in terms of difficulty; involving vendors and stakeholders in exercises; making objectives increasingly difficult to achieve; and launching surprise exercises. When launching an exercise program, start with plan reviews and table-tops. This will help staff get comfortable with the exercise process. As they improve, increase the level of exercise complexity. Remember that if an exercise “fails”, it is not a failure; rather, it is a success. It is far better to identify systems and procedures that may fail, and rectify them, before a real incident occurs. Finally, a true test is to launch a surprise incident. This will truly test how well prepared the organisation is to address a real incident.
What is a successful exercise?
The primary reason to exercise is to identify limitations of business continuity plans. Recognizing that most organizations change frequently, even mature business continuity plans may be inappropriate in a given situation or at a given time. Exercises that appear to be ‘successful’ and uncover no problem should be suspect. Maybe the objectives were too easy or the situation was unrealistic. Exercises present opportunities to fix problems before a disaster happens.
Ideally, a successful exercise uncovers and documents problems. Once the problems have been fixed, consider running a follow-up exercise to ensure the repairs work. Measuring the success of business continuity exercises means having relevant objectives that will help uncover problems. Exercise is your chance to ‘push’ your business continuity plans increasingly closer to the reality of a disaster.
This article was first published in BCM Now, the online newsletter of the Business Continuity Institute. To read the rest of the newsletter and to sign-up to future editions go to http://bcmnow.com/Summerpg1.html
•Date: 27th August 2009• Region: US/World •Type: Article •Topic: BC testing
Rate this article or make a comment - click here