
Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Enough is enough...

Why is testing still a weak area in some business continuity management systems? David Honour comments.

Recently Continuity Central highlighted a report from the Australian National Audit Office which found that over 25 percent of 26 critical Australian government agencies did not test business continuity plans as part of normal business practice.

Business continuity managers should be shocked by such a failure, since an untested business continuity plan or strategy may be worthless. It may not be: but until it is tested its efficacy is unknown. Similarly an unexercised business continuity plan is significantly degraded simply because it is unexercised. Efficiency is gained through practice. If a plan is not exercised, time will be lost and mistakes will be made as people attempt to understand their role and initiate unfamiliar actions.

However, I suspect that far from being shocked most business continuity managers will be unsurprised. I have been reporting on the business continuity profession since 1992 and all through that time survey after survey and report after report has found that one of the biggest difficulties that business continuity managers face is testing and exercising.

The reasons for this are many, and include:

Cost: there may be a view in the organization that time taken up in business continuity testing and exercising is unproductive time and therefore an unnecessary cost that can be avoided. There may also be reluctance to invest in external consultants to help facilitate tests.

Administrative: getting a group of busy executives and managers to commit their time is a difficulty in its own right; but getting all the required participants to agree on a convenient time and date can be an administrative nightmare.

Lack of top-management buy-in to the business continuity process. If top managers view business continuity as a box-ticking exercise, or if they simply don’t fully understand the importance of a fully tested and well exercised business continuity plan, then senior management will probably not provide the arm-twisting support that business continuity managers need to get tests off the ground.

Inadequate regulations. Many regulations stipulate that compliance requires a business continuity plan to be in existence. But they don’t often include proof of testing and exercising activities within the scope of the regulations. This is an area where improvement could bring large benefits. Similarly when contracting organizations ask suppliers to provide evidence of business continuity plans, they don’t often ask to see details of the tests and exercises that are carried out. Doing so would help testing and exercising move up the priority ladder.

Burnt fingers from badly executed previous tests and exercises. If an organization runs tests and exercises which are badly structured, boring or ‘over-scenarioed’ (meteorite landing on head office at the same time as a bubonic plague outbreak etc) then participation in subsequent tests and exercises will plummet.

Perception of difficulty: reports of testing and exercising sometimes being difficult to achieve create a perception that it will *always* be difficult to achieve. This results in the area being shelved in the ‘one day’ tray rather than on the ‘must do’ list.

Fear of failure. One of the points of business continuity tests is to discover weak areas in plans and strategies. However, if an organization has a blame culture then it may be perceived that the business continuity manager has failed because the plan is shown not to be perfect. Who would want to place themselves under such a harsh spotlight?

While the above are all valid reasons for why tests and exercises are not carried out, it’s time to stop using them as excuses and start seeing them as difficulties that must (not should) be overcome. Testing and exercising of business continuity plans are not optional extras: they are both crucial elements that make the difference between success and failure; between hitting recovery time objectives and missing them.

Author: David Honour is editor of Continuity Central.


Reader comments

I quite agree with these points. At the same time, because this is an area you develop as a skill over time, people tend to avoid it in case the outcome is meaningless. However, plan testing – if well done with relevant scenarios – is a means of winning over the executives, because they can then see the cost of not doing anything.

Joshua Subair, SBCI

Performing exercises can be one of the most beneficial ways to determine any gaps or shortcomings in a business continuity programme. You will notice I used the phrase exercise because as I say to all, “you pass or fail a test, you learn from an exercise”. I find that when you make it a learning experience and establish that all are there to learn from each other there is a better chance of not playing the “blame game”.

Exercises are also the most economical way to add or modify a scenario. Yes it is costly to put together a senior team for a few hours but what they learn from working together is immeasurable. I have found in many of my exercises with senior managers, they tend only to see their own area of responsibility. All other aspects will “be there” or will be in readiness. They have little or no idea of what another area does. So a marketing executive does not know what the CIO needs to do to get the systems environment available, or what the operations folks need to do to get product ready for sale. In an exercise they should all learn how other parts of the organization go about their own business.

There are two key factors in successful exercises: the design, including the scripts of the participants, and the facilitator or exercise organizer. Weakness in either of these key components will cause an exercise to fall short. To a slightly lesser extent lack of follow up will doom the results of an exercise. Create the after action report with not only issues that arose during the exercise, but a timeline with assigned responsibilities to ensure resolution.

If we as practitioners make the exercises beneficial to the organization and present the subjects as learning experiences, and follow up by truly designing the exercise to meet this criteria, I believe that we can make exercises more palatable to management and thus successful.

Harvey Betan

I think there are two perspectives worth exploring here. Enterprise risk management (ERM) might point us to highlighting an incomplete programme that requires a proportionate response – i.e. some sort of test or exercise. Sounds simple enough! However, effective ERM requires certain behaviours from managers that enable them to recognise things like bias, over/under confidence and the need for some emotional literacy. If these behaviours are absent at any management level then, at some point, things could get pretty tough. The current moral panic in the media world may bear this out. The dynamics of ERM should mean that the need for testing and exercising is coming from different quarters in an organisation not just the BC manager.

Turning now to the specifics of the term exercise/testing. Perhaps we are looking at this in a very process driven way? ‘It’s part of the programme, so we need to test the plan etc ... and that involves lots of time and effort because the standard says XYZ’. Should we be more incremental and less ambitious in our approach? Perhaps a series of 10 minute slots at senior management meetings – ‘what would happen if…?’ may start to raise the profile. Similarly, should the BC target audience be more selective but none-the-less distributed? How many people need to know exactly what to do in a crisis (as well as recognise one)? In simple terms, should BC managers be a little less precious about process and a little more pragmatic? Perhaps start to influence thinking and behaviours rather than big chunks of the chief exec’s diary?

Alan Pawsey, director, Arc Risk and Resilience Ltd.

I have 2 thoughts on BC sustainability.

Some industries have a real need for a managed BC programme and we should do more on an industry basis in addition to ‘pushing each pebble up the hill’. Large industry ‘movers’ set the tone for their suppliers and it then becomes a ‘commercial need’, not a project or certification requirement. And perhaps, in some industries, where alternatives abound or impacts are not significant; we can ‘let the water find its level’. My feel is that we have not spent sufficient effort to improve resilience on a systems (perhaps HRO: High Reliability Organizations, installations, national infrastructure, and significant economic organizations) basis such that resilience is part of the ‘risk-reward’ consideration at ‘design’ or ‘business start-up’ phase to make it sustainable. An industry approach (for example: industry wide exercises in the FI) would provide the quantum leap for next stage BCM.

The other key area is stock market investor education. Markets will improve long term yields and have enhanced stability if each component listed organization incorporates BC in their life-cycle plans. Investors would consider BC (as a key extension of risk) initiatives as one of the many imperatives to value an organization’s share price. For example; there is nothing stopping organizations listing BCM programmes as a key value imperative for market listing but none are actually doing it (as it impacts listing efficiency). I suspect value based investors will increasingly consider BCM as a valuation imperative; especially at start-up phase.

Clifford Seow, regional director, CRISISASIA

I think that you have identified many of the proximate causes of failure to adequately test continuity plans. But I think that the fundamental reason grows directly from the history of the profession. Despite the progress made since the early days, many firms are still looking to create a ‘plan’ as a project (and as often recommended by auditors) – and after that, they are finished, and the plan sits on the shelf. Often the work is sold as a one-time project by vendors and consultants and by people within the organization as well: when in fact what is needed is an ongoing permanent program. Often the testing requirements even from regulations are ridiculously small – one test per year, for example. So the responsibility is shared among a number of parties: BC consultants and vendors, regulators, BC practitioners within the organization, as well as the always popular senior management (also middle management).

Kathleen Lucey, FBCI

• Date: 30th June 2011 • Region: World • Type: Article • Topic: BC testing and exercising
UPDATED 25th AUGUST 2011
