Business Continuity Testing
Getting to Grips With Business Continuity Testing
Business continuity plan testing is a wide-ranging topic but has one key objective: establishing whether or not you can trust your plan and the competence of those who have a major role in it. Some testing methods give a high degree of confidence that a plan will work when required; others provide lower levels of confidence. Practicalities often dictate which methods can be used to obtain the optimal level of assurance. For instance:
- Recovering an organisation's basic infrastructure gives it a fighting chance of recovering from a major operational disruption. Its infrastructure (such as information systems and workplace) and other fundamentals, such as supply chain substitution and/or equipment replacement, require a high degree of confidence. If these aspects of business continuity are based on flawed or unproven assumptions, an organisation can quickly face an existential crisis.
- Some parts of the BCP can only be assessed under hypothetical situations; this is the traditional desktop / tabletop exercise. These types of test can be augmented by role play or social media sandboxes to simulate likely situations that might occur, but for obvious reasons they cannot be tested with the same rigour as actually performing the IT recovery plan.
When we work with organisations who need our help with establishing a holistic approach to business continuity testing, we help them to establish a comprehensive business continuity testing framework that creates a series of tests based around the most effective testing methods that provide the optimum level of trust. The image below shows an example of a testing framework that can be applied to any organisation looking to get to grips with business continuity plan testing. To help organisations with their business continuity plan testing we provide a comprehensive template to help Develop Business Continuity Plan tests.
BCP Testing - where do you start?
Planning and performing a business continuity plan test for your organisation can be a daunting task, especially if this is the first business continuity plan test your organisation has undertaken. It's useful to understand the things that you need to consider before diving into detail. Our guide to getting started with business continuity testing will help you with a quick overview of preparing for different types of business continuity test. Once you have that "big picture" you'll find the content below more helpful.
The overarching purpose of a BCP test plan is to provide reasonable assurance that your business continuity plan, or specific aspects of it, will work as expected during a real crisis.
Creating and conducting an effective BCP test requires preparation and planning to ensure that the test is meaningful and covers the appropriate scope. Any BCP test will require that the following are in place:
Why perform a Business Continuity Plan Test
A business continuity plan test will provide important assurances about several aspects of the effectiveness of your organisation's business continuity plan.
Test Objectives
BCP test objectives - these will define the aim of the test and the specific assurances to be obtained
BCP Test Scenario
A BCP test scenario or type of incident. Except for the simplest of reviews, it is helpful for a BCP test to be based on a particular type of incident or scenario, such as a failure of IT systems or unavailability of the workplace. Basing the BCP test on a specific type of scenario adds a level of reality and focus to the activity.
Scope of the Business Continuity Plan Test
Within the overall context of the type of test and the scenario chosen, the scope of the Business Continuity Test should identify which parts of the business continuity plan are to be confirmed.
Types of BCP Test
There are different types of BCP test, which differ in both scope and the level of realism that you want to achieve. These types of BCP test range from straightforward plan reviews and desktop walkthroughs to incident simulations.
Disaster Recovery Test
A disaster recovery plan test ensures that you can effectively restore specific operational capabilities after a particular type of incident (a power failure, for instance).
Incident Simulation
For more advanced BCP tests, incident simulation can make the BCP test scenario "come alive", providing the most meaningful approach to BCP testing
BCP Test Schedule
A BCP test is not an ad hoc activity. Each type of BCP test has its merits and an organisation's business continuity plan should be supported by a formal BCP testing schedule covering all types of test.
Developing BCP Simulation Tests
The most rigorous BCP tests attempt to recreate the incident environment. They require detailed scenario planning.
BCP Test Feedback & Actions
Capturing the results of a BCP test is just as important as the test itself. This gives you the opportunity to log issues about the plan, and to decide who is responsible for fixing them and when.
Why perform a BCP test?
Regardless of which of the various types of BCP test you conduct (although every business continuity plan should be subject to more than one type of test) – every test sets out to ensure that the business continuity plan remains relevant to the organisation and continues to support a set of common assumptions:
Structure & Competence of Incident and Recovery Management Teams
Are the response and recovery team(s) complete and intact? Are the members of the response teams still present within the organisation, and do they understand their roles and responsibilities?
People will remember what to do
If there are specialised resources in place to support incident management and recovery management, are those responsible for operating them proficient in their use?
Communication works as expected
Fast and accurate communication is crucial to effective incident and recovery management. During a major operational disruption there will be significant and intense interaction both internally and externally. A BCP test will help to ensure that contact lists are up to date and that communication plans accurately reflect how the organization will communicate during a crisis.
Alternative workplace approaches remain relevant
‘Work from home’ is a popular solution. However, employees must be able to work from the location for an extended and possibly indeterminate period of time. We need to ensure that the circumstances of those who are designated to work from home have not changed. Have they moved to an area of reduced internet performance/availability? Does the organisation have sufficient licenses for remote access software? Likewise, if a Work Area Recovery facility is used, any BCP test should ensure that its facilities and accommodation capacity remain fit for purpose.
IT Infrastructure and applications recovery capabilities continue to work as planned.
Can we recover our critical applications and services within the required timeframe in terms of re-instatement of IT infrastructure and restoration of data? A BCP test should also establish that recovery instructions and procedures remain relevant and effective.
Decisions are straightforward and are made in possession of perfect information
Business Continuity plans are often developed under the assumption that perfect information is available at the time that an incident is encountered. This is rarely the case – information (and often, dis-information) comes through in a sporadic "drip-feed". A BCP test should cater for this – but not all types of BCP test are suitable for this approach to testing. Reviews and walkthroughs, for instance, cannot reproduce this type of situation with any degree of realism – incident impact assessment and subsequent decision making are best evaluated during an incident simulation.
Follow or connect with Steve, RiskCentric's owner & founder via LinkedIn




