Developing and Delivering a BCP Test
The overarching purpose of a BCP test plan is to provide reasonable assurance that your business continuity plan, or specific aspects of it, will work as expected during a real crisis.
Creating and conducting an effective BCP test requires an amount of preparation and planning to ensure that the test is meaningful and covers the appropriate scope. Any BCP test will require that the following are in place
BCP test objectives - these will define the aim of the test and the specific assurances to be obtained
There are different types of BCP test which differ in both scope and level of realism that you want to achieve. These types of BCP test range from straightforward plan reviews, desktop walkthroughs to incident simulations
Types of BCP Test
BCP Test Scenario
A BCP test scenario or type of incident. Except for the most simple of reviews it is helpful for a BCP test to be based on a particular type of incident or scenario, such as a failure of IT systems or unavailability of the work place. Basing the BCP test on a specific type of scenario adds a level of reality and focus to the activity
Disaster Recovery Test
A disaster recovery plan test which ensures that you can effectively restore specific operational capabilities after a particular type of incident (a power failure, for instance)
BCP Test Plan
A BCP test plan which coordinates all activities prior to, during and after the BCP test
For more advanced BCP tests a method of incident simulation to make the BCP test scenario "come alive"
BCP Test Feedback & Actions
On completion of any BCP test an approach to capturing results, lessons learned and logging corrective actions will ensure that issues highlighted by the test are acted upon. A formal report summarising BCP test results and any remediation actions required is normally the final deliverable.
BCP Test Schedule
A BCP test is not an ad hoc activity. Each type of BCP test has its merits and an organisation's business continuity plan should be supported by a formal BCP testing schedule covering all types of test.
We provide a range of services for testing and exercising business continuity plans. Click the link for further details of our BCP test services
Why perform a BCP test?
Regardless of which of the various types of BCP test you conduct (although every business continuity plan should be subject to more than one type of test) – every test sets out to ensure that the business continuity plan remains relevant to the organisation and continues to support a set of common assumptions:
Structure & Competence of Incident and Recovery Management Teams
Are the response and recovery team(s) complete and intact? Are the members of the response teams still present within the organisation, do they understand their roles and responsibilities?
People will remember what to do
If there are specialised resources in place to support incident management and recovery management, are those responsible for operating them proficient in their use?
Communication works as expected
Fast and accurate communication is crucial to effective incident and recovery management. During a major operational disruption there will be significant and intense interaction both internally and externally. A BCP test will help to ensure that contact lists are up to date and that communication plans accurately reflect how the organization will communicate during a crisis.
Alternative workplace approaches remain relevant
‘Work from home’, is a popular solution. However, employees must be able to work from the location for an extended and possibly indeterminate period of time. We need to ensure that the circumstances of those who are designated to work from home have not changed. Have they moved to an area of reduced internet performance/availability, does the organisation have sufficient licenses for remote access software? Likewise, if a Work Area Recovery facility is used, any BCP test should ensure that it's facilities and accommodation capacity remain fit for purpose.
IT Infrastructure and applications recovery capabilities continue to work as planned.
Can we recover our critical applications and services within the required timeframe in terms of re-instatement of IT infrastructure and restoration of data? A BCP test should also establish that recovery instructions and procedures remain relevant and effective.
Decisions are straightforward and are made in possession of perfect information
Business Continuity plans are often developed under the assumption that that perfect information is available at the time that incident is encountered. This is rarely the case – information (and often, dis-information) comes through in a sporadic "drip-feed". A BCP test should cater for this – but not all types of BCP test are suitable for this approach to testing. Reviews and walkthroughs, for instance, cannot reproduce this type of situation with any degree of realism – incident impact assessment and subsequent decision making are best evaluated during an incident simulation