Our BCP Test Services
Our services for business continuity and incident management testing ensure that your plans are fit for purpose and can be relied upon when needed.
Types of BCP test: There are different ways to test your BCP. these range from high level walkthroughs to high impact rehearsals based a specific scenario with pre-planned impacts. We have provided some further information on the various BCP testing types to help you decide what is most appropriate for you
BCP test scenarios: what type of incident and impacts do you want to test. There are many threats that might impact your organisation and they will have different consequences. For your guidance we have provided some information on BCP testing scenarios.
Incident Simulation: Simulating an incident adds realism to the BCP test, but requires more detailed planning at the outset. The nature and type of the incident simulation will be different according to the specific impacts that have been designed into the overall BCP test.
When we work with you to develop a BCP Test, we follow a proven process that ensures your BCP test is realistic, focussed on specific risks and impacts and provides you with the necessary feedback to make improvements where necessary. A brief overview of our approach is outlined below:
BCP Testing Services - BCP Audit
A BCP Audit focusses on the processes and the organisation that are in place to support and maintain your business continuity plan – these are often referred to as a “Business Continuity Management System” or “BCMS”. When we perform a BCP Audit, we take a view that business continuity is an ongoing programme. We’ll evaluate all aspects of your BCMS to ensure that that you have a robust approach to business continuity management that aligns to accepted best practice and standards.
A review of your BCMS will cover
Business Continuity Policy
Process for establishing risks and priorities
BCM organisation, covering the organisation that’s in place to monitor, measure and continually improve the overall business continuity programme.
The assurance framework for BCP testing and third-party monitoring
Process for maintaining of core capabilities and their alignment with recovery objectives including premises, equipment and information technology continuity strategies
Awareness and training programme
Compliance with relevant industry guidelines and regulatory requirements
BCP Testing Services - Review & Walkthrough
A walkthrough based BCP test is generally conducted with one or more business continuity plan owners. A high-level scenario may be introduced to create focus on specific parts of the plan. Our role in a walkthrough-based test is to provide challenge to plan owners as they use their plan and associated responses.
Our approach to providing BCP test facilitations services for a business continuity plan walkthrough or review is as follows
BCP Walkthrough Test Objectives: We will work with you to establish a clear set of BCP test objectives that are relevant to the type of test being conducted and your specific assurance requirements. From this we may suggest a specific scenario that will bring these objectives into focus
Orientation: We will then familiarise ourselves with your business continuity plan, so that we can create challenges for business continuity plan owners at relevant points. These challenges are designed to make participants think about “what-ifs” that may not be covered by their plans.
Feedback: On completion of the walkthrough we will facilitate feedback session which enable your team to capture any lessons learned and identify any areas of their plans that may require correction and/or remediation
During our facilitation activities we will also be observing and evaluating performance related to:
Focus on defined recovery priorities
Actions taken related to impact assessment, invocation and escalation
Knowledge of interdependencies and relationships with other parts of the response and recovery organisation
When the walkthrough is complete our observations in the above areas will be presented and discussed during the feedbacl session
BCP Testing Services - Incident Simulation
Stage 1 – Scope, objectives & synopsis
At this stage RiskCentric will work with you to ensure that the exercise meets their requirements.
Scope: What aspects of the contingency plan are to be tested. Do you want to test specific aspects of your contingency plan or all of it?
Assurance Objectives: what is that you looking to achieve from the test
Participants: Which parts of the organisation and which members of staff will be taking part in the contingency plan exercise? Will any third parties be involved or take part? Do we need input from others to assist with the planning and execution of the exercise?
Test/Exercise Type: Should the exercise be a desktop walkthrough, a rehearsal or stress test?
Reference Point: Will the exercise be conducted around a specific reference points such as just prior to posting financial results, month end or some other significant date?
Stage 2 – Detailed Planning
During the stage a detailed framework for executing the agreed contingency plan test is created
RiskCentric work with the designated client team to produce an exercise time line and a project plan for the delivery of this part of the exercise. The timeline identifies main events that will occur during the exercise and injects (such as social media posts, calls from the media/public) to drive the exercise forward and test exercise participants.
On completion of the detailed timeline RiskCentric prepare a brief to go out to all participating staff and agencies, giving details of the exercise, what preparation they should do in advance and what is required of them on the day
Stage 3 – Execution
A RiskCentric act as your exercise director, taking responsibility for the overall conduct of the exercise, orchestrating inserts and ensuring that the exercise timeline is followed.
Stage 4 – Feedback & Reporting
As soon as the exercise is finished a ‘hot debrief’ will be conducted. This involves all exercise participants who complete written feedback forms based on predetermined evaluation criteria. RiskCentric include this feedback in their overall feedback report which is produced soon after completion of the exercise.
If required a formal presentation of results, lessons learned and corrective actions can also be provide by RiskCentric
Advanced Testing Approaches for Incident Simulation
Business continuity and incident management plan tests can be performed in several ways: these range from the traditional desktop walkthrough and scenario tests to stress tests which create a realistic simulation of incident environment and impacts. To provide clients who want to go "the extra mile" and integrate live simulations into their business continuity and incident management plan exercises, we have developed tools to create a realistic reproduction of a live incident simulation. These tools introduce increased levels of spontaneity and realism into exercises by simulating randomness and uncertainty and allow participants to experience social media activity as it might occur in a live situation.
1. Stress Testing Business Continuity Plans
This type of stress testing introduces a further level of rigour into a contingency plan exercise by simulating random events that occur in live incidents. Imagine an exercise where the overarching scenario is loss of staff availability, widespread supply chain failure or servers “going dark": it’s difficult to realistically simulate that level of unpredictability by trying to plan it advance using the traditional approach of exercise "inserts". By using our stress testing tools a client can choose an impact scenario (say, 25% of staff unable to work). Using from a list of staff members, our impact simulator will process a list of staff, randomly selecting names up to the pre-determined impact level. Details of absentees are then gradually fed into the exercise for assess potential consequences and responses. Using this information exercise participants are required to respond and adapt "on-the-fly" to mitigate the impacts.
Using this tool we can bring realism to your business continuity and incident management plan exercises by simulating impacts such as:
- Staff unavailability
- Supply chain failure
- Infrastructure Cyber attack
- End-point device corruption
2. Simulating Social Media and Messaging activity
Our social media simulator simulates incident alert and sociial media comments and posts to create a realistic simulation of tofay's media environment. Operating in a self contained messaging environment, ensuring that messages do not “escape” into the real world, allows users to simulate incident notification and social media handling processes
For further information on contingency plan exercising, testing & simulations please contact us