Creating Confidence in your BCP with a Testing Framework
- Steve Dance
- Aug 27
- 3 min read
Why do we test business continuity plans? For compliance - perhaps, to keep auditors off our back - maybe. The real point of a business continuity test is to establish trust in our business continuity plan- to answer that fundamental question, "can we trust our plan to work?". Before we even think about what types of business continuity test to perform, we need to answer the question "how can we most effectively establish trust in our plan?"
There are several different approaches to testing business business continuity plans but, as with so many things in life, one size does not fit all. Different aspects of a business continuity plan can and should be tested in different ways. In this article we will look at how we select a testing method to establish the highest level of trust in a business continuity plan. In essence, we are trying to establish a framework for establishing confidence in each aspect of the plan ranging from recovering the organisations infrastructure (such as IT, workplace, plant & equipment etc.), proving the intended approach to re-establishing organisational processes and how the effectiveness of stakeholder communications can be assessed. Some can be tested by walkthrough, some by a form of role play or rehearsal and others by actually performing the intended recovery process. The business continuity testing framework is shaped by practicality and the significance of dependency on a particular part of the plan:
Practicality - what type of tests can reasonably be performed. Some parts of the BCP can only be rehearsed under hypothetical situations (this is the traditional desktop / table top exercise or a simulation (where role play comes into focus)
Dependence - things that are absolutely essential for the plan to have a fighting chance of working. For an organisation to have a chance of recovering it must be able to recover it's infrastructure or other fundamentals such as supply chain substitution and / or equipment replacement. If these are based on flawed or unproven assumptions an organisation can quickly face an existential crisis.
So, to be in a position where an organisation has trust and confidence in it's business continuity capabilities, a testing framework needs to be in place that takes into account the practicalities and imperatives of the levels of trust that the organisation needs to establish in order to achieve confidence its plans can be relied on to work. The table below shows an example business continuity plan testing framework.
Plan Section | Available Methods of Testing & Trust Level | ||
Limited Desktop Walkthrough | Better Rehearsal or Simulation | High Live Test | |
Incident Team Mobilisation | Y Discuss with team members process of incident notification, mobilisation and team communication | Y Get the team to create a physical or virtual incident room and use designated comms technologies with simulation support | N Potential “leakage” by using live contact details and messaging channels |
Information Systems Recovery | Y Discuss with team members recovery procedures and timelines | Y Ensure team members are familiar with recovery procedures, run books under specific scenarios | Y Establish an environment where the complete IT recovery plan can be performed and evaluated |
Working virtually | Y Discuss with team members remote working protocols and communication with remote workers | Y Repeat desktop approach but with under the challenges of a specific scenario | Y By normal “work from home” arrangements. |
Organisational process recovery | Y Discuss with team members process recovery plan | Y Discuss with team members process recovery plan with specific scenario-based considerations | Y As part of an IT live test, confirming accuracy & completeness of recovery |
Plant & equipment | Y Discuss with relevant team members arrangements for replacement and installation | Y Discuss with relevant team members replacement and installation plan under specific scenario-based considerations | N Live procurement and installation unlikely to be practical |
Supply Chain | Y Discuss with relevant team members arrangements for options for supplier substitution | Y Discuss with relevant team members arrangements for options for supplier substitution under specific scenario considerations | N Live substitution unlikely to be practical |
Some aspects of Business Continuity tests can be further augmented to simulate issues that might occur in a real-life incident. Options include:
Simulating social media activity and responses - giving participants the opportunity to handle negative publicity.
Role play exercises - these can particularly important for dealing with mainstream media interactions
Practicing the operation of tools and resources used for incident communication
Contact us to discuss how we can enable your organisation to trust their business continuity plans with a BCP testing framework
Comments