Principles and techniques for testing Business Continuity Plans


The Business Continuity Plan significantly increases the chances of an organization surviving a crisis event. However, only systematic and organized testing of the plan actually strengthens that ability. What is the best way to conduct Business Continuity Plan tests?

A well-built Business Continuity Plan is a solid foundation for an organization’s resilience. It should be based on business processes, include risk analysis, and be consistent with the continuity of operations policy and strategy.

What does a spare tire have to do with a Business Continuity Plan?

Opponents argue that testing Business Continuity Plans is costly, time-consuming, and above all unnecessary, because only a real crisis verifies the completeness and usefulness of the plans. While it is not possible to achieve 100% certainty that our plan will work in a real-life event, this does not invalidate the purpose of verifying the entire continuity management system.

Let’s think about the spare tire in our car. If we have a meeting with a client (goal) and we puncture a tire (incident) during the drive (business process), we should stop and replace it with a spare (backup solution). In theory, it’s very simple. But who regularly checks the pressure in the spare tire? Do we check if the jack works and if we’re able to unscrew the bolts when buying a new car? In a sense, this is a business continuity solution.

Why test Business Continuity Plans?

Testing the Business Continuity Plan shows the organization’s real ability to continue and restore critical business processes. It is also an excellent opportunity to verify and improve the continuity of operations management system.

Often it is only during the test, when crisis teams actually interact, that gaps are revealed or opportunities to optimize procedures are noticed. For example, one of the teams cannot perform its tasks because another crisis team lacks people responsible for providing essential information.

Conducting tests involving a larger number of employees is a significant event that contributes to increasing awareness of threats and the existence of the BCM program. Tests are also necessary if the organization intends to certify its continuity of operations management system.

How to test Business Continuity Plans?

Some guidelines on testing are included in the BS 25999 standard. The document describes the context of the entire testing program, including establishing its objectives, assumptions, expected results and evaluation criteria, as well as preparing the business justification. It emphasizes the need for the involvement and preparation of the testing team. We recommend it to everyone who is planning tests or wants to make sure they are doing it right.


The most popular testing techniques for Business Continuity Plans

    • Exercises: coordinated, supervised actions, usually carried out to check individual operations, procedures or functions. They are relatively easy to prepare and carry out, so they can be repeated frequently. Their disadvantage is a narrow area of verification. However, they are an ideal solution for organizations at the early stages of building a business continuity management system.

Typical exercises include: verification of procedures for restoring a specific process, incident management, notification, restoration of a specific system or server, evacuation, activation of backup locations, etc.

    • Seminar: participants are divided into groups and given questions related to a selected test scenario. The groups discuss methods of action and reaction to the event, and then present their arguments to the other participants. Finally, during a moderated discussion, final methods of action are established, which can be evaluated by the test conductor.

An example of a seminar is a walk-through workshop, during which procedures are reviewed and their completeness and coherence between different teams are verified.

    • Table-top/Paper-test: participants play specific roles. They receive messages about events that have occurred outside and inside the organization (i.e., information feeds), and based on them, they make decisions and simulate the actions of a unit or group of people.

    • Simulation: a group of people (usually representing decision-makers: management, middle-level managers, crisis management team) must respond to simulated events. These people receive messages on the basis of which they make decisions that are essential for the course of the emergency action.

This exercise is very flexible and can be easily adapted to the requirements and maturity of a specific organization. Depending on the readiness level, it can use (or not) real backup locations, existing emergency teams (or backup teams), etc.

Simulation usually requires the participation of a coordinator and observers who record the actions taken by the test participants. This exercise is often used to improve managerial skills in crisis response and decision-making within a specific (often very short) RTO.

    • Operational test: the most complex (and therefore most risky) exercise, which simulates a real event and the participants’ reactions in a way similar to real conditions (although safely). Such a test verifies many aspects of the plan: the course of procedures, their logistics (connections and dependencies between procedures), time dependencies (in particular, the possibility of restoring processes within the assumed time), administrative issues (ease of maintaining documentation), and human issues (whether the involved people have the appropriate skills, experience, etc.).

An example of an operational test is an exercise in which rescue and security units participate, business teams are transferred to backup locations (where they verify available equipment), and key IT systems are switched to the backup center.

What factors affect the effectiveness of BCP tests?

When testing Business Continuity Plans, it is important to use a project approach. The exercise should be well-organized, with clearly defined objectives and scope. We expect to achieve specific, measurable, achievable, relevant, and time-bound results.

During the planning phase of the test, evaluation criteria and a realistic scenario must be developed. The entire exercise should be embedded in the context of previously prepared documents, such as BCM policies and strategies, the plan itself, and its procedures. It may also be necessary to consider additional obligations imposed by legal regulations, guidelines from the capital group, audit units, or company clients.

Above all, the test must be safe and cannot introduce additional risks of interrupting critical business processes.

Common mistakes in testing Business Continuity Plans

As with any project, there are several universal risks that can affect the implementation of the initiative.

    • Incorrect scenario

The primary threat is the preparation of an incorrect scenario. It may, for example, be based on an event that is unrealistic or that contradicts the plan’s assumptions (if the plan assumes the availability of half of the employees, the scenario should not assume a passenger plane crash in the middle of the workday at the only company headquarters, if it is located far from air corridors). In such a case, it is difficult to expect the test results to be realistic (according to the garbage-in-garbage-out principle).

An incorrect scenario may result from a lack of preparation or experience of those responsible for conducting the test. During the initial tests, there is also a dangerous tendency to prepare a less ambitious scenario, the so-called happy path, which is the basic, well-known path of process execution that does not consider any problems or deviations. The solution to the problem may be to involve more experienced people in preparing the test.

    • Incomplete test

Another threat is an incomplete test. A well-conducted exercise completes the entire planned scenario and ends with the development of a report. This document should include, among other things, recommendations for improving the plan or the entire business continuity management system. Ending the test prematurely (e.g., due to errors made by an inexperienced coordinator) risks omitting significant parts of the procedures (e.g., recovery procedures).

It is also common for organizations to forget to implement the recommendations of the testing team, thus losing valuable experience and opportunities for development and improvement. A project approach and embedding tests within a broader program can help by requiring the results of the exercise to be passed on to the next stage (implementation of test recommendations).

    • Engaging the wrong people in tests

The basis of most tests is the involvement of the right people, including those at high levels of the organizational structure. In the early stages of the BCM program, its leader is sometimes not recognized or acknowledged. Such a person cannot convince the management, members of the crisis management team, or the spokesperson to participate in the test.

Of course, people who have never practiced a simulated crisis situation are unlikely to cope well with a real event either. One way to increase the involvement of directors and CEOs (in addition to strong leadership in the BCM program) may be to prepare a scenario that includes events of strategic significance, such as those requiring high-value financial decisions, or signifying a total market collapse or the collapse of a key client/supplier.

    • Disruption of critical business processes

The most serious risk associated with testing business continuity plans is introducing a threat that BCM must primarily prevent: the disruption of critical business processes. Organizations that conduct operational tests are the most vulnerable to this risk.

Unidentified single points of failure (one unprotected telecommunications network element is enough), hasty and superficial test preparation, choosing the wrong day: these are the recipes for realizing the worst nightmare of a BCM manager and interrupting business processes as a result of the test.


Testing Business Continuity Plans – a peaceful sleep for managers

A well-conducted test can bring significant benefits to an organization. It certainly increases the visibility of the BCM program and raises its importance. Under the most favorable circumstances, it can result in increased budget and greater involvement of people in the next stages of work (further BIA analysis, risk analysis, procedure updates).

The immediate result of the test is “binary” information about the ability to restore critical business processes: it was successful/unsuccessful. This means increased confidence in the success of a real crisis response.

Testing reveals gaps and opportunities for improvement, especially at the points of contact between procedures and organizational units. Therefore, it is an excellent opportunity to increase the effectiveness of the plan and the entire BCM system. There are also cases where a test is conducted according to a scenario that becomes a reality several months later.

Do you want to conduct a Business Continuity Plan test in your organization? Trust our experience.

We will prepare and conduct necessary exercises and tests of implemented solutions. Contact us at [email protected].

Contact us
Resilia Sp. z o.o.
43 Żurawia Street, Ap. 205
00-680 Warsaw
KRS 0000379789
NIP 5222972858
REGON 142839818