When you do a test, you aim to pass it but when designing exercises, it’s best to fail them so you learn the maximum amount—especially what is wrong…
Testing business continuity plans is vital because that is the only way to ensure that a business continuity plan works in reality as well as on paper. However, as Peter Frielinghaus, Senior Advisor at ContinuitySA, points out, validating the business continuity plan is a process more than an event. “That’s why the ISO 22301 standard requires exercising and testing of business continuity procedures to ensure they meet your objectives and are reliable,” says Mr. Frielinghaus. “To my mind, the exercising is where the most value lies because it helps the organization assess where it is and where it needs to improve, whereas a test simply delivers a pass or fail.”
Exercises allow organizations to rehearse plans, verify information in plans and train all relevant personnel, including their deputies, Frielinghaus notes. He goes on to say that aside from being robust, exercises need to be carefully constructed to be realistic in regard to likely threats and a company’s business.
“To give an extreme example, doing an exercise focused on tsunamic damage for a company that is based inland would reduce buy-in from employees,” he says. “It’s also good advice to begin gradually with fairly simple exercises, building up in complexity as the teams become more proficient and your sense of the organization’s actual level of business continuity maturity becomes more exact.”
Following this approach will enable the organization to confirm that its business continuity capability reflects its scale and complexity, that its business continuity plan works, and that its business continuity management programme meets its policy objectives. Perhaps most important of all, Frielinghaus says, an ongoing programme of exercises would ensure that the organization’s business continuity capability is continually being improved.
As a guide, Frielinghaus says that over a 12-month cycle, the exercises should test whether the equipment required by the plan works, whether procedures and plans are correct and dovetail with each other, and whether procedures are manageable. In addition, the exercises should be designed to reveal whether the required recovery time objective for business processes can be met, and whether the personnel involved have the skills, authority and experience needed.
Key elements for the success of any exercise are that every participant undertakes to document his or her experience and recommendations for review, and that problems are highlighted.
“Remember that the exercise is testing the plan and not the participants, and that it is not testing what caused the disruption in the first place, or the measures put in place to mitigate risks,” Frielinghaus concludes. “It’s particularly important to remember that an exercise is not a test, and thus that it’s preferable to fail in order to learn as much as possible.”