If you aren’t testing your business continuity plan, you’re in trouble
Fires, tornados, floods, power outages, computer hardware failures, sabotage by a disgruntled employee – these are examples of disruptive events that can hit a business at any time. And when they do, the effect can be devastating. According to Douglas Barnett, Risk Control Strategy Manager at AXA Insurance, “80% of businesses affected by a major incident either never re-open or close within 18 months.” That’s why testing your business continuity plan is so important.
To avoid that fate, it is essential that a company have an effective Business Continuity Plan (BCP) in place. The purpose of a BCP is to lay out specific steps the company will take when a disruption occurs in order to keep the business running, or to restore its operations as soon as possible. Without such a plan, adequate preparations won’t be made, and employees may have no idea how they should respond to the emergency.
Yet, a survey conducted by The Disaster Recovery Preparedness Council found that more than 60 percent of companies don’t have a fully documented business continuity or disaster recovery plan. And even among those that do have such a plan, 23 percent have never tested it.
That latter point is crucially important. An untested BCP is essentially useless, since the first time the deficiencies of the plan are likely to be revealed is in the midst of an actual emergency. At that point it may be extremely difficult or even impossible to correct issues that were overlooked or inadequately addressed in the original plan.
Creating and Testing Your BCP
If your business doesn’t yet have a written BCP in place, that’s the place to start. You should immediately appoint an ongoing business continuity planning team to think through, document, and regularly update the steps your organization will take when a disaster or disruption occurs. The team should include representatives of each critical functional area of the organization. As an integral part of the BCP itself, the team should specify when and how the plan will be tested.
Most BC experts recommend a test procedure consisting of three major steps: a plan review, a tabletop test, and then an actual disaster simulation that stress-tests the plan. Here’s a brief breakdown of what’s involved in each phase.
Phase 1: BC Plan Review
Once the initial version of the BCP has been created, the team should come together to do a thorough overview of the plan. The team members will examine the plan in detail at a conceptual level, attempting to identify inconsistencies or issues that were overlooked.
Phase 2: Tabletop Test
The tabletop test is a role-playing exercise in which the members of the BC team act out the functions they would perform in the event of an actual emergency. Its purpose is to test not only the plan itself, but also how well team members understand the roles they would be expected to play as part of the organization’s disaster response effort.
During the tabletop test, which normally occurs in a conference room, participants walk through the plan, step-by-step, with representatives from each of the organization’s critical functional areas acting out their designated responsibilities.
Part of the purpose of the tabletop test is to gain insight into how resilient the plan may be in the chaos of a real disaster. To that end, the tabletop exercise should throw in one or more unexpected scenarios to test the response of the team and the adequacy of the plan when things don’t go as anticipated.
Phase 3: Simulation
The final step in validating the BCP is to simulate an actual emergency. To allow the simulation to be as realistic as possible without disrupting the normal operations of the company, it is often conducted over a weekend.
The point of the simulation is to cause an actual controlled disruption to test whether the procedures specified in the BCP allow employees to effectively respond under realistic emergency conditions. For example, a server may be suddenly taken off-line, or power may be unexpectedly shut down in the facility. How do the various functional areas of the business respond when the lights go out in the building or the phones don’t work?
An important part of your simulation should be an exercise to insure that your data backups can actually be recovered.
Testing your business continuity plan . . .AND failing is a good thing!
Each phase of the BCP test should be followed by a clear-eyed review. Remember that if portions of the plan were revealed as inadequate, that’s exactly what you are looking for. If your test reveals no deficiencies at all, there’s probably something wrong with the test!
Finally, keep testing. Organizations, people, and technology all change over time. That means your BCP testing can’t be a one-and-done proposition. A regular testing schedule should be included in the BCP itself.
Creating and testing a good BCP can be a complex endeavor. It helps to have partners who are knowledgeable and experienced in the process. If you’d like to know more about how to insure that your company is prepared for whatever disruptions may occur, we here at Invenio IT would be glad to help. Please contact us.