While in 2006 we enjoyed a quiet season here in Cayman and with the memory of Hurricane Ivan fading in to the past it is easy to become complacent with regard to contingency planning.
Two, nearly three years on from Ivan, has provided sufficient time for the plan to become stale and out of date. This is especially true if the plan has not been maintained or exercised on a regular basis.
The benefits of exercising BCM plans on a regular basis are numerous and can have a significant impact to the organisation on a variety of levels. Plan exercise or testing scenarios are an effective and constructive means to validate the contents of a BCM plan as it provides for the most realistic training method possible.
Process recovery procedures, manual workarounds, server build procedures, resource listings and call trees cannot be counted upon until tested and proven complete and accurate in an environment created to simulate a real life disastrous or disruptive event.
In addition to the validation of documentation and processes, the most important and valuable aspect of business continuity exercises is the ability to instil confidence in all stakeholders including management, employees, the public, and customers alike.
By publicising or showcasing exercise and testing events, management can gain advantage by viewing its business continuity capability as a market differentiator, and the goodwill generated by a visible plan exercising procedure will instil the public with a sense of confidence regarding the organisations sense of social responsibility. Employees will feel secure that their company is protecting them, and the key customers will recognize that their supplier will be available to serve their needs should disruption to the business occur.
Due to recent events including hurricanes, power outages, pandemic threats and terrorist attacks to name a few, a growing number of regulatory bodies across a variety of industries including financial services, insurance, energy, and healthcare, are implementing requirements not only necessitating organisations to develop business continuity plans, but they now mandate regular exercise and testing of the plans.
BCM experts recommend exercising and testing plans as often as possible, but also indicate that most conscientious organizations test at least once or twice a year. However exercise and testing may be more frequent depending on the regulatory requirement, if changes occur in business processes, technology, BCM team membership, or if they anticipate events which may result in a potential business interruption.
Regardless of the number of testing events in any one year, they should be scheduled well in advance to ensure maximum participation and as with any other business activity, the likelihood of a successful BCM exercise and test will increase only if planned properly. For example, test scenarios, objectives, assumptions and evaluation criteria should be formally developed and published prior to test execution.
It is also important to realize that BCM exercise and testing activities can be conducted in a variety of different forms. Conducting the same type of exercise time after time will eventually lead to stagnant outcomes and bored participants therefore it is important to incorporate a variety of testing formats.
This may include: table top testing, full scale simulation exercises, procedure verification/business function testing, communications testing, or IT environment walk-throughs.
Actual data should be incorporated and real-world conditions should be simulated whenever possible. The testing exercises should be kept small and simple if the organisation is new to BCM testing, however as the business continuity process matures the testing will increase in size and complexity.
Exercise and testing procedures mark the completion of the business continuity plan and determine whether or not the plan can be relied upon following a business disruption or disaster. However, things can go wrong during even the most effective exercise and testing procedures. Companies should not be intimidated by making such mistakes, but rather identify and correct each of them in a logical manner reflecting the key business objectives. It is best to make the mistakes in a testing scenario rather than during an actual business interruption.
Julia Plumley, BA, ABCP, is a risk specialist and DRC coordinator at Deloitte. She is professionally certified to practice business continuity by both the Disaster Recovery International Institute and the Business Continuity Institute, for which Deloitte (Cayman) act as Caribbean regional representatives. She is a Bachelor of Arts, and Bachelor Physical and Health Education, from Queen’s University, Kingston, Ontario, Canada. She can be contacted at [email protected] or via + 1 (345) 814-3484.
Related Videos
