Disruptions are by their nature unexpected. But your organisation’s response to hitting pause on normal business operations doesn’t have to be equally unexpected.
A comprehensive business continuity plan maps out every stage of your business’ response to relevant risks that could affect business-as-usual. This could be a power cut, a cyber-attack or a supply failure. Whatever the disruption, the right continuity plan can ensure that your business minimises downtime and recovers as quickly as possible, reducing the risk of lost revenue or reputation.
However, even the most detailed plan can become ineffective if it is not regularly tested. Businesses rarely stand still, and this means your plan may have to adapt to new circumstances. Lack of knowledge, communication and practice can also compromise your business’ response, which could extend your recovery.
So, how should you test your business continuity plan, and how often should it be put into practice?
How often should a business continuity plan be tested?
There is no hard and fast rule that governs how often your business should test its plan.
It really depends on the complexity of your business and the number, scale and likelihood of the risks it faces. These should be identified as part of a Business Impact Assessment (BIA), which will inform your business’ response.
If your business faces a high risk of revenue loss, reputational damage or lengthy downtime, then testing should be carried out more regularly and more areas of the plan should be tested.
The regularity of the testing is also dependent on the type of test being performed.
How can a business continuity plan be tested?
There are three main ways of testing your business continuity plan: checklist or walkthrough exercises, desktop scenarios, and simulations.
Checklist or walkthrough exercises
A checklist or walkthrough exercise is one of the easiest forms of test. It consists of a desktop exercise in which senior managers determine if the plan remains current by checking off or ‘walking through’ each step.
When going through the plan they should also ask key questions, such as: Does the business have the right supplies to cope? Are copies of the plan known by key personnel? Do key personnel know what their roles are?
To make this test as valuable as possible, an emphasis must be placed on any weak areas. The mission is not to find fault or assign blame, but to promote improvement, which will make your plan more effective if the worst should happen.
Desktop scenarios
A desktop scenario test is a little more specific than the checklist. Using a scenario relevant to the business, this test can help you to establish all the processes of your business’ response to a specific disruption. For example, you can check the processes of your plan in the event of sudden data loss.
Simulations
Simulations are full re-enactments of business continuity procedures and could involve most, if not all, of your workforce. They also tend to take place on site in the relevant business areas.
In this test, each employee involved will need to physically demonstrate the steps needed in order to react to the disruption and recover from it. This could involve driving to a back-up location, making phone calls, completing communication templates or visiting server rooms. These kinds of tests are good for establishing staff safety, asset management, leadership response, relocation protocols and any loss recovery procedures.
Due to the large scale of a full simulation, these kinds of tests may be limited to annual occurrences. They may also need to be moved to quieter business days or even non-operational days so that disruption to normal work is minimised.
Organising a test
Before beginning a test, you will need to set out a clear objective as well as define exactly what is being tested. For example, you may want to check your continuity plans in the event of a power outage.
For a desktop exercise, you need to ensure that key personnel or top management are available to participate. A venue also needs to be arranged, but this doesn’t necessarily have to be in a key location unless you are planning a simulation.
Before the test, circulate the testing plan along with the objective to everyone involved. This team should also familiarise themselves with the current business continuity plan.
Assign some people within the team to record the test’s performance and any shortcomings that are identified. After the test, feedback should also be sought. These findings then need to be formally recorded and used to update the business continuity plan. Once finalised, the revised plan should be shared among the workforce.
Remember that testing a business continuity plan is not about passing or failing – it is about improving processes to give your business the best possible chance of dealing with disruption. Regular testing asserts the effectiveness of your processes, trains your staff in what to do for faster, more confident responses and highlights areas that need strengthening.
Solution for disruption
Business continuity plans give your business a blueprint for disruption survival, but only if they are fit for purpose.
An internationally recognised mark of best practice, ISO 22301 will enable you to implement, maintain and improve a business continuity management system, which will support your business before, during and after disruption.