It is common to hear organisations talk about the availability of plans to mitigate the impact of disasters in the event they occur. However, there is a sharp difference between validating information and stress testing. It’s one thing for an organisation to “have a plan or set of plans”. However, it’s a different thing to say with confidence that they have been tested and can support or not support the organisation’s growth.
|The ISO 22301-2019 (Clause 3.4) of the Security and resilience-Business continuity management systems-Requirements refers to business continuity plan as “documented procedures that guide organisations to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.|
Source: ISO 22301 Standard
Plans must be tested with SMART objectives and clear success criteria defined. For an organisation to be resilient, robust and be able to manoeuvre through constant growth paths, there must be a clear time tested program of activity, outlining its plan testing regimes, schedules etc. Crisis management and Business continuity managers should obtain sign- off from top management who opt-out from testing plans.
According to international best practice guidelines, crisis and business continuity managers must ensure that tests are carried in a real setting. Telling everyone that you are running a test at 10 am on Thursday is not a reflection of real-life and allows individuals to prepare and have copies of the business continuity plans at hand, which might not be the case in a real incident.
This goes to underscore the fact that organisations are increasingly faced with threats of disasters which could be natural or man-made, therefore it’s only those who have tested plans that can navigate their ways out and remain competitive in the industry and environment for that matter. Those who are unable to stand these disasters easily go into hibernation and others collapsed.
Plan testing should not be seen just as an activity for staff in Crisis and Business continuity management units of organisations, but a cross sectional and shared responsibility with an overarching support, participation and involvement of Top Management in organisations.
In the financial services industry, commercial banks, savings and loans companies, credit unions, etc. are required to develop compliant business continuity plans that identify business processes and interdependencies that could provide the needed resilience to and recover from all potential threats to the organisation. Business Continuity Management (BCM) is designed to help organisations, regardless of their size, locations or activities, minimise the impact of disruptions of any kind, natural or man-made, including cyber and its related disruptions.
Organisations, especially in the financial services industry, are implored to develop – robust BCM plans that could stand the test of time and withstand today’s ever-changing and challenging global business disruptions that come in all forms ranging from human physical attacks to natural hazards.
Exercises and tests are important parts of the processes. The BCM is said not to be complete until the plans developed has been put through rigorous testing regimes. The standard makes an important distinction between exercises and tests of the BCM processes, defining an exercise as “a task or activity involving people and processes that is designed to validate one or more aspects of the BCMS or related procedures’’ whilst test is usually carried “to verify the quality, performance or reliability of systems resistance in an operational environment.” It further emphasised the relevance of carrying out both exercises and tests to demonstrate organisational resilience and recovery capabilities.
The majority of financial service players, rely on third-party service providers to conduct their businesses on a daily basis. Organisations that outsourced key functions to third-party service providers create a reliance on that service provider, thereby exposing the organisations to the risk of not being able to resume operations within pre-defined recovery time objectives (RTO) in the event of a disruption.
As a result, the standard requires in clause 8.6 (c) “Conduct evaluations of the business continuity capabilities of relevant parties and suppliers”. The Bank of Ghana (BOG), the sector’s regulator, expects critical third-party vendors to be active participants in their support of Business Continuity Management programs in organisations they support.
In effect, plan testing and exercising verify the plan’s effectiveness by validating all recovery time objectives (RTO), help train the team on what to do in a real disaster situation, and identify areas where the plan needs to be strengthened.
Apart from Top Management and Information security roles clearly defined in the plans, the testing teams must also include key department heads with detailed knowledge and understanding of the processes and functions impacted by the scenarios. In addition, all departmental specialists should be included in the exercises and testing programs. Their participation is to ensure that they are familiar with alternative procedures in emergency situations and ensure that the organisation develops backups and successors to the primary recovery resources.
Types of Testing Regimes
Business Continuity Plan Review
This type of test typically involves top management and department heads, a BC plan review consists of largely analysing the Business Continuity Plan and discussing ways of improvements, as well ensuring contact information is up-to-date, recovery contracts are updated, in place, effective, and applicable business continuity and disaster recovery scenarios are appropriately covered. This exercises could sometimes include training new managers on plan details so they can disseminate the plan details to their teams.
Table Top Exercise
A BCP Table Top Test is a mostly a scenario-based role-playing exercise. The essence is to ensure all mission critical personnel in the organization are aware of and familiar with the relevant portions of the BCP, as well as their roles and responsibilities especially in an event of an emergency. Table Top testing typically includes discussion of one or more disaster scenarios, during which the potential response procedures will be reviewed, responsibilities outlined, and process improvements reported
Evacuation Drills / Simulation Test
Also referred to as Walkthrough Drill/Simulation Test. This test type is more of hands-on version of the table top exercise previously discussed. Whereas a Table Top Test usually consists of staff or testing teams sitting around a table and discussing plan details, the Walk-Through/Evacuation Drills incorporates actual recovery actions such as restoring backups, live testing of redundant systems, and any other relevant processes.
In addition to critical personnel, any employees that would be involved in a BCP event should now be involved in the testing process. A Walk-Through Test may also include validation of response processes/systems, a simulated response at alternate locations, and varying degrees of actual notification and resource mobilization.
The test also comes along with evacuation drills to ensure that employees and users of an organization’s facilities are aware of the evacuation routes from the building, accustom to assembly areas and their responsibilities.
This test prepares employees to stand in readiness especially when faced with threats that warrant the exit of all employees out of the organization’s premises. Examples of such incidents include but are not limited to fire, earthquake, electrical power failures, and acts of terrorism, etc. which might require the evacuation of the building or floor.
Functional/Process Recovery Test
A BCP Functional/Recovery Test involves a complete process of spinning up an organization’s backup systems and processing transactions or data, although the Functional Recovery Test scope can vary from parallel testing (running live and backup systems in conjunction) to a full failover test (completely transitioning operations to the backup systems).
This test is mostly simulated as similarly to a “real-life” disaster situation. It could also take a form of full-blown exercise of critical business processes encompasses recovery from a crisis which may include enabler failures to business-like loss of people, technology, applications, and sites
Benefits of Testing & Exercising BCM Plans from different perspectives.
At Employee Level
- Ensures that all staff that took part in the test understood the roles and responsibilities expected of them.
- Develops staff teamwork and acclimatize participants to the organization’s alternate work location and Disaster Recovery Centre.
- Increases the responsiveness of those involved in the test.
- Testing also serves as a means of raising awareness and training in the organization
Enterprise & Logistics
- Testing verifies if decision-makers identified in the BC plans are appropriate in respect of the various scenarios developed.
- Verify if documentation concerning the tests & exercises has been communicated to appropriate stakeholders and interested parties.
- Confirm how robust and viable the organization’s supply chain remains.
- Identify gaps in the procedures and plans and initiate steps to fix them
From the Systems and Information Technology angle
- Testing enables the team verify the recovery time objectives (RTOs) during failover, resumption of services and applications
- Verify the availability of network re-routing
- Confirm Service Level Agreement (SLA) of various third party providers for every service.
- Identify and fix technical difficulties
From the Organization’s Perspective
- Confirm the organization’s ability to meet obligations and honour commitments as they fall due
- Confirm the ability to process its operations in compliance with regulatory authorities as defined in (BC) strategy.
Business Continuity Management is a critical process for the financial services sector. The regulator (BOG) does not take kindly too, regardless of the size, location, etc. The plan is the pivot to the effort. To streamline the BCP processes in an organisation, financial institutions should properly integrate Business Continuity and its plans to all critical business decisions, ensure they conduct periodic reviews of their plans, and ultimately conduct regular testing.
The writer is a Certified PECB ISO 22301 Lead Implementer & Auditor and Business Continuity Partner-Operations