Planning and conducting business continuity (BC) plan exercises is one of the most important activities in a business continuity program.
Conducting one or more BC plan exercises annually is a key component of a business continuity management system (BCMS). Exercises should be scheduled and integrated with other BCMS activities, such as plan updating, emergency team training, policy reviews and audits, business impact analyses (BIAs), risk assessments (RAs), and awareness programs.
A BC plan exercise is not the same as a disaster recovery test. For instance, you don't actually fail over in a BC plan exercise. That's what you do in a typical technology disaster recovery test, which addresses the recovery of IT systems, data, databases and so on. This is strictly business continuity.
When planning a BC exercise, the following are priorities:
- Decide specifically what you plan to exercise, e.g., the entire plan or parts of the plan such as incident response procedures or the evacuation plan.
- Secure a location to conduct the exercise that is away from any possible interruptions, and encourage exercise participants to turn off their mobile devices if possible so they can concentrate on the exercise. If possible, conduct the exercise outside the participants' offices in a less conspicuous location. If this is not possible, it may make sense to schedule the exercise outside of normal work hours or perhaps over a weekend.
- It may be useful to invite participants other than the exercise developer(s) and representatives of the department(s) or activity being exercised, such as staff from IT, operations, risk management, human resources, legal, quality assurance and internal audit, but this is not mandatory. A corollary to this is to have the "right" participants in the exercise. This means inviting people who have a true stake in protecting their department, as well as the company. Inviting senior management to an exercise is often avoided because the fear is that a senior manager may get too involved (e.g., try to take over the exercise) and other exercise participants may reduce their level of participation in deference to the executive.
- It's not necessary to complete a "successful" exercise. Completing a successful exercise doesn't necessarily mean that the plan ran perfectly, the emergency team is fully prepared or that employees are ready to respond. It's far better to identify flaws in the exercise logic and supporting activities now, rather than later (e.g., during an incident), when the flaws could result in serious consequences.
You should also assign someone as a timekeeper and scribe, so that a record of the exercise can be produced. This is important from an audit perspective and also for regulated organizations like banks or firms that are scrutinized by government agencies, such as pharmaceutical companies and the U.S. Food and Drug Administration (FDA). It's also a good practice for all exercises.
While not usually a priority, consider launching a surprise exercise in addition to scheduled exercises. This is perhaps the best way to determine if your emergency teams are really prepared to respond to a business-threatening incident. Some advance planning (e.g., warning) is advised, especially if your exercise affects other departments, such as IT or facilities. Also, if other departments, such as IT, have scheduled exercises at the same time as your surprise event, it may be prudent to reschedule. Of course, in real life, there will be no advance warnings or courtesy calls alerting you and others of an impending disaster.
Well-planned and conducted BC exercises are important investments in a company's long-term success and survival. Knowledge of regularly scheduled exercises can also enhance the firm's reputation and competitive position, especially since more organizations today require data about a prospective vendor/partner's business continuity and disaster recovery activities.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant/auditor and is secretary of the Business Continuity Institute USA chapter and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.