Planning and conducting business continuity (BC) plan exercises is one of the most important activities in a business continuity program.

Conducting one or more BC plan exercises annually is a key component of a business continuity management system (BCMS). Exercises should be scheduled and integrated with other BCMS activities, such as plan updating, emergency team training, policy reviews and audits, business impact analyses (BIAs), risk assessments (RAs), and awareness programs.

A BC plan exercise is not the same as a disaster recovery test. For instance, you don't actually fail over in a BC plan exercise. That's what you do in a typical technology disaster recovery test, which addresses the recovery of IT systems, data, databases and so on. This is strictly business continuity.

When planning a BC exercise, the following are priorities:

  1. Decide specifically what you plan to exercise, e.g., the entire plan or parts of the plan such as incident response procedures or the evacuation plan.
  2. Secure a location to conduct the test that is away from any possible interruptions, and encourage exercise participants to turn off their mobile devices if possible so they can concentrate on the exercise. If possible, conduct the exercise outside the participants' offices in a less conspicuous location. If this is not possible, it may make sense to schedule the exercise outside of normal work hours or perhaps over a weekend.
  3. It may be useful to invite participants other than the exercise developer(s) and representatives of the department(s) or activity being exercised, such as staff from IT, operations, risk management, human resources, legal, quality assurance and internal audit, but this is not mandatory. A corollary to this is to have the "right" participants in the exercise. This means inviting people who have a true stake in protecting their department, as well as the company. Inviting senior management to an exercise is often avoided because the fear is that a senior manager may get too involved (e.g., try to take over the exercise) and other exercise participants may reduce their level of participation in deference to the executive.
  4. It's not necessary to complete a "successful" exercise. Completing a successful exercise doesn't necessarily mean that the plan ran perfectly, the emergency team is fully prepared or that employees are ready to respond. It's far better to identify flaws in the exercise logic and supporting activities now, rather than later (e.g., during an incident), when the flaws could result in serious consequences.

You should also assign someone as a timekeeper and scribe, so that a record of the exercise can be produced. This is important from an audit perspective and also for regulated organizations like banks or firms that are scrutinized by government agencies, such as pharmaceutical companies, which are overseen by the U.S. Food and Drug Administration (FDA). And, it's a good practice for all exercises.

While not usually a priority, consider launching a surprise exercise in addition to scheduled exercises. This is perhaps the best way to determine if your emergency teams are really prepared to respond to a business-threatening incident. Some advance planning (e.g., warning) is advised, especially if your exercise affects other departments, such as IT or facilities. Also, if other departments, such as IT, have scheduled exercises at the same time as your surprise event, it may be prudent to reschedule. Of course, in real life, there will be no advance warnings or courtesy calls alerting you and others of an impending disaster.

Summary

Well-planned and conducted BC exercises are important investments in a company's long-term success and survival. Knowledge of regularly scheduled exercises can also enhance the firm's reputation and competitive position, especially since more organizations today require data about a prospective vendor/partner's business continuity and disaster recovery activities.

About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant/auditor and is secretary of the Business Continuity Institute USA chapter and member of the BCI Global Membership Council. He can be reached at pkirvan@msn.com.

This was first published in March 2013
