Benefits of Business Continuity Testing

madunixExecutive Information Technology Director
CERTIFIED EXPERT
Executive IT Director. My primary purpose in life is that of learning, creating, and sharing.
Published:
Edited by: Andrew Leniart
BCP must be kept updated with a well-established communication method, regularly reviewed, and re-tested. BCP should be clear and detailed enough that employees can follow it step by step.

 

 

1. Business Continuity Plan (BCP):

 

Most organizations lack the implementation of even basic guidelines to create a BCP as outlined by government regulations. It isn't easy to know what challenges tomorrow will bring for your operations. Both your business and the environment in which you operate changes over time.

 

Business Continuity Plans (BCP) minimize the effect of disasters and help to quickly get your business up and running again. The BCP must be kept updated with well-established communication methods that are regularly reviewed and re-tested. The BCP should be clear and detailed enough so that employees can follow it step by step (Table 1).

 

The goal of Business Continuity Planning (BCP) is not to create a set of instructions that sits on a shelf. The goal is to make sure everyone on your team knows what to do and how to do it, so staff will be capable of acting accordingly in a real-life situation. It is therefore essential to repeat this process periodically, keeping your plans up to date, and to keep them fresh in your team members' minds. 

 

The relevant terminology in Business Continuity Plans (BCP) has been explained in my previous articles (follow the links from the References list at the end of this document).

 


Business Continuity Plan (BCP)

Focuses on preparing/preserving and sustaining an organization's business processes during and after a disruption.


Business Impact Analysis (BIA)

Refers to a document that identifies present organizational risks and determines the impact of ongoing, business-critical operations if such risks actualize. 


Recovery Time Objective (RTO)  

The amount of time allowed for the recovery of a business function or resource after a disaster occurs. It helps in planning the frequency of backups and sets expectations of restoring data/services and how much data is an acceptable loss.


Recovery Point Objective (RPO)

Describes the acceptable amount of data loss measured in time. It is the point in time to which the organization must recover its data as defined by the policy. 


Recovery Strategy (RS)

Refers to a process to resume the minimum set of critical services identified in the Business Impact Analysis (BIA).


Business Continuity Management (BCM)

Includes:

• Understanding your organization.

• Defining your Business Continuity (BC) Strategy.

• Choosing and Implementing Business Continuity (BC) Solutions.

• Testing, Maintaining and Reviewing Business Continuity (BC) Arrangements.

• Developing Business Continuity Culture. (See Figure 1)

Table 1

 

2. Testing Business Continuity Solution (BCS):

 

Testing Business Continuity Solution (BCS) ensures that the Business Continuity Plan is adopted by the whole organization and is viable and workable. Testing verifies that the plan meets its objectives while training allows staff involved in the business recovery to gain experience in their roles. 

 

3. BCP Testing Exercises:

 

Exercise is an activity that consists of assessing the effectiveness of all or part of a Business Continuity Solution (BCS), and the procedures and plans that make up a BCP, according to an established scenario, objectives, and measurement criteria.

 

The test is carried out in a dedicated test environment with data destroyed at the end of the test. The business players simulate the execution of their activities. There must be no impact on production.

 

In contrast to a test, an exercise is carried out, at least partially, in production, using real data and returning to the normal business situation. During an exercise, business players really execute all or part of their activities.


Figure 1 


4. Benefits of Business Continuity Testing:

 

Whatever the type of test/exercise, we can expect numerous benefits:

 

4.1 At the human level

  • Check that all various personnel that were involved in the test understood their roles and played their part in the proceedings.
  • Develop the ability to work as a team and familiarize staff with the Disaster Recovery (DR) site.
  • Increase the responsiveness of those involved in the test.
  • Raise employee awareness.

 

4.2 At the organizational and logistical level

  • Check whether the decision-makers identified in the procedures and plans are appropriate concerning the scenario's challenges.
  • Check whether the documentation concerning the tests/exercises has been communicated to those involved and if the information level corresponds to requirements.
  • Check supply chain robustness.
  • Identify anomalies in the procedures and plans.
  • Identify logistical failures.

 

4.3 At the technical level

  • Check the switchover end resumption of services/applications.
  • Check the presence of the required data.
  • Check Call re-routing.
  • Check Network re-routing.
  • Check the Service Level Agreement (SLA) for every service.
  • Identify any technical anomalies.

 

4.4 For the business level

  • Validate business ability to meet obligations and honor commitments.
  • Check the ability to process its operations in compliance with deadlines and volumes defined in the Business Continuity (BC) strategy.
  • Ensure suppliers can provide a service within the contractually defined requirements.

 

Executive management must carefully supervise the organization of the BCP so that the tests and exercises can contribute to the ongoing improvement of Business Continuity (BC). Therefore, the definition of a test program is a preliminary stage to the execution of these tests and exercises.

 

5. The reasons for having a Test Program:

 

In most cases, it is difficult or impossible to test all of the solutions put in place by an organization in a single test. As the solutions are designed to cover different reference scenarios, they are not always compatible with each other. As tests and exercises are performed to check that a BCP is operational, a testing program for all recovery solutions must be put in place over one or several years according to the scope to be tested.

 

Establishing this program aims to define a test schedule, thus ensuring that the planned tests cover the entire scope of an organization's BCP.

 

Consolidating the various test program allows:

  • Ascertaining the risk of the impact of testing in production and, consequently, makes it possible to reduce the exposure to risks to a level that is acceptable for the executive managers of the organization concerned.
  • Focusing attention on tests carried out on related perimeters or between interdependent organizations, thus testing the operation of the BCPs.

 

6. Principle for defining a program and its content:

 

The organization must consider its level of maturity concerning the Business Continuity Management (BCM) (See Figure 1) process and thus determine the scope and level of complexity of the tests and exercises within the program. For example, carrying out exercises without first having performed tests presents a risk.

 

The executive management of the organization must validate the test program. The planned tests/exercises (Table 2) must cover all the activities included in the Business Continuity (BC) strategy.

 

The testing program includes the following information:

  • the Core Business System (CBS) or Functional Division (FD)
  • the organization's acronym 
  • the name of the test
  • the test date
  • the test objective
  • a very brief description of the test scenario 
  • the measurement criteria proposed to participants
  • the possible impact of the test/exercise
  • the categories of resources (human, facility, and technical) concerned

 

Different types of tests/exercises:

 

 

Type of Test/Exercise*

 

Definition

 

Examples

 

 

According to whether users participate or not

 


Technical Test/Exercise


Categories of test/exercise validating a technical solution without involving end-users. It applies to technical infrastructure and technical aspects of the working environment. It tests the RTO/RPO of these categories of resources.


  • Restoring the technical infrastructure (Data Center, Access Control, Networks, Routing, and Switching).
  • Re-routing Network Traffic.
  • Restoring the working environment at a user's Disaster Recovery (DR) site.
  • Restoring Hardware and Software (Systems and Services/Applications restoration).
  • Organizing Support for Services/Applications and System/Servers.
  • Monitoring all essential components (Daemons, Disk space, Network connectivity for each point, Disk errors, Memory errors, CPU errors, Segmentation faults, Node failures, and Sub-component failovers).


User Test/Exercise


Category of tests/exercises validating the achievement of objectives for BCS. Allow users to test access to their applications and make sure that they work properly. These tests validate or invalidate compliance with the RTO/RPO for business needs.


  • Failback to the user's Disaster Recovery (DR) site.
  • Split operations.
  • Cross backup between production (PROD) and Disaster Recovery (DR) sites.

 

 

According to the volume tested

 


Unit Test/Exercise


Test conducted across a limited perimeter to check that a solution is operational without taking into account interdependencies.


  • Efficacy test at a user's Disaster Recovery (DR) site to provide recovery for one of the organization's new activities at its site.
  • Testing part of an Application/Service.


Volume Test/Exercise


Test for validation of the capacity to cope with volume (ability to process a specific volume of data or business transactions).



  • Testing the capacity of a Server/System to support the expected volume.

 

 

According to the area tested

 

 


End-to-End Test/Exercise


Test covering the entire execution of a process (either operational or technical) from its initiation until its outcome.



  • Testing the management of access rights from the request until closure.


Across Test/Excersice


Test carried out between at least two separate/different entities to check the ability to ensure the process's continuity.


  • Processing a transaction between the organization and third-party cloud providers or two different organizations or headquarter and branch.

Table 2

 

(*) Note that this list should not be considered comprehensive.

 

References:

https://csrc.nist.gov/glossary/term/business_continuity_plan

https://www.experts-exchange.com/articles/34731/The-Importance-Of-Business-Continuity-Planning.html

https://www.experts-exchange.com/articles/33973/Introduction-to-Business-Continuity-Management-BCM.html

https://www.asisonline.org/security-management-magazine/latest-news/online-exclusives/2020/Implementing-Split-Operations-to-Improve-Resilience-During-a-Disease-Outbreak/

https://www2.deloitte.com/content/dam/Deloitte/ru/Documents/risk/business-continuity-eng.pdf

https://www2.deloitte.com/content/dam/Deloitte/au/Documents/strategy/deloitte-au-con-realising-value-scenario-testing.pdf



3
536 Views
madunixExecutive Information Technology Director
CERTIFIED EXPERT
Executive IT Director. My primary purpose in life is that of learning, creating, and sharing.

Comments (1)

Evelyn LeeMobile App Developer

Commented:
Very nice comprehensive list, thank you for the efforts...it’s great!

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.

Get access with a 7-day free trial.
Continue Growing Your Skills and Your Career
  • Interact with leading experts on your specific technology problems.
  • Receive the guidance of experienced professionals.
  • Learn from troubleshooting others have experienced.
  • Gain knowledge from a library of courses, all included.