1. Business Continuity Plan (BCP):
Most organizations lack the implementation of even basic guidelines to create a BCP as outlined by government regulations. It isn't easy to know what challenges tomorrow will bring for your operations. Both your business and the environment in which you operate change over time.
Business Continuity Plans (BCP) minimize the effect of disasters and help to quickly get your business up and running again. The BCP must be kept updated with well-established communication methods that are regularly reviewed and re-tested. The BCP should be clear and detailed enough so that employees can follow it step by step (Table 1).
The goal of Business Continuity Planning (BCP) is not to create a set of instructions that sits on a shelf. The goal is to make sure everyone on your team knows what to do and how to do it, so staff will be capable of acting accordingly in a real-life situation. It is therefore essential to repeat this process periodically, keeping your plans up to date, and to keep them fresh in your team members' minds.
The relevant terminology in Business Continuity Plans (BCP) has been explained in my previous articles (follow the links from the References list at the end of this document).
| Term | Definition |
|---|---|
| Business Continuity Plan (BCP) | Focuses on preparing/preserving and sustaining an organization's business processes during and after a disruption. |
| Business Impact Analysis (BIA) | Refers to a document that identifies present organizational risks and determines the impact on ongoing, business-critical operations if such risks actualize. |
| Recovery Time Objective (RTO) | The amount of time allowed for the recovery of a business function or resource after a disaster occurs. It helps in planning the frequency of backups and sets expectations for restoring data/services and how much data is an acceptable loss. |
| Recovery Point Objective (RPO) | Describes the acceptable amount of data loss measured in time. It is the point in time to which the organization must recover its data as defined by the policy. |
| Recovery Strategy (RS) | Refers to a process to resume the minimum set of critical services identified in the Business Impact Analysis (BIA). |
| Business Continuity Management (BCM) | Includes: • Understanding your organization. • Defining your Business Continuity (BC) Strategy. • Choosing and Implementing Business Continuity (BC) Solutions. • Testing, Maintaining and Reviewing Business Continuity (BC) Arrangements. • Developing a Business Continuity Culture. (See Figure 1) |

Table 1
2. Testing Business Continuity Solution (BCS):
Testing a Business Continuity Solution (BCS) ensures that the Business Continuity Plan is adopted by the whole organization and is viable and workable. Testing verifies that the plan meets its objectives, while training allows the staff involved in business recovery to gain experience in their roles.
3. BCP Testing Exercises:
An exercise is an activity that consists of assessing the effectiveness of all or part of a Business Continuity Solution (BCS), and of the procedures and plans that make up a BCP, according to an established scenario, objectives, and measurement criteria.
The test is carried out in a dedicated test environment with data destroyed at the end of the test. The business players simulate the execution of their activities. There must be no impact on production.
In contrast to a test, an exercise is carried out, at least partially, in production, using real data and returning to the normal business situation. During an exercise, business players really execute all or part of their activities.
Figure 1
4. Benefits of Business Continuity Testing:
Whatever the type of test/exercise, we can expect numerous benefits:
4.1 At the human level
4.2 At the organizational and logistical level
4.3 At the technical level
4.4 For the business level
Executive management must carefully supervise the organization of the BCP so that the tests and exercises can contribute to the ongoing improvement of Business Continuity (BC). Therefore, the definition of a test program is a preliminary stage to the execution of these tests and exercises.
5. The reasons for having a Test Program:
In most cases, it is difficult or impossible to test all of the solutions put in place by an organization in a single test. As the solutions are designed to cover different reference scenarios, they are not always compatible with each other. As tests and exercises are performed to check that a BCP is operational, a testing program for all recovery solutions must be put in place over one or several years according to the scope to be tested.
Establishing this program aims to define a test schedule, thus ensuring that the planned tests cover the entire scope of an organization's BCP.
Consolidating the various test programs allows:
6. Principle for defining a program and its content:
The organization must consider its level of maturity concerning the Business Continuity Management (BCM) (See Figure 1) process and thus determine the scope and level of complexity of the tests and exercises within the program. For example, carrying out exercises without first having performed tests presents a risk.
The executive management of the organization must validate the test program. The planned tests/exercises (Table 2) must cover all the activities included in the Business Continuity (BC) strategy.
The testing program includes the following information:
Different types of tests/exercises:
| Type of Test/Exercise* | Definition | Examples |
|---|---|---|
| According to whether users participate or not | | |
| Technical Test/Exercise | Category of tests/exercises validating a technical solution without involving end-users. It applies to technical infrastructure and technical aspects of the working environment. It tests the RTO/RPO of these categories of resources. | |
| User Test/Exercise | Category of tests/exercises validating the achievement of objectives for the BCS. Allows users to test access to their applications and make sure that they work properly. These tests validate or invalidate compliance with the RTO/RPO for business needs. | |
| According to the volume tested | | |
| Unit Test/Exercise | Test conducted across a limited perimeter to check that a solution is operational without taking into account interdependencies. | |
| Volume Test/Exercise | Test for validation of the capacity to cope with volume (ability to process a specific volume of data or business transactions). | |
| According to the area tested | | |
| End-to-End Test/Exercise | Test covering the entire execution of a process (either operational or technical) from its initiation until its outcome. | |
| Across Test/Exercise | Test carried out between at least two separate/different entities to check the ability to ensure the process's continuity. | |

Table 2
(*) Note that this list should not be considered comprehensive.
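Both the technical and the user test categories in Table 2 come down to one measurable question: did the test meet the RTO and RPO defined in the BIA? The following Python script is an added illustration, not code from the article or its author. It assumes a hypothetical test log with one event per line ("<ISO timestamp> <EVENT> <service>") and hypothetical per-service RTO/RPO targets; the log lines and targets are constructed here. For each service it takes the last good backup before the disaster was declared (the data-loss window, compared with the RPO) and the time from declaration to service restoration (compared with the RTO), and flags a test as incomplete when an event is missing.

```python
from datetime import datetime, timedelta

# Constructed test-log excerpt (not from the article). One event per line:
# "<ISO timestamp> <EVENT> <service>".
SAMPLE_LOG = """\
2024-03-01T20:00:00 BACKUP_OK file-share
2024-03-01T22:00:00 BACKUP_OK db-primary
2024-03-02T04:00:00 BACKUP_OK db-primary
2024-03-02T09:15:00 DISASTER_DECLARED db-primary
2024-03-02T09:15:00 DISASTER_DECLARED file-share
2024-03-02T12:45:00 SERVICE_RESTORED db-primary
2024-03-02T14:30:00 SERVICE_RESTORED file-share
"""

# Hypothetical RTO/RPO targets per service, as the BIA would define them.
TARGETS = {
    "db-primary": {"rto": timedelta(hours=4), "rpo": timedelta(hours=6)},
    "file-share": {"rto": timedelta(hours=4), "rpo": timedelta(hours=8)},
    "crm-web": {"rto": timedelta(hours=2), "rpo": timedelta(hours=1)},  # no events logged
}


def parse_log(text):
    """Turn the log text into (timestamp, event, service) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, service = line.split()
        events.append((datetime.fromisoformat(ts), event, service))
    return events


def evaluate(events, targets):
    """Compare each service's measured recovery time and data-loss window with its RTO/RPO."""
    results = {}
    for service, target in targets.items():
        svc_events = [(ts, ev) for ts, ev, s in events if s == service]
        declared = [ts for ts, ev in svc_events if ev == "DISASTER_DECLARED"]
        restored = [ts for ts, ev in svc_events if ev == "SERVICE_RESTORED"]
        if not declared or not restored:
            # A test without a declaration and a restoration proves nothing either way.
            results[service] = {"status": "incomplete", "rto_met": False, "rpo_met": False}
            continue
        declared_at, restored_at = min(declared), max(restored)
        # Only backups completed before the disaster count toward the RPO.
        backups = [ts for ts, ev in svc_events if ev == "BACKUP_OK" and ts <= declared_at]
        recovery_time = restored_at - declared_at
        data_loss = (declared_at - max(backups)) if backups else None
        results[service] = {
            "status": "complete",
            "recovery_time": recovery_time,
            "data_loss_window": data_loss,
            "rto_met": recovery_time <= target["rto"],
            # No pre-disaster backup means the whole data set is lost: RPO not met.
            "rpo_met": data_loss is not None and data_loss <= target["rpo"],
        }
    return results


RESULTS = evaluate(parse_log(SAMPLE_LOG), TARGETS)

if __name__ == "__main__":
    for service, r in RESULTS.items():
        print(service, r)
```

A test report built this way makes the "validate or invalidate compliance with the RTO/RPO" outcome from Table 2 explicit per service; a service marked incomplete should be scheduled again in the test program rather than counted as covered.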
References:
https://csrc.nist.gov/glossary/term/business_continuity_plan
https://www.experts-exchange.com/articles/34731/The-Importance-Of-Business-Continuity-Planning.html
https://www2.deloitte.com/content/dam/Deloitte/ru/Documents/risk/business-continuity-eng.pdf