Exercising Business Continuity or Disaster Recovery Plans is necessary and should be completed on a regularly scheduled basis and whenever a BC or DR plan has had significant changes made to it. This is essential for ensuring that your plan is current, fully functional and addresses your current operational processes and procedures.
An exercise and testing program is necessary to ensure that all staff have a good understanding of their responsibilities as defined in the Business Continuity or Disaster Recovery Plan.
Exercise and Test plans consist of:
- Training for Managers, Supervisors Team members and the general public
- Roles and Responsibilities of all personnel during an interruption event
- Corporate and local Communications Plan Exercising, and
- Testing all procedure and processes included in existing plans.
- Testing new processes and procedures
A BC exercise is a focused, practice activity within the ‘Exercise, Maintain and Review’ stage of the business continuity management system lifecycle. The aim is to ensure your Business Continuity Plan (BCP) and arrangements are continually maintained, reviewed and quality-assured so you can keep your promise of service reliability to those who depend on it.
Exercises also allow training of recovery teams and evaluate their capability to effectively implement the plan. Exercises will be conducted and documented in accordance with the Business Continuity Exercise and Reporting Templates.
Why exercise in the first place? The primary objective is to ensure that the plan works when it’s needed. But it’s not enough to exercise parts of a plan. Ideally all elements of business continuity plans should be exercised on regularly scheduled basis (at least annually). Each exercise may have different objectives, beside the primary one. Main exercise objectives include identifying weaknesses and shortcomings, verifying recovery objectives and procedures, validating global efficiency of plans, verifying the adequacy of emergency operations centers (EOCs) and alternate sites, and achieving specific recovery time objectives (RTOs) and recovery point objectives (RPO).
Exercises can be simple or complex. A tabletop exercise can establish a plan performance baseline. A specialized exercise, such as one, which focuses on crisis management procedures at an EOC, provides valuable information about specific activities. At a higher level, an integrated exercise can address multiple business continuity plans or plan components. Finally, an entire plan, with all components, can be exercised. It is far better to err on the side of exercising too much, rather than not enough.
Initial Exercise – Once the Business Continuity Plan is completed, the initial exercise (usually a table top) will be used to validate usability. The results will be documented and maintained as a baseline for ongoing exercises.
Ongoing exercises should be planned and scheduled as needed to ensure freshness of plans and training for personnel. At least 1 exercise should be held annually, but more is better!
The exercise and testing program must also be planned in accordance with the overall organizational Emergency Management and Business Continuity program and in association with local authorities.
The exercise options described will help improve business continuity plans and train your staff. But no matter how often you exercise plans, when reality strikes, your response capability could be much different than in the exercises.
Key strategies for exercising include starting simple; raising the bar in terms of difficulty; involving vendors and stakeholders in exercises; making objectives increasingly difficult to achieve; and launching surprise exercises. When launching an exercise program, start with plan reviews and tabletops. This will help staff get comfortable with the exercise process. As they improve, increase the level of exercise complexity. Remember, an exercise CANNOT “fail”, it can only succeed in providing information on where your organizational plan needs improvement, so no matter what happens it is a success. We exercise because; it is far better to identify systems and procedures that may fail, and rectify them, before a real incident occurs. Finally, a true test is to launch a surprise incident. This will truly test how well prepared the organization is to address a real incident.
The primary reason to exercise is to identify limitations of emergency plans, business continuity plans and disaster recovery plans. Recognizing that most organizations change frequently, even mature business continuity plans may be inappropriate in a given situation or at a given time. Exercises that appear to be ‘successful’ and uncover no problem should be suspect. Maybe the objectives were too easy or the situation was unrealistic. Exercises present opportunities to fix problems before a disaster happens. Ideally, a successful exercise uncovers and documents problems. Once the problems have been fixed, consider running a follow-up exercise to ensure the repairs work. Measuring the success of business continuity exercises means having relevant objectives that will help uncover problems. Exercise is your chance to ‘push’ your business continuity plans increasingly closer to the reality of a disaster. Keeping these things in mind an organisations exercise and testing program strives to ensure all exercises are practical and prudent. We hope to be successful but maintain the mantra that an exercises primary goal is to tell us what areas we need to improve not to tell us how good we are.
The scenario comes last unless there is a specific new, emerging or rare threat scenario management wants to test their arrangements against.
- Clarify which plan(s) is being tested, and when it was last tested;
- Review weak points or risks highlighted for the plan(s) being tested;
- Work with management to find out what they want to achieve;
- Identify who needs to be involved in the exercise;
- Work out how you will capture learning as a baseline for ongoing exercises;
- Base the scope and duration of the exercise on exercise objectives;
- Select a realistic story (scenario) – start simple and then raise the bar.
At the end of this session the learner will be able to:
- Discuss the reasons for conducting a Business Continuity Exercise
- Identify the components of the BC exercise
- Describe the key strategies for the BC exercise
- State the goals/objectives of a BC exercise scenario