Even if your organisation has coped well with Covid disruptions there will inevitably be more unpredictable major challenges to come, including unknown unknowns, and it is important to test your Business Continuity Plan effectively and at least once a year against different scenarios. Adopting a Business Continuity Plan without testing is like expecting to be able to drive a car by just reading the manual. However, a recent survey we conducted shows that one in five organisations have yet to test their plans with a Business Continuity exercise. As well as testing the robustness of the Business Continuity Plan, a Business Continuity exercise provides the opportunity for people to practice their Business Continuity roles in a safe environment. They will be much better prepared should a real major incident occur. Another benefit of testing Business Continuity Plans with an exercise is that it can provide answers to a number of pertinent questions:
- How quickly can the Major Incident Management Team (aka the Crisis Management Team be mobilised?
- Have all key players needed on the team been identified?
- How easy is the Business Continuity documentation to use in the heat of an incident?
- Is all the key information needed readily accessible?
- Have the communication mechanisms been properly thought through?
Even if you have tested your Business Continuity Plans in the past year there are good reasons why you should plan to run a Business Continuity exercise this year.
A Business Continuity exercise checklist
In our fast-changing world, a lot can happen in a year that justifies running a new exercise. Within the last twelve months many organisations will have implemented new IT systems, new ways of working, relocated their offices or restructured their organisation. New staff may have been taken on, who need to understand how Business Continuity works in the organisation, especially if they are a key part of the Crisis Management Team. Against this background, we identify below a number of factors to determine the focus and frequency of Business Continuity exercises.
Thoroughness of tests
There is a range of methods for reviewing and testing Business Continuity Plans. Walkthrough and tabletop discussions are suitable for familiariasation or where the organisations Business Continuity planning is at an early stage, but they risk complacency and can lead to unrealistic ‘easy answers’, which do not reflect the challenges of an actual incident. Exercises, where people perform their roles in a simulated operational environment, are a dynamic way of testing plans and are much more effective.
Range of scenarios
Have your exercises covered loss of people, property and/or IT resources? Have you tested a range of scenarios that could impact your ability to operate? e.g. fire, flu pandemic, cyberattack, ransomware, terrorist incident, adverse weather such as flood, snow, product recall, failure of key suppliers?
Has everyone had the opportunity to rehearse their Business Continuity role?
Did key people miss the last exercise through illness, holiday or other reasons? Have people in a deputy role been given the opportunity to participate in an exercise? Are there new people in Business Continuity roles, through recruitment, promotions or restructuring?
Have all component plans been tested?
The full suite of Business Continuity documentation includes Crisis/Major Incident Management Plans, Business Continuity & Recovery Plans, Business Continuity Communication plans including telephone trees, IT Disaster Recovery Plans, and suppliers plans where they are part of your organisation's response.
Have all parts of the organisation been tested?
- Have divisional and departmental plans been tested?
- Have subsidiary companies been tested?
- Have all offices, factories and distribution facilities located away from head office been tested?
- Have key processes been tested in sufficient detail?
Setting the right expectations for Business Continuity exercises
You should also challenge resilience measures in place e.g. did the planned mitigations work as expected, reduce the impact, or provide the protection expected?
It should be expected that gaps and shortcomings will be uncovered; this is a normal and healthy part of testing. Indeed, if you have not found any problems, then your test approach needs to be reviewed and developed to make exercises more stretching. During a real incident, even with the best-developed plans, it’s almost guaranteed that some things will not go smoothly. This is due to the ‘unknown unknowns’. The idea of exercising is to expose as many of the potential issues as possible.
Finding gaps and problems in your planning during a test does not mean the exercise has failed. As long as you fix the gaps and address lessons learned, it means you have a healthy attitude to testing. It is important that the Business Continuity sponsor and senior management understand this principle, and do not berate anyone for sending them a post-exercise report showing issues. What they should be saying is ‘That’s great we’ve found these issues. What can we do to address them? What do you need from us to support you? When shall we be in a position to re-test?’
Who knows what this year will bring, best to start preparing now!
Julie Goddard has many years experience of implementing BC in a variety of organisations in the private and public sectors. She also has significant practical experience in managing live incidents.