3 Ways to Test Your Business Continuity Plan
You’re a positive person. We think that’s spectacular. And though remaining positive is great in principle, sadly it isn’t always a smart risk management mindset. The companies that subscribe to Murphy’s Law are generally best equipped to mitigate risk and handle the unknowns – whether that’s economic downturns, natural disasters, data breaches or server failures. Regardless of risk appetite, smart companies plan against interruptions to business with what’s known as a Business Continuity Plan or BCP. A Business Continuity Plan evaluates how your company will sustain operations, communicate to personnel and clients, and generally weather the storm in the event of a business interruption. If the Murphy Law mantra feels negative, then just stack the deck and consider it a smart wager instead, since it is FAR better to be ready for a disaster that may never come than be caught unprepared and risk your business collapsing.
We’ve discussed the value of Disaster Recovery Plans (DRPs) and Business Continuity Plans (BCPs) in previous articles, so today we turn this topic toward a vital and often overlooked component of risk mitigation and continuity assurance….Testing.
Even the best plans fall apart without proper implementation. Success in plan execution increases exponentially with testing. Consider testing your Business Continuity Plan annually at a minimum so that all employees and stakeholders are knowledgeable and primed for continuity measures in case of an emergency. Here’s our suggestions for three (3) things you can consistently do to ensure your Business Continuity Plan is tested and your organization is better prepared should disaster strike.
It’s not just for the compulsive personalities like project managers and analysts. Creating a checklist not only defines the successive order in which key operational and administrative procedures should be carried out, it also naturally comes in the form of a quick-reference guide (also known as a QRG). When confusion increases and communication deteriorates, a continuity plan checklist at either a high-level or multiple checklists across your more granular functional areas are an easy and comforting distillation of the business continuity plan that ensures two key components for successful plan implementation: 1) that steps are conducted in the right order, and 2) that no steps are missed.
Two sets of checklists should be made. The first set encompasses those key procedures, contacts, communications, and steps that should be done at the moment of business interruption and throughout any disaster in order to successfully execute on the Business Continuity Plan. The second set of checklists – your BCP Audit Lists – are the items and key information that should be tested and verified on the previous set. Using both in tandem during annual or periodic testing greatly increases the quality of your Business Continuity Plan testing and also the likelihood of successful plan implementation if a disaster occurs.
Common things to include on your BCP Audit List include your employee’s contact details. Much of business downtime and conversely a company’s speed in operations getting back up and running is contingent on internal communications. Having an outdated phone number is a painfully avoidable mistake that can carry considerable cost to your company. At testing time, validate all internal and external contact information to be sure details are current and accurate. If you maintain an offsite cache of emergency supplies, check to ensure that you have the appropriate types and volumes of supplies and backup equipment to last you until normal operations can be restored. Work with your analysts or external business consultation partners to help you determine which supplies, equipment and quantities are appropriate at varying levels and types of business interruption. In addition, be sure to review and secure copies of all required and supplemental documents for personnel, processes and operations (especially emergency forms, contact info, and the Business Continuity Plan itself).
One BCP Audit List item to include should be an evaluation of the overall plan for validity and appropriateness based on the current state of the company. Testing helps business continuity plans stay up to date and provides for more continual adaptation and updating, but your company’s key strategic leadership should periodically evaluate the current state of the company in light of new strategies, technologies, or capabilities and determine whether the existing Business Continuity Plan still covers all of the current needs, strategy and direction. New strategies/technologies may now exist that are more practical and efficient than the ones currently in your plan from last year, and company direction and capabilities may reveal a need to overhaul the business continuity plan or at least amend it.
A walk-through or run-through promotes both procedural and muscle memory. Recall the fire drills and tornado drills of your elementary school days. Drills were conducted as a live activity rather than a verbal this-is-what-we-would-do review. The reason for this may be intuitive but studies show that active practice facilitates more efficient internalization of procedures, and (as instructional gurus will tell you) key process components have a much higher likelihood of cognitive transfer from working to long-term memory. What that boils down to is simply that your employees will care about it more and remember it longer.
Consider a structured walk-through with department heads to make sure that key points of command and delegation points to internal teams know precisely what to do in an emergency. Elect a team leader from each department and have each form their own testing team which should have extra duties and responsibilities (like making sure the building is clear) and will likely require extra rehearsal. After testing, department team leaders should discuss findings and then draft a unified report on plan efficacy and suggestions for improvement.
Walk-throughs are not just for the human parts of the plan. Kick off boot sequences, scripted and automated contingencies, data replication tasks, stand-by server switch-overs, cloud backup and data validation – whatever key technical components fall into your operations and continuity plan procedures. And then measure key continuity performance indicators (KCPIs) to report and leverage in your plan’s overall evaluation, such as quality or viability and speed to accessibility.
Simulation testing methods address the recovery and restoration aspects of the plan through seemingly real-life scenarios. Build your continuity simulation by creating scenarios that feel real and address key components of the Business Continuity Plan. Form testing teams and assign each a specific scenario that its members will enact using the facilities, equipment, and supplies available to them. If you can create cascading scenarios – ones that overlap and require inputs from or depend on processes to be completed by other testing teams – your simulation will be a better true-to-life representation of a business-interruption event or disaster.
Members of the company’s disaster response team should evaluate overall company response performance based on the simulation, determine how well teams were able to effectively carry out critical functions of the Business Continuity Plan, and identify key improvements and lessons learned to incorporate in the Business Continuity Plan and implementation procedures.
Don’t have a disaster response team? Assemble one as soon as possible.
Use the results from your checklists, walk-throughs and simulations to identify your Business Continuity Plan’s strengths and weaknesses, signal gaps between your plan and company’s current state of strategy and capability, determine how well your personnel can comply with the plan, and assess how ready you are for a disaster now that you’ve done the work of creating the BCP.
If testing your plan feels daunting, you aren’t alone. Many BCPs are constructed and then are shelved due to hesitation around the critical component of testing. The journey of a thousand tests begins with a single checklist, so start planning your Business Continuity Plan testing today. And as always, if you have questions about testing your Business Continuity Plan, need help with any of the techniques mentioned above, or need help constructing your Business Continuity Plan, let us help. Dynamic Quest offers business consultation services with a focus on disaster recovery, business continuity, plan testing, data analysis, and more. Just click the orange “Ask an Expert” button below to inquire about Dynamic Quest’s services or ask one of our experts a question.
Curious to learn more? Contact Dynamic Quest, your managed IT service provider?