This 15 minute video will guide you through the process of developing a business continuity plan test and show how the Business Continuity Plan Test Templates help the development and performance of business continuity plan tests.
Business Continuity Plan Testing Templates
There are many definitions of what constitutes a BCP test and it is helpful to know understand the differences so that you can select the most appropriate option for your needs
The most basic form of testing is a review of the plan to ensure the basic integrity of its content. This entails ensuring contact numbers, roles and resource requirements as defined in the plan remain consistent with current needs. The purpose of this activity is to ensure that the plans content and relevance have not been undermined by organisational changes since the plan was last updated,
A tabletop or walkthrough test is generally performed as a group discussion, where plans are subjected to challenge by “walking through” each plan according to a specific incident scenario. In this case the test facilitator will challenge participants at various stages asking several “what-if” questions designed to stretch participants in their responses.
A rehearsal raises the bar further by creating a scenario with a timeline and requires that each participant adopts the roles and takes the actions that they would be expected to in a real-life situation. This type of test may include using incident messaging tools, generating responses to outside stimuli. The facilitator introduces inserts which are delivered as incident updates as the chosen scenarios develops with predetermined twists & turns
Simulations - the most intense form of testing, requires the use of purpose-built tools to simulate dynamic social media activity, casualty, missing person and absentee lists and third-party interruptions.
Developing a Business Continuity Plan Test
1. Developing the Business Continuity Test Objectives & Synopsis
It's a good first step to decide on what it is you want to achieve from the test. Are you testing just part of your plan to get assurance of one aspects of it (incident notification for instance) or are you wanting to get some assurance of the overall organisations capability to handle a specific type of incident such as a cyber attack or significant storm damage? Your assurance objectives are an important part of ensuring that your business continuity plan test is focussed on issues that will lead to a meaningful evaluation of whether or nor the organisation is likely to respond effectively in a particular incident situation.
Let’s first take the scenario or event. This could be a physical event such as bad weather causing damage to our organisation's physical premises or it could be some problem with our IT systems that significantly impairs the organisations' ability to operate effectively. Either way we want to know that the business continuity plan and associated arrangements are sufficiently robust to enable the organisation to respond and recover effectively. Bear in mind that different scenarios will cause different impacts and will therefore place emphasis on different parts of the plan.
It’s also helpful to bear in mind that it is not always practical to test the whole plan in a single exercise. For instance, testing IT recovery is often performed separately from operational response. This is done for several reasons: mainly because of time constraints (IT recoveries can take hours) and it’s unrealistic to expect other participants to wait around until the IT recovery activities have taken place before than then move on to proving operational responses.
Most organisations tend to test their IT recovery capabilities separately to other aspects of business continuity – the reliable recovery of IT systems is often fundamental to enabling other parts of the organisation to recover. This also helps operational parts of the organisation to test their plans in the knowledge that the IT recovery is based on firm and proven assumptions.
Finally, who will be responsible for test delivery. There are two key roles here. The facilitator who orchestrates the test and generally maintains it’s momentum and at least one observer who will focus on how well participants respond during the exercise and evaluating their proficiency in their incident response roles
The final consideration will be the participants in the test. This should include relevant members of the response organisation including senior management.
Bringing all these things together gives us the test synopsis – the first step in developing our business continuity plan test. The template for this is included in the Business Continuity Plan template pack
2. Developing the Business Continuity Test Timeline & Inserts
In this stage we look at expanding the test into a structured timeline that reflects the impacts of the incident, its likely duration and the events that could occur at various stages of discovery, response, business recovery and, where applicable “long-tail” events that may persist even when the immediate incident has been dealt with.
The BCP test timeline provides a "script" that enables the test facilitator to orchestrate the progress and timing of each stage of the test. It should contain:
-
An indication of the stage of the incident and it’s expected real-life duration;
-
The “dwell time” indicating how long we expect to spend on each stage of the BCP test and helps the facilitator to keep the test moving along within the allotted time for each stage
-
The expected action to be taken by the appropriate participant or team based on the content of the plan
-
Facilitator inserts to challenge and develop the scenario. Note that inserts relevant to both tabletop/walkthroughs and rehearsals are included.
-
Space for observer notes made during the test, which can be used for feedback and evaluation.
Facilitator inserts provide guidance and challenges during the test. These inserts are designed to encourage participants to consider challenges that can come out of “left field” during an incident and may stretch the assumptions contained in their plans. Inserts can take two forms, depending on the nature of the test. In a full organisation wide test these would take the form of an announcement such as “this has happened…..” if the test is a walkthrough test the insert is most effectively presented as a question “have we considered the effect of…… in our plans”.
Our scenario-based templates include facilitator insert options for both tabletop/walkthrough and rehearsal BCP test
3. Business Continuity Test Evaluation & Feedback
The evaluation and feedback stage of the BCP test focusses on assessing the results of the test based on the observations made by the facilitator(s) observers and participants. Issues such as achieving objectives, the overall effectiveness of plans and capturing lessons learned is the primary focus of this stage. The BCP Test Results would normally result in a formal BCP Test Report together with any remediation activities required. The BCP Test Template includes a BCP Test Report template to capture this information