How to Test Your Business Continuity Plan

There are several business continuity management techniques that can help in planning and improve the availability of organizations’ critical business processes. Unfortunately, these methodologies usually contain only the theoretical foundations of business continuity and do not answer the main question: "How can you verify that your Business Continuity Plan will work when a real threat occurs?"
By Denis Krivov
BCP/DRP Compliance Officer

When thinking about security, businesses should assume that at some point things may go wrong. That is why it is important to review and test business continuity planning (BCP) procedures on a regular basis to ensure they meet current business needs and can operate during a disaster.

When creating a system for a customer, software development firms should always include instructions on how to respond to various scenarios. The scenario is not necessarily a hacker attack. It could be a problem with the cloud or something else. The recent situation with the COVID-19 outbreak showed that not every company is ready to continue its usual business operations remotely. Many companies were not sure how to connect to corporate networks, protect laptops, or encrypt hard drives. The situation could have been better if there had been a list of reference controls showing the implementation status of each one and indicating which controls are always on and which are enabled only in disaster recovery mode.

BCP Testing: Tabletop Exercise

One of the most effective ways to test a BCP is a tabletop exercise. This informal brainstorming session brings business leaders and other key employees together and should reflect real-life situations and attacks. When choosing scenarios for a business continuity tabletop exercise, the secret is to avoid including all possible threats, while making these scenarios specific to your business.

It is important to pay attention to communication protocols, since in most disruptive events your employees need to know who should call whom and how. Alternative communication channels must be established prior to failure, tested for security and compliance, and known to employees. In the case of a disaster, it is possible to use backup telephone and audio-conferencing channels, Yammer groups, Teams groups, internal service health dashboards, and internal incident management software.

The tabletop scenarios can vary from "data center out of service" to "political conflict" and "office intrusion." Tabletop exercises can be customized to your organization’s needs, geography, and industry. Each team member focuses on response and recovery skills. They review their planned steps for each disaster scenario and identify possible weaknesses and ways to correct them. Afterward, the updated plan is circulated to the appropriate staff. At each stage of the tabletop exercise, several new employees are invited into the testing team to identify gaps that experienced team members may have missed. It is always a good idea to ask for employees’ feedback on the business continuity plan before conducting a review.

It is worth noting that the tabletop exercise for a business continuity plan should be actively supported by the company’s management. Unfortunately, that is not always the case. There are several arguments that can help motivate top management at a company to participate in testing:

  • The test scenario should correspond to the level of the manager’s tasks. Such events include those that affect VIP clients, appear in the media, or decrease the company’s income, as well as changes in legislation and government decisions.
  • Good preparation and good preliminary analysis are essential in management testing. The scenario and behaviors must be realistic. In a real incident, information is never presented in its final form. The scenario should also be unexpected: for example, it is clear how to act in the event of a fire, but the response to a confidential data leak is more unexpected. That means that the second option should get more attention.
  • Top management prefers facts and numbers. They will be interested in two types of stories: ones with negative outcomes for the businesses that have not ensured business continuity, or facts about competitors that went out of business due to the lack of a well-tested plan.
  • Finally, the approach "I will wait while others are fighting the crisis" is unacceptable for a leader. With this attitude, it is hard to expect enthusiasm or a good response from employees.

All in all, comprehensive business continuity scenarios help protect data, engage customers, and reduce overall operating costs. A well-tested business continuity plan minimizes downtime and improves corporate crisis management capabilities.
