Tuesday, 9 April 2013

Exercising, maintaining and reviewing BC

John Bartlett CBCI, DBCI
Once you have established your business continuity requirements and put in place plans, facilities and resilience to defend the organisation against disruptions and incidents, these need to be proven and kept current as the organisation changes. This is the hardest aspect of most business continuity programmes and where most organisations fail to protect their investment in establishing this level of organisation protection.
Exercising (or testing) plans and facilities is an essential aspect to ensure they meet the organisation requirements and work as required. Therefore exercises should be conducted on a regular basis, at least annually and should be based upon realistic scenarios, incidents and disruptions. The main benefits and reasons for exercising include:
  • Validation of business continuity plans;
  • Providing education, training and awareness to those with business continuity roles and responsibilities
  • Confirmation that the required RTOs and RPOs can be achieved;
  • Identifyting preparation or resresilience aspects that require enhancement or improvement (due to changes, such as facilities, technology, information or communication links);
  • Providing reassurance that the plans and facilities work as required and demonstrating resilience or recovery capability
There are international standards (such as ISO 22398) which provide guidance on conducting exercising and testing. However, prior to conducting any exercises it is important for the organisation to consider a number of aspects such as the cost of the exercise, any potential disruption to normal activities, any risks that the exercising may introduce to the organisation and the type of exercise that should be conducted (desktop check, simulation, unit or system test, partial rehearsal or full rehearsal).

The simplest process follows the Plan Do check Act (PDCA) model. Whereby the exercising is:

PlannedThe scope is defined, resources identified, risks evaluated, scheduled and communicated in preparation;
DoneThe exercising is conducted in accordance with the plan, preferable with some independent evaluation and notes are taken on timing and any issues or observations to make improvements; 
CheckedThe results of the exercise are reviewed and checked to ensure business continuity, RTO/RPO and resilience requirements were met, any actions identified for follow up and an exercise report produced;
ActedThe actions from the exercise are followed up, tracked and validated to ensure they are addressed and any issues/risks identified are addressed.

An important part of conducting exercising is to ensure the right people are involved and there is suitable business engagement to plan and conduct the exercises. For IT disaster recovery tests this is vital as any testing may introduce risks to production systems and recovery should be validated and verified by the business to ensure it provides the required functionality and data in the required timeframe. Ensuring exercising is conducted correctly and at the right frequency will help ensure the business continuity environment requires minimal amendments, configuration and purchases upon invocation and therefore avoids delays upon invocation.


Organisations constantly change, whether it is people, technology, processes or products and services. Therefore business continuity information, plans and facilities also need to be changed (to ensure they also remain current). Any change within the organisation should be assessed and evaluated to identify whether it affects the organisations ability to continue or recover.

Often organisations do not realise that by changing business priorities or implementing business strategy (e.g. introducing new products or services, or implementing projects to improve performance, processes or reduce costs) that they may alter the Business Impact analysis, continuity requirements and RTOs/RPOs as dependencies and priorities within the organisation may change, thereby invalidating the business continuity facilities, plans and capability that has been implemented. 

Therefore, the easiest and best method for ensuring a continued capability for business continuity and resilience is by including a business continuity impact evaluation as part of any change. This requires a strict change control and change management processes within the organisation, whereby all changes are recorded and evaluated, and the change processes are strictly adhered. This should include all projects, programs and strategic initiatives and will then also help to identify the true cost of these, rather than identifying additional (separate) business continuity costs later. 

In addition to maintenance and review as part of a strict change process, organisations should also regularly review (at least annually) business continuity information, plans and facilities to ensure these remain current, and review these as a matter of course after conducting exercises. It is very easy for information such as staff telephone numbers and supplier contact details to get out-of-date very quickly. 


Conducting a review of your organisations business continuity arrangements is essential to ensure it has been implemented correctly and appropriately. There are two kinds of reviews that can be conducted, either assessments or audits.

Audits – Verify the business continuity process has been followed correctly, not that the solutions adopted are necessarily the correct ones. Audits can be conducted internally or externally.

Assessments – Review the process to ensure it has been defined and adopted correctly, that it has been applied in an appropriate way within the organisation and (normally) that the solutions adopted and implemented meet the requirements identified. Either self-assessments can be conducted (if the necessary skilled, experienced and qualified people exist internally) or can be conducted by an independent business continuity professional (recommended).

Audits and assessments should be conducted against recognised industry practices and if appropriate, industry standards and will normally ensure:
  • Business continuity policy is defined and contains sufficient appropriate detail;
  • The business continuity policy is being implemented;
  • Sufficient resources and budget have been allocated for implementation and on-going management;
  • Appropriate business impacts, recovery requirements and strategies have been identified;
  • Risks have been identified, recorded and are being addressed;
  • All processes, products and services have been considered and assessed;
  • Ensure the right (defined) facilities, technologies and information is available in the required timeframe upon invocation;
  • Plans, facilities and technology for recovery are being maintained in-line with organisation changes;
  • Roles and responsibilities have been communicated and are being discharged;
  • Suitable and appropriate monitoring and measuring is in place, such as Key Performance Indicators (KPIs);
  • Suitable mechanisms are in place to identify/report incidents and invoke business continuity arrangements;
  • Appropriate business continuity governance and reporting is in place and involves the right people. 


BCI Physical Workshop
Would you like to find out more about how to plan and run an exercise programme or how you can invigorate or  inject new life into an existing programme? 
The BCI is running a workshop dedicated to this topic in Manchester this month:

BCM Exercising Planning Workshops

Wednesday, 24th April 2013: Planning and Running an Exercise
Thursday, 25th April 2013:Invigorating your Exercise Programme
Type: Physical (Delegates can choose to attend both or just one of the sessions)

BCI Member Rates apply.

No comments:

Post a Comment