Are you testing your Business Continuity Plan?

3 Aug, 2020

So, you’ve got your Business Continuity Plan in place but have you tested it? Leaving it until a real-life incident could have devastating consequences to your organisation.

Why Test?

If you don’t regularly test your Business Continuity Plan (BCP) how do you know it will withstand a real-life incident? Regular testing will help you to:

• Identify gaps and weaknesses in your BCP
• Evaluate your response to events
• Improve your systems and processes
• Update your BCP plan accordingly

How Often Should You Test?

This really depends on your business and what risks are involved.  Those businesses whose risks are higher will clearly require more testing than those whose risks are lower.  As a rule of thumb, we would always recommend reviewing your BCP at least quarterly.

Performing a Test

In order to test your BCP you first need to create a fake scenario that could affect your business, whether that’s a data breach, setting the fire alarm off or planning for another global pandemic.

You can then test your plan using one of the following exercises:

• Call Tree: send out a test message quarterly to ensure your communication processes are working.
• Desk Check: the most basic check is conducted by auditing, validating and verifying your BCP. We would recommend reviewing one scenario per month.
• Planned Walkthrough: a more detailed exercise in which the team participate in a role-playing exercise, ensuring everyone knows their personal responsibilities. You should act as though this scenario is genuine and complete the BCP step by step, monitoring the time it takes and identifying any areas of improvement.
• Limited Rehearsal: on a quarterly basis, ask a specific business unit to respond to an incident.
• Simulation Testing: pose an incident quarterly and ask for theoretical responses. Alternatively, you could create a realistic test whereby physical testing is carried out with real resources in a controlled environment.  This could be with the help of an external company for example for penetration testing.  Only once you have seen your BCP through to the end you should review your actions and identify areas of improvement.
• Full exercise: test your organisations complete BCP arrangements on an annual basis.

What Should I Test?

• Data loss / Breach: the Cyber Security Breaches Survey 2020 found that cyber-attacks have evolved and become for frequent with 46% of businesses and 26% of charities reporting cyber security breaches or attacks in the last 12 months.
• Data Recovery: your data is invaluable and loosing it will have major impacts to both your finances and reputation.
• On-Site Threats: it’s likely that you are already conducting a fire drill but what about a bomb threat, terrorist attack or a gas leak?
• A Power or Network Outage: after the coronavirus pandemic, it’s likely that your team have remote access to your systems. As things begin to return to ‘normal’, don’t forget to continue these checks in case of other disasters like a power or network outage.
• Lottery Syndicates: whilst this may seem an unlikely event, it could still happen! How would you cope if the team won the lottery the weekend (and you weren’t in it), leaving the office empty on Monday.

Don’t have a BCP?

No problem! We are giving away a FREE BCP and Business Continuity Risk Assessment template for you.  Complete our contact form to request your copy today.

ISO 22301 – Protecting You From Disruption

Implementing an ISO 22301 Business Continuity Management System ensures you are assessing your potential risks on a regular basis.  This allows your business to be agile and adapt to any situation which poses a disruption to operations.  Having a properly laid out plan for the business to follow during a major or minor incident, reduces the time it takes to get back to ‘business as usual’.

Find out more about ISO 22301.