OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 17 2022-2023 Issue 5

Tech Talk: Four Steps to Better Business Continuity Plan Testing

This story appears in the
Nebraska Banker Magazine Pub. 17 2022-2023 Issue 5

Business continuity planning is a process that is vital to your organization. There is always the possibility that your organization’s critical business processes could be negatively affected for reasons that are often beyond your control, so it’s best to be prepared. If a disruption occurs, it’s essential that your organization has a plan to address any potential issues and ensure that your organization can still serve your customers.

However, if you’ve never enacted your plan, it’s hard to be confident that your plan will be sufficient. Testing your business continuity plan (BCP) helps to continuously improve your ability to recover successfully from various scenarios, whether it be a natural disaster or a communications failure. The good news is that there’s not just one way to test your BCP. Here are four steps to help you build a better business continuity plan testing program and ensure you are prepared for any situation that may come your way.

Step One: Incorporate Different BCP Testing Methods

You can utilize various methods to test the usability and effectiveness of your business continuity plan. Some of the possible test methods provided by the FFIEC include:

  • Tabletop Exercise: A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation. The goal of a tabletop exercise is to determine whether targeted plans and procedures are reasonable, if personnel understand their responsibilities, and if different departmental or business unit plans are compatible with each other.
  • Limited-Scale Exercise: A limited-scale exercise is a simulation involving applicable resources (personnel and systems) to recover targeted business processes. The goal of a limited-scale exercise is to determine whether targeted systems can be recovered and whether personnel understand their responsibilities as defined in the plan.
  • Full-Scale Exercise: A full-scale exercise simulates the full use of available resources (personnel and systems), prompting a full recovery of business processes. The goal of a full-scale exercise is to determine whether all critical systems can be recovered at the alternate processing site and whether personnel can implement the procedures defined in the BCP. For example, a full-recovery exercise might simulate the complete loss of primary facilities.

Step Two: Understand How Often to Test

Although there is no hard-and-fast standard for determining how often to test your business continuity plan, some general guidelines are typically recommended. Note that each of these timeframes will depend on your organization’s industry, size, personnel, available resources, and current BCP maturity levels. Don’t take these timelines as gospel, as they are strictly that: guidelines.

SBS recommends reviewing each of your emergency preparedness plans (business continuity, disaster recovery, incident response, and pandemic preparedness) throughout the course of a given year. Testing would typically include an annual tabletop test of all four individual EPP plans, testing multiple scenarios for threats you identify as a higher risk to your organization. Be sure to test the scenarios you believe to be the highest risk to your organization most frequently. You can use your business continuity risk assessment to help identify which threats are particularly impactful/probable to the organization.

Additionally, a limited-scale exercise is recommended at least annually, but such a test is largely dependent on the size and complexity of your organization and the maturity of your failover procedures.

However, if your organization has any significant changes in processes, systems, or plan details, you may want to perform these tests more frequently. To reiterate, these timelines are highly dependent on your organization; it may not be feasible or logical to perform some of these tests at a particular frequency. Base this decision on your organization and its specific needs.
If you are looking for somewhere to start and what should be prioritized for testing, refer to your business impact analysis. This is an excellent way to identify your most critical processes and the assets/systems you rely on the most. Systems that you rely on to keep your most critical processes functioning should be tested more frequently, allowing you to validate proper recoverability and the timeframes of that recovery. Most organizations benefit greatly by having a testing schedule that documents their plans. This allows for a strategic approach to testing involving the organization’s processes, systems, and vendors to be deemed necessary.

Step Three: Include Your Vendors

During your testing cycle, you’ll want to ensure your critical vendor partners are included in the testing process to any extent possible. Involving your vendors in this process not only allows you to test to a greater degree of accuracy and usability but also allows your vendors a chance to provide feedback that may be valuable to your plans or testing process.

Step Four: Document Your Testing

Finally, be sure to document the results of any testing performed, along with any actionable findings from those tests. Following up on these items and incorporating recommendations is the most important process in the BCP testing lifecycle.

Testing, documenting the results of your testing, and implementing processes to improve your BCP are the best ways to strengthen your organization’s response processes.

Resources and Testing Options

Numerous additional resources that your organization may use or participate in to continue maturing your BCP testing program are widely available.

Click the link below for a list of organizations and resources to help you perform such testing on your own organization’s BCP:

https://sbscyber.com/resources/four-steps-to-better-business-continuity-plan-testing

For more information, contact Robb Nielsen at 605-251-7375 or robb.nielsen@sbscyber.com. SBS helps business leaders identify and understand cybersecurity risks to make more informed and proactive business decisions. Learn more at sbscyber.com.