Yes, I was able to check the box on my audit that asked if we have a Business Continuity Plan (BCP). I was even able to say it was approved by our Board within the past 12 months. My compliance checklist is clean, but how do I know if the plan will really help during a disaster?
This is a question posed by many. An enormous amount of time and energy is spent conducting a business impact analysis and documenting MTD, RTO, and RPO, but how can you know if it will all be worth the effort in a crisis? Is the plan just for a compliance checklist or can it actually be useful during a business disruption?
Let's examine three ways you can analyze and evaluate your plan to ensure it is ready during a disaster.
Ensure a robust exercise and testing plan is in place
A strong, functional BCP should have a robust testing plan. An exercise and test plan is a critical way to evaluate the effectiveness of an organization's BCP, and it can help identify deficiencies that may exist.
A mature exercise and testing plan will consist of a variety of methods, including:
- Full-Scale Exercise.
  - This is sometimes called a "full interruption" or "comprehensive" exercise. The goal of this exercise is to determine if full recovery of people, processes, and technology can occur. For example, a full-scale exercise might simulate the complete loss of a primary facility or datacenter. This is the most comprehensive type of exercise.
- Limited-Scale Exercise.
  - Limited-scale exercises are much like a full-scale exercise; however, they focus on a specific application, department, or business process. While these types of exercises are easier to coordinate than full-scale exercises, they cannot offer the same level of evaluation due to limited participation and scope.
- Tabletop Exercise.
  - A tabletop exercise is sometimes also referred to as a "structured walk-through" test. This type of exercise involves gathering a group of individuals together to review and discuss the plan. In many cases, the discussion revolves around roles, responsibilities, and processes specific to an adverse event occurring. This kind of simulation is effective in evaluating plan effectiveness and training relevant personnel.
- Management can use a variety of functional tests to verify system resilience and evaluate stated recovery objectives. For example, you may schedule regular tests of your backup and recovery of key systems to ensure backups are functioning as expected and you can recover the system within the stated RTO. Testing methodologies and frequencies should align with the size, complexity, and risk associated with the organization and are a critical part of an overall testing strategy.
Confirm employees are trained on the BCP
Your organization may have spent an enormous amount of time and energy to develop an excellent BCP, but if employees do not know where to find the plan, how to use the plan, or your expectations for them, then the plan will be useless during a disaster. It is imperative for training to be included as an integral part of business continuity.
A strong training program will include a variety of instructive activities tailored to each target audience to address the specific needs of that audience. For example, the Board will not need the same level of detail in training as frontline employees. Cross-training is important for key functions to ensure gaps do not exist in the event of absenteeism or operational disruptions. Training can be integrated into the exercise and testing plan through activities such as tabletop exercises and tests. When possible, it is also important to include critical third parties in training to ensure they are aware of the organization's plans and expectations.
Verify emergency checklists or scenario recoveries are documented
While it is impossible to foresee all adverse actions or disasters, it is prudent to prepare for all reasonably foreseeable events. To that end, emergency or recovery checklists should be developed with predefined foreseeable events in mind. These checklists should be clear, concise, and easy to implement in an emergency. They should guide the reader step-by-step on what to do, how to do it, and who is responsible. In many cases, these short checklists can include references to other areas of the BCP with additional descriptive details or procedures.
As a manager, you can review your risk assessment to determine what reasonably foreseeable threats your organization is facing and determine if there are appropriate checklists or procedures in your BCP to address these potential events.
How can Tandem Business Continuity Plan software help?
Tandem BCP software is an online solution designed to help organizations develop and maintain their business continuity plan. Tandem comes complete with the ability to conduct a business impact analysis, develop business process recovery plans, define preparedness controls, construct emergency checklists, send employee alert messages, and test the plan. The solution gives users a strong start with a template, checklists, controls, test scenarios, and more. To learn more, visit https://conetrix.com/tandem/business-continuity-planning-and-disaster-recovery-software.