Testing, Testing, Testing..




The adage that "No campaign plan survives first contact with the enemy" is all too true; yet apart from not even bothering to plan in the first place, the biggest mistake a business can make is not testing whether or not their plan will even work. After all, there's many a slip 'twixt the cup and the lip, and it's making the shot when it counts that remains the single most important factor when deciding outcomes of force majeure events. Testing and exercising of business continuity plans are not optional extras: they are both crucial elements that make the difference between success and failure; between hitting recovery time objectives and missing them.

There have been a whole range of surveys and reports about testing BCPs and, depending on which one you read, up to 90% of businesses never fully test their plans or, for that matter, believe that testing should be part of normal business practice.

Before looking at why that might be, let's examine why you should test. The goal is to ensure that your BCP works when it's needed, with the main objectives being identifying weaknesses and shortcomings, verifying procedures, checking the adequacy of your emergency management location (EML) and workplace recovery sites, and establishing whether you hit your recovery time objectives and whether your IT and telecoms failovers kick in as planned. In addition, you'll want to see how your crisis management team operates under pressure.

So how much should you exercise?

Exercises can be simple or complex, ranging from a table-top exercise to establish a plan performance baseline all the way through to snap scenario-based simulations where only the top team know in advance what's going to happen. A specialised exercise, such as one which focuses on crisis management procedures at an EML, provides valuable information about specific activities. At a higher level, an integrated exercise can address multiple business continuity plans or plan components. Finally, an entire plan, with all components, can be exercised. It is far better to err on the side of exercising too much, rather than not enough. In overall terms, your BCP should be exercised at least annually.

Managing human resources

Clearly, exercises are important for validating team member expertise and identifying training opportunities; yet they present particular human resource issues, especially if those nominated to be on the crisis management team are unfamiliar with the kind of pressures often present during a major disruption. Extended exercises present their own problems; people could refuse to work overnight or at weekends, or not want to be away from home for even a few days. One point to watch out for is that your current employment contracts may not provide for employees having to work from an alternative location, which could be a serious problem if you have to invoke your BCP for real.

Effective exercise strategies

You should remember that no matter how often you exercise your BCP, when reality strikes, your response capability could be much different from that seen in the exercises. With that in mind, key strategies for exercising include starting simple; involving vendors and stakeholders in exercises; making objectives increasingly difficult to achieve; and launching surprise exercises.

When launching an exercise program, start with plan reviews and table-top exercises. This will help staff get comfortable with the process. As they improve, increase the level of complexity. Don't worry about an exercise failing. It is far better to identify systems and procedures that may fail, and rectify them, before a real incident occurs. Finally, a true test is to launch a surprise incident. This will truly test how well prepared the organisation is to address a real incident.

Exercise types

In broad terms, there are three types of exercise: plan review, table-top, and simulation.

Plan Review

In a plan review, the BCP owner and crisis management team discuss the Plan itself. They look for missing elements and inconsistencies within it and the organisation. This type of exercise is comparable to plan auditing, and is useful to train new members of a team, including business function owners.

Table-Top

Here, participants gather in a room to execute documented BCP activities in a stress-free environment. Table-top exercises can effectively demonstrate whether team members know their duties in an emergency and whether they need training. As with a plan review, table-top exercises can throw up documentation errors, missing information and inconsistencies.

Simulation

The best way to determine if business continuity management procedures and resources work in a realistic situation is to carry out as realistic a scenario-based simulation as you can. For example, an exercise that simulates an executive kidnap or threat against their family, employees or similar involving the emergency services, is a highly effective way of finding out how well people perform. Of course, it doesn't have to be as extreme as that; simulating a bomb scare, product recall, transport infrastructure or IT/telecoms failure can be just as effective.
A simulation involving established business continuity resources, such as the recovery site, backup equipment, services from recovery vendors and transportation, sending teams to alternate sites to restart technology as well as business functions, will undoubtedly uncover errors, omissions, missing or insufficient resources, incomplete coverage, and limited vendor capabilities; thus giving you a chance to iron out the wrinkles before you have to use your BCP for real.

What is a successful exercise?

The primary reason to exercise is to identify limitations within your BCP. Remember that most organisations change frequently, and even mature business continuity plans may be inappropriate in a given situation or at a given time. Exercises that appear to be successful and uncover no problem should be suspect; maybe the objectives were too easy or the situation was unrealistic. Exercises present opportunities to fix problems before a disaster happens and represent your chance to push your business continuity plans increasingly closer to the reality of a disaster.

So why don't people test?

Cost: There may be a view that time taken up in business continuity testing and exercising is unproductive time and therefore an unnecessary cost that can be avoided. There may also be reluctance to invest in external consultants to help facilitate tests.

Administrative: Getting busy executives and managers to commit their time is a difficulty in its own right; but getting all the required participants to agree on a convenient time and date can be an administrative nightmare.

Lack of top-management buy in: If top-managers view business continuity as a box-ticking exercise, or if they simply don't fully understand the importance of a fully tested and well exercised BCP, then senior management will probably not provide the arm-twisting support that business continuity managers need to get tests off the ground.

Inadequate regulations: Many regulations stipulate that compliance requires a business continuity plan to be in existence, but all too often they don't include proof of testing and exercising activities.

Fear of failure: One of the points of business continuity tests is to discover weak areas in plans and strategies. However, if an organisation has a blame culture then it may be perceived that the business continuity manager has failed because the plan is shown not to be perfect; and who would want to place themselves under such a harsh spotlight?

For further advice, help or to request our free testing scenarios, please contact us:
Visit: www.aicontrolpoint.com
Call: 0844 579 0841
Email: info@aicontrolpoint.com