NOVEMBER 2024 | CIOAPPLICATIONS.COM

· Validate that business and IT recovery procedures are sufficient.
· Assess the capability of recovery team members.
· Identify improvements to the plan.

Challenges
· Without testing, BCM leaders will not have sufficient knowledge to develop strategies.
· Priority of primary job functions trumps the availability of resources to test.
· Lack of leadership support for time, resources, and budget.

WHAT TO TEST

You are typically testing a plan, such as a Business Continuity Plan, Crisis Management Plan, Supplier Contingency Plan, a Disaster Recovery Plan, etc.

Test Types
· BCP/Recovery plans.
· Emergency Evacuation.
· Emergency Notification.
· Work Area/Alternate Site.
· Crisis Management.
· IT Disaster Recovery.

Test Methods
· Walk-through: Assesses the viability of any type of recovery plan. A plan review is done internally with the plan author and stakeholders.
· Tabletop: One or multiple recovery teams review plans. These exercises are facilitated and include outage scenarios.
· Component: Evaluates the ability to recover one or more components of a recovery strategy.
· Functional Rehearsal: This type exercises all parts of a plan and may include recovery tasks, crisis communication, leadership response, and relocation.
· Cutover: Moves operations from production to recovery for an extended period of time, ranging from weeks to months.

Scenarios
Scenarios are a great way to set expectations up front and identify what you are testing so everyone is on the same page. You can find scenarios everywhere: look at current headlines, past experiences and the outcome of risk assessments. However, the outcome of risk assessment scenarios should be realistic, or you risk test participants not taking the test seriously.

TEST CHECKLIST

There are several items to plan in advance, often documented in a Test Plan, as well as steps to take after the test. These include:

Prior to the Test
· Establish the exercise format.
· Determine the duration required based on the type of exercise.
· Identify success criteria and evaluation metrics.
· Create an issues log and record action items or issues during the exercise.
· Develop script templates and complete them during the exercise.
· Identify the roles participating in the exercise. This will vary, but you almost always need:
  · Scribe: someone to take notes and write post-exercise tasks and minutes.
  · Observer(s): helpful to get independent feedback.

After the Test
· Collect all exercise scripts from the participants.
· Collect all notes from the scribe/observer.
· Gather feedback from the exercise participants.
· Host a 'post-mortem' session with all stakeholders.
· Identify training opportunities resulting from lessons learned.
· Write a post-exercise report within three weeks.
· Update recovery plans with any changes or contingencies identified.

Post-exercise reports are a good way to show your auditors and regulators evidence that you are testing your plans. Additionally, these reports provide senior leaders with insights into how prepared your team is or isn't in the event of an incident.

If you have never conducted tests and exercises before, start small with a tabletop exercise of a Business Continuity Plan with a few scenarios. In this way you will know if your Business Continuity Plan is solid or needs to be updated. As your program matures, tests should increase in complexity and scope. The more mature an organization is in its exercise management practices, the greater its success in recovering from a disaster.