Insights

Filter by Category
Filter by Category

Put Your Business Continuity Plan to the Test

Most organizations have a Business Continuity Plan (BCP) in place to address planned procedures in the wake of man-made or natural disasters.  But having a documented plan is only a piece of the overall puzzle.  The bigger question is, “How will your business perform when a disaster does strike, and how can you prepare and test this response?”  Consider the following:

  • When a cable fire blazed under the pavement in London's Kingsway in April 2015, several businesses lost gas, electric and broadband services.  According to the London Chamber of Commerce, 5,000 employees had to evacuate their offices, and more than half experienced disruption for several days.  The estimated cost to London's economy was £40 million.
  • A recent study by CenturyLink revealed that, on average, businesses lose $84,000 an hour during a power or service outage.  
  • In fact, power failures accounted for nearly half of the declared disasters reported in a recent survey.  The key is to ensure this type of unforeseeable minor event does not escalate into major business disruption and lost revenue

 

So, how should an organization manage their Business Continuity Plan? What considerations are needed in order to ensure an organization has thought through all critical business process work streams, important data, and just as important, organizational buy-in?

1. Executive Sponsorship- Leadership buy-in is integral to the success of any Business Continuity Plan.  This doesn’t mean they need to write the plan, but the board and senior management should do the following:
  • Allocate sufficient resources to develop and test the BCP
  • Ensure critical business areas (including IT, cybersecurity, finance, etc.) have sufficient protocols that align with strategic objectives of their organization
  • Review BCP test results
  • Review and approve the overall BCP annually
  • Ensure that the BCP is maintained and employees are trained and aware of their roles in its implementation.

 

2. Employee Awareness- Training, live and scenario based events are all effective ways to communicate important Business Continuity Plan materials to ensure staff are knowledgeable and prepared.  An excellent way to increase employee awareness is to conduct Tabletop Exercises, whereby BCP procedures and protocols are tested in a collaborative discussion-based session situated around a particular realistic disaster scenario.  These learning-based exercises are meant to drive the conversation and gain insights from key business areas in order to further hone the BCP. 


3. Tabletop Exercise Considerations

  • First, the organization should select a realistic scenario that is appropriately scoped to their organization and objectives. It is a good idea for an organization in its first year of exercising their plan to consider taking a measured approach over time, increasing complexity as they mature.  
  • Next, they should consider establishing their success criteria. What does it mean for the exercise to be a success?  (i.e., 100% success rate, meaningful discussion, completion of all protocols, etc.). Consider that an organization testing their plan for the first time may want to gradually increase expectations in subsequent exercises.
  • Another key step is to conduct a Gap Analysisof the existing plan(s).  Mapping each step in the Business Continuity Plan to the disaster scenario is a great way to determine if there are any missing or misaligned elements within the existing plan(s). The team can either decide to update the plan or include the needed updates upon conclusion of the exercise.
  • Once the gap analysis is complete, a Test Plan can be a valuable document to map the BCP documentation to the scenario, as well as track responses, issues, feedback and necessary updates throughout the BCP tabletop exercise.  
  • Guided Materials for Collaborative Discussion may be drafted, which should tailor the BCP documentation and disaster scenario to the timeline, attendees, and objectives and include some critical questions and visuals to aid in discussion.  Depending on the organization's culture, the guided materials can contain humor, statistics, visuals, comics as well as other enhancements to make them user friendly.  Scripted guides may also be valuable to an organization going through their first exercise as a group.  
  • Facilitated Sessions are important for tabletop exercises as a facilitator guides participants through the exercise.  This person can be an internal stakeholder, as part of the BCP, or a consultant.  Business Continuity Plan consultants can utilize their experience and leading practices learned while supporting other leading organizations in order to enhance existing plans and exercises and assisting with lessons learned.  
  • Finally, a Debrief or Hot Wash is a leading practice for BCP tabletop exercises to request feedback, consensus and any additional thoughts, ideas or concerns that were not captured as part of the session.  Questions may include:
    • What are the strengths/weaknesses of the existing Business Continuity Plan?
    • What updates might be needed to the BCP document?
    • What did you gain from the exercise?
    • How can we improve future exercises and tests?

 

4. Lessons Learned– Information gathered during the BCP and tabletop exercise enhances an organization’s ability to improve their plans, knowledge and overall emergency preparedness.  Now that the gap analysis exists, and the BCP review and tabletop exercise are complete, the lessons learned should be compiled and assessed by the team for inclusion in future versions of the BCP.

 

5. Update the BCP- Gather information and feedback from the previous steps and update the plan with stakeholder buy-in.  It is also a good time to consider objectives for follow-on tabletop exercises.

It is not enough to simply have a Business Continuity Plan.  Given the impact and high cost of downtime, it is essential that organizations are prepared for longer outages and wider-ranging impacts.  Not only should your organization maintain their Business Continuity Plan, but they should consider collaborative tabletop exercises on a recurring basis to ensure that business areas and key processes are adequately prepared for a disaster. 

Learn More about Protecting Your Business

Commercial Real Estate Lending – How to Stay Prudent
Beyond the 5-Steps: A Comprehensive Look at Implementing the New Revenue Recognition Guidance - Part 2

About Author

Cameron Over
Cameron Over

Cameron has approximately 15 years of experience leading organizations through cybersecurity technical and regulatory compliance requirements. She has led many cybersecurity technical and regulatory projects for both federal and commercial clients, assisting them in the secure configuration, network monitoring, design, and remediation of their most trusted information systems. Cameron is a Certified Information Systems Security Professional (CISSP). Click here to read Cameron's full bio.

Related Posts
Why non-public companies need a strong internal control environment
Why non-public companies need a strong internal control environment
Innovate with Your Head in The Clouds: Balancing Cloud Risk with Innovation
Innovate with Your Head in The Clouds: Balancing Cloud Risk with Innovation
Why Details Matter When Internal Audit Assesses Corporate Culture
Why Details Matter When Internal Audit Assesses Corporate Culture

Comment