Business Continuity Planning: Testing, documenting and operationalizing
In Part 13 of our Business Continuity Planning series, we discussed how to design a business recovery strategy. This article will cover the final stages of building a BCP. You will learn:
how to conduct awareness workshops
how to test your recovery strategy
how to document your BCP how to operationalize your BCP
Figure 01: The steps involved in testing, documenting and operationalizing the BCP
Presenting the strategy
Once you have designed the business recovery strategy, you need to present it to the stakeholders of the business continuity program and the members of your BCP organization structure, to get their input. Break up the above recovery strategy stakeholders into focus groups that will participate in awareness and testing workshops. It is not required to formally document the strategy as the official plan at this point, but putting the strategy into a presentation will help you reduce the amount of work you need to do during the documentation stage.
Once you’ve designed your recovery strategy, you should do your best to avoid revisiting and redesigning previous stages of your BCP, such as Business Impact Analysis or Risk Assessment unless you face a scenario where you deem it absolutely necessary, such as your organization’s board deciding to add to the scope of your plan. Usually most of the suggestions you’ll receive during these presentation meetings will be related to manpower requirements, your recovery site, information systems and prioritization of the key business processes. Accept all relevant feedback from your focus groups and when a suggestion isn’t viable, make sure to explain why.
In this meeting you may want to inform participants about the next steps, which are generating awareness, conducting workshops and testing. Provide all BCP stakeholders with the estimated timeline to complete these activities, before operationalizing the plan.
Awareness
Once your entire business continuity strategy has been accepted, it’s time to educate the rest of the organization about it. Refer to your organization’s Training and Awareness plan to determine what materials you will need for your campaign. While there are countless possible awareness tactics that could work, one particularly effective approach is to distribute an infographic over email. Keep things visual and keep the text to a minimum. Below are some of the content we recommend you share and the appropriate group to share it with:
Continue this awareness campaign for the next few weeks, in parallel to the workshops and testing of the strategy.
Conduct workshops
You will have to provide a general in-person (or virtual) awareness session for all of your organization’s staff, broken down into multiple groups. It’s not necessary for every staff member to know all the details of your organization’s recovery strategy. Instead, prepare presentations tailored to each focus group, so that everyone knows their specific role during an incident.
At the end of each workshop, ensure you take attendance and collect participant feedback, so that you can improve your content. This will help you test how much they’ve learned in your sessions.. If it is possible, you could conduct a quick quiz at the end of each workshop and provide a token reward for answering enough questions correctly.
Preparing and testing your recovery strategy
There are many tests and exercises to choose from, and each has different objectives. You can test your staff’s overall knowledge about the recovery strategy with a simple quiz during your awareness workshops.
If you have identified the vendors who support you during an incident, you need to make them aware of your organization’s recovery strategy as well. You could tailor a structured walkthrough for them (refer to the exercise scenarios that we have recommended), if required. However, limit the scope of the testing or education to general information that they need to know, such as:
What will happen when a disaster is declared and the business is moved to the recovery site or remote working
What the announcement will look like and how they would receive it
Whom they should contact and coordinate with, during a disaster
For all of the above groups, and anyone else you would like to further test and educate on your organization's recovery strategy, here are some exercises we recommend:
Structured walkthrough - Develop a few simple scenarios and then outline how the plan would be executed in response. Alternatively, you can go through the critical aspects of the plan, such as the organization structure, initiation processes, priorities, technical support, recovery site and stand down processes. The second option is more high-level and therefore typically more appropriate for your organization’s senior leadership.
Tabletop exercise - Ask the participants to get into groups with people who are part of their team (i.e. have IT staff form one group together and communications staff form another group). Then, outline an incident scenario and ask each group to describe their corresponding roles and responsibilities.
Simulation test - Prepare a scenario modelled after a real disaster that is common to your location. Then explain the scenario and ask the teams to respond. Ensure the appropriate extended teams are present during the simulation. If your test scenario is to test the IT Disaster recovery, then choose a scenario that affects one or two particular IT teams and conduct the exercise to test their knowledge and fill any gaps.
Functional or real time drill - This involves acting out a real response in a fictitious scenario/drill. In this drill variant, the date is announced to staff ahead of time.
Full fledged exercise - This involves designing a real life scenario on a real time basis and then testing them, unannounced, on a particular day. This kind of testing is only recommended after you have used other scenarios to test your strategy for at least two years.
Once you decide on the type of testing you want to execute and the teams that must be involved, it is time to prepare the content. For a real life scenario, you could include videos and images to make it more visually appealing. Again, if your continuity strategy has just been developed, it is not recommended to conduct a full fledged exercise or real time drill. Start with something small and let everyone gain some confidence.
Conduct at least one type of testing with each member of the business continuity organization. You do not have to test every scenario at this time, as this may be overwhelming. Your staff is still learning, so slowly present additional tests. Once the strategy is documented as the Business continuity plan (BCP) and it is operationalized, you can increase the number of scenarios you test in the following year, prior to revising the BCP.
During the testing, observe how each team responds and take notes. Remember that the objective of the testing is to know whether the members have enough awareness and also to find knowledge gaps. It’s better to find gaps at this stage, instead of in a real scenario.
Make changes and document
After each test is complete, analyze the gaps you identified and address them. If the changes are minor, you can describe the change in a steering committee meeting and proceed documenting the plan. If the change is major and it affects all the staff in your organization, you may want to repeat the awareness cycle with everyone.
Once the strategy is tested and accepted as final, it is time to document it. The documenting of the strategy is the Business Continuity Plan. When it comes to documenting the strategy as the official BCP, there is no standard template for everyone. It largely depends on the organization. Pick a template that your organization is very familiar with, such as a crisis management plan or a corporate standard document. Ensure the below sections are documented at a minimum:
Scope of the BCP
Assumptions
Framework used
Scenarios considered
Categorization of the scenario
Classification of the incidents
Organization structure during a disaster
Teams and their responsibilities
Initiation and stand down processes
General guidelines
Activities for the business continuity team based on the events
Recovery tasks that are common to everyone
Departmental recovery tasks
Resource requirements
Sub Plans for the disaster categories
Templates
Appendixes such as definitions
You may have additional sections, depending on your compliance requirements, nature of the business or the volatility of the operating environment. However, if the above sections are well designed and tested, you will be able to regroup after an incident, manage a declared crisis and recover the business.
Closure
After documenting your plan, although it is not a mandatory requirement, you should get it signed by your organization’s directors or appropriate senior leadership. Once this has been done, let all your staff know that the business continuity plan has been approved.
Generally, things such as duration and the process to update contacts, maintenance of the plans, yearly awareness and testing should be part of the overall Business continuity management system — we will cover this in a future series. Hand over the plan to the respective owners and close the program with the relevant documentation, as per the program management framework you follow.
Conclusion
Once you have designed your business continuity strategy in collaboration with the many members of your organization, present it to stakeholders like the board of directors or steering committee for a final review. Make changes based on their feedback and kick off your training and awareness for the different stakeholder groups. Once you have educated them about the BCPe, test the plan using one of the simplest testing techniques we have discussed. Finally, document the latest strategy, present it to the directors (or an appropriate executive) and get their approval. Once the plan has been approved, you can hand it over to the operational team and close the business continuity program.