Testing Business Continuity Plans – Do You Do Enough?
Many more companies have come to realize that the development and implementation of a Business Continuity Program is now a good business practice. The existence of this program gives the executives, the staff, the Board of Directors and shareholders a feeling of confidence in the effective and quick recovery of the business operations in the event of a disaster.
Every year the plan gets that Auditor’s tick mark, and people point to the report and say that they are covered should a disaster occur. And every year the plan gets put back into the binder and put back on the shelf, only to be dusted off next year.
So could you really recover using your plan documentation?
Do you know what is in your plan? Has your plan been updated with all of the technology and business changes that have occurred this year? Has it been tested? An untested plan is not any better than not having a plan. If the plan has not been kept up to date, then it is best left in the binder during a disaster, because it will only hinder your recovery, not help it take place.
Testing can be passive for business plans and crisis management plans and active for technology recovery plans. You need to implement a comprehensive testing program for all of your company’s recovery plans. Each test should have objectives, the results should be documented, and any discrepancies between expectations and actual results should be addressed.
No finger pointing is allowed. Take an objective look at why the plan did not work as expected. Was a critical update missed? Were the objectives set too high for the level of experience of your test team and testing program? There is no sense in trying to recover your complete company during the first or second exercise. You need to take small gradual steps to develop your team’s confidence in their capability to properly execute the instructions in the plan. Too fast and they will become disheartened; too slow and they will become bored.
Once you have implemented your testing program and your team has gained confidence in their capability, you can start to set harder-to-reach goals.
Along with the testing program, you also need to implement a proper maintenance program for the plan documents. Only once you have put these programs in place can you and those people who rely on your company be sure that the company could be recovered quickly and fully after a disaster event.