Once you have established your business-continuity requirements and put in place plans, facilities, and a framework of resilience to defend the organisation against disruptions and incidents, these need to be proven and kept current as the organisation changes. This is the hardest aspect of most business-continuity programmes and where most organisations fail to protect their investment in establishing this level of organisation protection.
Exercising (or testing) plans and facilities is essential to ensure they meet the organisation's requirements and that they work as intended. Therefore, exercises should be conducted on a regular basis (at least annually) and should be based upon realistic scenarios, incidents, and disruptions. The main benefits and reasons for exercising include:
- Validation of business-continuity plans;
- Provision of education and training and increasing awareness amongst those who have business-continuity roles and responsibilities;
- Confirmation that the required RTOs and RPOs can be achieved;
- Identification of preparation or resilience aspects that require enhancement or improvement (due to changes in facilities, technology, information, or communication links);
- Provision of reassurance that the plans and facilities work as intended and demonstrate resilience or recovery capability.
There are international standards (such as ISO 22398) that provide guidance on conducting exercises and tests. However, prior to conducting any exercise, it is important for the organisation to consider aspects such as the cost of the exercise, any potential disruption to normal activities, any risks that the exercise may introduce to the organisation, and the type of exercise that should be conducted (desktop check, simulation, unit or system test, partial rehearsal, or full rehearsal). The simplest process follows the Plan Do Check Act (PDCA) model:
- Plan: The scope is defined, resources are identified, risks are evaluated, and the exercise is scheduled and communicated in preparation.
- Do: The exercise is conducted in accordance with the plan, preferably with independent evaluation, and notes are taken on timing and on any issues that arise or observations that are made, to assist improvements.
- Check: The results of the exercise are reviewed and checked to ensure business-continuity, RTO/RPO, and resilience requirements were met; follow-up actions are identified; and an exercise report is produced.
- Act: The actions from the exercise are followed up, tracked, and validated to ensure they have been addressed, and any issues or risks identified are also addressed.
An important part of conducting exercises is to ensure the right people are involved and that there is suitable business engagement to plan and conduct the exercises.
For IT disaster recovery tests, this action is vital since any testing may introduce risks to production systems, and recovery should be validated and verified by the business to ensure it provides the required functionality and data in the required timeframe. Ensuring exercises are conducted correctly and at the right frequency will help ensure the business-continuity environment requires minimal amendments, configuration, and purchases upon invocation and therefore avoids delays upon invocation.
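The "Check" step above compares the timings noted during the exercise against the agreed RTOs and RPOs. The following script is an added illustration, not part of the article: it takes constructed timing notes from a hypothetical DR test (system names, targets, and timestamps are all invented), works out the achieved RTO and RPO per system, and lists the follow-up actions that would go into the exercise report.

```python
from datetime import datetime, timedelta

# Constructed data for illustration: agreed RTO/RPO targets per system.
TARGETS = {
    "order-db":   {"rto": timedelta(hours=4), "rpo": timedelta(minutes=15)},
    "web-front":  {"rto": timedelta(hours=2), "rpo": timedelta(hours=1)},
    "file-share": {"rto": timedelta(hours=8), "rpo": timedelta(hours=24)},
}

# Constructed timing notes taken during the exercise ("Do" step):
# (system, invocation declared, service restored, newest data point recovered)
EXERCISE_NOTES = [
    ("order-db",   "2024-03-10 09:00", "2024-03-10 12:10", "2024-03-10 08:30"),
    ("web-front",  "2024-03-10 09:00", "2024-03-10 11:45", "2024-03-10 08:55"),
    ("file-share", "2024-03-10 09:00", "2024-03-10 16:00", "2024-03-09 12:00"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def evaluate_exercise(notes, targets):
    """'Check' step: achieved RTO/RPO per system, whether each target was met,
    and the follow-up actions to carry into the exercise report."""
    results = {}
    for system, invoked, restored, data_point in notes:
        # Achieved RTO: from declaring invocation to the service being usable.
        achieved_rto = _ts(restored) - _ts(invoked)
        # Achieved RPO: data lost, measured from the newest recovered data point
        # to the invocation time (assumes invocation marks the disruption).
        achieved_rpo = _ts(invoked) - _ts(data_point)
        target = targets[system]
        actions = []
        if achieved_rto > target["rto"]:
            actions.append(f"RTO missed by {achieved_rto - target['rto']}: "
                           "review recovery procedure and resourcing")
        if achieved_rpo > target["rpo"]:
            actions.append(f"RPO missed by {achieved_rpo - target['rpo']}: "
                           "review backup/replication frequency")
        results[system] = {
            "achieved_rto": achieved_rto, "achieved_rpo": achieved_rpo,
            "rto_met": achieved_rto <= target["rto"],
            "rpo_met": achieved_rpo <= target["rpo"],
            "actions": actions,
        }
    return results


def exercise_passed(results):
    """True only if every system met both its RTO and its RPO."""
    return all(r["rto_met"] and r["rpo_met"] for r in results.values())
```

Each entry in `actions` is an item for the "Act" step; an exercise with any such item should not be reported as a pass.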
Organisations constantly change, whether it is people, technology, processes, or products and services. Therefore, business-continuity information, plans, and facilities also need to be changed (to ensure they remain current). Any change within the organisation should be assessed and evaluated to identify whether it affects the organisation's ability to continue or recover.
Often, organisations do not realise that by changing business priorities or implementing business strategies (e.g., introducing new products or services, or implementing projects to improve performance and processes or to reduce costs) they may alter the business impact analysis, continuity requirements, and RTOs/RPOs, since dependencies and priorities within the organisation may change, thereby invalidating the business-continuity facilities, plans, and capabilities that have been implemented.
Therefore, the easiest and best method for ensuring continued capability for business continuity and resilience is by including a business-continuity impact evaluation as part of any change. This requires strict change-control and change-management processes within the organisation, whereby all changes are recorded and evaluated, and the change processes are strictly followed.
This should include all projects, programs, and strategic initiatives and will then also help to identify the true cost of these, rather than identifying additional (separate) business-continuity costs later.
In addition to maintenance and review as part of a strict change process, organisations should also regularly review (at least annually) business-continuity information, plans, and facilities to ensure these remain current. Organisations should review these as a matter of course after conducting exercises. It is very easy for information such as staff telephone numbers and supplier contact details to get outdated very quickly.
Conducting a review of your organisation's business-continuity arrangements is essential to ensure it has been implemented correctly and appropriately. There are two kinds of reviews that can be conducted: assessments or audits.
Audits: An audit verifies that the business-continuity process has been followed correctly but will not check whether the solutions adopted are necessarily the correct ones. Audits can be conducted internally or externally.
Assessments: An assessment reviews the process to ensure it has been defined and adopted correctly, that it has been applied in an appropriate way within the organisation, and (typically) that the solutions adopted and implemented meet the requirements identified. Self-assessments can be conducted if the necessary skilled, experienced, and qualified people exist internally, or assessments can be conducted by an independent business-continuity professional (recommended).
Audits and assessments should be conducted against recognised industry practices and, if appropriate, industry standards. They usually ensure that:
- The business-continuity policy is defined and contains sufficient and appropriate detail;
- The business-continuity policy is being implemented;
- Sufficient resources and an appropriate budget have been allocated for implementation and ongoing management;
- Appropriate business impacts, recovery requirements, and strategies have been identified;
- Risks have been identified and recorded and are being addressed;
- All processes, products, and services have been considered and assessed;
- The right (defined) facilities, technologies, and information are available in the required timeframe upon invocation;
- Plans, facilities, and technology for recovery are being maintained in line with changes in the organisation;
- Roles and responsibilities have been communicated and are being discharged;
- Suitable monitoring processes and measurements are in place, such as key performance indicators;
- Suitable mechanisms are in place to identify/report incidents and invoke business-continuity arrangements;
- Appropriate business-continuity governance and reporting are in place and involve the right people.
*The author, who has over twenty-five years' experience in business continuity, information security and risk management, is the General Manager of Al Mamlakah Services United LLC. This article is the eighth in a series of 10 weekly articles on aspects of business continuity, which will be carried in Monday's edition of Times of Oman.