Does your business continuity plan actually work?

All organisations need a Business Continuity Plan to ensure that if the worst happens (or even something slightly bad) there are clear steps to take to get operations back up and running as quickly as possible.

We’ve worked with a number of companies that have developed their own business continuity plans but have never tested them. When asked, ‘Does your business continuity plan work?’, they’re not 100% sure.

Other business owners are certain that the disaster recovery plans they’ve put in place are up to the job. However, when asked when those plans were last reviewed, and what has changed in the business since then, they begin to question whether they really are as resilient as they thought. Technology is driving rapid change in businesses today, so disaster recovery and business continuity plans need to be aligned and updated regularly.

How to prove your business continuity plan works

The only way to prove your BCP works is to test it. This may cause a bit of aggravation but just like fire drills, you can only be sure everything works if you test it. There are various ways to test your business continuity and disaster recovery plans, starting with a plan review that looks at the documents themselves, progressing to a tabletop test where all key team members walk through the plan together, and finally the ultimate test – a disaster simulation.

In all cases it is necessary to prepare for common disasters that might affect your business. Top threats to business continuity identified by the Business Continuity Institute (BCI), in association with the British Standards Institution (BSI), include:

  1. Unplanned IT and telecom outages
  2. Cyber attack
  3. Data breach
  4. Adverse weather
  5. Interruption to utility supply
  6. Fire
  7. Security incident
  8. Health & safety incident
  9. Act of terrorism
  10. New laws or regulations

Your disaster recovery response may be the same for some or all of the threats above; however, it is important to ensure that each threat is addressed at the planning stage. If the response to a specific threat is different to that of another, it will be necessary to have procedures in place for that eventuality – and test them.

Our advice is to do the following:

Quarterly: Conduct a plan review with key members of staff who have a role to play in the business continuity plan. Make sure any new members of the team have received training. Look to see whether there are ways the plan can be improved. Address any changes either to the business or the threat landscape.

Two to three times a year: Conduct a tabletop test using a specific threat to role-play the execution of your business continuity plan with key members of staff. Use this test to identify inconsistencies and errors in the plan, and to help find better ways of executing the plan.

Once a year: Simulate a disaster scenario and include all relevant employees in this BCP test. This may include business leaders, partners, vendors, management and staff. Look at test data recovery, staff safety, asset management, leadership response, relocation protocols and loss recovery procedures.

All year round: Keep communicating the importance of your business continuity plan to all members of staff, and ensure participation in reviews and testing.

By Bruce Penson, managing director, Pro Drive IT