
Strengthen a business continuity plan with testing exercises

Conduct a business continuity exercise to better understand your organization's BC plan. After the exercise, use our free after-action report template to review how it went.

Discussion, creativity and validation make business continuity initiatives stronger. When IT teams run exercises to test a business continuity plan, they learn firsthand what works and what does not.

Business continuity exercises enable organizations to stress-test and validate procedures under real-world circumstances. Exercise teams might comprise IT employees experienced in business continuity and disaster recovery (BCDR) as well as business unit representatives, so a BC exercise can also help clearly define roles and responsibilities before a disruption occurs.

Depending on the departments involved, a business continuity exercise can occur partly in a conference room and partly in a data center. However, organizations can run several types of exercises, so the process will look different based on the business size and what it is trying to accomplish.

Download our free after-action report template for future BC exercises.

No matter the type of exercise, this kind of plan testing enables organizations to field questions from the involved personnel, better preparing them to contribute when an actual outage occurs.

Learn more about the types of business continuity exercises organizations might run, the benefits of these exercises and tips on getting the most out of them. After conducting an exercise, it's critical to gauge its efficacy. Fill out the included after-action report template to summarize an exercise and use that feedback to plan future tests.

Business continuity exercise types

Business continuity exercises are designed to make sure that the procedures outlined in a BC plan will work when needed.

While organizations can run some of these exercises with a single department or team, more complex plans require multiple teams to execute the exercise. When different departments participate, each team can focus on the responsibilities of various parts of the organization.

For example, an organization might run an exercise where a business-focused team works with a technology team. The business team needs to recover specific business processes and partners with the technology team to be sure that the necessary resources are in place.

There are three typical business continuity exercise types an organization might use: BC plan walk-through, facilitated discussion and full-scale exercise.

1. Business continuity plan walk-through

This exercise is usually conducted in a conference room, making it a type of tabletop exercise. In a plan walk-through, each participant has a copy of the organization's BC plan. A facilitator within the organization presents a scenario to the group, and the participants work together using the plan to mitigate the situation.

2. Facilitated discussion

Similar to a walk-through, this type of test is also run in a conference room environment. A nonemployee third party, such as a consultant, facilitates the complete exercise. The consultant shares their insights with the participants after the exercise, and either prepares or contributes to the exercise after-action report.

3. Full-scale exercise

This type of exercise goes beyond a conference room environment and initiates a real-world test. For example, the team might be given a scenario where an important server is unplugged. Team members must collaborate to locate the problem and launch procedures to recover or replace the failed server, reinstate the systems running on it, and restore it to production status. Full-scale exercises require significant time and input from multiple departments, so they are the most effective, but also the most difficult, exercises to run.

Benefits of business continuity exercises

In addition to verifying that BC procedures and activities work as needed, running test exercises has several benefits. BC exercises provide hands-on experience for participants, encourage discussion and information sharing among different teams, and create an opportunity to identify and validate vulnerabilities, all while encouraging creative fixes to different scenarios.

Important considerations when planning exercises

Regardless of the type of exercise an organization runs, careful planning and execution are essential. Selection of the exercise participants is also critical so that the most knowledgeable people are present.

The following are additional considerations to keep in mind when planning an exercise.

Remote or hybrid workforces

Employees should be able to participate on-site or remotely. Conference technology helps make sure that all parties in a hybrid work model can interact and collaborate. For participants working remotely, such as from home, procedures for the exercise must consider the effect of remote users on enacting the plan -- especially those working in a different time zone or country.

Exercises that address work-from-home disruptions will need a different mix of local and remote employees. Someone from the IT remote access team should be invited to the exercise, especially if it addresses a loss of remote connectivity.

When running exercises for remote offices, plan to test backup power systems, remote connectivity and the availability of another office to serve as a backup location for the affected office's staff.

Participation and scope

Inviting the right participants is a key consideration. Be sure that all the necessary departments are represented when choosing participants in an exercise.

Assign someone as a timekeeper and scribe, tracking the time for each part of the exercise and keeping notes of what happened at specific times. Documenting exercises is an important audit activity.

Determine specifically what the group will be working on. Is the exercise running through the full plan or specific sections of a plan, such as incident response procedures, technologies and cloud services? These factors will indicate not only how long the exercise should take, but also which parties must be present.

Scheduling

Consider scheduling BC exercises with other BCDR and resilience activities, such as DR plan updating, emergency team training, policy reviews and audits, business impact analyses, risk assessments and awareness programs. This will ensure consistency across interrelated processes and strategies.

Secure a location to conduct the exercise away from possible interruptions. Encourage exercise participants to turn off their mobile devices if possible so that they can concentrate on the exercise. Try to conduct the exercise away from the participants' offices and schedule the exercise outside normal work hours. In real life, disasters do not operate on a schedule, so it might make sense for some organizations to consider a surprise exercise.

Standards and good practices for BC exercising

Before embarking on a BC exercise, it can help to review guidance documents addressing the challenges of testing and exercising. The following is a partial list of relevant standards and guidance for running BC exercises:

  • ISO 22398:2013 -- Societal security -- Guidelines for exercises.
  • NIST SP 800-84:2006 -- Guide to Test, Training and Exercise Programs for IT Plans and Capabilities.
  • Federal Financial Institutions Examination Council's Business Continuity Management.
  • Homeland Security Exercise and Evaluation Program.
  • National Incident Management System Fact Sheet for Private Sector Organizations.
  • Business Continuity Institute's Good Practice Guidelines.

Preparing an after-action report

Documenting an exercise is an important audit activity. Sometimes referred to as a "hotwash" or debrief, an after-action report enables organizations to determine how effective the exercise was and identify areas of improvement.

The included report template covers several aspects of a BC exercise, including the scenario, goals, participants, methodology and findings. After conducting a business continuity exercise, use this template to decide if the test was a success and help determine next steps in the business continuity planning process.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
