How often should a business continuity plan be tested?
There is no magic number; each organisation must consider this question and adapt the answer to its needs based on several points: the risk exposure of the company's industry, the maturity of the organisation and the type of tests to be carried out. The human factor is also key, as experience and the repetition of regular exercises enable individuals to learn the right reflexes and to be ready in the event of an emergency. Apart from these considerations, the specifics vary from one company to another. Yet, we may give three main recommendations:
- Define a testing schedule with clear objectives, considering the frequency required for each risk: quarterly, semi-annual (twice a year), annual, biennial (every two years), triennial, etc.
- Depending on the test results, the frequency may be modified. Other parameters are involved in these choices, such as the available time, the potential impact of the test on the business and its cost. ISO 22301 certification requires regular tests, the frequency of which is determined by the regulation.
- Your company's risk aversion, or its management, will influence the level of testing in proportion to the resilience to be reinforced, and will often be the ultimate decision-maker in this regard.
Do recovery objectives also influence the frequency of testing?
This is indeed the case. Indicators such as the Recovery Time Objective (RTO), the Recovery Point Objective (RPO), the Maximum Acceptable Outage (MAO) and the Minimum Business Continuity Objective (MBCO) will also determine the frequency of testing. For example, at EBRC, our tests take place at different frequencies depending on the RTO of the different technical IT systems: every year if it is less than 4 hours, every two years if it is between 4 and 24 hours, every three years if it is between 24 and 72 hours, and on an ad hoc basis if it is beyond 72 hours, depending on the incidents that have occurred.
Do risk scenarios only concern IT services?
Absolutely not. Business interruption risks are not limited to IT systems. For example, staff may be unable to enter a production site following a fire, flood or long power cut. At EBRC, we regularly test our back-up solution, which consists of transferring our staff to special areas in one of our data centers. This solution has proven itself effective in a real-life crisis that EBRC suffered. Tried and tested on many occasions, this solution is also a service which we have been offering our clients for many years.
The recent COVID-19 pandemic also enabled us to make our solutions more robust in case of staff unavailability. Our remote working capacity was increased and a plan defined during the H1N1 flu crisis in 2009 enabled our teams to remain operational throughout the lockdown period. If such a health crisis were to occur again in the future, we would be able to react even faster thanks to the experience we gained.
Who are business continuity plan tests intended for?
There are tests for each department or level in the response chain. For example, we hold role-playing exercises with the guards working at our data centers and analyse their ability to react in different situations: a parcel bomb, a fire or a major water leak. We regularly organize evacuation and relocation exercises for our staff. We also periodically involve our technical teams in scenarios where viruses or cyber-attacks directly impact our data centers. The members of the management committee are also prepared through crisis simulation exercises. The frequency of these exercises depends on the level of criticality we defined: once a quarter for the data center guards and technical teams, and once a year for the staff and the management committee.
In addition to the employees, the technical infrastructure is also assessed, with or without the intervention of the technical teams. In the event of a power cut in the data centers, do the back-up facilities take over smoothly? Do the redundancy solutions implemented to cope with a server outage, whether physical or virtual, run normally? Are backup restorations carried out as planned?
How many tests does EBRC perform per year?
Our business continuity plan is spread over three years and undergoes between 40 and 50 tests per year. Over the years, our tests improve as we gain experience in risk management so that we can implement more sophisticated solutions. There are several reasons for this. New threats emerge, such as climate change, which last summer forced several UK data centers to shut down, or shortages of IT components. Our status as a Professional of the Financial Sector (PFS) and the fact that we are ISO 22301 certified - business continuity management system - means that we have to carry out annual tests. Our certifications are maintained by independent auditors. These audits give us the opportunity to identify new improvement areas, enrich our knowledge and raise our level of expertise.
For most of EBRC's service offerings, our motto is "We practice what we preach": a differentiation criterion that sets us apart from companies that purely focus on consulting without user experience.
To conclude, what are the important points to consider when defining the frequency of testing?
I would say there are three main points:
The first involves identifying the requirements for business continuity testing that are defined by industry regulations, accreditations/certifications and customer expectations.
The second is that the frequency is intrinsically linked to the issue of test coverage (what should be tested?). It is important to define what needs to be tested and then deduce a frequency that is both necessary and financially acceptable. To do this, the elements to be taken into consideration are:
- Identifying and prioritising risks
- Identifying and prioritising services and activities
- Identifying the elements of the response chain to be tested (detection, escalation, technical systems, communication, etc.)
- Separating the components of the production chain that need to be individually tested to limit the business impact and those that can be chain tested.
The third is opting for a multi-year approach. The frequency and coverage of tests should be reconsidered each year according to the degree of maturity of the response plans and the tests already carried out.
This yearly review is necessary to reassess the context, the evolution of the risks, the adequacy of the response means, the scenarios, the scopes and the objectives, so that the plan and the frequency of the tests can be updated accordingly.
A short glossary of business continuity terms
BCP (Business Continuity Plan):
A company plan aimed at implementing all the processes, human, material and technological resources to enable the company to remain operational after an unforeseen event.
DRP (Disaster Recovery Plan):
A company plan aimed at implementing all the processes, human, material and technological resources to enable the company to restore its systems and restart as quickly as possible after a disaster.
MAO (Maximum Acceptable Outage):
The time required for the adverse impacts that may result from the non-provision of a product/service or the non-performance of an activity to become unacceptable.
MBCO (Minimum Business Continuity Objective):
The minimum level of services and/or products acceptable to the organisation to meet its business objectives during a disruption.
RPO (Recovery Point Objective):
The point in time to which the information used by a business must be restored to allow it to function upon recovery; in other words, the maximum amount of data loss, measured in time, that the business can tolerate.
RTO (Recovery Time Objective):
The target maximum duration of the restart process, from incident detection to the recovery of the resources, within which a product, service or activity must be resumed.