If You’re Not Testing, You’re Planning for Failure

Test Exercises

The daily task of running an organization requires the continual focus of those who are responsible. The responsibility and accountability for the strategic risk planning required to address current events and to analyze the threats and vulnerabilities of the future sits squarely on the shoulders of the senior executives and the board of directors. Knowing what these exposures are and how to manage them is critical. Having an actionable, up-to-date Business Continuity Plan, which includes a Crisis Management Plan, Communications Plan, Security Plan, and Communicable Illness/Pandemic Plan, will empower management to exceed expectations in the time of a crisis.

Plans cannot be expected to work properly unless they have been tested prior to their actual implementation in an emergency. Practicing emergency response helps assure that the response can proceed predictably during a crisis or disaster. Everyone has a role in a crisis. Some are strategic. Some are tactical. How decisions are made in a crisis is critical to the outcome. For this reason, the success of any Emergency or Continuity Plan depends upon its routine testing, audits and updates.

Why Test?

By test exercising plans and their procedures, problems or weaknesses can be identified and used to stimulate necessary and appropriate changes. Errors committed and experience gained during testing will provide valuable insights and lessons learned that can be factored into the planning/updating process. Test exercises serve several purposes. They:

• Allow management to use and assess plans and procedures to determine their feasibility and determine whether they will work under actual conditions;
• Assess and measure the degree to which personnel understand their emergency response functions and duties;
• Identify areas for improvement;
• Enhance coordination, communication, and proficiency among response staff; and
• Enhance the ability of management and staff to respond to emergencies.
• In addition, there may be regulatory requirements that call for periodic testing of Emergency Plans. Testing is also likely to enhance the public image of an organization since, when it tests, it is acting responsibly. Inviting the fire department or other first responders to a well-planned exercise is one example of corporate responsibility in action. Inviting the news media to a test exercise is a bit more daring, but may demonstrate responsible behavior as well.

Testing Strategies

Testing strategies should detail the conditions and frequency for testing applications and business functions. The frequency and complexity of testing is based on the risks to the organization. The strategy should include test objectives, scripts, and schedules, as well as provide for review and reporting of test results. Even small organizations should participate in tests with their core service providers and test other critical components of their Business Continuity Plans.

Management should evaluate the risks and merits of various types and levels of testing and develop strategies based on identified resumption and recovery needs. The business continuity planning process should evaluate whether the organization is anticipating operating at full or reduced capacity.

Organizations should not assume a reduced demand for services during a disruption. In fact, demand for some services may increase. If the plan is to operate at a reduced capacity at an alternate site, risks should be evaluated and tested for exceeding that capacity and priorities established as to what will or will not be processed.

The test exercise planning process should also evaluate the necessity for enterprise-wide and service provider testing rather than relying solely on isolated business unit testing. Comprehensive testing will require evaluating inter-dependencies between critical business functions and systems, and evaluating the criticality of testing those systems in tandem. Management should test its ability to recover current operations and should include security measures and procedures within the scope of the test. Lastly, management should ensure testing of plans is conducted at least annually, or more frequently, depending on the operating environment and criticality of the applications and business functions.