7 Reasons to Practice Integrated Business Continuity Testing
A business continuity program is no longer considered superfluous. Last year, businesses worldwide learned the importance of integrated business continuity testing and planning, especially when it comes to vendor management. In fact, 74 percent of surveyed organizations have faced a disruptive event with third parties in the past three years. A business continuity plan is a company's roadmap that helps navigate the unknown and unexpected, including natural disasters, communication issues, physical disruption, or other large-scale emergencies. However, having a plan in place is only half the battle. A business continuity strategy also needs to be continuously monitored and tested for gaps or obstacles.
Why Integrated Business Continuity Testing is Critical
Integrated testing moves beyond the testing of individual and isolated components. It includes testing with internal and external parties and supporting systems, processes, and resources.
1. Ensure your plans work
Running the plan as an exercise confirms that the documented procedures can actually be carried out by the people assigned to them, with the contacts, access, and resources the plan assumes. A plan that has never been exercised is an untested assumption, not a capability.
2. Expose potential gaps before an incident occurs
Exercising the plan surfaces gaps before a real incident does: missing call-tree entries, undocumented dependencies, recovery steps that assume a system or supplier that has since changed. It is also the opportunity to rehearse your recovery strategy and bring the incident management team up to date on the latest changes to the business.
3. Meet rising client expectations
Customer expectations are getting higher, and your business must keep up with the rising demand for impeccable customer service.
4. Continually validate and improve your plan
Your organization is continuously evolving. So should your business continuity plan. And what's a better way to improve your plan than through testing it?
5. Reduce recovery time objective and cost
Recovery cost rises with the speed at which you need to recover: meeting a 72-hour RTO is considerably cheaper than meeting a 24-hour one. Testing shows which RTO you can actually achieve, so you can set targets that match the business need instead of paying for recovery capacity you do not use, or discovering during a disaster that you cannot meet the target you promised.
6. Preserve reputation
Business continuity management is more than just compliance. It is the foundation of a company’s reputation and stability.
7. Satisfy regulators
Regulatory scrutiny is projected to tighten even more in the coming years. Keeping your business compliant with industry regulations is key to its longevity, and failing to meet compliance requirements is likely to lead to costly fines.
5 Tips to Increase the Effectiveness of Testing
In striving to increase the effectiveness of test scenarios over time, an institution should, as appropriate, consider the following:
- Perform integrated tests or exercises that incorporate more than one system or application and external dependencies to gauge the effectiveness of continuity plans for a business line or major function.
- Test interdependencies where two or more departments, business lines, processes, functions, and/or third parties support one another.
- Conduct end-to-end exercises to demonstrate your organization's ability to recover a business process from initiation (e.g., customer contact) through process finalization (e.g., transaction closure).
- Conduct full-scale exercises that involve the recovery of systems and applications in an interactive manner in a recovery environment, including all critical functions and modules.
- Perform exercises that include third-party providers' subcontractors, vendors, or services.
Core Elements of a Business Continuity Testing Strategy
The test strategy should encompass at least three elements: staffing, technology (data, systems, applications, and telecommunications), and the facilities that house the staff and technology environments.
1. Testing elements: Staffing
Testing strategies should include demonstrations of the staff's ability to support business processes, including the processing of transactions, communication with key internal and external stakeholders, and any other industry-specific processes.
Strategies may need to address staff's ability to support increased workloads resulting from the transfer of processing to alternate sites for extended periods of time. For institutions that have implemented split processing business models, any aspects of the client relationship model that present challenges or complexities to the transfer of workloads across sites, and related dependencies, should be identified and incorporated into testing strategies.
Testing strategies should demonstrate the effectiveness of a company's management succession plans.
2. Testing elements: Technology
Testing technology strategies should include the data, systems, applications, networks, and telecommunications necessary for supporting business activities.
Where system recovery depends on retrieving data files, programs, and other items maintained at the backup facility, off-site testing procedures should use only those backup items, so that the test faithfully replicates the loss of the master data files and programs kept at the main facility. A restore that quietly falls back on copies from the primary site proves nothing about the backups.
Backup data files should also be tested frequently to assess the integrity of the information, determine if the data is being saved in the correct format, and ensure that applicable files can be retrieved promptly. Alternatively, institutions may employ other processes for data replication, such as synchronous and asynchronous data replication. Regardless of the data replication process used, the process for demonstrating data consistency across different processing environments should be included in the testing strategy.
Strategies should also test processes to recreate any data lost during a switch to alternate processing facilities, and periodic reviews of telecommunications services should be conducted to determine circuit diversity.
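The backup checks described above (integrity, correct format, prompt retrievability, data consistency across processing environments, and the window of data that could be lost on a switch) are concrete enough to script. The following is an added example, not code from the original article or any particular product: an offline restore drill that hashes a backup artifact against a manifest value, restores it and validates its format, times the restore against an RTO budget, diffs primary and replica record sets, and measures replication lag against an RPO. The gzip-compressed JSON backup format, the record layout, the RTO/RPO values, and all sample data are constructed assumptions for the demonstration.

```python
"""Backup and replica verification drill.

Added example, not from the original article. Everything here is in-memory:
the backup format (gzip-compressed JSON list of records), the record layout,
and the RTO/RPO budgets are assumptions chosen for the demonstration.
"""
import gzip
import hashlib
import json
import time
import zlib
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(records: List[dict]) -> bytes:
    """Produce a backup artifact in the assumed format (gzip of a JSON list)."""
    return gzip.compress(json.dumps(records, sort_keys=True).encode())


def verify_backup(blob: bytes, expected_sha256: str, rto_seconds: float) -> Dict[str, object]:
    """Check one backup artifact the way a restore test would:
    integrity  - the bytes hash to the value recorded in the backup manifest
    format     - it decompresses and parses as a list of records with an "id"
    within_rto - the restore completes inside the RTO budget
    """
    result = {"integrity": False, "format": False, "within_rto": False, "records": 0}
    result["integrity"] = sha256(blob) == expected_sha256
    start = time.monotonic()
    try:
        records = json.loads(gzip.decompress(blob))
    except (OSError, EOFError, ValueError, zlib.error):
        return result  # truncated or corrupt: not restorable at all
    result["format"] = isinstance(records, list) and all(
        isinstance(r, dict) and "id" in r for r in records
    )
    result["records"] = len(records) if result["format"] else 0
    result["within_rto"] = (time.monotonic() - start) <= rto_seconds
    return result


def record_digest(records: List[dict]) -> Dict[str, str]:
    """Per-record content hash keyed by id, so two environments can be compared."""
    return {str(r["id"]): sha256(json.dumps(r, sort_keys=True).encode()) for r in records}


def replica_divergence(primary: List[dict], replica: List[dict]) -> Dict[str, List[str]]:
    """Data consistency check across processing environments."""
    p, r = record_digest(primary), record_digest(replica)
    return {
        "missing_on_replica": sorted(set(p) - set(r)),
        "extra_on_replica": sorted(set(r) - set(p)),
        "mismatched": sorted(k for k in p.keys() & r.keys() if p[k] != r[k]),
    }


def rpo_exposure(last_consistent: datetime, now: datetime, rpo: timedelta) -> Dict[str, object]:
    """How much data a switch to the alternate site would lose, versus the RPO."""
    lag = now - last_consistent
    return {"lag_seconds": lag.total_seconds(), "within_rpo": lag <= rpo}


def run_drill() -> Dict[str, object]:
    """Run the whole drill on constructed sample data and return the findings."""
    # Constructed sample records; not taken from any real system.
    primary = [
        {"id": 1, "acct": "A", "balance": 100},
        {"id": 2, "acct": "B", "balance": 250},
        {"id": 3, "acct": "C", "balance": 75},
    ]
    # Replica has a stale copy of record 2, is missing record 3, and has an extra record 4.
    replica = [
        {"id": 1, "acct": "A", "balance": 100},
        {"id": 2, "acct": "B", "balance": 240},
        {"id": 4, "acct": "D", "balance": 10},
    ]
    blob = make_backup(primary)
    manifest_hash = sha256(blob)  # the value a backup job would record at write time
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return {
        "good_backup": verify_backup(blob, manifest_hash, rto_seconds=5.0),
        "truncated_backup": verify_backup(blob[:-8], manifest_hash, rto_seconds=5.0),
        "divergence": replica_divergence(primary, replica),
        "rpo": rpo_exposure(now - timedelta(minutes=90), now, timedelta(hours=1)),
    }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2, default=str))
```

The drill deliberately feeds itself a truncated copy of the backup so the failure path is exercised, not just the happy path; a verification job that has never seen a bad backup has not been tested either. The restore timing here is trivial for in-memory data, but the same comparison against the RTO budget is the measurement that matters when the restore pulls from real off-site storage.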
3. Testing elements: Facilities
Testing strategies for business functions should encompass environmental controls, workspace recovery, and physical security to ensure continuity of facilities and environmental systems at primary and alternate processing sites.
Testing strategies should include the adequacy of backup power generators and heating, ventilation, and air conditioning systems to meet business recovery objectives at operating centers.
Workspace recovery test strategies should include assessments of the availability and adequacy of workspace, desktop computers, network connectivity, email access, telephone service, and physical security controls. For institutions relying on the physical relocation of hardware, software, or data storage devices to recover the technology infrastructure and applications at alternate locations, the facilities testing strategy should address the secure transportation of these items.
Additional Plans for Business Continuity Testing
Test scenarios, plans, and objectives should include the institution's crisis management function to demonstrate its ability to respond effectively to contingency events. The crisis management program should be tested, with particular emphasis on the institution's capability to gather information about the threat or event, initiate the BCP, and communicate relevant information to the appropriate staff, customers, vendors, service providers, regulators, and other public authorities. Crisis management test plans should address the ability of crisis management team members, and of their alternates, to carry out their designated responsibilities under various event scenarios.
Depending on the type of industry, your organization may need to consider testing the following plans:
- Crisis or incident management plans (know how you’ll manage everything)
- Department continuity plans (maintain priority processes)
- Pandemic plan (tracking, planning, execution)
- Life Safety plans (ensure everyone knows what to do)
- Crisis Communications plans (internal and external)
- Service provider plans (validate partners and supply chain resilience)
Background and Risk
Reliance on third-party providers, key suppliers, or business partners may expose your organization to points of failure that may prevent the prompt resumption of operations.
The risks in outsourcing information processing include threats to the security, availability, and integrity of systems and resources, the confidentiality of information, and regulatory compliance.
Vendor Due Diligence
To ensure timely recovery of operations, management should routinely perform vendor due diligence. As part of this due diligence process, management should inquire about the service provider's physical paths to ensure that system redundancies have been properly implemented.
Organizations should also review the service provider's BCP and ensure that critical services can be restored within acceptable timeframes based on the business's needs. The service provider's contract should address the service provider's responsibility for maintenance and testing of disaster recovery and contingency plans. Management should request a copy of the service provider's BCP test results and audit reports to determine the adequacy of business continuity plans and the testing program's effectiveness. If possible, the institution should consider participating in the service provider's testing process. If the service provider fails to perform satisfactorily during a service disruption, management should determine whether the institution has sufficient resources and capacity to perform these processes internally or if alternate vendor arrangements should be considered.