CHAPTER 9
Testing and Maintaining Business Continuity Plans

Following the development of plan documents, the next step in the business continuity planning lifecycle is to test and implement plans while continuing the ongoing process of maintaining the program and incorporating business continuity into the day-to-day operations and culture of the organization.

A program of training, exercises, and tests, providing all employees with the appropriate level of education and training, is an integral part of any business continuity program that moves plans beyond the concept stage. A continuity awareness and training program for all employees underpins any organization’s capability to manage disasters and helps ensure that all employees understand what the organization is prepared to do and are aware of the part they must play.

A plan is not a plan until it has been tested; it is only theory, paper in a binder. Exercises and tests provide the best possible reality check for your plans other than an actual disaster.

To ensure that the plan is workable, doable, and provides the necessary guidance, personnel must be trained and the plan’s strategies must be tested. Staff assigned to business continuity teams need tailored, detailed training that focuses on their particular roles. This can be accomplished through tabletop and simulation exercises and specialized live (field) tests. Think of exercises and tests as disaster rehearsals, an opportunity to learn critically important lessons before an actual disaster occurs. It is through ongoing tests and exercises that we work out the kinks, enhance strategies, and help ensure a successful return to normal business operations.

By its very nature, the supply chain in every organization is changing and adapting almost continually to meet the demands of today’s fast-paced global business environment. It is essential to regularly test, review, and revise the program and plan documents to maintain the capability to successfully respond to the dynamic and ever-changing nature of risk and the requirements of conducting business today.

Training, Exercises, and Tests: The Key to Workable Plans

The business continuity plan should assign responsibility for maintaining a comprehensive training program and outline the requisite goals and objectives for the program. Good teamwork must involve those who manage business continuity and other related programs, such as disaster recovery and emergency preparedness and response, as well as representatives from human resources and security. Such teamwork helps make certain that the necessary training is delivered without gaps, redundancies, or overlaps and reinforces working relationships among the business units. When practical, continuity training should be combined with disaster recovery, emergency response, safety, and security training.

In the event the organization does not have a formal training and testing program, an individual business unit can unilaterally conduct training and exercises. While this is not as efficient as an enterprise-wide program, such limited training is a must in preparing the department and its employees to respond when disasters occur.

A big-picture approach can be used to develop an annual program of orientation sessions, drills, training, exercises, and tests that fulfills the requirements outlined in the plan. This all-inclusive method of long-range planning and scheduling gets these training opportunities on everyone’s calendar well ahead of scheduled dates, which helps to ensure the availability of people and training facilities. A curriculum outline should be developed for each training component. The outline should include to whom the training is directed, how often it is to be conducted and by whom, content overview, and the length of time required for the training.

Once there is adequate knowledge of the organization’s existing policies, plans, and procedures and a basic understanding of the overall approach to addressing disasters and threats, a more complete picture of the organization’s programs begins to emerge.

Remember to include primary and all alternate team members in training sessions and exercises. And once your plan is mature, consider including suppliers, contractors, and even customers in exercises. Doing so increases the realism, expands learning, and provides opportunities for partnering in business continuity planning.

Training

Employees are an organization’s greatest asset, and every individual makes a contribution to the organization every day and will continue doing so in the wake of a disaster. All employees, from the mail room to the executive offices, are critical to the success of first-rate business continuity and related programs, and all need to receive the appropriate level of business continuity education and training. For most, this entails the basics—what programs exist, the purpose of each, what it means for the employees, what they can expect from the organization when disaster strikes, and what the organization expects of them.

All employees are responsible for following business continuity policies and procedures, yet it is often the employees not assigned to continuity teams who fall between the cracks and do not receive sufficient training. Remember that for each of us, our perception is our reality. The perception of employees who are not aware of programs and plans for managing disasters is that the programs and plans do not exist, and for them, that is the reality.

Establish a comprehensive program that includes the necessary level of training for all employees. Start with orientation and basic training in continuity. For newly hired employees, this should begin with their orientation; for older employees, it can start at their annual review. Every employee should be made aware of the mutual expectations—what they are to do, what the organization will do, and how the organization’s disaster communications procedures work. In the case of a business continuity program, it is possible that when a disaster happens, some employees are simply to wait to receive instructions for when and where to report. While this sounds simple, employees who do not know this is the case can create confusion and extra unnecessary work when a disaster strikes.

Orientation and refresher training should include a review of the organization’s disaster-related policies. For example, if there is a policy that employees are not to make statements to the media, be sure they know that is the case and provide them with the name and contact information of the person to whom media representatives are to be referred. Also, periodically survey employees to determine their level of awareness and in what areas they need further training.

Training can be classroom, computer-based, or exercise-based. Articles in organization newsletters and on the intranet and announcements at department and other work group meetings can help reinforce the training and provide an avenue to update employees on simple revisions to plans and procedures.

Awareness and training programs are critical for embedding business continuity management into the culture of the organization. As a further step in making continuity part of core business practices, some organizations are tying participation in continuity training and exercises to annual performance reviews and compensation.

For those with specific business continuity responsibilities, training provides an opportunity to develop practical knowledge of the plan and its procedures. Continuity team members also gain a more complete understanding of their roles: what to do, why it is being done, and where it fits in the bigger continuity picture.

For assigned team members, training must go well beyond handing someone a plan document or checklist of actions and assuming there is complete understanding of the assigned duties. Individuals involved in carrying out plans must not only understand what to do; they should also have a firm understanding of the importance of their role. Tailored, detailed training that focuses on team members’ specific roles results in an in-depth understanding of how the actions each team member takes fit in the overall picture. This level of understanding has been shown to be the largest factor contributing to employee compliance with established policies and preparedness activities prior to an event and to adherence to continuity procedures after a disaster.

Training should result in every employee in every department possessing an understanding of the organization’s approach to business continuity management and how his or her department is integrated in the total program. Training should also result in all employees knowing what they would need to do to continue critical operations and where the equipment, supplies, and people needed to get it done are located.

Exercises and Tests

There are only two reasons for conducting exercises and tests: We need to test plans, and we need to train people. (While “exercise” is the preferred business continuity terminology, “test” is more commonly used in disaster recovery.)

Beyond basic business continuity orientation and detailed training, exercises and tests provide continuity team members with advanced training. They also offer an opportunity to identify needed improvements to strategies and plans before a disaster occurs. Team building is an additional benefit for continuity team members who do not work together on a regular basis.

Begin by determining the purpose and objectives for the exercise. Choose the best exercise type for the situation and the maturity of the company’s business continuity programs and teams. There are three basic and increasingly challenging exercise categories: tabletop, simulation, and live.

A tabletop exercise (also called a walkthrough or desktop exercise) is nonstressful and slow-paced. It is used to evaluate strategies, plans, and procedures and to provide a training opportunity for team members. In a tabletop exercise, a facilitator presents and continues to develop a disaster scenario. Team members discuss the situation and problem-solve using the plan document, in the process becoming more familiar with their roles. The length of a tabletop exercise is typically two to four hours, including the debriefing process.

A simulation exercise (also called a functional exercise) is designed to give team members a more realistic, hands-on experience in dealing with a disaster situation. It is faster paced and more stressful than a tabletop exercise. It enhances communications and decision-making skills and helps further familiarize team members with the plan, its procedures, and their roles.

A simulation exercise involves two groups. One is the business continuity team; the other is a simulation team. Prior to the exercise, the simulation team—working with an agreed-upon, realistic disaster scenario and scope—develops messages that in the event of a real disaster might be received by the continuity team from anyone, anywhere, inside or outside the organization. This can include employees, customers, suppliers, outsourcing companies, regulatory agencies, stockholders, government agencies, media representatives, and public safety officials. Once the exercise starts, the simulation team begins sending the predeveloped messages to the business continuity team—in writing, by phone, electronically, or in person. The continuity team members must then decide what actions are needed to respond to the messages received. To continue to advance the disaster scenario, the simulation team continues to draft and send new messages based on the actions taken by the continuity team. To be fully effective, test actions must mirror reality. All actions taken by continuity team members must be based on existing plans and procedures and resources that actually exist. Plan on a minimum of half a day for a simulation exercise, though some last for a full business day from opening briefing through the debriefing process.

A simulation exercise provides an excellent opportunity to provide training for primary and backup continuity team members. Start by having the backups serve as members of the simulation team while the primary members participate in the exercise. In subsequent exercises, reverse the roles. You can also combine primary and backup members on both the exercise team and the simulation team. Simulation team members often report that being a member of the simulation team is as valuable a learning experience as is participating in the exercise as a continuity team member.

A live exercise (also called a field or full-scale exercise) is based on a disaster scenario and involves the actual mobilization of business continuity teams and resources. It can be limited to selected parts of an organization or encompass the entire enterprise. This type of exercise adds further integration and coordination components to the simulation. Just as in an actual disaster, the scenario may include inaccessible buildings; the necessity to relocate people and resources, perhaps to an alternate work site; and computer systems being down while the disaster recovery team restores IT operations at an internal or contracted hot site. (A hot site is a remote, alternate, backup computer operations location equipped with compatible hardware and the infrastructure needed to support IT operations.) Live exercises can include actual continuity procedures such as redirecting shipments, activating manual work-around procedures, and functions being fulfilled by cross-trained backup employees. The most realistic of all exercises, a live exercise takes more time and resources to plan and conduct. Exercises can be conducted during regular business hours, though it is not uncommon for live exercises to be held at night or on the weekend. Some extend for two or more days.

When a disaster recovery test—a live exercise conducted by the disaster recovery team—includes testing restoration of supply chain IT support systems, the test provides an excellent opportunity to coordinate with the disaster recovery team. Supply chain business units can assist by determining the level of success in recovering servers and applications related to a wide range of functions, such as receiving advanced shipment notifications, orders, and buyer approvals; generating pick and pack manifests; or tracking shipments. The cooperative effort provides the disaster recovery team with a more realistic test environment and offers the participating supply chain functions an opportunity to exercise their business continuity plans.

Exercise Scenario Selection

In general, exercises raise awareness and provide a team-building opportunity, as well as identifying needed corrections, improvements, and enhancements to plans and strategies. New lessons are learned with every exercise and test, as well as when disasters occur. To be certain that plans incorporate the lessons learned by those who have been impacted by recent actual major disasters, include a broad range of scenarios that incorporate realistic challenges:

• A critical supplier of components for multiple manufacturing plants or a niche supplier of a critical specialty part suddenly goes out of business.
• An explosion causes significant damage to an outsourced warehouse facility and its contents.
• A computer virus infects the e-mail system, requiring a total shutdown of the system for at least thirty-six hours while the situation is corrected and additional safeguards are installed.
• Attempts to notify key employees who are expected to carry out business continuity responsibilities are unsuccessful.
• Air transportation in a 250-mile radius of the company’s location is shut down for three days.
• A long-term electrical power outage is caused by severe winter storms and there is a resulting shortage of fuel for generators.
• Employees of your primary contracted transport company call a strike and walk off the job.
• As a result of a workplace violence incident resulting in life-threatening injuries, the police department has declared the building a crime scene and it has been evacuated. It is not known when the investigation will be completed and access to the building allowed.

Make sure the scenario selected is realistic and has a high probability of occurring. Limit the use of worst-case scenarios—the maximum intensity of a specific hazard, coupled with the maximum estimated impact on operations—particularly when testing new plans or training newly named continuity teams. When exercising new teams, a worst-case scenario may be too overwhelming and the resulting high levels of stress can prevent learning. An accompanying outcome can be a failure to identify needed plan improvements. Start with the simple and build to the more complex with a series of increasingly challenging and stressful scenarios.

After teams have exercised with less demanding scenarios such as a power outage, an IT failure, or loss of a supplier, use a likely worst-case scenario that would have the greatest impact on operations, such as loss of a facility due to fire or widespread natural disaster, to fully test plans and provide advanced training.

Once people are comfortable with their roles and responsibilities and plans are more mature, continue to vary the severity and type of event presented in the scenario to ensure covering a wide range of possible disasters that require scaling the response appropriately to match the scenario.

Department and business unit tests and exercises can be conducted separately, with IT in a disaster recovery test, or as part of overarching, organization-wide exercises and tests. Department continuity teams use their plan and any materials documented in their plan that would reasonably be available within the scenario. Some scenarios eliminate resources (such as phone or data communications, a facility, or a sole source supplier), while others remove team members or other key players from the exercise.

Once the business continuity program is in place and a series of exercises and tests have been conducted, consider the value and advisability of including customers, suppliers, or other business partners in the testing process. As an example, if your organization’s plan includes shipping to a customer from a more distant secondary location when the primary location experiences a disaster, ask the customer to participate in a test or exercise. Determine whether the redirecting strategies meet your customer’s requirements or would result in a need for the customer to activate some of its continuity procedures, such as increasing shipments from an alternate supplier. This provides you with an opportunity to test continuity strategies and plans and to partner with your customer in developing improved strategies when necessary.

Capturing the Lessons Learned

While exercises have enormous importance as a training vehicle, the greatest value comes when the lessons to be learned are fully captured and acted upon. During the exercise, have observers note team members’ level of ease in using their plans, executing their tasks, communicating with fellow team members, and meeting the challenges of the scenario. Exercise participants should maintain a log and take notes on issues and challenges that arise during the exercise.

Conduct a debriefing session as soon as possible following the exercise to identify what worked well, what did not work as planned, and what needs to be done to improve strategies, procedures, and the plan document. I prefer to use both a group discussion and a written exercise evaluation form for debriefing. Determine the level of effectiveness of the plan documents and whether team members need additional training and more frequent exercises. Capture and document the lessons learned, outline what needs to happen to resolve problems, and assign responsibility for completion of each identified corrective action item with a specific deliverable date for each assignment. Begin preparations for your next exercise.

The success of an exercise or test can be measured by the level of achievement in reaching the exercise goals and objectives as well as by whether or not the exercise resulted in meeting the established recovery time objectives. The purpose of an exercise is not to reach perfection but to test plans, train people, and identify ways to improve. If there were no issues or challenges and the teams performed perfectly, it is likely that the scenario was not sufficiently challenging.

Plan Reviews and Maintenance

The task of looking for gaps and areas needing improvement in the organization’s business continuity plans should continue throughout the training and testing processes. Based on observations during an exercise and feedback obtained in the debriefing, needed plan enhancements and improvements may include:

• Providing greater detail in identified sections of the plan
• Revising notification and activation procedures that did not work as planned
• Changing the continuity team structure or adding additional team positions
• Adding more communications equipment in the business continuity center
• Inserting detailed procedures for improved customer interfaces
• Improving strategies for meeting all service level agreements
• Assigning responsibility for meeting applicable regulatory requirements
• Providing more details about alternate work locations, such as maps and directions for how to get there and security clearance procedures
• Reviewing more frequently all attachments listing contact information for all internal and external key contacts
• Enacting better controls to track distribution of the plan to make certain all team members receive all plan revisions and updates

Going Forward

Experience almost always identifies needed changes in plans. The hope is that the experience will be a test or exercise rather than an actual disaster.

A program of training and testing that includes all employees can help ensure that all individuals are aware of the part they play and understand what the organization is prepared to do. Exercises and tests provide the best possible reality check for your plans other than a disaster and are a training opportunity for continuity team members and others who have a role in carrying out continuity plans. Plans must be reviewed and updated frequently to ensure that the information they contain is accurate and current. The overall result is a better prepared organization capable of continuing time-critical operations when future disasters occur.

• Poll the people in your business unit to determine whether they have received sufficient business continuity training.
• Work with supply chain business unit managers to develop and schedule regular continuity program refresher briefings for all employees.
• Develop a scenario and conduct a tabletop exercise for your business unit’s continuity team.
• Meet with representatives of other supply chain business units to explore conducting joint training and exercises.
• Volunteer to be a member of the simulation team for the next planned simulation exercise.
• Ask to be included in the next disaster recovery test of your department’s IT support systems.
