Testing Business Continuity Plans – It’s not an Option

My wife decided we needed a bench just inside our front door.  She went to various shops and found one – for $400.  Being a relatively handy guy, I thought I’d build my own.  So I downloaded a set of drawings from the Internet, read up on some woodworking techniques and made a list of everything I’d need to complete my project.

So, was I prepared?  Not really.  I hadn’t tried some of those woodworking techniques; and my bench would be made from mahogany – a very expensive wood.  If I had any hope of achieving my goal, I needed some practice.  I could use scrap lumber.  And I wouldn’t have to build the whole bench – as long as I practiced the techniques with which I was unfamiliar.  Otherwise, I’d waste some very expensive wood, cause myself headaches and have to listen to my wife point out my shortcomings.

There’s a direct parallel with a Business Continuity Plan here.  Just because all the relevant information has been catalogued doesn’t mean you can actually recover whatever it is your Plan says you can.

Just because a Plan says that doing A, B, C will lead to a successful recovery doesn’t make it so.  You could write a plan to put men on Mars – but just writing about it doesn’t mean it will work.

Whether or not you can successfully carry out your Business Continuity Plan is unknown unless one of two things happens: either you test it, or you use it.  Do you really want to find out your Plan doesn’t work as the building floods or the backup generator fails?  By then it’s too late.

Then why do so many organizations fail to test their Business Continuity Plans (and they do!)?  I’ve been in the industry more than 20 years.  I’ve heard most of the excuses: no time, no resources, it’s not in the budget, my boss doesn’t care, it’s not in my job description, it’s a waste of time, it doesn’t impact the bottom line½and on, and on, and on.

If you can’t find the time and resources to test your Business Continuity Plan, why would you bother to spend the time and resources to maintain it (or write it in the first place)?  Of course we all know that answer:  to avoid an audit write-up.  So is failure to test the auditor’s fault?

Testing need not be time consuming, nor expensive.  Start with a simple Table Top Exercise.  Notice I called it an Exercise – not a Test.  If no one wants to participate, why dampen their enthusiasm even further (if that’s possible) by announcing you’ll be grading their success or failure!  Don’t.  The point of every Exercise ought to be to find the gaps, weaknesses and useless fluff in the written plan.  The more you find, the greater the success of the Exercise.

When completed, make sure the Plan gets updated to account for those gaps and weaknesses (and gets a thorough de-fluffing).  Then do it again (using a different and more difficult scenario) as soon as practical.  Exercise the Plan together with the Plans for other related functions.  The more you Exercise the more the participants will be prepared to act when something happens.

Testing is the only way to find out how your Business Continuity Plan will perform.  It may not result in a perfect Plan – but that Plan will be worth a lot more than the paper it is printed on.

Related blog:
Residual Risk – A Key Business Continuity Concept

Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…
Threats, Impacts, BCPs

Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the…
The BCM Challenge: Executive Buy-In

The BCM Challenge: Executive Buy-In

As a Business Continuity Management (BCM) solution provider, the first…
DR Plans – The What, When & Who

DR Plans - The What, When & Who

As a Business Continuity practitioner with more than 20 years…