Wednesday, May 16, 2012

Maintenance and Exercising

One of the oldest axioms in the field of business continuity or disaster recovery is that a plan that is not tested or maintained is of little value, or in some cases, worse than no plan at all.

As a part of the Business Continuity Plan Development Project, there is a continual need to improve plans and strategies by testing. The aim will be to raise awareness and give the organization confidence that the approach and strategies adopted could be used in the event of a genuine incident.

To ensure that all parties are aware of tests and appreciate the importance of other ongoing business and technology projects, a test schedule needs to be prepared. Plan maintenance inevitably falls behind established schedules as business units view it as an overhead which is rarely of the highest priority. Plans, however, must be maintained to hold credibility and to encourage ownership across the organization. Testing can be used for some of the following reasons:

  • Gaining buy-in across business areas.
  • Proving completed plans and strategies.
  • Proving the adequacy, completeness and accuracy of the recovery plans.
  • Component testing of technical elements.
  • Improving technical or business recovery procedures.
  • Ensuring the plans incorporate all aspects of the business.
  • Ensuring the plans reflect current business priorities.
  • Building inter-departmental teamwork and relationships.
  • Working through scenarios.

Testing the Plan...

Before continuity plans can be signed off as operational, an understanding of their use and value has to be proven. This can only be accomplished through structured testing. To ensure that solutions are implemented across all business areas, it is necessary to institute a series of tests as the first step in enhancing the continuity plans.

The testing process should be defined so that all parties involved understand the methodology. This means that when a test is being planned, all those involved will know what to expect and what is expected of them. The following items are a suggested process for planning a test. These are not all-encompassing but present an overview of a successful operational approach:

  1. The scope of the test is agreed upon and all parties to be involved are informed.
  2. The objectives of the test are agreed upon and published.
  3. A change management request is raised to book time and personnel.
  4. Contracts are raised with external vendors for any necessary support equipment, etc.
  5. Agreements are gained from affected bodies (internal or external).
  6. Briefings of personnel are held on a regular basis to ensure that all aspects of the test are covered.
  7. Independent observers are selected when appropriate.
  8. Preparations and support are put in place (catering, accommodations, travel, etc.).
  9. Business areas are briefed about the test and the potential impact to those who are left.
  10. Notification of the test to all areas of the business.
  11. The test is executed to a strict project plan with a clear cut-off time.
  12. Detailed notes are taken during the test describing the proceedings.
  13. A post review meeting is held to discuss the outcome.
  14. A test report is written collating all logs and key findings.
  15. Plans are amended and strategies altered to reflect findings.

When testing is done there is sometimes a drive towards large-scale, multi-platform, multi-user tests, but in most cases this is inappropriate in the early stages of the planning cycle. In fact, best practices have shown that to improve plans and work towards successful testing a three-year cycle should be adopted. The aim in the first two years of the program is to prove the procedures and plans and educate those involved in their roles and responsibilities. Therefore, exercises should be built up in a structured manner. The following graduated structure, starting with auditing and ending with business recovery testing, may be used as a guideline:

  1. Plan audit - The first test to be considered, as it is the least intrusive, is an audit. While it could be argued that an audit is not a test, any process which challenges what is in place and demands proof is testing the credibility of the plan. Some examples would include:
    1. Review of BCM process
      1. Scope of the plan (ensure that all areas of the business are accounted for).
      2. Has appropriate level of BIA been carried out (do the priorities of the recovery look correct)?
      3. Has an appropriate level of risk analysis been carried out?
      4. Has the recovery strategy been clearly defined?

  2. Document review:
    1. Is the document in logical sequence?
    2. Document version control to ensure that everyone is working from the same plan.
    3. Document is complete.
    4. Document is accurate.
    5. Plan implementation.
    6. Recovery strategies have been implemented.
    7. Management understands their roles and responsibilities.
    8. Plan maintenance and change control strategy.


Walk-Throughs...

An integral part of any planning process is to provide an understanding of the plan and its strategies to all key management. A walk-through of the plan should be undertaken and measured against an agreed scenario. The walk-through will bring together all key management for a tabletop exercise using the plan as a baseline to measure events against. Walk-throughs identify that:

  • All roles are understood.
  • Assumptions within the plan are accurate.
  • The plan flows logically.

The walk-through is a highly visible exercise across all of the business. This will provide a tremendous opportunity to emphasize the importance of planning and ensure buy-in from management, and should be used as such. On completion of the walk-through, any findings should be presented in a report and plans should be amended. The main objective of this test is to prove the value and completeness of plans and to validate that the appropriate infrastructure is in place to facilitate those plans, while improving and completing plans and educating the users.

Component Testing...

The most effective means of identifying that the plans are complete is through a full test. This, however, costs time and money which could be wasted if components of the plan fail. Experience shows that there are significant benefits in carrying out tests on individual key components of the plan to avoid this. A series of tests should be identified to assess the effectiveness of the various components of the plan. Once completed, amendments can be made to the plans and a complete plan test can be aimed for with confidence. Examples of the component test are:

  • Associates communications test.
  • Audit of off-site data.
  • Recovery of specific technologies.
  • Technology work-arounds.
  • Invocation of recovery contacts.

Large Scale Testing...

As confidence in the testing process grows and as the strategic infrastructure is proven and known to be in place, the ability to run larger scale tests improves. Tests of both technical support and business areas will prove that plans and strategies in place are accurate, maintained and can operate across the business. This scale of test moves from the rehearsal, practice-type exercise to an actual test of assets in place.



Maintenance of the Plan...

Plans and strategies, once implemented, are a "snapshot in time" and reflect the requirements of the business at that time, but these requirements and recovery timescales are not constant, and as such both components must be maintained. A business continuity change management process covering maintenance and review changes is suggested. Maintenance changes keep plans up to date but do not change the underlying objectives of the strategies and can include staff changes, contact information changes, or the correction of errors. Review changes may affect the strategies in place or may alter the plans' objectives and can include business reorganization or the introduction of new business processes or systems.

Testing is an excellent process to maintain plans, but in itself is not enough. A regular testing schedule will ensure that plans are current, proven, and maintained by the people needing to use them. However, in addition to this, maintenance schedules of the plan need to be produced, which experience has shown to be time consuming and difficult to implement at times.

Clear ownership of the change management process is essential to ensure the process is accepted and implemented. The ownership of the plans must reside with the management teams that require them and they must take responsibility for their maintenance changes. To assist in this, basic document rules should be adopted and an agreed schedule for reprints should be determined.

It is generally difficult to maintain plans and is unrealistic to expect plan owners to give business continuity a permanent high priority. A proactive approach which includes regular questionnaires and requesting "sign-off" that plans are current and accurate will often achieve better results and gain support from the business and information technology management.

