Business Continuity Testing
Disaster Recovery is not Business Continuity. Many companies do
not have full business continuity plans. They say they do have
business continuity plans but they really mean that they have a
disaster recovery plan, usually meaning that they have
alternative premises and possibly equipment that can be used in
the case of a full-scale disaster. Business continuity covers
far more than just the IT systems. Think of all the paper
records an organisation needs to continue working. Think of the
most important asset of all to most organisations: its staff.
Without its staff the organisation ceases to exist. A business
continuity plan contains information for all staff and their
activities in the case of problems affecting the organisation.
A preliminary to the testing of any plan is to establish some
form of Business Continuity Group consisting of representatives
from each of the main business areas, together with those
responsible for finance, facilities and IT.
Once a business continuity plan exists it needs to be maintained
and tested regularly. Once again, many organisations say their
plan is tested but what happens is that they show that the major
IT systems can be seen to be working on equipment at a disaster
recovery site. Often there is no involvement other than from the
IT Group.
It is essential that business continuity testing follows a
risk-based approach. This provides 2 main advantages. Firstly,
business continuity must be aligned to the business, and the
plan should be designed to cope with risks to the business.
Secondly, a risk-based testing approach to business continuity
highlights the areas not to test: prioritising the main risks to
the business identifies the areas of negligible or zero risk.
Business continuity testing need not be onerous or expensive.
There are a number of ways in which testing can take place; each
is mentioned below.
Business continuity testing can be broken down into 2 main
areas, desktop testing and physical testing.
Desktop testing can be a paper walkthrough where a group of
people work through the plan looking for areas which require
further work. It can also be scenario testing where a group sit
and work through a scenario given to them, such as electrical
failure, fire, bomb threat etc. The scenario is defined by a
different group of people who then monitor the accuracy of the
business continuity plan.
Physical testing means a form of business continuity testing
that happens outside the conference room. This is broken down
into a number of different tests. The first is a communications
test: can everyone who needs to be notified during a problem
actually be contacted? The second is a disaster recovery test,
where the IT systems are established on a secondary set of
computers. The third is a full relocation test, where the
business areas relocate to another site. All of these tests are
carried out in order to hone the business continuity plan and to
provide assurance that it will be effective when required.
In summary, all business continuity plans need to be tested.
Some companies believe that the testing would be too complex,
time consuming or expensive. It is therefore essential to use a
3rd party group of experts to advise, help carry out and monitor
the tests that are carried out. The 3rd party would also make
suggestions regarding any changes believed necessary to the
existing plan.
Copyright Acutest UK 2005
About the author:
A Streeb is an experienced practitioner of business continuity
testing at Acutest, an independent consultancy specialising in
business continuity assurance and software testing services. For
more information on this topic visit http://www.acutest.co.uk or
send an email to enquires@acutest.co.uk