Part 3: Business Continuity… Is Your OrganizationReady for A Major Event?
As we continue our series on Business Continuity Planning (BCP) we bring all of the preparation with the planning process, impact analysis and the risk assessment together to test the program that has been established. Let’s take a look at the monitoring and testing components of the BCP.
While most of us think of monitoring as a daily report to review, the reference here for BCP is a bit different. Monitoring and testing go hand and hand with the BCP. Monitoring includes ensuring all aspects of the plan are functioning. It includes reviewing testing results and ensuring controls are in place and any necessary BCP revisions are made as a result of testing the plan. A key function of monitoring of the BCP is the implementation of testing results to ensure the BCP is practical, updated and achieves the intended objective of continuity. The program and the testing should be monitored to ensure critical information is periodically updated; including policies and procedures along with the risk assessment(s).
The FFIEC IT Examination Handbook provides great guidance for testing the Business Continuity Program. Appendix H: Testing Program – Governance and Attributes highlights the areas of responsibility, the parties that should be considered in the testing plan and the elements to be considered during testing.
As we discussed in the first article of this series, first and foremost the Board of Directors must play a critical part in the Plan and this responsibility continues with the testing of the program. It should be appropriate for your organization. Resources should be made available to ensure the objective of continued business operations can be achieved.
Guidance recommends the development of a testing plan. Within that plan the Committee or Coordinator of the test should consider:
· Testing Scope
· Test Scenarios
· Test Scripts
· Verification Strategies
· Testing Scope
It is recommended to start with the testing scope; from there build out the other elements of the test, such as the scenarios, scripts and verification strategies.
In addition, there are three (3) elements that are recommended as the minimum when testing the BCP. They include staffing, technology and the necessary facilities for staff and technology to provide continued services and products.
Once the testing has been completed an evaluation of the results should be performed soon after. The Committee or Coordinator should review not only the successes of the test, but failures and determine areas of improvement identified by the testing results.
As mentioned above with respect to the test plan, each element should be thoroughly documented. Document, document, document. We constantly hear that, and you will be glad you did during your next regulatory exam. And don’t forget to report your results to senior management and the Board.
August 22, 2019