Business continuity planning is a critical component of any organization’s risk management strategy. By identifying potential threats and developing plans to mitigate their impact, businesses can ensure that they are able to continue operating even in the face of disruptions.

Business continuity testing is an essential part of this process, as it allows organizations to identify any gaps in their plans and make necessary adjustments. In this blog post, we will explore five popular business continuity testing scenarios: storms and other natural disasters, cyberattacks, workplace violence, pandemics, and winter weather.

Storms and Other Natural Disasters

Free hurricane tabletop exercise template

Storms and natural disasters can wreak havoc on businesses, causing significant disruptions and financial losses. From power outages and flooding to hurricanes , earthquakes , and wildfires , these events can pose a serious threat to organizations of all sizes. Having a robust business continuity plan in place is crucial for mitigating the impact of such disasters and ensuring the continuity of operations.

Key Considerations of a Natural Disaster Test Scenario

• – Monitoring of real-time conditions
• – Communication with employees, both in office and remote (will you need to evacuate?)
• – Communication with customers (will you suspend operations?)
• – Power outages
• – Flooding
• – Supply chain disruption
• – Infrastructure and structural damage (what if your offices are rendered unaccessible?)
• – Loss of data
• – Disruption to essential services, including communications

Given the potential impact of these natural disasters, it's imperative for businesses to conduct thorough business continuity testing to identify vulnerabilities and ensure readiness. By simulating real-life scenarios, organizations can assess their response plans, identify gaps, and make necessary improvements to minimize disruptions and ensure a swift recovery.

Cyberattacks

Free cybersecurity tabletop exercise template

In today's digital age, businesses are increasingly vulnerable to cyberattacks. These attacks can come in many forms, from data breaches and denial-of-service attacks to malware infections, phishing attacks, and ransomware attacks. Regardless of the type of attack, the consequences for businesses can be devastating, leading to financial losses, reputational damage, and even legal liability.

Key Considerations of a Cyberattack Test Scenario

• – Type of cyberattack (e.g., data breach, denial-of-service, malware, ransomware, phishing)
• – Types of sensitive data that may be affected (customer, employee, financial, intellectual property)
• – Where, how, and how often your data is backed up and how it will be recovered
• – Whether your organization will pay a potential ransom
• – Involvement of authorities
• – Measures to prevent cyberattacks (firewalls, intrusion detection systems)
• – Communications with employees, customers, vendors, and regulators
• – Effects on client trust

To protect themselves from cyberattacks, businesses need to have a robust cybersecurity plan in place. This plan should include measures to prevent attacks and measures to respond to attacks. Businesses should also educate their employees about cybersecurity risks and how to protect themselves from attacks.

Active Shooter

Free active shooter tabletop exercise template

Workplace violence, including active shooter scenarios , is a serious issue that can have a devastating impact on businesses. It is important for businesses to have an active shooter response plan in place to mitigate the risk of violence and to ensure the safety of their employees, customers, and visitors.

Key Considerations of an Active Shooter Test Scenario

• – Potential risks and sources of violence
• – Communication with on-site employees and visitors
• – Accounting for all on-site personnel
• – Involvement of and communication with authorities
• – Evacuation and safe room procedures
• – Office security
• – Communication with news media
• – Post-event trauma counseling
• – Return-to-office decisions

By including these steps in a business continuity testing scenario, businesses can help ensure the safety of their employees, customers, and visitors.

Pandemics

Free pandemic tabletop exercise template

Pandemics can disrupt businesses in a number of ways, including employee absenteeism, travel restrictions, government-imposed lockdowns and quarantines, and changes in consumer behavior. These disruptions can lead to lost revenue, increased costs, and even business closures.

Key Considerations of a Pandemic Test Scenario

• – Monitoring of real-time global health updates
• – Infection prevention measures
• – Instructions for employees experiencing symptoms
• – Accommodations for employees with sick family members
• – Potential changes to employee absence and sick leave policies
• – When to activate the crisis team
• – When or if to have employees work from home
• – Communication with employees, customers, and vendors
• – Effects on supply chain, productivity, and ability to meet deadlines
• – When to resume normal business operations

By taking these steps, businesses can help protect themselves from the impact of a pandemic and ensure the continuity of their operations.

Winter Weather

Free winter weather tabletop exercise template

Winter weather may not always fall under the category of natural disasters, but can have serious effects on a business's ability to operate and meet customer expectations. Winter weather can include snowstorms , ice storms, icy roads, poor visibility, frozen and burst pipes, and more.

Key Considerations of a Winter Weather Test Scenario

• – Real-time monitoring of weather conditions
• – Evaluation of how a winter weather event would affect normal operations
• – Work-from-home procedures and potential excusing of non-essential employees
• – Employees who may need to take care of family members
• – Communications with employees, vendors, and customers
• – Ability to maintain continuity in case of transportation disruptions and limitations
• – Power and communication outages that may last several days
• – Damage to physical infrastructure
• – Support for employees who are affected by outages or damage

Winter weather isn't something to take lightly, even if your business is located in a more temperate area. By taking all the above points into consideration, businesses will be better prepared in case of severe winter weather.

Don’t Delay – Test Your Plan Today

We recommend businesses test their business continuity plans at least every six months. We provide a range of testing options to make the process seamless for your organization.

Why Tabletop Exercises?

Even the best-laid plans can go wrong with the simple introduction of the “human factor.” Introduce this in the emergency response planning, when the stakes are high, and even the most thorough plan can begin to fall apart. That is why tabletop exercises can be critical to ensuring the success of your scenario plans when they are put into action. Tabletop exercises are group activities that examine the response of your crisis team to a specific scenario and quickly detect previously undetected gaps in your plan or issues that need to be addressed. Such exercises also remind of small yet crucial details, for example, whose responsibility is to provide comments to the media if the VP of communications is on vacation. These are some of the essential tips for maximizing an outcome of a tabletop exercise:

Before deciding on a scenario, define a reasonable number (3-5) of objectives. For example, if you choose to test your organizational response to an Active Shooter incident, first determine what aspects of the response you need to focus on. Then, develop a scenario that aligns with the objectives.

Choose a Realistic Scenario

A successful tabletop exercise should resemble the real world as closely as possible. This means choosing threats that are viable to the organization, as well as designing a scenario that includes realistic threat behavior. Examples of real-world cybersecurity threats include a network infrastructure breach with data exfiltration, website-hosted malware, denial-of-service (DoS) or distributed-denial-of-service (DDoS) attacks, rogue wireless access points, or something as commonplace as a lost laptop that contains sensitive data or passwords. The type of threat chosen for a tabletop exercise will vary by industry and from one organization to another, but it must mimic a threat that’s likely for that specific environment.

During the Tabletop Exercise: Have Clear Objectives and Follow the Schedule

Make copies of your emergency response and business continuity plans and a whiteboard to track the progress. Before you begin, the moderator needs to review the objectives and scope of the exercise. Note that the crisis leader has the final say if there are conflicting opinions. It’s also important to keep track of time; the moderator needs to set time limits for each action item. Once the imaginary threat has been set into motion, each member of the group should perform – in real time – the actions they would take were that threat actually playing out. These will be based on the organization’s security plan that should be already in place. These actions include sending specific organizations to talk to the press, communicating to employees within the organization, and notifying clients and third parties. They also include making decisions about whether to shut down systems and collecting information and utilizing forensic software to identify the type of threat at play before working to remediate it. After the exercise is complete, review the process to understand what worked and what needs improvement. The rules of any successful meeting or a tabletop are: start on time, finish early, and offer refreshments.

To improve the effectiveness of a tabletop exercise, FEMA recommends for all potential players to complete Incident Command System 100 and National Incident Management Systems 700A-level training, which is a quick, easy and free course.

After the Tabletop Exercise: Act on What Was Learned

In addition to allowing the entire team to practice their response in real time, the value in tabletop exercises is that they can help identify weaknesses and gaps in an organization’s response. Confusion about responsibilities, poor decisions, identifying new vulnerabilities, and finding weak points in the processes don’t indicate failure; rather, these are precisely what tabletop exercises are designed to weed out.

“The tabletop exercises with Agility are always a valued service. By providing fresh insights and opportunities for improvement, Agility has helped us grow and improve our BC Program immensely.”

Robert Behling, IT Systems Administrator, First FarmBank

After each exercise, it’s essential for the team to debrief and discuss any shortcomings in the response. They should also document what worked as well as what didn’t so the organization can identify vulnerabilities and missing links and work to patch and fill them. These recommendations will help the next exercise run more smoothly and ensure a more effective response when an actual threat strikes. Make sure action items are circulated after the exercise is complete and review and update your plans accordingly.

A large part of business continuity planning is defining your organization’s RTO, or recovery time objective. How long can you realistically afford to be nonoperational? Defining your RTO can help your management and crisis teams understand expectations for recovery. Business continuity testing plays a huge part in determining whether you can realistically meet your RTOs and efficiently recover from a disaster.

Test to Know Exactly What Your Company Needs to Recover – and to Leverage the Resources Available to You

If you do not test, how can you know what recovery looks like for your organization and what you will need most urgently? One Agility customer discovered this the hard way. Though the bank had maintained a contract with Agility (previously with Rentsys) for years, they had never opted to schedule any testing with Agility’s customer success team. The bank knew they needed to have a continuity plan and recovery services available for compliance purposes but were unclear about what the recovery process would look like if their physical space were impacted by a disaster. When a hurricane hit their town, the bank’s team assumed they wanted a mobile unit, but did not know what that entailed, such as time for delivery and setup, options and additional cost drivers, or even where the unit could be installed. Agility was able to use Google Maps to estimate a zone where the unit could be installed but needed on-the-ground support to truly understand the layout. It wasn’t until this client saw another bank with an Agility mobile unit set up that they began to understand the capability of Agility’s recovery team, and they reached out to their Agility representative to understand what Agility could provide quickly to get the bank back up and running. Before seeing a recovery environment in person, it was hard for the bank to understand the benefits physical recovery services would bring. In short: By testing, you will identify the needs for your business – and pinpoint what’s needed for optimal response – before disaster strikes to be able to hit the ground running.

Test to Know What to Expect During a Recovery

Hopefully, a disaster like a tornado, hurricane, or even a major power outage is something that happens only once to your business. By testing, you will know what to expect if or when that disaster happens and set expectations among both your leadership and customers. From testing, organizations understand that downed trees, closed roads, and more can delay a recovery, since resources cannot easily get through barriers. Organizations must also often work with local municipalities to secure letters allowing recovery providers to pass through barricades. These things factor into your recovery timeline so you can prepare your customers. Finally, a recovery environment will never be able to completely recreate your office environment. If you test, this will not be a surprise, and you will be ready to dive into work in a modified space. The most important thing is that your business will be back up and running and operational.

Test to Learn What Permits Your Organization Needs

Oftentimes, what delays a recovery is paperwork. At the time of a major interruption, permits will be the last thing on your organization’s mind, but without them, recovery may be impossible. During testing, we encourage customers to incorporate all permitting aspects and involve those entities, so they are not blindsided during a recovery. Each state is different in how they handle permitting – if your business has multiple branches, it must account for different legal requirements. Recovery providers must rely on our clients to investigate permitting; though we cannot do it for businesses, we can help with networking. In fact, we helped one client with a permitting specialist to reduce a 4-6-week turnaround time for permits to just one week. Do not let a visit from the fire inspector be the reason you are unable to serve your customers!

In Conclusion

Defining your RTO is just one step in business continuity planning and disaster preparedness. Agility offers an integrated business continuity solution that helps businesses plan, test, train, alert, and recover – all in one. We offer several types of testing, including virtual tabletops, in-person tabletops, onsite mobile testing, and testing at our facilities throughout the U.S. Reach out to us today to learn more.

A business continuity program is no longer considered superfluous. Last year, businesses worldwide learned the importance of integrated business continuity testing and planning, especially when it comes to vendor management. In fact, 74 percent of surveyed organizations have faced a disruptive event with third parties in the past three years. A business continuity plan is a company's roadmap that helps navigate the unknown and unexpected, including natural disasters, communication issues, physical disruption, or other large-scale emergencies. However, having a plan in place is only half the battle. A business continuity strategy also needs to be continuously monitored and tested for gaps or obstacles.

Why Integrated Business Continuity Testing is Critical

Integrated testing moves beyond the testing of individual and isolated components. It includes testing with internal and external parties and supporting systems, processes, and resources.

1. Ensure your plans work

Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement.

2. Expose potential gaps before an incident occurs

Testing your business continuity plan allows you and your team to exercise how to approach an incident and find gaps in the plan to address where it needs improvement . This is a unique opportunity to practice your recovery strategy and update your incident management team on your business's latest changes.

3. Meet rising client expectations

Customer expectations are getting higher , and your business must keep up with the rising demand for impeccable customer service.

4. Continually validate and improve your plan

Your organization is continuously evolving. So should your business continuity plan. And what's a better way to improve your plan than through testing it?

5. Reduce recovery time objective and cost

With RTOs , costs increase the faster you want to recover your business after a disaster. For instance, recovering your business in 72 hours will be exponentially less expensive than recovering your business within 24 hours.

6. Preserve reputation

Business continuity management is more than just compliance. It is the foundation of a company’s reputation and stability.

7. Satisfy regulators

Regulatory scrutiny is projected to tighten even more in the coming years. Keeping your business compliant with industry regulations is key to its longevity. Besides, disobeying compliance standards will most likely lead to costly fines.

5 Testing Tips to Increase the Effectiveness of Testing

In striving to increase the effectiveness of test scenarios over time, an institution should, as appropriate, consider the following:

• – Perform integrated tests or exercises that incorporate more than one system or application and external dependencies to gauge the effectiveness of continuity plans for a business line or major function.
• – Test interdependencies where two or more departments, business lines, processes, functions, and/or third parties support one another.
• – Conduct end-to-end exercises to demonstrate your organization’s ability to recover a business process from initiation (e.g., customer contact) through process finalization (e.g., transaction closure).
• – Conduct full-scale exercises that involve the recovery of systems and applications in an interactive manner in a recovery environment, including all critical functions and modules.
• – Perform exercises that include third-party providers’ subcontractors, vendors, or services.

Core Elements of a Business Continuity Testing Strategy

The test strategy should encompass at least three elements: staffing, technology (data, systems, applications, and telecommunications), and the facilities that house the staff and technology environments.

1. Testing elements: Staffing

• Testing strategies should include demonstrations of the staff’s ability to support business processes, including the processing of transactions, communication with key internal and external stakeholders, and any other industry-specific processes.
• Strategies may need to address staff’s ability to support increased workloads resulting from the transfer of processing to alternate sites for extended periods of time. For institutions that have implemented split processing business models, any aspects of the client relationship model that present challenges or complexities to the transfer of workloads across sites, and related dependencies, should be identified and incorporated into testing strategies.
• Testing strategies should demonstrate the effectiveness of a company’s management succession plans.

2. Testing elements: Technology

• Testing technology strategies should include the data, systems, applications, networks, and telecommunications necessary for supporting business activities.
• In the event system recovery depends on retrieving data files, programs, and other items maintained at the backup facility, off-site testing procedures should only include the use of these backup items to properly replicate the loss of any master data files and programs maintained at the main facility.
• Backup data files should also be tested frequently to assess the integrity of the information, determine if the data is being saved in the correct format, and ensure that applicable files can be retrieved promptly.  Alternatively, institutions may employ other processes for data replication, such as synchronous and asynchronous data replication.  Regardless of the data replication process used, the process for demonstrating data consistency across different processing environments should be included in the testing strategy.
• Strategies should also test processes to recreate any data lost during a switch to alternate processing facilities, and periodic reviews of telecommunications services should be conducted to determine circuit diversity.

3. Testing elements: Facilities

• Testing strategies for business functions should encompass environmental controls, workspace recovery, and physical security to ensure continuity of facilities and environmental systems at primary and alternate processing sites.
• Testing strategies should include the adequacy of backup power generators and heating, ventilation, and air conditioning systems to meet business recovery objectives at operating centers.
• Workspace recovery test strategies should include assessments of the availability and adequacy of workspace, desktop computers, network connectivity, email access, telephone service, and physical security controls.  For institutions relying on the physical relocation of hardware, software, or data storage devices to recover the technology infrastructure and applications at alternate locations, the facilities testing strategy should address the secure transportation of these items.

Additional Plans for Business Continuity Testing

Test scenarios, plans, and objectives should include the institution's crisis management function to demonstrate your ability to respond effectively to contingency events. The crisis management program should be tested, with particular emphasis on the institution's capability to gather information about the threat or event, initiate the BCP, and communicate relevant information to the appropriate staff, customers, vendors, service providers, regulators, and other public authorities. Crisis management test plans should address crisis management team members' abilities and their alternates to carry out their designated responsibilities under various event scenarios. Depending on the type of industry, your organization may need to consider testing the following plans:

• Crisis or incident management plans (know how you’ll manage everything)
• Department continuity plans (maintain priority processes)
• Pandemic plan (tracking, planning, execution)
• Life Safety plans (ensure everyone knows what to do)
• Crisis Communications plans (internal and external)
• Service provider plans (validate partners and supply chain resilience)
  • Background and risk 
  • Vendor Due diligence 

Reliance on third-party providers, key suppliers, or business partners may expose your organization to points of failure that may prevent the prompt resumption of operations. The risks in outsourcing information include threats to the security, availability, integrity of systems and resources, confidentiality of information, and regulatory compliance. To ensure timely recovery of operations, management should routinely perform vendor due diligence . As part of this due diligence process, management should inquire about the service provider's physical paths to ensure that system redundancies have been properly implemented. Organizations should also review the service provider's BCP and ensure that critical services can be restored within acceptable timeframes based on the business's needs. The service provider's contract should address the service provider's responsibility for maintenance and testing of disaster recovery and contingency plans. Management should request a copy of the service provider's BCP test results and audit reports to determine the adequacy of business continuity plans and the testing program's effectiveness. If possible, the institution should consider participating in the service provider's testing process. If the service provider fails to perform satisfactorily during a service disruption, management should determine whether the institution has sufficient resources and capacity to perform these processes internally or if alternate vendor arrangements should be considered.

Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement. Every company has very targeted and specific ways and types of tests   used to ascertain information in different areas within the department. Our infographic presents some of the most popular and productive ways to test a business continuity plan.

Plan Review

What is a business continuity plan review?

A plan review is much like an audit of the Business Continuity Plan. The BCP team, along with the C-level management or department heads, get together to review the plan and decide if any components are missing or need revision.

What is it best suited for?

Training new members of the BCP team, or in regular onboarding.

Benefits of a plan review

• – Does not require a lot of investment in time or resources
• – Easy to implement
• – A quick way to detect gaps or areas for improvement

Disadvantages of a plan review

• – May not provide an in-depth view into a BC strategy
• – Offers a basic level of preparedness
• – Unlikely to promote organizational buy-in

Tabletop Exercise

What is a tabletop exercise?

A tabletop exercise is a role-playing group exercise that examines the response of your crisis team to a specific scenario.

What is it best suited for?

Updating critical employees on their roles and responsibilities during an emergency.

Benefits of a tabletop test exercise

• – A thorough rehearsal of actions and steps for all team members during an incident
• – Interactive format
• – Promotes cross-departmental and company-wide engagement
• – Allows to quickly detect BCP gaps

Disadvantages of a tabletop test exercise

• – Can be time-consuming
• – Requires thorough documentation as the tabletop unfolds
• – Must be organized and guided by someone with prior experience

Walk-through/Simulation Test

What is a walk-through test?

A walk-through or simulation test is a more hands-on type of testing exercise. While a tabletop test, as the name suggests, typically consists of discussing plan details around a table, a simulation test combines real recovery actions.

What is it best suited for?

A company-wide BCP testing event to locate potential gaps as quickly as possible.

Benefits of a walk-through test

• – Provides a hands-on, real-life emergency environment
• – Can engage everyone in the company
• – Allows everyone involved to practice their plan of actions
• – Quickly identifies BCP gaps
• – Allows to develop detailed documentation for further BCP review and update

Disadvantages of a walk-through test

• – Requires considerable investment to set up and implement
• – It may be cumbersome to coordinate the schedules of all parties involved in the test

There are 8.2 million reasons to do business continuity testing in your organization. That’s because, as of July 2019, the average cost for a data breach or business disruption in the U.S. was $8.2 million per company . Companies have learned that it’s better to perform business continuity testing than being held hostage to disruption of services. Consistent business continuity testing that’s held on a semi-annual or quarterly basis can help gain buy-in throughout the organization   and save you millions of dollars in the long-run. Once your organization decides to proceed with the essential business continuity plan test (BCP), there is an exemplary 5-tier approach to BCP testing that’s worth implementing. Read on to learn how BCP builds resilience in your company and helps establish your organization as a business continuity expert.

What is BCP Testing?

Before you determine the benefits and how often you need to perform BCP testing, let’s understand its core definition, and how it can impact your company. Business Continuity Planning   involves developing a document that gives your company an outline of how the business will continue operating if there’s an unplanned disruption in service. The document is a plan that’s much more comprehensive   than a disaster recovery plan because it contains contingencies that address every aspect of business that may be affected during a disruption. The BCP can even provide a contingency plan for business partners or any other company division that needs to be functioning in case of a disruption of service.

Reasons for Performing BCP Testing

Your business has to be able to respond quickly to interruptions of service so it can minimize the negative impact   the downtime is costing you. When you perform BCP testing, you also create an integral business document that helps your company fix, recover, and continue its day-to-day operations during disruptions. There are specific reasons for doing BCP testing , and all of them help contribute to minimizing the immense damage an interruption of service causes your company. BCP testing helps you identify your company’s interdependencies, as well as gaps and areas for improvements. BCP testing also provides clients with a sense of confidence that you’re a company that demonstrates a commitment to delivering your services even with things seen and unseen happen to your company unexpectedly. BCP testing also allows for your company to have a continual process that helps you validate and improve your day-to-day operational plans, so they meet safety compliance requirements and reduce recovery time and cost.

Barriers to BCP Testing

It’s not always clear why any company wouldn’t perform BCP testing because they gain so much business continuity by having it in place. Some companies have managers in place who are afraid they may fail a BCP test, and other companies, clients, or employees will find out. In this case, one has to remember BCP isn’t about failing or passing. It’s about improving your business continuity plan and process in case of a disruption of service. There are some problems with organizational buy-in that sometimes prevent BCP testing from happening because  executive support or leadership doesn’t  see the value  in performing the test. Such logic needs to change because every company can and will benefit from BCP testing. If the leadership team involves itself with the testing procedures, the BCP test has the best validator of value possible.

What are Some BCP Tests in the Marketplace Today?

Every BCP test in a company has very targeted and specific ways and types of tests   used to ascertain information in different areas within the company. The list below gives you some but not all the information about BCP test types and reasons.

1. Plan Review: Includes a BCP team with c-level management or department heads to see if their current BCP plan needs revisions. The plan review goes over recovery contract validity, business continuity management, and any disaster recovery scenarios that can be shared with other company teams.
2. Tabletop Test: Includes role-playing discussion exercises that are scenario-based, and you usually have employees participate so they can practice their roles and responsibilities in case of any disruptive emergency from an active shooter to a hurricane or tornado.

There’s also the BCP walk-through, which mimics the tabletop test discussions with planned details but takes those details and turns it into a simulation test that combines real recovery actions. The real scenario ranges from data loss backups and restoring to emergency notifications and physical recoveries.

The Five Tiers of BCP Testing

There is one best way to approach testing strategy, and that’s to apply the five tiers of BCP testing to get it done. BC expert Marc Easley devised the five tiers of how he approaches business continuity testing.

1. 1. A tabletop exercise is done with a third party solution working a full day at a test site. The tabletop exercises go over everything from prioritizing disrupting events to analyzing their cause and impact on the business. This includes things like reduced production capacity, severed communication or transportation lines, part shortages, etc.
2. 2. Experienced user participants are an integral part of tier two in the recovery operation because they’re the ones critical to planning actions that treat disruption problems.
3. 3. You’ll need to have a multi-site and multi-day strategy that includes sending some employees to work from home and some—to a mobile recovery unit.
4. 4. There needs to be a dry run event where you shut down the office, send key personnel to the mobile recovery unit, and complete a dry run of the planned activities and solutions.
5. 5. Finally, you need to choose a full-capacity day where there are as many employees as possible working and perform a mock test with no warning given to the employees.

This unannounced mock-up test will send some employees to work from a different location. The challenge in the different location scenarios is not everyone will have their laptops with them yet will still have the same roles and responsibilities. The element of surprise will also allow for testing how secure and fast their connections are at their homes.

The Final Step

The final step in performing and fine-turning your business continuity testing can provide clarity in company and employee responsibilities and locates resources for recovery should the worst happen in a disruption of services. There is only one way a business can do that well, and that’s by learning about BCP testing from the experts.

One of the most important things your business can do is test its business continuity plan. You might assume that because you have a written plan, your company is prepared for a disaster or business interruption, but how do you know your plan works until you test it? Below are four reasons that testing is essential.

1. Testing Your BCP Finds Interdependencies

Performing business continuity tests helps you identify interdependencies and gaps within your system databases and technology. For example, let’s say you were completing a test for a customer. During the test, they were able to recover their main application and network environment. However, they discovered there was a particular database the application made a call to for a subroutine. That specific database was housed in a separate environment and wasn’t being backed up. As a result, the entire system application that relied on that database wouldn’t have been able to operate during a real-world recovery scenario. It would have prevented an entire business unit from functioning. But because they chose to test, they were able to identify that interdependency ahead of time.

2. Testing Validates Compliance Requirements

Many businesses are required to have specific security protocols in place for compliance purposes. They also need to meet specific recovery time objectives (RTOs) driven by business objectives, regulatory requirements, or both. Unfortunately, sometimes when businesses are in the middle of an event, they tend to try to recover as quickly as they can, which can open up security issues. With testing, you can assess your ability to recover within your RTOs while validating that the required security controls are in place.

3. Testing Reveals Expectations vs. Reality

Differences between your current production environment and the recovered environment could cripple your employees’ productivity. People are used to using an application or software in a certain way daily. If an application isn’t configured to allow users to perform the desired functions, it will become ineffective to your employees. Testing will reveal any configuration changes you need to make.

4. Testing Business Continuity Produces Vital Documents

It’s critical for people going through an exercise to document work issues in a recovery scenario . Doing so will ensure the legacy of your work. If other people are involved in a recovery situation in the future, they have a written plan that can expedite recovery, rather than working out logistics that were resolved during a previous test. If you work with a business continuity services provider, that third party can leverage documentation on the customer’s environment to speed up the recovery. After a disaster strikes, people are typically dealing with the effects of the event and making sure their families are taken care of. That’s why key personnel are not always available to initiate the business’s recovery. In our experience, having detailed documentation can cut about six to 12 hours off the recovery process. By proactively identifying weaknesses in your business continuity plan, you can save yourself a lot of headaches down the road.

Active Shooter Statistics

To be able to properly respond to an active shooter situation, one must complete training and practice. Since FBI began releasing their report in 2000, the first seven years demonstrated an average of 6.4 active-shooter incidents, and that figure grew more than twofold to 16.4 the following seven years. The number lingered around 20 incidents every year since then, surging in the last two. Even though the previous year had a lower activity, last year’s results remained consistent with a troubling trend. According to the FBI, there have been 27 active shooter incidents in 2018 . 27 incidents in 16 states. 213 casualties – excluding the shooters. 85 killed: 2 law enforcement officers, 1 unarmed security officer 128 wounded, including 6 law enforcement officers.

Types of locations (2018):

• Sixteen of the 27 incidents took place in areas of commerce and business environment, resulting in 41 killed and 61 wounded.
• Five of the 27 incidents happened in education environments, resulting in 29 killed and 52 wounded.
• Two of the 27 incidents occurred in health care facilities.
• One of the 27 incidents occurred on government property.
• One of the 27 incidents occurred in a house of worship.

How to Respond

1. Run – Have an escape route and plan on where to go. – Leave your belongings behind. – Prevent others from entering the area. – Call 911 when it is safe to do so.
2. Hide – Shelter-in-place in an area out of the shooter’s view. – Block entry to your hiding place and secure the door. – Silence communications devices. – Remain quiet.
3. Fight – As a last resort and only if your life is in danger, attempt to incapacitate the shooter. – Act with physical aggression and throw items at the active shooter. – Commit to your actions.

When Law Enforcement Arrives

• Officers will usually be in teams.
• May be in uniform or tactical gear.
• First responders won’t help victims until the threat is neutralized.
• Remain calm and follow directions.
• Keep hands visible and avoid sudden movements.
• Avoid pointing, screaming, and yelling.
• Expect to be detained.

Get Prepared

• Establish a partnership with local law enforcement and first responders.
• Implement an action plan that addresses active shooter scenarios.
• Designate at least one (two recommended) “safe rooms” on each floor and ensure everyone is aware of the locations.
• Conduct awareness training for personnel to ensure everyone recognizes and understands the warning signs of potential violence.
• Test and drill on your plans.
• And remember, if you see something, say something.

Even the best-laid plans can go terribly wrong with the simple introduction of the “human factor.” Implement this in the emergency response planning, where the stakes are high, and even the most thorough plan can begin to fall apart. The best ways to eliminate the human factor is to test your plans during tabletop exercises.

An Unfortunate Trend

In February 2019, a laid-off employee opened fire inside a factory , killing five of his coworkers. It isn’t the first time it has happened. Sadly, it’s highly unlikely it will be the last time. It’s a common misconception around managers and business owners to assume that an employee becomes disgruntled only in the extreme situations that make headlines. The best way for your business to avoid dealing with a disgruntled-employee-turned-workplace-violence situation is for your business to be proactive. By recognizing the early signs of a disgruntled employee, you will be able to quickly and efficiently respond and mitigate additional issues.

Employee Happiness

A happy employee makes a thriving organization. To put these words into perspective, a study by Social Market Foundation revealed that happy employees are up to 20% more productive than unhappy workers . Years of research demonstrated that happiness positively affects every business and educational aspect, with a boost of sales by 37%, increase of productivity by 31%, and sharp accuracy on tasks by 19%. So, what does it mean to be happy at work? In his book, The Truth About Employee Engagement , Patrick Lencioni talks about three elements: the importance of who you are and that people know your name; the significance of the work you perform; the progression of your performance that contributes to company’s success.

Signs of a Disgruntled Employee

On the other side of the spectrum resides an unhappy employee. Being able to identify the early signs of a disgruntled employee will help you avoid escalated situations and a potential liability to the company. Consider some of the following signs that may indicate you’re dealing with a disgruntled worker:

• – Lack of motivation and involvement
• – Excessive breaks, apparent tardiness
• – Negative attitude
• – An overt pursuit of other work, or unreasonable complaining about the job
• – Negative feedback from teammates
• – Strained workplace relationships, verbal abuse
• – Comments about acts of violence; remarks about issues in personal life or financial issues

Some of these may also be the signs of many serious issues.

The Next Steps

Identifying that you have a disgruntled employee at your business is only half of the battle. It’s essential to address the situation accordingly. There are several tactics that will help you handle a disgruntled employee at your business:

• Act quickly—As a business owner or manager, it is your responsibility to identify and address any issues at your business ASAP. If the behavior warrants termination, you also need to terminate immediately. Have everything organized so that the employee has no reasons to return to the office.
• Approach the situation with empathy—When approaching a disgruntled employee, do so to understand the motive and what caused the distress.
• Be stern—Do not tolerate violent behavior. Discuss all aspects of the situation and clearly communicate any repercussions if the behavior continues.
• Document the behavior—Keep official documentation of the demeanor, conversation, and disciplinary actions. If there is another issue with this employee going forward, it is important that you have documented proof for previous incidents.
• Keep it confidential—Discuss the situation with other members of management and those directly involved.

However, despite your best efforts, a situation may not always be mitigated. In this scenario, you need to develop an Emergency Action Plan (EAP) for your business. Within your EAP, you should have workplace violence training to make sure that all employees have accurate information on how to handle a violent situation. By emphasizing clear communication and honesty, you can consistently strengthen the employee experience.

The importance of testing your business continuity and disaster recovery (BCDR) plan has never been a dry subject for us at Agility. With a wildfire reason around the corner , we wanted to learn a little bit more about the value fire departments find in testing their hydrants, as well as how we can learn from their examples. Here are several similarities we found between testing fire hydrants and BCDR plans.

Compliance

The National Fire Protection Association (NFPA) sets a standard for the minimum water flow that hydrants must meet. Testing hydrants ahead of time not only ensures the codes are satisfied but also maintains quality. If hydrants aren’t regularly maintained, they can rust, causing parts to snap off. If your business is subject to industry regulations like fire hydrants are, it’s important to test your BCDR plan regularly to ensure you’re meeting the compliance requirements . Otherwise, you expose yourself to potential regulatory violations, such as excessive downtime or rusty procedures, endangering you to security breaches.

Maintenance

Facilitating your business growth requires you to revise, modernize, and develop your current and future products and services, as well as the tools you use to deliver them. Hydrants are a part of a huge underground network that provides water access to an entire community. Sometimes valves have to be temporarily closed to allow for maintenance, but due to the complexities of this network, water flow can be reduced without ever being fully cut off from users. Unfortunately, after the work is completed, these closed valves are sometimes forgotten about and not reopened. While this omission doesn’t affect the community on a day-to-day basis, the reduced water flow wouldn’t be sufficient to put out a fire when needed for an emergency. Similar to hydrants, your BCDR plan needs to be updated and maintained to coincide with the progress of your company. Facilitating your business growth requires you to revise, modernize, and develop your current and future products and services, as well as the tools you use to deliver them. However, if you don’t consistently update and test your BCDR plan to ensure that it keeps up with the innovation of your business, your plan won’t offer the full flow of information you need to calm the fire, so to speak, when it comes.

Avoiding Neglect

One of the dangerous consequences of not regularly testing hydrants is that they become hidden, either by overgrown plants or by decorations placed by residents who find the sight of hydrants unpleasant. Unfortunately, when a crisis occurs, these obstructions can make it almost impossible for firefighters to find hydrants and carry out their jobs. Just as residents don’t want to look at fire hydrants, many companies don’t like to dwell on BC/DR planning because it’s not always pleasant to think about. Instead, they focus on revenue, shareholders, or customer growth. A common issue that we’ve seen over the years is businesses that have a plan but don’t make it a priority to regularly test. This leaves the BC/DR plan to get buried under more gratifying things, such as profits. We recommend taking the time to fully test your BC/DR plan at least once a year to help you work out any kinks before a disaster actually strikes. How often do you test your BC/DR plan?