A business continuity program is no longer considered superfluous. Last year, businesses worldwide learned the importance of integrated business continuity testing and planning, especially when it comes to vendor management. In fact, 74 percent of surveyed organizations have faced a disruptive event with third parties in the past three years. A business continuity plan is a company's roadmap that helps navigate the unknown and unexpected, including natural disasters, communication issues, physical disruption, or other large-scale emergencies. However, having a plan in place is only half the battle. A business continuity strategy also needs to be continuously monitored and tested for gaps or obstacles.

Why Integrated Business Continuity Testing is Critical

Integrated testing moves beyond the testing of individual and isolated components. It includes testing with internal and external parties and supporting systems, processes, and resources.

1. Ensure your plans work

Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement.

2. Expose potential gaps before an incident occurs

Testing your business continuity plan allows you and your team to exercise how to approach an incident and find gaps in the plan to address where it needs improvement . This is a unique opportunity to practice your recovery strategy and update your incident management team on your business's latest changes.

3. Meet rising client expectations

Customer expectations are getting higher , and your business must keep up with the rising demand for impeccable customer service.

4. Continually validate and improve your plan

Your organization is continuously evolving. So should your business continuity plan. And what's a better way to improve your plan than through testing it?

5. Reduce recovery time objective and cost

With RTOs , costs increase the faster you want to recover your business after a disaster. For instance, recovering your business in 72 hours will be exponentially less expensive than recovering your business within 24 hours.

6. Preserve reputation

Business continuity management is more than just compliance. It is the foundation of a company’s reputation and stability.

7. Satisfy regulators

Regulatory scrutiny is projected to tighten even more in the coming years. Keeping your business compliant with industry regulations is key to its longevity. Besides, disobeying compliance standards will most likely lead to costly fines.

5 Testing Tips to Increase the Effectiveness of Testing

In striving to increase the effectiveness of test scenarios over time, an institution should, as appropriate, consider the following:

• – Perform integrated tests or exercises that incorporate more than one system or application and external dependencies to gauge the effectiveness of continuity plans for a business line or major function.
• – Test interdependencies where two or more departments, business lines, processes, functions, and/or third parties support one another.
• – Conduct end-to-end exercises to demonstrate your organization’s ability to recover a business process from initiation (e.g., customer contact) through process finalization (e.g., transaction closure).
• – Conduct full-scale exercises that involve the recovery of systems and applications in an interactive manner in a recovery environment, including all critical functions and modules.
• – Perform exercises that include third-party providers’ subcontractors, vendors, or services.

Core Elements of a Business Continuity Testing Strategy

The test strategy should encompass at least three elements: staffing, technology (data, systems, applications, and telecommunications), and the facilities that house the staff and technology environments.

1. Testing elements: Staffing

• Testing strategies should include demonstrations of the staff’s ability to support business processes, including the processing of transactions, communication with key internal and external stakeholders, and any other industry-specific processes.
• Strategies may need to address staff’s ability to support increased workloads resulting from the transfer of processing to alternate sites for extended periods of time. For institutions that have implemented split processing business models, any aspects of the client relationship model that present challenges or complexities to the transfer of workloads across sites, and related dependencies, should be identified and incorporated into testing strategies.
• Testing strategies should demonstrate the effectiveness of a company’s management succession plans.

2. Testing elements: Technology

• Testing technology strategies should include the data, systems, applications, networks, and telecommunications necessary for supporting business activities.
• In the event system recovery depends on retrieving data files, programs, and other items maintained at the backup facility, off-site testing procedures should only include the use of these backup items to properly replicate the loss of any master data files and programs maintained at the main facility.
• Backup data files should also be tested frequently to assess the integrity of the information, determine if the data is being saved in the correct format, and ensure that applicable files can be retrieved promptly.  Alternatively, institutions may employ other processes for data replication, such as synchronous and asynchronous data replication.  Regardless of the data replication process used, the process for demonstrating data consistency across different processing environments should be included in the testing strategy.
• Strategies should also test processes to recreate any data lost during a switch to alternate processing facilities, and periodic reviews of telecommunications services should be conducted to determine circuit diversity.

3. Testing elements: Facilities

• Testing strategies for business functions should encompass environmental controls, workspace recovery, and physical security to ensure continuity of facilities and environmental systems at primary and alternate processing sites.
• Testing strategies should include the adequacy of backup power generators and heating, ventilation, and air conditioning systems to meet business recovery objectives at operating centers.
• Workspace recovery test strategies should include assessments of the availability and adequacy of workspace, desktop computers, network connectivity, email access, telephone service, and physical security controls.  For institutions relying on the physical relocation of hardware, software, or data storage devices to recover the technology infrastructure and applications at alternate locations, the facilities testing strategy should address the secure transportation of these items.

Additional Plans for Business Continuity Testing

Test scenarios, plans, and objectives should include the institution's crisis management function to demonstrate your ability to respond effectively to contingency events. The crisis management program should be tested, with particular emphasis on the institution's capability to gather information about the threat or event, initiate the BCP, and communicate relevant information to the appropriate staff, customers, vendors, service providers, regulators, and other public authorities. Crisis management test plans should address crisis management team members' abilities and their alternates to carry out their designated responsibilities under various event scenarios. Depending on the type of industry, your organization may need to consider testing the following plans:

• Crisis or incident management plans (know how you’ll manage everything)
• Department continuity plans (maintain priority processes)
• Pandemic plan (tracking, planning, execution)
• Life Safety plans (ensure everyone knows what to do)
• Crisis Communications plans (internal and external)
• Service provider plans (validate partners and supply chain resilience)
  • Background and risk 
  • Vendor Due diligence 

Reliance on third-party providers, key suppliers, or business partners may expose your organization to points of failure that may prevent the prompt resumption of operations. The risks in outsourcing information include threats to the security, availability, integrity of systems and resources, confidentiality of information, and regulatory compliance. To ensure timely recovery of operations, management should routinely perform vendor due diligence . As part of this due diligence process, management should inquire about the service provider's physical paths to ensure that system redundancies have been properly implemented. Organizations should also review the service provider's BCP and ensure that critical services can be restored within acceptable timeframes based on the business's needs. The service provider's contract should address the service provider's responsibility for maintenance and testing of disaster recovery and contingency plans. Management should request a copy of the service provider's BCP test results and audit reports to determine the adequacy of business continuity plans and the testing program's effectiveness. If possible, the institution should consider participating in the service provider's testing process. If the service provider fails to perform satisfactorily during a service disruption, management should determine whether the institution has sufficient resources and capacity to perform these processes internally or if alternate vendor arrangements should be considered.

Unlike hurricanes or tornadoes , earthquakes don't occur at predictable times or in predictable patterns. Earthquakes rarely give any warning, which is why they present such a challenge to preparedness. One earthquake doesn't cause much damage, but large earthquakes can cause widespread destruction and loss of life. Any organization's emergency plan should consider how to protect employees, assets, and business continuity. In this article, you'll learn the best ways to prepare for the unexpected and keep your business intact.

Preparing Your Company for an Earthquake

Earthquakes are one of the most significant threats to business continuity, with devastating effects on companies, employees, and customers. Earthquakes occur in remote, high-risk areas with few or no warning systems, making them nearly impossible to predict. In the aftermath of an earthquake , employees are often left without access to their offices, computers, or other critical infrastructure they need for their jobs. Moreover, disasters often disrupt transportation networks, telecommunications lines, electricity grids, and water and sewer systems, making it difficult for employees to get to work. You can reduce the potential impact of an earthquake on your business by ensuring that you have an emergency plan and conducting regular earthquake preparedness drills. This enables you to assess your workplace's vulnerabilities and plan for potential disruptions, which can reduce the chances of injury and damage.

Establish an Emergency Plan

You should establish your company's emergency plan ahead of time. In addition to routinely training employees on what to do during an emergency, you should encourage all the key stakeholders in your company to participate in an emergency training exercise. You and the key stakeholders should also establish an alternate worksite if possible. In a natural disaster, your employees will appreciate the level of preparation you put into a disaster plan.

Design Your Company’s Emergency Plan With the Following

• – In the event of an earthquake, it is essential to establish a designated emergency area outside of the workplace. Ideally, the location should be open-air and free of other buildings or power lines. Make sure that your employees are aware of the site of the designated emergency area.
• – After evacuation, designate one or more individuals to conduct a roll call of employees, depending on the size of your company.
• – Having teams handle basic first aid, search and rescue, fire and evacuation, damage assessment, and security is an excellent way to involve your employees in the process.

Prepare Disaster Supply Kits

You can also mitigate your employees' injury rate if you have a disaster supply kit on hand after an earthquake. During a time of any disaster, you may lack access to food, water, and information, for some time. A disaster supply kit at your workplace needs to contain, at the very least, the following:

• – Bottled water
• – Hand-crank or battery-powered radio
• – Additional batteries
• – Emergency first aid kit
• – Emergency whistle
• – Local maps with information about the nearest hospital and police station
• – Chargers and backup batteries (or power banks) for cell phones
• – Pain relievers and other non-prescription medications

Develop a Business Continuity Plan (BCP) and an Emergency Action Plan (EAP)

Business continuity plans and emergency action plans are essential components of every business. BCPs ensure that a company's ability to respond to and recover from the unexpected is protected and minimizes downtime for the organization. Your employees need an EAP in case of an emergency to know what to do. Getting expert assistance can be an excellent way to build a fully actionable EAP and BCP for business owners without the time or expertise to do so themselves. The best way to determine whether your plan will effectively protect your organization is to partner with Agility’s expert business continuity testing team to develop a testing protocol tailored to your unique needs. Both weather and technology failures can account for power outages. Business owners should prepare businesses to support their productivity even when faced with a power outage and consider a backup plan that includes additional computer equipment , an emergency power supply like a generator , or a portable power and connection pack like ReadyTechGo .

Store Information Remotely

Businesses should have all critical company information, including client data, work orders, contracts, intellectual property, marketing information, and other sensitive materials, safely stored in the cloud if an unexpected disaster hits. Businesses should also have critical business data, like employee training records, sales records, and financial statements, on a remote server. Having the valuable materials mentioned above will enable your company to do business still while handling the aftermath.

Prepare Your Employees to Deal with Emergencies with Training and an Emergency Messaging System

As a result of a natural disaster, time is essential, and you must take action immediately. A person may become overwhelmed in a moment of crisis and freeze up when they should be acting quickly. Organizations that are likely to be affected by natural disasters should prioritize preparing their employees to respond to natural disasters such as hurricanes or power outages.

Importance of Earthquake Awareness

Earthquakes can cause significant disruption for businesses and their employees. Employees who are knowledgeable and prepared for earthquakes are safer and less likely to become seriously injured. Companies that establish an emergency preparedness plan are more likely to recover from the aftermath of an earthquake. Contact Agility today to strengthen your resilience against earthquakes and other disasters.

Our recent Business Resilience & Insights Report delves into some of the top trends in the business continuity landscape. Supply chain and vendor management has become a critical component in operational resilience as many organizations depend on critical vendors to perform or support crucial operations. A disruption in the delivery of those services can directly impact a company’s resilience and, on average, costs a large company $184 million a year. Supply chain disruptions also hurt companies’ reputations; 83% of companies reported that their firms have suffered reputational damage after a disruption.

President Biden recently issued an executive order designed to strengthen the resilience of America’s supply chain.

More resilient supply chains are secure and diverse — facilitating greater domestic production, a range of supply, built-in redundancies, adequate stockpiles, safe and secure digital networks, and a world-class American manufacturing base and workforce.

President Joe Biden, Executive Order on America’s Supply Chains

While the order directs some federal agencies to review existing supply chains and make recommendations to resolve current and future issues, it reinforces the importance for all organizations to take a proactive, end-to-end approach to supply chain resilience requiring optimization along all touchpoints of the supplier-to-customer route.

Added Focus on Vendors’ BC Plans

Organizations are performing greater due diligence on suppliers’ BC arrangements – according to the BCI Supply Chain Resilience Report 2021, 75% of organizations are ensuring their key suppliers have plans in place. During 2020, organizations performed greater levels of due diligence at the procurement stage of supplier relationships, with 38% now reporting BC checks are an integral part of the procurement process.

Though this trend was already beginning, the pandemic had a significant impact. Forty-nine percent of respondents reported management is “much more committed” to managing supply chain risk as a result of COVID-19. And according to Capgemini’s Fast Forward report, more than 80% of organizations were negatively impacted by the pandemic, with major supply chain repercussions:

• 74% faced a shortage of critical parts or materials
• 74% saw delayed shipments and longer lead times
• 69% faced difficulties in supply planning due to a lack of information from their suppliers
• 69% had trouble quickly scaling production up and down

After these significant disruptions, 55% of organizations report taking three to six months to recover, with 13% expecting recovery to take six to 12 months. These are strong signals to companies of any size and industry to reexamine relationships with suppliers and ways to build resilience within supply chains.

Ways to Increase Supply Chain Resilience

Although companies must be mindful of budgets, certain changes in operations can help to increase supply chain resilience without adding significant costs, depending on the industry. Here are just a few:

• Reevaluate sourcing and shift from “just-in-time” sourcing
• Build redundancy
• Shift to direct-to-consumer marketing to meet customer demand
• Create new revenue sources
• Increase visibility across the entire supply chain
• Shift to ecommerce
• Diversify your supply chain
• Create plans that take into account a range of possible disruptions, including:
  • Pandemics
  • Environmental change or natural disasters
  • Civil unrest
  • Regulatory changes
  • Fraud
  • Theft
  • Cyberattacks
• Evaluate and closely manage your vendors and suppliers (more on that below)

Best Practices to Help Regularly Assess Your Suppliers

1. Shortlist your top critical vendors.

Which vendors and suppliers does your company rely on most heavily? Those are the ones from who you should request business continuity documents in order to ensure that they, too, will maintain continuity in the face of disruption.

2. Engage with them and provide a self-assessment questionnaire or other methods to assess their susceptibility to multiple event scenarios.

These vendors should consider the same risks outlined in your organization’s internal BCP(s). Ask vendors which types of disasters they’ve dealt with in the past and whether they recovered successfully. Just like your own company, these suppliers must have plans for many different types of unforeseen events.

3. Score your suppliers based on four essential elements.

Score suppliers based on planning (BCDR), physical recovery, approach to testing and exercising, and compliance with ISO 22302 standards.

4. Conduct scenario planning exercises and testing to ensure plans work as intended and recovery timelines are met.

Suppliers must be able to deploy their plans quickly in case of a disruption or disaster. Exercising and testing plans will help ensure that suppliers know their plans and are ready to execute them to maintain continuity. At Agility, we recommend making sure that your suppliers test their disaster recovery plans at least once a year. You can also invite suppliers to participate in your tests.

5. Regularly perform vendor due diligence.

Don’t just check that vendors have everything in place when you first begin working together. Check in at least once a year to make sure that they are continuing to exercise, test, and adapt their plans based on changing threats and needs.

Read more about avoiding business disruption with supply chain resilience and maintaining operations.

Is your organization prepared for an unexpected interruption in its supply chain? To some extent, your business is involved in vendor relations and may have some questions to ask its suppliers. For most manufacturers, supply chains are their lifeblood, helping them create excellent products and deliver them to customers. Doing so keeps clients satisfied and prompts more purchases. Your supply chain might function efficiently right now. Yet, supply chains are complex and include third party suppliers, clients, partners, and vendors. That poses a lot of opportunity for a part of your system to go wrong . But what if something happens, and you don't have a disaster recovery strategy? What does disaster recovery for your suppliers and vendors include? Where do you begin evaluating your vendor’s business continuity strategy ? Keep reading to learn what questions you need to be asking your suppliers to keep your products safe and your chain running smoothly!

1. Who Holds Responsibility for Planning Disaster Recovery?

Most businesses hope they never have to use a disaster recovery plan. It doesn't mean that they shouldn't make sure their suppliers have one, though. Why do suppliers need a point person for developing a disaster recovery plan? If something happens to your supply chain, you'll need clear communication between your team and the suppliers. You won't have time to spend figuring out who is in charge of disaster communications. If you do, you might lose time and money as you're scrambling to come up with a solution. When you talk to your suppliers about their disaster recovery strategy, inquire about who will be handling communications in the case of a disaster. If possible, get this person's name and contact information. Ask if they have a plan on how to contact you if primary lines of communication go down. Knowing this information will be necessary should you suffer from a natural disaster that cuts off common communication tactics. These incidents aren't rare, either. In fact, communication often goes down in winter , when blizzards and other adverse elements cause breakdowns or blackouts.

2. What Disasters Are They Prepared to Handle?

Do you work with new supplier companies who haven't yet experienced a disaster, or do you have one that's prepared to handle it all? Ask your suppliers which types of disasters they've dealt with in the past and if they have recovered successfully. Answers to these business continuity questions will give you a good idea of what you can expect should your company experience a similar event. A company will likely experience an event that interrupts their business. In a 2017 survey, 74% of participating companies experienced a disruption to the continuation of their services. As a result, all companies need to be prepared for natural disasters and other events that wreak havoc on their supply chain. That's why they should ask about disaster recovery for suppliers. You need to know that they have a business continuity and disaster recovery plan for as many different types of unforeseen events as possible. That way, you know you'll be back up on your feet as soon as you can.

3. How Often Should Suppliers Test Their Plan?

A supplier may say they have a plan, have it on file, and only use it when they need it. It's an entirely different case to be ready for a disaster. Ideally, disaster response in a supply chain should act more like a reflex, with suppliers being able to implement their plan quickly and seamlessly. Tests prepare employees to apply the disaster recovery plan when they need to. But how often should businesses test their business continuity strategy ? At Agility, we recommend your suppliers test their disaster recovery plan at least once a year. This ensures that the correct plans are in place and ready to go at a moment's notice. Additionally, your company's disaster resilience improves and frees you to serve your clients, even if they are experiencing hardships. If you have your test on the calendar soon, invite your supplier to participate as well.

4. Can They Tell You the Location of Their Disaster Recovery Site?

Many suppliers require in-person work. On a typical day, this works well and keeps you in business. Yet, if a disaster happens, they may need a backup location. Sometimes, natural disasters cause buildings to collapse or render specific locations unsafe to get to. What happens to your suppliers if they lose their building? Where will they go if they can't access their building safely? You need to know this information because it isn't uncommon for natural disasters to cause tremendous upheavals to businesses. Companies lose around $160 billion annually. Having a backup location mitigates some of this. It gives workers a place to continue their work in a natural disaster, ensuring minimal money loss. If your suppliers don't have a backup facility, inquire about how they plan to continue their operations should their building become compromised.

5. Do They Have a Backup Power Supply?

Most people who have been in business for many years know power outages constitute some of the most common business interruptions . While they may not be as severe as suffering a natural disaster, you still need to know how your supplier plans on communicating with you. Even hour-long outages will slow down your production and cause a hitch in the supply chain. This is especially true if their portion of the supply chain requires electricity for more than just communication. If you want to make sure they will be able to serve you even amid an unforeseen outage, ask if they have a backup generator or other power source. Should they have a generator, inquire into how often it is inspected to ensure proper functioning.

6. Are They Currently Using a Disaster Recovery Provider?

Did you know that many companies provide disaster recovery services? Planning for a disaster often takes a lot of work. That's why you should hire a disaster recovery service. Your supplier returns to business as usual during a disaster. They also often cut the cost of buying and maintaining an entire backup site for facilities, which can become a cumbersome expense.

Ready to Put Disaster Recovery for Suppliers in Place?

Now that you know the six key questions you should ask when it comes to disaster recovery for suppliers, you're ready to start creating a disaster plan that works for you. Failure to know how your suppliers plan on handling disasters could mean massive interruptions in your supply chain. On the other hand, if you ask the questions listed above, you'll have a good idea of how your supply chain will run in an emergency.

Testing business continuity allows you and your workforce to exercise how to approach an emergency and find gaps in the plan to address where it needs improvement. Every company has very targeted and specific ways and types of tests   used to ascertain information in different areas within the department. Our infographic presents some of the most popular and productive ways to test a business continuity plan.

Plan Review

What is a business continuity plan review?

A plan review is much like an audit of the Business Continuity Plan. The BCP team, along with the C-level management or department heads, get together to review the plan and decide if any components are missing or need revision.

What is it best suited for?

Training new members of the BCP team, or in regular onboarding.

Benefits of a plan review

• – Does not require a lot of investment in time or resources
• – Easy to implement
• – A quick way to detect gaps or areas for improvement

Disadvantages of a plan review

• – May not provide an in-depth view into a BC strategy
• – Offers a basic level of preparedness
• – Unlikely to promote organizational buy-in

Tabletop Exercise

What is a tabletop exercise?

A tabletop exercise is a role-playing group exercise that examines the response of your crisis team to a specific scenario.

What is it best suited for?

Updating critical employees on their roles and responsibilities during an emergency.

Benefits of a tabletop test exercise

• – A thorough rehearsal of actions and steps for all team members during an incident
• – Interactive format
• – Promotes cross-departmental and company-wide engagement
• – Allows to quickly detect BCP gaps

Disadvantages of a tabletop test exercise

• – Can be time-consuming
• – Requires thorough documentation as the tabletop unfolds
• – Must be organized and guided by someone with prior experience

Walk-through/Simulation Test

What is a walk-through test?

A walk-through or simulation test is a more hands-on type of testing exercise. While a tabletop test, as the name suggests, typically consists of discussing plan details around a table, a simulation test combines real recovery actions.

What is it best suited for?

A company-wide BCP testing event to locate potential gaps as quickly as possible.

Benefits of a walk-through test

• – Provides a hands-on, real-life emergency environment
• – Can engage everyone in the company
• – Allows everyone involved to practice their plan of actions
• – Quickly identifies BCP gaps
• – Allows to develop detailed documentation for further BCP review and update

Disadvantages of a walk-through test

• – Requires considerable investment to set up and implement
• – It may be cumbersome to coordinate the schedules of all parties involved in the test

Creating a business continuity plan (BCP) isn’t an ultimate protection against business interruption. A solid BC strategy needs more than just a well-laid out theory. So, how will your plan hold up in a real-world disaster? Can your backup systems withstand a cyberattack? How efficient is your RTO for restoring data? Are your employees familiar with emergency procedures? Do you have an emergency communication strategy to let everyone know about an incident immediately? Testing business continuity plan is the most reliable way to find out, and it is a critical component of continuity planning. By skipping regular testing, you won’t know if your organization is prepared for a disaster—until it’s too late.

Testing in Numbers

According to 2019 BC Benchmark Study, 57% of companies stated that semi-annual or quarterly (consistent) testing helps to gain buy-in throughout the organization, making it more likely to be prepared for an interruption. Testing your business continuity program allows you to validate your BC plan and manage risks. In fact, 88% of our online poll respondents test BCP’s at their companies to identify gaps, and 63% of them do that to validate their plans. However, testing isn’t about pass or fail. It’s about continuous improvement.

How Often Should a Company Test?

Our online survey revealed that 40% of respondents had a BC test in the past year, 35% —in the past 6 months, while 20% of people admitted it’s been well over a year. If you already have a BCP, then it must be filled with a myriad of procedures for various events. But do you need to test everything? Some scenarios, such as an active shooter, are more critical and need to be tested frequently. Tim Mathews, a business continuity practitioner, D. Sc., MBA, MBCI, suggests an approach of “working from the headlines.” When various emergency events take place across the country, it’s a potentially good exercise to include those scenarios in your test plan.

Reasons to Test a BCP

A well-orchestrated test strategy helps protect the brand, its promise, and its value proposition. If your competitors had a poor test performance or made a critical mistake in a real-life situation with a client, your company can shine by demonstrating its reliability and advance its business forward. So, why test your BCP?

• Identify interdependencies, gaps, and areas for improvement.
• Demonstrate to your clients a higher degree of commitment.
• If you are the supplier to a firm, you rise among competitors, taking on more projects, and winning new business.
• Continually validate and improve plans.
• Satisfy compliance requirements and regulators.
• Reduce recovery time and cost.

Getting Leadership Involved

The BC Benchmark Study showed that 61% of companies are challenged with a lack of organizational engagement. However, direct involvement of senior executives is what makes your BCP mature. When determining your business’s RTO, take this question to your leadership for input. Every member of a c-level team deals with their own array of challenges. So, to make a case, consider how to package the importance of business continuity based on every leader’s role. Include your management in different forms of test you plan to run. Whether it’s inviting them to a Mobile Recovery Center you set up on your company’s parking lot or sending them a test emergency notification message as part of the training. And always follow up with recognition. It will help them to feel part of the process and will be rewarding.

After a Test

Finally, it’s necessary to document the results of any testing conducted, along with any actionable findings from those tests. Doing so will help your workforce to learn what can and should be improved, and to visualize how much progress has been made. Following up on these items and consolidating recommendations from tests is the most crucial process in the BCP testing lifecycle. Testing, registering the results of your testing, and executing methods to improve your BCP is the most reliable way to strengthen your organization’s response processes.

Applying your findings:

• Review test findings with all participants.
• Conduct a BIA.
• Assign responsibilities for open action items.
• Update and distribute the written plan.
• Capture items for consideration on the next test.

In Conclusion

Organizations face continuous threats that can put lives in danger and disrupt operations. However, implementing an incident management program that fits your organization is challenging. To help mitigate these threats, Agility offers an integrated business continuity solution.

There are 8.2 million reasons to do business continuity testing in your organization. That’s because, as of July 2019, the average cost for a data breach or business disruption in the U.S. was $8.2 million per company . Companies have learned that it’s better to perform business continuity testing than being held hostage to disruption of services. Consistent business continuity testing that’s held on a semi-annual or quarterly basis can help gain buy-in throughout the organization and save you millions of dollars in the long-run. Once your organization decides to proceed with the essential business continuity plan test (BCP), there is an exemplary 5-tier approach to BCP testing that’s worth implementing. Read on to learn how BCP builds resilience in your company and helps establish your organization as a business continuity expert.

What is BCP Testing?

Before you determine the benefits and how often you need to perform BCP testing, let’s understand its core definition, and how it can impact your company. Business Continuity Planning   involves developing a document that gives your company an outline of how the business will continue operating if there’s an unplanned disruption in service. The document is a plan that’s much more comprehensive   than a disaster recovery plan because it contains contingencies that address every aspect of business that may be affected during a disruption. The BCP can even provide a contingency plan for business partners or any other company division that needs to be functioning in case of a disruption of service.

Reasons for Performing BCP Testing

Your business has to be able to respond quickly to interruptions of service so it can minimize the negative impact   the downtime is costing you. When you perform BCP testing, you also create an integral business document that helps your company fix, recover, and continue its day-to-day operations during disruptions. There are specific reasons for doing BCP testing , and all of them help contribute to minimizing the immense damage an interruption of service causes your company. BCP testing helps you identify your company’s interdependencies, as well as gaps and areas for improvements. BCP testing also provides clients with a sense of confidence that you’re a company that demonstrates a commitment to delivering your services even with things seen and unseen happen to your company unexpectedly. BCP testing also allows for your company to have a continual process that helps you validate and improve your day-to-day operational plans, so they meet safety compliance requirements and reduce recovery time and cost.

Barriers to BCP Testing

It’s not always clear why any company wouldn’t perform BCP testing because they gain so much business continuity by having it in place. Some companies have managers in place who are afraid they may fail a BCP test, and other companies, clients, or employees will find out. In this case, one has to remember BCP isn’t about failing or passing. It’s about improving your business continuity plan and process in case of a disruption of service. There are some problems with organizational buy-in that sometimes prevent BCP testing from happening because  executive support or leadership doesn’t  see the value  in performing the test. Such logic needs to change because every company can and will benefit from BCP testing. If the leadership team involves itself with the testing procedures, the BCP test has the best validator of value possible.

What are Some BCP Tests in the Marketplace Today?

Every BCP test in a company has very targeted and specific ways and types of tests   used to ascertain information in different areas within the company. The list below gives you some but not all the information about BCP test types and reasons.

1. Plan Review: Includes a BCP team with c-level management or department heads to see if their current BCP plan needs revisions. The plan review goes over recovery contract validity, business continuity management, and any disaster recovery scenarios that can be shared with other company teams.
2. Tabletop Test: Includes role-playing discussion exercises that are scenario-based, and you usually have employees participate so they can practice their roles and responsibilities in case of any disruptive emergency from an active shooter to a hurricane or tornado.

There’s also the BCP walk-through, which mimics the tabletop test discussions with planned details but takes those details and turns it into a simulation test that combines real recovery actions. The real scenario ranges from data loss backups and restoring to emergency notifications and physical recoveries.

The Five Tiers of BCP Testing

There is one best way to approach testing strategy, and that’s to apply the five tiers of BCP testing to get it done. BC expert Marc Easley devised the five tiers of how he approaches business continuity testing.

1. 1. A tabletop exercise is done with a third party solution working a full day at a test site. The tabletop exercises go over everything from prioritizing disrupting events to analyzing their cause and impact on the business. This includes things like reduced production capacity, severed communication or transportation lines, part shortages, etc.
2. 2. Experienced user participants are an integral part of tier two in the recovery operation because they’re the ones critical to planning actions that treat disruption problems.
3. 3. You’ll need to have a multi-site and multi-day strategy that includes sending some employees to work from home and some—to a mobile recovery unit.
4. 4. There needs to be a dry run event where you shut down the office, send key personnel to the mobile recovery unit, and complete a dry run of the planned activities and solutions.
5. 5. Finally, you need to choose a full-capacity day where there are as many employees as possible working and perform a mock test with no warning given to the employees.

This unannounced mock-up test will send some employees to work from a different location. The challenge in the different location scenarios is not everyone will have their laptops with them yet will still have the same roles and responsibilities. The element of surprise will also allow for testing how secure and fast their connections are at their homes.

The Final Step

The final step in performing and fine-turning your business continuity testing can provide clarity in company and employee responsibilities and locates resources for recovery should the worst happen in a disruption of services. There is only one way a business can do that well, and that’s by learning about BCP testing from the experts.

Creating a business continuity plan has never been more important. Whether it’s a tornado in Oklahoma, a hurricane in Florida, or an earthquake in California , all natural disasters share similar characteristics. First off, they are usually difficult to predict. Secondly, they can severely impact an organization’s operations. Yet despite an increase in natural disasters over the past few years, many companies, including those who are already leveraging the benefits of cloud infrastructure, are reticent to invest the time, resources, and budget into a business continuity plan (BCP) to protect their most valuable asset—people. If you’re still on the fence about investing in the development of a business continuity plan, consider the following facts:

• 52% of businesses experienced a business interruption in the past 5 years (Agility Recovery research, 2020).
• An average cost of a data breach is $3.86 million* (Cost of a Data Breach Report, IBM & Ponemon Institute, 2018). 
• 40% of small businesses never reopen their doors following a disaster (FEMA).

Sure, you can view business continuity services as an “insurance policy” that your company may never use. Or, you can put a business continuity plan in place to ensure your organization will be up and running with minimal disruption to your customers, staff, and partners.

Creating a Business Continuity Plan

Keep in mind that a business continuity plan doesn’t need to be complicated or dozens of pages long. A BCP is simply a documented set of processes that helps a company minimize disruption to business operations in the event of an outage.

What are the key steps to creating a business continuity plan?

1. Outline roles and responsibilities

A good business continuity plan should detail what your staff needs to do in the event of a disaster, what communication methods are required, and the timeframe in which critical IT services need to be available.

• Create a contact list of key people involved in your company’s BCP, including names, titles, and communication info (both work and personal) such as phone numbers, email addresses and social media handles, if applicable.
• Provide a detailed overview of their roles and responsibilities so that everyone knows what is expected of them in the event of an outage.
• Have a written process in place for how your BCP will be updated and how these updates will be communicated to the team.

2. Analyze potential threats and outcomes

Take the time to determine “worst-case scenarios” for your particular business, industry, and geographic location. For example, a company located in Florida will be more concerned about hurricanes than earthquakes. An e-commerce company could analyze the risks and business impact of a data breach, while a manufacturing firm could map out scenarios based on production downtime. Next, rank each possible disaster and its potential long-term consequences. Map out how your team would respond to each one. This will provide a framework of issues that need to be covered in your BCP.

3. Factor in data loss

A key component of your business continuity plan should address data loss and recovery. Create a list of scenarios that could impact your data assets, including deleted or corrupt files, server hardware failure, viruses or data breaches caused by an employee’s personal laptop, and so forth. By classifying your business operations according to these two metrics, you can select the appropriate protection and recovery requirements. Consider cloud-based solutions for recovery of your critical data as these solutions allow for quicker connection and recovery of data or applications and provide access from anywhere. Lastly, it’s important to remember the only way to ensure that the plan is effective is to exercise the program. This can be done via a tabletop exercise or a full test of the recovery process. The key is exercising the program to ensure you will be able to recover your business in the event of a disaster as smoothly as possible, and staff understand their roles.

One of the most important things your business can do is test its business continuity plan. You might assume that because you have a written plan, your company is prepared for a disaster or business interruption, but how do you know your plan works until you test it? Below are four reasons that testing is essential.

1. Testing Your BCP Finds Interdependencies

Performing business continuity tests helps you identify interdependencies and gaps within your system databases and technology. For example, let’s say you were completing a test for a customer. During the test, they were able to recover their main application and network environment. However, they discovered there was a particular database the application made a call to for a subroutine. That specific database was housed in a separate environment and wasn’t being backed up. As a result, the entire system application that relied on that database wouldn’t have been able to operate during a real-world recovery scenario. It would have prevented an entire business unit from functioning. But because they chose to test, they were able to identify that interdependency ahead of time.

2. Testing Validates Compliance Requirements

Many businesses are required to have specific security protocols in place for compliance purposes. They also need to meet specific recovery time objectives (RTOs) driven by business objectives, regulatory requirements, or both. Unfortunately, sometimes when businesses are in the middle of an event, they tend to try to recover as quickly as they can, which can open up security issues. With testing, you can assess your ability to recover within your RTOs while validating that the required security controls are in place.

3. Testing Reveals Expectations vs. Reality

Differences between your current production environment and the recovered environment could cripple your employees’ productivity. People are used to using an application or software in a certain way daily. If an application isn’t configured to allow users to perform the desired functions, it will become ineffective to your employees. Testing will reveal any configuration changes you need to make.

4. Testing Business Continuity Produces Vital Documents

It’s critical for people going through an exercise to document work issues in a recovery scenario . Doing so will ensure the legacy of your work. If other people are involved in a recovery situation in the future, they have a written plan that can expedite recovery, rather than working out logistics that were resolved during a previous test. If you work with a business continuity services provider, that third party can leverage documentation on the customer’s environment to speed up the recovery. After a disaster strikes, people are typically dealing with the effects of the event and making sure their families are taken care of. That’s why key personnel are not always available to initiate the business’s recovery. In our experience, having detailed documentation can cut about six to 12 hours off the recovery process. By proactively identifying weaknesses in your business continuity plan, you can save yourself a lot of headaches down the road.

Active Shooter Statistics

To be able to properly respond to an active shooter situation, one must complete training and practice. Since FBI began releasing their report in 2000, the first seven years demonstrated an average of 6.4 active-shooter incidents, and that figure grew more than twofold to 16.4 the following seven years. The number lingered around 20 incidents every year since then, surging in the last two. Even though the previous year had a lower activity, last year’s results remained consistent with a troubling trend. According to the FBI, there have been 27 active shooter incidents in 2018 . 27 incidents in 16 states. 213 casualties – excluding the shooters. 85 killed: 2 law enforcement officers, 1 unarmed security officer 128 wounded, including 6 law enforcement officers.

Types of locations (2018):

• Sixteen of the 27 incidents took place in areas of commerce and business environment, resulting in 41 killed and 61 wounded.
• Five of the 27 incidents happened in education environments, resulting in 29 killed and 52 wounded.
• Two of the 27 incidents occurred in health care facilities.
• One of the 27 incidents occurred on government property.
• One of the 27 incidents occurred in a house of worship.

How to Respond

1. Run – Have an escape route and plan on where to go. – Leave your belongings behind. – Prevent others from entering the area. – Call 911 when it is safe to do so.
2. Hide – Shelter-in-place in an area out of the shooter’s view. – Block entry to your hiding place and secure the door. – Silence communications devices. – Remain quiet.
3. Fight – As a last resort and only if your life is in danger, attempt to incapacitate the shooter. – Act with physical aggression and throw items at the active shooter. – Commit to your actions.

When Law Enforcement Arrives

• Officers will usually be in teams.
• May be in uniform or tactical gear.
• First responders won’t help victims until the threat is neutralized.
• Remain calm and follow directions.
• Keep hands visible and avoid sudden movements.
• Avoid pointing, screaming, and yelling.
• Expect to be detained.

Get Prepared

• Establish a partnership with local law enforcement and first responders.
• Implement an action plan that addresses active shooter scenarios.
• Designate at least one (two recommended) “safe rooms” on each floor and ensure everyone is aware of the locations.
• Conduct awareness training for personnel to ensure everyone recognizes and understands the warning signs of potential violence.
• Test and drill on your plans.
• And remember, if you see something, say something.

Even the best-laid plans can go terribly wrong with the simple introduction of the “human factor.” Implement this in the emergency response planning, where the stakes are high, and even the most thorough plan can begin to fall apart. The best ways to eliminate the human factor is to test your plans during tabletop exercises.