Every businessperson knows they need to back up their IT infrastructure; however, simply engaging in business continuity planning is not enough.
A business continuity plan (BCP) describes the process your business follows to continue functioning despite a major IT outage, and the best BCPs are the ones under which nothing visibly happens at all following an outage.
Unfortunately, IT disruptions happen all the time. According to Uptime Institute, more than 1 in every 3 organizations (34%) have experienced a service outage in the last 12 months. The amount of damage caused depends on how frequently and comprehensively you test your business continuity plan.
Why Test Your Business Continuity Plan?
Firstly, for business continuity planning to be effective, leadership must test the BCP at least once a year or more frequently depending on the size, structure, and complexity of their operation.
In fact, testing your business continuity strategy is required when dealing with certain types of protected information. Some industry regulations, like FINRA (Financial Industry Regulatory Authority) and HIPAA (Health Insurance Portability and Accountability Act), mandate that businesses evaluate and test their plans regularly to ensure that they will indeed work when a problem arises. For example, in the case of HIPAA, covered entities must:
“…periodically review and update its documentation in response to environmental or organizational changes that affect the security policies and procedures and written records of required actions, activities or assessments.”
By law, the HIPAA Privacy Rule applies only to covered entities such as health plans, healthcare clearinghouses, and certain healthcare providers. However, most of these operations do not function entirely on their own, so the rule requires “business associates” of covered entities to safeguard PHI as well. Having a working business continuity plan in place helps safeguard your business against possible compliance violations.
Furthermore, how do you know a plan works if you do not test it? Infrequent testing puts a business at substantial risk. An untested BCP is likely to have blind spots due to the natural changes that occur in an organization over time. Employees come and go; services are added or subtracted; offices are upgraded or consolidated. Test your plan to better understand how it will hold up in a technical outage.
Three Testing Strategies
Here are three exercises to test a BCP:
Tabletop exercises test the theoretical viability of a business continuity plan. The process involves role playing with a single department or the key stakeholders involved. A facilitator lays out the terms of the scenario, and team members vocalize their responses to it in a brainstorming-like environment. Pick well-defined disruptions that are likely to occur to your business.
Walk-throughs take the process a step further. Rather than talking about each step in the process, the participants move to the various places where they would be during downtime and simulate their actions. They make phone calls, drive to backup facilities, and boot new computer systems.
Disaster simulations are the most comprehensive approach. Here, the company simulates a problem, or a series of problems, and employees are not told in advance what the problem will be. The team must use their critical thinking skills and knowledge of the BCP to get back up and running.
Lastly, the best option is to use all three methods to test and update your business continuity strategy routinely. Regular testing drives predictability, reduces risk, and ensures the plan’s alignment with the business. Your team members will feel more secure knowing the company-wide strategy for a technical outage and their own role in it.