An effective business continuity plan is essential in any industry; for housing associations, which are often directly responsible for the welfare of their tenants, this is especially true. This article looks at the preparations needed and the methods of testing business continuity plans because, for a plan to be considered effective, it must have been tested.
From our experience in the housing sector, there are broadly three categories of RSL plans:
- Completed, tested and maintained plans, driven from an up-to-date risk assessment and business impact analysis;
- Completed plans but out-of-date and never tested (a ‘tick the box’ situation), often without a proper risk assessment;
- No plans as there are more important projects to be dealt with.
Whatever stage your organisation has reached in its business continuity planning, a scenario-based exercise certainly gets staff and management thinking about business continuity, even if there isn’t a completed plan to validate.
How to test
This article looks specifically at desktop tests for the business as a whole, but ICT is a key element in any business continuity plan. You should also be physically testing disaster recovery procedures, whether that involves checking tape back-ups or ensuring that a co-location facility works.
Desktop tests are best run in a room with the same facilities that would be realistically available in a crisis control centre for your organisation. These would normally include desks, flipcharts, TV, radio, PCs, internet access and telephones (although possibly only mobiles). An initial test should introduce a scenario and accelerate time over a period from the incident. For a large organisation, the focus should be on either crisis communications and management or business recovery. If the organisation is small, then both elements can be tested together.
A scenario needs to be plausible to get buy-in from staff and management; one of our clients said that a previous exercise had involved the rather unlikely event of their building being overrun with diseased squirrels. The aim is to make sure that the participants are challenged, but also that they leave the session feeling as if they have made progress. Exercises can be built up over time to cover increasingly complex issues, such as a pandemic disease. Some ideas for a scenario might include:
- A head-office fire affecting ICT and document storage;
- Flooding or extreme weather affecting office buildings, housing and transport networks;
- Fuel strikes or shortages;
- Power outages;
- Cordons caused by other organisations in the area.
Whatever scenario is chosen, try to keep the situation realistic. Think about the impacts you are looking to test first, such as denial of access to premises, loss of telecoms or loss of key people, and then tailor the scenario to reach that goal. Bear in mind that an incident could affect, to a greater or lesser degree, one or more of the following: premises; people; technology; data and documents; and suppliers.
Who needs to attend?
If there are plans in place, it is vital that the people from the incident management teams are present. There should be successors appointed in the plans and they should be involved at some point too. However, it is the staff who will recover the business after an incident, not the plan; their attendance is therefore critical. The test is partly an exercise, but partly training for the teams too.
Use of media
Try to use all the resources available to keep the scenario running at a good pace. For example, we use mocked-up video clips of news bulletins and web pages to make things more realistic. If communication skills are being tested, then use a resource from outside the room, such as having a journalist telephone the spokesperson and conduct an interview. The journalist can then come back at the end of the session with a newspaper article on the incident. It is important to realise that preparation before the event will make the session more enjoyable for all those attending.
Gillian Stokes from Housing 21 said, “As a national organisation, we have a head office and several regional offices across the country. We developed comprehensive business continuity plans for each office and throughout the summer ran several testing sessions with Biscon. The tests not only checked our in-house plans, but also helped familiarise staff with what had been produced and made the organisation better prepared for a business interruption incident. Looking ahead, we are considering testing other aspects of the business, such as the closure of one of our courts, and the crisis management team.”
The test should never be about passing or failing individuals. Anything that comes out of the session should strengthen the plans and the resilience of the organisation. A debrief document should be written with agreed actions and suggested amendments to the plan. Use this time to agree another testing session and think about what other elements the teams want to test, as well as trying to bridge the gap between the ICT disaster recovery tests and the business continuity plan tests. It is vital that the business knows what ICT is capable of; if there are gaps between the recovery times ICT can achieve and what the business expects, those expectations can then be managed.
Mick Bayne is a director of Biscon Planning.