Business Continuity – Types of Exercising
Our previous blog about how to deliver a business continuity exercise prompted a number of questions
about the types of business continuity exercise and when to use them. So, this week’s blog does just that!
Without exercising (we prefer this to testing which implies a pass or fail), an organisation will not truly
know if its BC arrangements are effective in managing a range of disruptive incidents. Exercising is an
essential tool in the development, assessment and improvement of an organisation’s BC response capability.
It’s also important to point out that exercising is a key requirement of ISO 22301, the International Standard
for BC Management. Clause 8.5 states that an organisation shall exercise and test its BC procedures to ensure they
are consistent with its BC objectives.
So, what types of exercises are most commonly used?
Desk check – This method involves ‘walking through’ the contents of a BC plan as a precursor to maintenance.
It is also referred to as a plan walkthrough. This is as simple as it sounds and often involves just one or two
individuals who are fully conversant with key business processes from within the organisation who quite literally
walk through the plan to gauge whether it will work as intended, whilst examining any assumptions and highlighting
Extended desktop walkthrough – This is an extended desk check, also referred to as a facilitated discussion, which examines
the interaction and roles of participants. Typically, it involves one or two plan owners walking through their plans, as with
the desk check, identifying any interdependencies and testing assumptions, e.g. that one team has prioritised an activity that
another team is relying on!
Simulation exercise (including tabletop) – This incorporates the simulation of an incident which could exercise BCPs,
building evacuation and communication. In many respects, it is a form of role play where participants are asked to
‘act out’ what they would actually say and do.
These are commonly conducted with an ‘incident response team’, such as an organisation’s Crisis/Incident Management Team.
However, you can also conduct these using a cross section of staff, whether that is using position, experience or familiarity with
BC as the basis. It may even include representatives from key suppliers.
A simulation exercise needs to be carefully thought out and must be relevant, e.g. if your organisation is heavily reliant on IT to
support its operations, a ransomware scenario may be appropriate. On the other hand, if your premises are at high risk of flooding,
you might run a severe weather scenario.
As a rule of thumb, the more realistic and tangible the simulation, the greater the level of engagement you will obtain from participants
and the value from running the simulation.
Test plan for critical activities – This is where controlled testing is conducted for individual critical activities, ensuring they can
be recovered as planned. It is often held at a departmental/divisional/business area level and based on that area’s critical activities.
Again, if your organisation is heavily dependent upon IT, you may utilise a disaster recovery (DR) related test or set of tests.
Invoke testing of individual departmental or business unit plans – This is an exercise for a single department’s or business unit’s
BCP. As above, but it can also relate to elements that are not delivery specific, such as staff welfare or reputation/brand damage. This
can be a real and tangible exercise as opposed to a simulated one, e.g. the closure of an office to test an organisation’s secondary location
or working from home strategies.
Technical testing – This is a test of equipment, recovery, procedures or technology.
It is aimed at assessing the ability to recover key systems, or at establishing whether all the relevant equipment, infrastructure, services
and security controls will perform as required when needed.
Full BC exercising – This exercises the entire organisation’s plans, including incident management plans.
It is commonly referred to as a global exercise, and the appetite for such an activity often depends upon the criticality of the products
or services provided and the ability to tolerate the impact. It requires meticulous planning and approval from the highest level
of the business, along with one key rule: the exercise itself cannot be allowed to cause a real incident!
Whilst the value gained and lessons learnt correlate to the effort and costs, the simple truth is that without ever conducting such a
thorough exercise, you will never truly know if you can cope should the worst happen.
If you are unsure as to what exercises you should be conducting or how to gain the optimum return on
URM holds free seminars for end-user organisations focusing on information security and business continuity. The half-day seminars are
intended to provide practical and ‘real life’ insights into how best to comply with and certify against Standards such as ISO 27001 (International Information
Security Management Standard) and ISO 22301 (International Business Continuity Management Standard).