Tips from URM – Quick and simple BC exercises

In a previous blog we looked at the different types of exercise you can utilise to validate your
business continuity approach.  This week’s top tip focuses on the desk check and facilitated
discussion.

 

At the simplest level, within any good business continuity (BC) exercise programme, lie the
following two types of exercise:

 

  • A sense check or desk check of a key BC document

 

  • A facilitated discussion, with a group of staff (e.g. representatives from departments or divisions of the organisation).

 

The sense check is fairly self-explanatory; literally, a walk-through of a BC plan with a department or plan owner, to make sure it will
work as intended.  It is key in identifying any changes within the organisation, detecting any gaps and ensuring the documentation is
up to date and relevant to the organisation’s present needs. 

 

Think of a simple scenario, sit down with the plan, and literally walk through what would happen (metaphorically), and make sure the plan reflects this!

 

The facilitated discussion is used to check that assumptions are still viable, ensure the interaction and roles of participants are understood
and identify dependencies across departments.  Again, pick a scenario to prompt the individuals involved and walk through what would
happen, who would do what and when, and make sure the plans reflect this.  As well as the benefits above, this type of exercise is particularly useful for
checking interdependencies.  Here are a couple of examples:

 

  • Several key functions within a hospital cannot operate without the porters. During the business impact analysis (BIA), it was determined that the porters did not
    carry out critical activities.  However, when walking through a scenario involving staff illness, it was quickly discovered just how reliant
    the hospital was upon the porters, as they performed often overlooked but necessary activities such as transporting people, equipment
    and supplies between various departments.

 

  • During a facilitated discussion with an emergency service, it was noted that the department responsible for collecting data had defined a
    recovery time of 6 weeks on the basis it would manually collect information as best it could and, when up and running, populate the
    systems.  However, it became apparent that another department relied on that data to meet the regulatory requirement of monthly reporting.

 

These two simple exercise types can play a pivotal role in your exercise programme.  They are quick, require minimal planning, yet can provide a
valuable sense check of your plans.
 