Business Continuity: Testing, Training, and Exercises

Posted on Thu, Jun 13, 2013

The overall purpose of business continuity planning is to ensure the continuity of essential functions during an event that causes damage or loss to critical infrastructure. A continually changing threat environment, including severe weather, accidents, fires, technological emergencies, and terrorist-related incidents, coupled with a tightly intertwined supply chain, have increased the need for business continuity efforts.

To ensure long-term viability, companies should develop, maintain, conduct, and document a business continuity testing, training, and exercise (TT&E) program. The business continuity plan should document these training components, processes, and requirements to support the continued performance of critical business functions. Training documentation should include dates, type of event(s), and name(s) of participants. Documentation also includes test results, feedback forms, participant questionnaires, and other documents resulting from the event.

Elements of a viable business continuity program include, but are not limited to:

  1. Program plans and procedures
  2. Budgeting and acquisition of required equipment and alternate sites
  3. Essential functions of each department
  4. Identification of authority, orders of succession, and roles and responsibilities.
  5. Interoperable communications methods
  6. Vital records management
  7. Testing, training, and exercise
  8. Recovery requirements

trp corp tabletop exercises

The 2010 Department of Homeland Security Continuity of Operations plan template identifies business continuity concepts that should be tested, training priorities, and exercise recommendations. While these concepts are directed at government entities, companies should utilize these directives to evaluate their own business continuity program. Unless noted, the specific testing, training, or exercises should occur (at a minimum) on an annual basis, or as required by regulations or company policy.

TRAINING

  • Train continuity personnel on roles and responsibilities
  • Conduct continuity awareness briefings or orientations for the entire workforce
  • Train organization’s leadership on continuity of essential critical business functions
  • Train personnel on all reconstitution plans and procedures
  • Provide opportunities for continuity personnel to demonstrate familiarity with continuity plans and procedures and demonstrate organization’s capability to continue essential functions
  • Conduct exercises that incorporate the deliberate and pre-planned movement of continuity personnel to alternate facilities
  • Conduct assessments of organization’s continuity TT&E programs, and continuity plans and programs
  • Report documented training to regulatory agencies, if applicable
  • Conduct successor training for all personnel who assume the authority and responsibility of the organization’s leadership, if that leadership becomes otherwise unavailable during a continuity situation
  • Train on the identification, protection, and availability of electronic and hardcopy documents, references, records, information systems, and data management software and equipment needed to support essential functions during a continuity situation for all staff involved in the vital records program
  • Train on the organization’s recovery process, addressing how the organization will identify and conduct its essential functions during an increased threat situation or in the aftermath of a catastrophic emergency

TESTING and EXERCISE

  • Test and validate equipment monthly to ensure internal and external interoperability
  • Test the viability of communications systems monthly and mitigate if necessary
  • Test alerts, notifications, and activation procedures quarterly for all continuity personnel
  • Test primary and backup infrastructure systems and services at primary and secondary recovery sites
  • Test capabilities to perform mission essential functions
  • Test plans for recovering vital records, critical information systems, services, and data
  • Test capabilities for protecting classified and unclassified vital records and for providing access to them from the primary and secondary recovery sites
  • Test physical security capabilities at primary and secondary recovery sites
  • Test internal and external interdependencies of critical functions
  • Conduct exercises on continuity plans that involve using or relocating to primary and secondary recovery sites
  • Demonstrate coordinated communications capability
  • Demonstrate the sufficiency of backup data and records required for supporting essential functions
  • Allow opportunity for continuity personnel to demonstrate their familiarity with the recovery and restoration procedures to transition from a continuity environment to normal activities

Tags: Testing, Business Continuity key points, Business Continuity, Training and Exercises, Business Continuity Plan, Business Disruption