Business Continuity – Types of Exercising
Types of Exercising
Our previous blog about how to deliver a business continuity exercise prompted a number
of questions about the types of business continuity exercise and when to use them. So,
this week’s blog does just that!
Without exercising (we prefer this to testing which implies a pass or fail), an organisation
will not truly know if its BC arrangements are effective in managing a range of disruptive
incidents. Exercising is an essential tool in the development, assessment and improvement
of an organisation’s BC response capability.
It’s also important to point out that exercising is a key requirement of the ISO 22301, the International Standard for BC Management.
Clause 8.5 states that an organisation shall exercise and test its BC procedures to ensure they are consistent with its BC objectives.
So, what types of exercises are most commonly used?
Desk check – This method involves ‘walking through’ the contents of a BC plan as a precursor to maintenance. It is also referred
to as a plan walkthrough. This is as simple as it sounds and often involves just one or two individuals who are fully conversant
with key business processes from within the organisation who quite literally walk through the plan to gauge whether it will work
as intended, whilst examining any assumptions and highlighting any gaps.
Extended desktop walkthrough – This is an extended desk check to ensure the interaction and roles of participants, also referred
to as a facilitated discussion. Typically, it involves one or two plan owners walking through their plans, as with the desk check,
identifying any interdependencies and testing assumptions that one team has prioritised an activity that is being relied on by
Simulation exercise (including tabletop) – This incorporates the simulation of an incident which could exercise BCPs, building
evacuation and communication. In many respects, it is a form of role-play where participants are asked to ‘act out’ what they
would actually say and do.
These are commonly conducted with an ‘incident response team’, such as an organisation’s Crisis/Incident Management Team. However,
you can also conduct these using a cross section of staff, whether that is using position, experience or familiarity with BC as the basis. It
may even include representatives from key suppliers.
A simulation exercise needs to be carefully thought out and must be relevant, e.g. if your organisation is heavily reliant on IT to support its
operations, a ransomware scenario may be appropriate. On the other hand, if your premises at a high risk of flooding might run a severe
As a rule of thumb, the more realistic and tangible the simulation, the greater the level of engagement you will obtain from participants and
the value from running the simulation.
Test plan for critical activities – This is where controlled testing is conducted for individual critical activities, ensuring they can be
recovered as planned. Often held at a departmental/divisional/business area level and based on its critical activities. Again, if your
organisation is heavily dependent upon IT, you may utilise a disaster recovery (DR) related test or set of tests.
Invoke testing of individual departmental or business unit plans – This is an exercise for a single department’s or business unit’s BCP.
As above, but can also be related to elements not delivery specific, such as staff welfare or reputation /brand damage. This can be a real
and tangible exercise as opposed to simulated i.e. the closure of an office to test an organisation’s secondary location or working from
Technical testing – This is a test of equipment, recovery, procedures or technology. Aimed at assessing the ability to recover key systems or
establish whether all the relevant equipment, infrastructure, services and security controls will perform as required when needed.
Full BC exercising – This exercises the entire organisation’s plans, including incident management plans. Commonly referred to as a global
exercise, the appetite for such an activity often depends upon the criticality of the products or services provided and the ability to tolerate the
impact. It requires meticulous planning and approval from the highest level of the business, along with one key rule, that the exercise itself
cannot be allowed to cause a real incident!
Whilst the value gained and lessons learnt correlate to the effort and costs, the simple truth is that without ever conducting such a thorough
exercise, you will never truly know if you can cope should the worst happen.
If you are unsure as to what exercises you should be conducting or how to gain the optimum return on
URM holds free seminars for end-user organisations focusing on information security and business continuity. The half-day seminars are intended
to provide practical and ‘real life’ insights into how best to comply and certify with Standards such as ISO 27001 (International Information Security
Management Standard) and ISO 22301 (International Business Continuity Management Standard).