Exercising your department’s BC Plans
Exercise plan for critical activities
In our previous business continuity (BC) blog, we provided an overview of different types of exercises
that will help you identify whether your current BC arrangements are effective in managing a disruptive
That, along with instilling confidence and ‘training’ your teams, is one of the main objectives of running
a BC exercise. Running most, or ideally all, types of exercises on a cyclical basis will provide you and
your organisation with a great deal of confidence that all aspects of your BC arrangements have been
Whether it’s an all-encompassing global scale exercise, a simulation crisis style scenario or a sense check
department walk through of an individual plan, it all builds and contributes to this need for and sense of
However, if you have restricted resources or time, which exercise types should you be focusing on.
This blog, which will be followed by other blogs and top tips, will specifically focus on the merits of the
different types of exercise and the business scenarios where each is best utilised.
So, let’s start with a very common and valuable type of exercise, i.e. the test plan for critical activities.
The previous blog summarised this as an exercise where ‘controlled testing is conducted for individual
critical activities, ensuring they can be recovered as planned.
This exercise type is often conducted at a departmental, divisional or business area level and based on
the critical activities of that area. If your organisation is heavily dependent upon IT, you may utilise a
disaster recovery (DR) related test or set of tests’.
If you’re not immediately clear as to the type of exercise we’re referring to then consider
the following 3 examples:
Following a server room fire, an IT department invokes and enacts its DR (Disaster Recovery) plan,
recovering the organisation’s key IT resources, in sequential order to ensure that critical operations
such as key systems, software or equipment are maintained.
Following a software failure of the main payroll system on the day prior to ‘pay day’, the Finance team
invokes its BC plan to ensure it can still run and process staff pay manually.
Following a loss of access to the main call centre due to a flood, the customer service team invokes its
BC plan to relocate some of the team to the organisation’s secondary back up location and
the remainder to work remotely from home.
The above 3 exercises are prime examples of critical business areas facing searching examinations of how
well each can or should respond and recover following an incident. Note that they are all key departments
but all for different reasons. Your business impact analysis (BIA) process will identify your critical activities
and associated business areas.
IT needs to test its recovery plans as they support key resources that underpin the day to day operations
and deliverables of the organisation to ensure they can be recovered within agreed timescales. Have you
reviewed the sequential recovery/build order? Have you allowed for sufficient staff to be available and
considered how long they can work before others need to replace them – it is not uncommon to discover
that plans require IT staff to work straight 24/48 hour shifts? Have you reviewed all assumptions?
Finance needs to conduct such tests as they deliver a critical activity to the rest of the organisation and
need to ensure it can deliver that activity to the accepted level. Have the required authorisations been
implemented to run payroll manually? Are you just going to run payroll as per the previous month?
But what happens, for example, if that month includes exceptional payments, such as annual bonuses?
Customer Services need to be drilled thoroughly as this function carries out a critical activity and which
needs to continue to operate as close to the norm as possible following a disruption. Do all systems work
as expected in the backup location? Can customer service operatives work effectively from home or remotely?
Furthermore, an incident or disruption could affect all or just one of these departments. Whilst there may be
requests for delivering an all-inclusive global exercise that tests the above three departments along with all other
key departments, can you afford the cost or risk of conducting a global exercise?
Would it not be preferable to ensure you have confidence in the component parts before exercising the whole?
Running a departmental, functional, key activity-based exercise once a month across your organisation is far less
intrusive or resource intensive. Exercising at the more granular level brings other benefits too.
It allows for real and tangible scenarios to be targeted at a departmental or critical activity level and is also great
in building the confidence of individual teams and departments in their plans, encouraging ownership
and providing valuable training.
URM holds free seminars for end-user organisations focusing on information security and business continuity. The
half-day seminars are intended to provide practical and ‘real life’ insights into how best to comply and certify with
Standards such as ISO 27001 (International Information Security Management Standard) and