Quick and simple BC exercises

In a previous blog we looked at the different types of exercise you can utilise to validate your business continuity approach.  This week’s top tip focuses on the desk check and facilitated discussion.

At the simplest level, within any good business continuity (BC) exercise programme, lie the following two types of exercise:

  • A sense check or desk check of a key BC document
  • A facilitated discussion, with a group of staff (e.g. representatives from departments or divisions of the organisation).

The sense check is fairly self-explanatory; literally, a walk-through of a BC plan with a department or plan owner, to make sure it will work as intended.  It is key in identifying any changes within the organisation, detecting any gaps and ensuring the documentation is up to date and relevant to the organisation’s present needs. 

Think of a simple scenario, sit down with the plan, walk through what would happen step by step, and make sure the plan reflects this!

The facilitated discussion is used to check that assumptions are still viable, ensure the interaction and roles of participants are understood and identify dependencies across departments. Again, pick a scenario to prompt the individuals involved and walk through what would happen, who would do what and when, and make sure the plans reflect this. As well as the benefits above, this is particularly useful for checking interdependencies. Here are a couple of examples:

  • Several key functions within a hospital cannot function without the porters. During the BIA, it was determined that the porters did not carry out critical activities. However, when walking through a scenario involving staff illness, it was quickly discovered just how reliant the hospital was upon the porters, as they performed often-overlooked but necessary activities such as transporting people, equipment and supplies between various departments.
  • During a facilitated discussion with an emergency service, it was noted that the department responsible for collecting data had defined a recovery time of 6 weeks on the basis it would manually collect information as best it could and, when up and running, populate the systems.  However, it became apparent that another department relied on that data to meet the regulatory requirement of monthly reporting.

These two simple exercise types can play a pivotal role in your exercise programme. They are quick and require minimal planning, yet can provide a valuable sense check of your plans.

 