Business Continuity Management System Exercising
Business continuity management system (BCMS) exercising is a core element of the BCI professional practice.
Often, the exercising phase is ignored or postponed due to constraints on resources, time, budget, etc. However, it is vital to conduct BCMS exercises to validate the outcomes of the business impact analysis (BIA), BCM solutions and BCM plans.
Below are selected case studies of different types of BCMS exercises across different industries over several years.
Exercise One – Manufacturing
A large manufacturing organization with one plant planned to test its BCMS this year. Due to high investment and operational costs, the organization did not choose to have an alternative plant as a BCMS solution. Hence, the organization could not stop operations of the plant to conduct a “live” exercise. Therefore, a scenario-based tabletop exercise was conducted.
Scenarios such as unavailability of production plant, utilities, human resources, suppliers, information and operation technology were discussed with the stakeholders and their responses were captured. Moreover, scenarios such as emergency customer orders, pandemics, natural and man-made calamities were discussed and stakeholder responses were captured.
The objective was to validate stakeholder readiness to respond to each scenario, their ability to continue providing critical services and their knowledge of how to interact with other departments, processes and external stakeholders.
Exercise Two – Investment Bank
An investment bank with one branch performs BCMS testing annually.
Based on the BIAs conducted, the maximum tolerable period of disruption (MTPD) was determined as one day and the maximum tolerable data loss (MTDL) was “real-time”. Based on the vision and mission of the bank, the technology-related BCM solution was to maintain a “warm” IT disaster recovery (DR) site. If technology is unavailable, services will be restored from the DR site, based on backup tapes taken from the previous day, where critical IT infrastructure and software will be available. Current data backups (backups are configured to be performed “real-time” into tapes) are also restored at the DR site.
These exercises are conducted during bank holidays, to minimize disruption to business-as-usual activities.
Exercise Three – Retail Bank
A retail bank that has multiple branches across geographies conducts BCMS exercises annually.
The retail bank has “real-time” MTPD and MTDL values, since providing continuous services to customers was vital. Accordingly, the bank has a “hot” DR site and a high availability (HA) data centre (DC). BCMS tests were conducted by switching over to the DR site from the DC site while continuing operations seamlessly. Notifications were sent to customers to inform them that certain branches were unavailable and that they should use alternative branches. Selected staff continued operations from the business continuity site while others continued from head office and the remaining branches. These “live exercises” were performed by the bank annually and test results were documented and presented to regulators.
During the current pandemic, organizations are conducting BCMS exercises on the job. An organization providing electronic settlement services, for example, has grouped its staff into three groups, where one works at the head office, one at the business continuity site and the remaining group works from home. Based on this arrangement, the risk of all critical staff being infected is minimized while operations continue uninterrupted.
With the current pandemic, world dynamics have changed dramatically and demand for resilient BCMS is increasing like never before. Organizations that were reluctant to invest in BCMS are now forced to develop and implement resilient BCMS.
From the exercising experiences of the entities described above and others, I would recommend that organizations:
- Set objectives for exercising
- Select the most appropriate exercising method with minimal disruption to normal operations
- Allocate resources such as finance, people, technology, etc.
- Consider involving external parties such as customers, suppliers, emergency services, etc. during the exercising activities
- Plan to manage risks during an exercise
- Document and evaluate exercise results
- Continuously improve the BCMS based on exercising