Testing Scenarios and Treatment Objectives
Business continuity planning (BCP) provides a plan for the recovery of business after an emergency. To improve the effectiveness of BCP, it is important to test these plans to see how helpful they are in an actual emergency and to detect their weaknesses.
An asset-based scenario
A mid-latitude storm may lead to flooding of the area (Engemann & Henderson, 2012, pp. 275-276). It can damage the assets of businesses located on the lower stories of buildings, lead to prolonged power and communications failures even after the flood, and block access to the firm’s facilities. A BCP assessment scenario might include testing the enterprise’s ability to function using only mobile communications, without the facilities located on the lower stories of buildings, and running on its own power generators. Treatment objectives may include enabling access to mobile communications and purchasing a power generator.
A vulnerability-based scenario
A power failure in an IT company can lead to the loss of valuable information and to the inability of staff to do their work. A testing scenario might consist of abruptly cutting off the power in the office. Treatment objectives: it may be reasonable to have the programmers work on laptops (with batteries) rather than on stationary PCs, so that information is not lost when the power is cut off. Purchasing a generator and enabling access to wireless Internet might be useful if a prolonged power failure is a risk.
A process-based scenario
Some businesses take orders from customers via specific websites. If the server that hosts the website fails, or the website suffers a cyber attack, customers may be unable to place orders, which disrupts an operational process. A BCP test may include temporarily “turning off” the website and assessing the firm’s ability to process orders via other means (e.g., phone, e-mail). A possible treatment objective is creating an alternative website (on a different server) through which orders can also be placed.
Objective-based strategic perspectives
The sales growth of an international business may be completely disrupted by political circumstances such as a boycott. A testing scenario may include assessing the ability of the company to function for a certain period without using the revenue obtained from sales in the region in question. Treatment objectives may include creating a reserve that could be used to support both the local departments of the business and the whole structure of the company.
The Importance of BCP Testing
It is essential to test existing BCPs (Doughty, 2001, p. 245). Testing them permits the organization to analyze the effectiveness of the BCP, as well as to train personnel on how to act in an emergency.
Testing a BCP allows for practical assessment of a company’s ability to cope with an emergency. Before a BCP is tested, it remains only a theoretical statement about a hypothetical situation; numerous human factors might not be taken into account, and possible complications might be overlooked. A test provides an opportunity to detect at least some of these factors and complications. Uncovering them, as well as evaluating the results of the BCP’s implementation, provides evidence-based data that let the company decide whether the tested BCP is sufficient to handle the fallout of an emergency, and improve the BCP.
Managing BCP Test Results: Defect Analysis as a Model
Defect analysis in quality management involves uncovering the defects via practical testing and correcting them. Testing also involves assessing the frequency and probability of defects. It is noteworthy that the procedure of defect analysis is aimed at addressing both the currently existing defects and averting the faults that are possible in the future (Horch, 2003, p. 97).
BCP test results can be managed in a way similar to defect analysis. The tests supply an opportunity to uncover the weaknesses of the existing plans and to correct them. The test results also provide additional empirical data that can be used to assess the probability of faults and shortcomings in the BCP that may become crucial in an emergency. These faults and shortcomings can then be addressed to make the plan better suited to the needs that arise in an emergency and to allow for the BCP’s successful implementation in an adverse situation, which would reduce the losses the business suffers from that situation.
FMEA as a Model for Designing BCP Tests
A failure mode and effect analysis, or FMEA, is a scheme that is designed to detect potential faults and problems in a product or service before it reaches the client. FMEA can be performed by using historical data from other companies, or by employing inferential statistics, mathematical modeling, etc. (Stamatis, 2003). Ideally, as many items and components as reasonable should be reviewed to detect the possible threats or defects.
BCP testing can be designed similarly. While performing the test, it is advisable to use data from companies that operate in the same branch of industry to better assess the potential of the BCP. For instance, finding and employing the testing scenarios that uncovered the most faults in the BCPs of other businesses might be an option. It is also important to use statistics and other mathematical tools to evaluate the potential problems that may arise during an emergency and to simulate them during the testing process.
References
Doughty, K. (Ed.). (2001). Business continuity planning: Protecting your organization’s life. Boca Raton, FL: CRC Press.
Engemann, K. J., & Henderson, D. M. (2012). Business continuity and risk management: Essentials of organizational resilience. Brookfield, CT: Rothstein Publishing.
Horch, J. W. (2003). Practical guide to software quality management (2nd ed.). Norwood, MA: Artech House.
Stamatis, D. H. (2003). Failure mode and effect analysis: FMEA from theory to execution (2nd ed.) [Google Books version].