skip to navigation
skip to content

Financial Outsourcing Solutions

Person Using Technology

FOS Blog

22 Jan
2016

Business Continuity Testing Plan

Business Continuity Testing Plan

The Business continuity cycle consists of five major components: risk assessment, a business impact analysis, written procedures, test planning and the actual testing program.  The test planning tends to fall by the wayside and in turn leads to a weaker testing program.  A solid testing plan should link the assumptions made in the prior components of continuity planning, with the actual testing performed.

Strategies
In order to gauge the adequacy of assumptions made within the previous components, these assumptions, whether it be recovery time objectives or point objectives, should make their way into the pretest planning.   These assumptions should be the driving factor behind the strategies implemented.  Three generalized tests which are popular amongst many of our clients include tabletop testing, departmental testing and full testing, each of which has its own benefits and shortfalls.  Tabletop tests are good ways to ensure topical awareness amongst key employees however does not adequately address recoverability and continuity functions.  Full scale test, on the other hand, do test the practicality of the plan itself.  These tests can take place either at a variety of backup sites individual banks may have at their disposal and provide an environment as close to a real life scenario as possible.  Unfortunately this type of test has the potential to takes up resources which could impair day to day operations and require additional hardware, adding additional expenses.  Departmental tests are scaled down tests which allow a full scale test to be broken down into segments.  This strategy limits the resources needed for each test allowing limited interruption.  In order to ensure all areas are tested, advanced scheduling is needed.

Scheduling
Once the strategies have been identified, the next task is to create a schedule of the areas to be tested and the types of tests for each area.  One of the questions often posed is how often should a test be performed.  That question in itself has many different answers depending on various factors.  Size of the institution, complexity of their environment, and number of employees are three basic starting points.  As many community Banks are aware, taking employees out of their normal day to day responsibilities can have a hindrance on operations due to the limited staffing.  Advance scheduling can help to shows a proactive approach where the institution identifies all areas which are to be tested and the timeline for testing whether over a one or multiple years.  By planning further in advance, those involved can ensure their daily responsibilities are taken care of in order to reduce the potential crunch.  In addition, advanced planning can help with coordination amongst different areas.

Was it successful?
Once the testing is completed, how does one know if the test was successful?  The successfully launching and processing a sample of transactions adequate for teller?  The restoration of connectivity to the bank’s core application considered successful?  There are many other questions which should be part of the test planning process all of which should be established prior to actually performing the test.  The gauge of success should be driven by various assumptions within the rest of the business continuity program.   These assumptions should be the basis behind the characterization of success.  If the recovery time objective for a specific department or function is set for four hours, that should be what determines pass or fail.  The results of the testing are then used to drive the planning process thus allowing the business continuity cycle to continue.

Conclusion
Business continuity planning is planning for the worst case scenario.  While we hope we never need to utilize the disaster recovery plan, a fully developed test plan assists in assuring the adequacy of the plan.  By scheduling the tests in advance and setting the expectations ahead of time, banks are more adequately able to judge the strength of the plan itself.

For additional information contact the author Jeffrey J. Johns at jjohns@fosaudit.com.

Related posts:

  1. Cyber Alert: Extortion: FFIEC Puts Institutions On Notice
  2. HMDA’s Coming, Ready or Not!
  3. Dust off your Incident Response Plan
  4. Are You Effectively Identifying Marijuana-Related Business Customers?

|