By Moises Lopez Soto
Let's talk about testing in a Business Continuity Management System, based on the premise that this is an absolutely crucial element, and not necessary else MANDATORY to consider that we really have a Business Continuity Management System, not vain, They have dedicated a complete phase of the Deming’s cycle (PDCA). Therefore, let's not deep into the need for them, we assume that point passed, and we focus on How we do them or the "preparation" for them?
.png)
When the time comes to check that previously planned and done, actually, does its job and that the chosen strategy will cover and give the necessary support to the company in the field of Business Continuity, nervousness often comes to those responsible for have conducted each one of the established schedules, in addition the operational part enters a brewing cycle, normally, excessive.
We want to do a test, we consult to the members of the various existing committees about their availability because there is often some component of the Senior Management whose time is money, (so far, we can be considered a normal planning) further are consulted/agreed with responsible of the different systems/applications of IT that, possibly, will be affected by the test, we head to the users and their responsible to inform them that they will participate in a test, etc. etc. Outcome: hopefully, we will have preserved secretly the day and time of the test.
Just doing a Plan - Do - Check - Act of the test itself, the question is: is it really necessary?
.png)
Perhaps the question to be answered when we analyse the performing of a test be to When we want to be fired (being largely exaggerated) during a real contingency or after performing a failed test? Personally, if I would belong to some establishment of senior management and you are assured me Continuity alleging testing, and later, for the reasons that be, it’s must activate the plan and does not work due to the logic NOT preparation of the contingency, heads would roll…
With this, we don’t mean that it is not necessary, especially in the beginning, make some preparation before launching a test, but if that too much preparation invalidate the results we get with the test.
However, if we pass to the other end and we focus on testing without notice we also can find few problems and risks, for example, breaking the maxim: "Let the Business Continuity NO jeopardize the business" and we cause ourselves a contingency of major proportions. Furthermore, it is not good that groups with functions within the business continuity plans are accustomed to receive alerts for plan activation without prior notice as they may fall into the apathy and think "one more test" when treating of a real contingency.
Therefore, the most sensible proposal is the alternation, seen as making of prepared tests and improvised tests (knowledge of it reduced to a minimum number of people) so that knowledge and culture Business Continuity is encouraged in the company while feedback is obtained much more objective.
In any case, one way or another, it is always important to keep in mind when we're going to make a test that we must seek it is the failure, the vulnerability of our plans, the unexpected, obtaining lessons learned to maintain the continuous improvement, except inclement weather, the contingencies do not call the doorbell, knock down the door, and, above all, the test carry the imperative need for further testing inasmuch as the repetition is a proven method of learning and a perfect way to embed automation that will be absolutely necessary when stress atenace reasoning ability. How can we get this?
"A Business Continuity Test should not jeopardize the company, but must take the sure knowledge of your Resilience"
