Our three-part article covers all the essential elements of the BCP.
In our first article, we explored the fundamental aspects to consider when creating a BCP, offering an overview of the preparations needed to anticipate and manage technology disruptions. The second article provided NOVIPRO's practical tips for building a solid BCP, with a detailed checklist for protecting your business against digital risks.
Read the first article on the fundamentals of BCP
Our tips for building a solid BCP
Yet, having a BCP isn't enough; it's crucial to regularly test its robustness to ensure its effectiveness. That's why this third article focuses on the 4 main steps you need to carry out to check your BCP's resilience in the face of technological threats.
With only 43% of companies having a BCP in 2024, it's imperative to ensure that this plan is not only in place, but also rigorously tested to remain effective in an ever-changing technological landscape.
How do you get started? How can you prove the relevance of these tests to your company? What conclusions can be drawn from these exercises?
NOVIPRO explains it all in this third and final article in our BCP blog series. We'll take you through the 4 key steps to making your BCP more robust than ever.
What tests can I carry out at my company?
At NOVIPRO, we recommend 2 types of exercise to fully assess the continuity of your business:
- Operations tests
- Technology tests or drills
Find out what they are and how they can help your company become more cyber-resilient.
Step 1: Operations Tests
Among operational tests, we distinguish two types of exercise:
- Tabletop exercises
- Simulations
Operational testing involves every business unit within a company, including IT, to assess whether the BCP meets all the essential requirements for continued business operations in the event of technology unavailability.
Tabletop exercises
These are formative drills that test your business continuity plan against a specific chosen situation.
They involve all the internal members of the incident management cell that you determined beforehand when creating your BCP.
These exercises include:
- Simulating fictitious crisis scenarios
- Facilitating discussions between stakeholders to determine the necessary measures
- Identifying gaps in crisis management procedures
Simulations
Based on real-life situations experienced by your own or similar companies, these are realistic tests designed to assess team response and coordination in an emergency.
They involve all internal members concerned by the business continuity plan (incident management team and other relevant employees), and even external partners (in certain cases).
Here we will focus more on:
- Executing realistic business-critical scenarios
- Implementing the business continuity plan in a simulation context
- Identifying problems during implementation
How often should these operational tests be conducted?
Ideally, both of these tests should be carried out once a year. However, as an IT firm, we support many customers and understand that it may not always be realistic to follow this recommendation: you have other responsibilities in the company, and these tests can sometimes affect your company's operational efficiency.
Roger Ouellet, Director of Security Practice at NOVIPRO, suggests another approach:
“An alternative could be to vary your tests each year between a tabletop exercise and a simulation. This would allow you to test your BCP while benefiting from sufficient time for planning and, of course, focusing on your core business.”
Step 2: Technological Tests or Drills
These tests assess the company's technological capabilities in practice, verifying that your IT infrastructure continues to function properly in the event of an incident.
Cyberattacks often occur several months after the first system breach. Such threats take your IT teams much longer to resolve. So your technological preparedness and your ability to analyze, contain and recover from an attack on your business are critical factors in the restoration of your information technology (IT).
These tests are crucial in assessing whether your business continuity plan is effective and whether your IT environment is sufficiently resilient in the event of an incident.
Their main difference from operational testing lies in their focus on technology and the efficiency of the IT team.
For example, technology tests can take the form of an exercise such as:
- Conducting failure or incident test scenarios, such as simulated cyber-attacks or deliberate breakdowns, to assess the IT system's response
- Implementing data backup and recovery procedures to ensure proper operation in case of data loss (optional, depending on a company's pre-established business continuity needs)
- Identifying faults and vulnerabilities in the technological environment
These exercises are created to address specific important questions:
If the company were to be hacked, how long would it take to access a second copy of the data? How long would it take IT technicians to detect a flaw in the system? Is my IT system strong enough to handle disruptions?
By design, this type of testing is internal, involving only your IT team and your technologies.
How often should these technological tests be conducted?
These exercises should be carried out once a year to ensure that the business continuity plan and data recovery are always aligned. So, in the event of a cyber-attack or technology failure, you can be reassured by the preparedness of your IT team.
Why do I need to test my BCP regularly?
You may be planning to evaluate your BCP this year but wonder why the exercise needs to be repeated annually. These periodic exercises are designed to ensure that the plan functions properly in the event of a real crisis.
Here's why BCP testing is essential for your company:
- They build confidence among all employees:
  - Understanding the roles and responsibilities of each business unit
  - Assimilation of tools and plans by the relevant parties
  - Better synergy between the various players and departments
In the event of a crisis, your teams may be under heavy pressure; simplify their task by preparing them rigorously for any incident.
- They reinforce the robustness of your BCP:
  - Detection of technological or process problems in the BCP
  - Open dialogue encouraged to improve the BCP
  - Business continuity readiness for IT
These regular exercises ensure that your BCP remains up-to-date and effective in the face of constantly evolving risks and technologies:
“The business continuity plan is a living document, as companies' technological and operational environments and the members of their response unit evolve. So, it's vital to keep it updated,” explains Roger Ouellet.
My staff are reluctant to carry out these tests. What can I do?
Although these tests help you to validate or rework the business continuity plan, you need to bear in mind the time required to carry them out.
For example, for a simulation, the test takes a day. However, before proceeding with the exercise, a great deal of internal preparation is required to ensure that it is as effective as possible; this includes the choice of incident, planning, performance indicators, etc.
You may encounter reluctant employees, as these tests are time-consuming and can potentially disrupt the company's productivity. You will therefore need to raise awareness and make testing more engaging for those concerned.
You could win over your employees by presenting these tests as an annual activity that is fun and educational. For all employees, it would be perceived as annual training, fostering team cohesion and collaboration; for you, it would become a valuable source for improving your action plan and confirming who your key players are.
These drills help assess how well the plan works and are critical to ensuring swift recovery in the event of a cyberattack or technological failure.
I've completed my BCP assessments, now what?
Step 3: Test Analysis
Now that you've conducted your tests in the company, it's time to analyze what hindered the proper functioning of the BCP.
For each aspect of BCP, here are some questions to consider to identify areas for improvement. This section is inspired by our second BCP blog, where we provide a downloadable list of questions to help you improve your BCP.
Key Performance Indicators (KPIs) need to be established to determine the success criteria for your BCP test. These indicators must be measurable and objectively established.
Choice of Incident Management Team members
These individuals play a decisive role in crisis management. Therefore, this information must be updated in the dedicated document whenever a relevant change occurs (retirement, resignation, promotion, etc.).
To edit the list of incident management team members, you can:
- Notify the responsible person to update the list
- Edit it yourself and add your name with the modification date in the appropriate section
Business Units (BU) Needs Assessment
For this assessment, you need to understand how each of your business units would function without access to technology:
- Are any major tasks not covered by the technology?
- Have all business units been considered?
Activity Impact Assessment
Consider how an incident would affect your business in two ways:
- Did you misjudge your business model?
- Do you perhaps lack knowledge of the issues associated with an incident (legal, technological, etc.)?
- Does your company enjoy stable growth?
- Have you identified any new critical systems?
- Are your emergency contacts still the same?
- Have you changed your technological infrastructure?
- Has your company recently relocated?
Risk Assessment
Have you underestimated the risks of an incident for your company?
Incident Response Structure
- Have you established the right priorities for each crisis?
- Have you ensured that your technologies are ready for any type of emergency?
- Are your incident response guides ready and available to those concerned?
- Have you put in place a communications plan for each eventuality?
- Do you have the internal and technological resources to recover your data and respond to incidents?
Continuity Strategies
Has your company undergone any significant changes (new backup system, infrastructure upgrade, IT firm intervention, etc.)?
These continuity strategies must be aligned with the needs of business units, cyber insurers, investors and any other stakeholder previously identified.
Business Continuity Training and Exercise Program
- Do any of your employees require training?
- Have you experienced any staff turnover (departures or promotions)?
- Should you prioritize training for more likely risks in your sector?
- Have you established success indicators that are too high?
Step 4: Updating your BCP
Once you have identified the areas for improvement, adjust your BCP so that it matches your reality as closely as possible. This way, you will be better prepared for any incident as you will have learned from your mistakes and shortcomings.
In Short
- A robust BCP involves:
  - Operational tests to evaluate the logistics of the plan
  - Extensive technology tests, practicing the technological response
  - In-depth analysis of the testing process
  - Regular plan updates to match your company's reality as closely as possible
- Ideally, these tests should all be carried out annually. If your employees' schedules are full, you can:
  - Alternate between the two types of operational exercise on an annual basis
  - Conduct an annual technology review with your IT staff
- Train your teams regularly: they will feel calmer and have good reflexes in the event of a real emergency
- Your BCP is a living document that needs to be updated frequently: it adapts to the many changes in your technological environment
- BCP assessments are essential to identify potential vulnerabilities and ensure business continuity in the event of an incident
Don't neglect BCP testing: it's an investment in your company's viability.
Do you need professional advice?
Contact Roger Ouellet, Director of Security Practice at NOVIPRO
Visit our cybersecurity services page
Looking to explore this topic further?
Read Our Article "Protecting Your Operations Thanks to the Business Continuity Plan"
Read Our Article "These 3 Steps Guarantee You an Excellent BCP"