This perspective provides an overview of the Business Continuity Institute’s Professional Practice 6 (PP6) – Validation, which is the professional practice that “confirms that the Business Continuity Management (BCM) program meets the objectives set in the Business Continuity Policy and that the organization’s BCM program is fit for purpose”. Business continuity practitioners should perform validation activities after documenting response and recovery plans for their organizations (for more on planning, read our perspective on PP5 – Implementation).
PP6 addresses three activities specific to the validation of BCM program assumptions. First, PP6 provides guidance regarding the development and execution of an exercise program, which validates the business continuity requirements gathered during the business impact analysis (BIA) and the strategies documented in the organization’s business continuity plans. Second and third, PP6 covers the principles and techniques necessary for performing both program maintenance activities and program reviews to identify improvement opportunities and increase organizational resilience. Let’s take a closer look at each activity.
According to PP6, an exercise program is required to ensure that all aspects of incident response have been tested and to validate the reliability of the BCM program. Further, an exercise program assists the organization with evaluating current business continuity capabilities, as well as identifying areas for improvement, instilling confidence, developing teamwork, raising awareness, and testing the effectiveness of restoration procedures. The framework of an exercise program, including the frequency of testing, any special training required, and the procurement of necessary resources, should be addressed by the organization’s Business Continuity Policy.
PP6 defines five different types of exercises that the organization can leverage as part of a comprehensive exercise program, including:
- Discussion-based Exercises – Considered to be the most cost-effective and least time-consuming, these exercises often involve participants exploring relevant issues and performing plan walk-throughs in an informal and non-threatening environment. These exercises often focus on a specific area for improvement with the aim of finding a possible solution.
- Table-Top Exercises – This exercise type involves a discussion based on a relevant scenario and a specified timeline for that scenario. Participants in these exercises are expected to not only be knowledgeable in their plans, but also able to demonstrate how to use their plans to respond and recover from a disruptive incident.
- Command Post Exercises – Command post exercises typically involve stakeholders throughout the organization working from their normal locations and receiving information as they would during a disruptive incident. Participants respond to the information provided as they would during an actual incident, allowing management to test information flow and communication as well as the effectiveness of procedures.
- Live – Live exercises (also known as simulations) can range from a small-scale exercise of a response component to a large-scale exercise of the whole organization. While this type of exercise often provides the most effective participant training, executing a live test is time and resource intensive and can result in an actual disruption if not carefully controlled.
- Test – A test incorporates a pass/fail element within the goals and objectives established for the exercise. Often, tests are applied to equipment or technology rather than personnel.
When carrying out an exercise, business continuity professionals should ensure that all participants understand their roles and responsibilities, as well as the exercise objectives and expected outcomes. After the exercise, practitioners should debrief with participants to identify improvement opportunities, subsequently working with the organization to update plans and procedures accordingly.
Per PP6, program maintenance “keeps the organization’s BC arrangements up to date, ensuring that the organization remains ready to respond to manage incidents effectively, despite constant change.” Whenever possible, BCM maintenance activities should be incorporated into the organization’s normal change management process.
Maintenance activities include the review and update of program documentation (including, but not limited to, business continuity plans) and the communication of the changes to appropriate personnel throughout the organization. In addition, it’s important to ensure that all changes to documentation are tracked via a formal version control process, and that business continuity professionals (and the business as a whole) provide regular status reports to management regarding maintenance activities and progress.
The aforementioned maintenance activities may be triggered by specific events (e.g. exercises), but should also occur as part of ongoing BCM program activities. The frequency of maintenance activities can be determined by the organization depending on BCM requirements, frequency of strategic/organizational changes, and organizational culture.
Program reviews enable an organization to “evaluate the BCM program and identify improvements to both the organization’s implementation of the BCM lifecycle and its level of organizational resilience.” PP6 introduces five different types of reviews to achieve this objective:
- Audit – An audit validates that the processes to implement the program have been followed correctly, but it will not validate if the processes are actually correct. PP6 recommends performing an audit at least every two years.
- Self-Assessment – A self-assessment allows an organization to review the implementation method of their BCM program and identify actions for improvement. Often, self-assessments are performed between audits with the goal of evaluating progress against audit findings.
- Quality Assurance – Quality Assurance is the process of measuring program outcomes compared to program goals and objectives. This review can be a formal process for organizations to compare processes and capabilities with national or international standards. In these cases, reports must be documented as evidence of the Quality Assurance review.
- Performance Appraisal – This type of review evaluates the performance of employees compared to business continuity role expectations to determine how those personnel have performed compared to their defined roles and responsibilities.
- Supplier Performance – It is also important that an organization evaluate the ability of suppliers to respond and recover from disruptive incidents, particularly suppliers supporting the delivery of time-sensitive products/services. Organizations should perform supplier reviews in a similar manner to how they would review their own BCM program internally.
PP6 encourages the organization to leverage all types of reviews in parallel to validate internal BCM processes and employees, as well as the response and recovery capabilities of suppliers and vendors.
While ISO 22301 sets the backbone for the development of an exercise program, as well as conducting program maintenance and review, PP6 serves to expound on that information by providing methods and techniques for accomplishing these activities. ISO 22301 should be viewed as the “What”, with PP6 viewed as the “How”.
The following table demonstrates how closely PP6 mirrors the requirements described in ISO 22301:
For more information on conducting business continuity exercises and recommendations on best practices and techniques, please read: Treating the Causes of Bad Exercise and The Business Continuity Exercise: Where the Rubber Meets the Road
Helps Validate Planning Assumptions
Maintaining an exercise program allows the organization to socialize and validate the outcomes of previous business continuity activities, including the BIA, risk assessment, strategy identification, and plan documentation. Without a comprehensive exercise program, organizations cannot confirm the ability to recover in accordance with requirements defined in the BIA.
Provides Hands-On Training for Employees
When developing an exercise program, not only will your organization validate the assumptions made during the planning process, but you will also provide valuable hands-on training for employees. Performing regular exercises allows employees to receive training regarding the use of their plans as well as awareness of the strategies contained within. This increased training and awareness will aid department recovery during an actual disruption, decreasing both the impact and duration of an incident.
Defines Continual Improvement Activities
In addition to providing guidance on exercise approaches and outcomes, PP6 identifies different types of reviews and the potential outcomes derived from each, as well as key maintenance activities. These BCM program activities contribute to continual improvement. Failure to perform program reviews may lead to outdated information and requirements, as well as misalignment with organizational strategy, potentially impacting the organization’s ability to respond to and recover from a disruptive incident effectively. Ultimately, failing to perform review and maintenance activities may impact the performance of the BCM program, leading to unacceptable impacts during a disruptive incident.
For more information on the value of performing business continuity exercises, please read: Why Testing and Exercising is Essential for an Effective Business Continuity Program.
PP6 CASE STUDY
Company X decided to implement a BCM program due to stakeholder expectations and regulatory requirements. To begin, Company X engaged management to identify time-sensitive products and services and determine which areas of the organization should be included in the BCM program. Next, Company X performed a BIA to identify business continuity requirements (including resource requirements). Following the BIA, Company X selected appropriate strategies for response and recovery and documented business continuity plans at different levels throughout the organization.
Despite the work performed, Company X struggled to incorporate business continuity into the organization’s culture. Employees throughout the organization viewed the BCM program as “checking a box” to satisfy regulators, and not as a strategic program delivering value to the business as a whole.
This perception changed with the completion of a business continuity exercise. The exercise developed for Company X walked through a disruptive incident as well as the stages of response and recovery, engaging plan owners to validate the steps outlined in their department business continuity plans. By performing this exercise, and using a realistic scenario, managers were able to better understand the value provided by business continuity. In addition to satisfying regulatory requirements, the organization’s leadership team and its employees realized that the BCM program delivers significant value and can greatly reduce the negative implications associated with a disruptive incident, including financial, regulatory, operational, contractual, and reputational impacts. In addition, during the exercise, participants were able to identify action items and improvement opportunities that allowed them to make their plans more effective and begin integrating business continuity into ongoing business processes and the organization’s culture.
Stated simply, by performing an exercise, Company X not only ensured increased employee and management buy-in to the BCM program, but also identified improvement opportunities that allowed the organization to advance the program and ensure the effectiveness of current response and recovery procedures. Looking ahead, Company X will be able to leverage other components of PP6 to identify additional improvement opportunities, assess performance, and further integrate business continuity into organizational culture.
Exercising business continuity plans and performing regular program maintenance and reviews are critical to a successful business continuity program. PP6 provides readers with a high-level understanding of how to implement ISO 22301 requirements, including developing an exercise program that addresses organizational requirements, as well as maintaining and reviewing business continuity program assumptions. Ultimately, following the requirements set out in ISO 22301 and described in PP6 results not only in a more resilient organization, but also in an organization that truly understands its recovery capabilities and strategies.
If you would like to discuss the GPGs, aligning to ISO 22301, or pursuing certification, please reach out to us. We look forward to hearing from you!
- The BCI’s Good Practice Guidelines
- ISO 22301: 2012
- Implementing ISO 22301: The Business Continuity Management Systems Standard
- Introduction: BCI Good Practice Guidelines Series
- The Need to Establish Business Continuity Governance: An Overview of BCI Professional Practice 1
- The Importance of Embedding Business Continuity: An Overview of BCI Professional Practice 2
- Business Continuity Strategy design: An Overview of BCI Professional Practice 4
- Business Continuity Implementation: An Overview of BCI Professional Practice 5