Why Do Companies Fail to Test Their BCP?

In my view, companies tend to realize how important business continuity planning is when disruptions have already affected their business. There are many reasons why companies don't invest much time and effort in planning and testing, including:

1. Assumptions:

Where time, effort and money have already been spent in the creation of a plan, businesses assume that the plan is and will always be effective.

Exercising will highlight assumptions such as whether all staff listed in the plan are available and able to complete their duty as required, if access is prohibited in required areas and for longer than anticipated, and if all IT systems and applications will be restored within expected timeframes and access to data be as expected.

It is these knock-on effects that have to be addressed in exercising, by coming up with solutions and going on to further exercise these.

For example, carrying out regular checks of the company call tree allows a company to evaluate the response rate of staff members and verify telephone numbers. Communication is of ultimate importance during an incident, and as we know, contact details can change at any time.

The crisis management team should then be able to use the plan effectively during an incident, and the individuals listed in the plan will be better equipped to respond to their assigned duties.

2. Prioritization:

Secondly, where resources are sparse and time and personnel are vital, testing can get pushed down the list of priorities. A lack of commitment, budget or buy-in, along with complacency, can lead to any scheduled testing getting shelved. This will put your business resilience at risk.

Experience shows that untested plans have a greater likelihood of failure, resulting in lost revenue, damage to reputation and impeded customer fulfilment.

As vital as testing is to the success of BCM, you must not put the business at risk through the process of testing. This activity can be time and resource heavy, and it can be a complex process which is costly to an organization of any size. Taking people out of their jobs at critical times, highlighted in your BIA, can be expensive and unnecessary. Good testing should have focus and planning to avoid this.

3. Compliance:

Another way in which a lack of exercise and testing can negatively affect a business is the relationship these activities have with compliance. To fulfil the requirements outlined within the official ISO standard for Business Continuity, ISO 22301, exercising and testing must be conducted at regular intervals by an organisation, which must then evaluate and record the findings of these events to continually improve and update its BCMS.

The standard is built around the 'Plan-do-check-act' management model, and in this case, testing and exercise would fall into the 'check' step within the model, which is defined by ISO as to 'monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement'.

An organisation must therefore conduct these activities regularly if it wishes to certify against, or even align with, these standards, as it certainly will not be successful in doing so otherwise.

Source: Aimee Quinn Article


Aalesh Khale

Business Continuity Manager, BCLE2000, IT DR, EXIN Certified ITIL V3 Foundation, CompTIA A+ Software, Microsoft Certified Systems Engineer (MCSE)

8 months

Companies often fail to test their Business Continuity Plans (BCPs) due to a variety of reasons:

1. Resource Constraints: Testing a BCP can be resource-intensive, requiring significant time, money, and personnel.
2. Disruption Concerns: Executing a full-scale test can disrupt normal business operations, which companies may be hesitant to do.
3. Lack of Awareness or Priority: Some companies may not fully recognize the importance of BCP testing, especially if they haven't experienced a significant disruption.
4. Complexity and Size: Larger organizations with complex operations might find it challenging to coordinate comprehensive BCP tests.
5. Complacency: A company may believe that their existing plans are sufficient and underestimate the need for regular testing and updates.
6. Regulatory and Compliance Focus: Some companies may focus primarily on regulatory compliance rather than practical, operational readiness.

These factors can lead to a false sense of security, leaving companies unprepared when actual disruptions occur.
