Business continuity testing starts with the risks

All business continuity analysis must be risk-based and the risks must be prioritized in order to address the major business risks first. This means that any risks to your business must be identified, investigated and addressed.

There are 4 options for dealing with each risk:

1. Limit the risk. Reducing the risk falls into 2 categories: reducing the likelihood of the problem occurring and reducing the impact of the problem if it does happen. A simple example is that by having a fire alarm you can reduce the chance of a fire spreading unseen and by installing a sprinkler system you can reduce the impact of fire.

Risk reduction is often referred to as mitigation. Data backups are, for example, a form of limitation. They reduce the impact if a problem occurs that affects the primary data source. All mitigation measures must be tested to provide assurance that they work when needed.

2. Transfer the risk. This is an interesting option that could be thought of as a side trip, but is perfectly worth doing. By transferring a risk, it becomes someone else’s problem and you have the risk covered. We are not talking about blaming someone else, or even transferring the risk to someone else in the company.

For example, there is a risk that no office space will become available at the main location in the event of an emergency. Therefore, the risk can be transferred to a third party that organizes office space for disaster recovery and keeps offices available for businesses that require such a recovery service.

3. Accept the risk. By accepting the risk of a potential problem, you are at least aware of its existence and can plan for it to happen. If it is a risk that will have no impact for an acceptable period of time, it should still be noted, but you can decide not to take action until it occurs.

Almost by definition, accepting a risk is also reducing the impact of the risk, as you are aware of the potential problem and can include it in your business continuity plan.

4. Ignore the risk. This option should never be selected. There is never a reason to ignore a risk once it has been identified. A risk can be accepted (recognized) but should never be ignored.

Once the actions for each risk have been identified, anything put in place to address a risk must be tested. However, many companies do not test at all or try to test every facet of a business continuity plan. Both methods are doomed to fail. The answer is to adopt a risk-based testing approach from two perspectives: the business continuity plan is fit for purpose and will work when invoked.

A health check (testing whether the plan is fit for purpose) must be performed by someone other than the authors of the business continuity plan. Ideally, it will be performed by an independent third party that specializes in testing business continuity plans, but it could be a disinterested party from another part of the business. Independence is essential for an objective assessment.

Testing the plan will work when invoked, should be viewed in a business context, and the elements of the plan should be prioritized so that the risks with the most business impact and probability are tested first. This approach and the techniques for conducting business continuity testing in a cost-effective manner are the subject of other articles.

Copyright Acutest UK 2005