Testing, Training and Maintenance
Develop process for testing and reviewing plan on a regular basis
Commentary
Testing a business continuity plan is key to establishing an effective business
continuity competence. Testing a new plan is likely to identify gaps that have
been overlooked in the design stage. Testing an existing plan provides assurance
that changes to the business environment have been reflected in the plan and that
it may be effectively implemented in a recovery or business interruption scenario.
Testing can include a diverse range of strategies and methodologies including:
- Simple desk checks whereby the content of the plan is reviewed and challenged by an independent person;
- Walk through, involving an extended desk check to incorporate the roles and interactions of the principal plan participants and involving the author;
- Testing functions where one or a number of business functions are moved and recreated at a separate recovery site; and
- A full test of the BCP that involves full staff / resident relocation and business resumption.
The level of testing required is dependent on the complexity of the business
environment, the speed at which the organisation’s environment is changing, the
required recovery time, and the level of staff turnover and resident / client
capacity for involvement. The full plan
should be tested at least every 12 months. Management may wish to test individual
components of the plan, such as the Information Technology Disaster Recovery
Plan, on a more frequent basis (such as every six months).
The testing process should
utilise a testing facilitator, such as a member of the Internal Audit team or
BCP practitioner, and a fully developed test plan. The test plan should clearly
define the scope and objectives of each test and should be agreed and signed
off in advance by the business continuity sponsor. Test plans should incorporate:
- Introduction packs for the staff;
- Feedback questionnaires;
- Learning point forms for the staff to complete; and
- Scenario feeds for the tests.
Deliverables from the testing process should include a post-exercise report
that incorporates observations and feedback obtained throughout the exercise,
and a post-test action plan. The action plan should be signed off by the BCP
sponsor to ensure that the issues raised are actioned and that the BCP is
updated and maintained appropriately.
The business continuity
management process should be reviewed annually by Internal Audit or a BCP practitioner
to ensure that the overall business continuity management of the organisation
remains competent and effective. This continual review process, in conjunction
with training for staff, such as BCP workshops or BCP awareness questionnaires,
is likely to help develop and support an effective business continuity culture
and enhance the overall effectiveness of the continuity processes.
Actions
- Develop a monitoring and review process (audit tools or measures) for the Evacuation Plan, ensuring that it is reflected in existing audit schedules and key performance indicator systems. The tools used to monitor and evaluate the Evacuation Plan should be reactive to industry issues and legislation changes, and require a review of the Plan(s) at least annually.
- The Evacuation Plan testing should include an annual desktop walk-through of plans, annual testing of each component of the plan, and annual full scenario-based testing of the plan. Parts of these tests could take the form of:
  - Maintenance checks to make sure that equipment is working and still suitable for use
  - Process checks (including making sure that external resources are still usable or available)
  - Equipment and documentation checklist
  - Competency questionnaires for stakeholders
  - Activation of parts of the Evacuation Plan
  - Mock scenario drills. Document the results on an evaluation form and then analyse the results
  - Full activation of the Evacuation Plan, involving all stakeholders
- Identify who is to be responsible for routine monitoring and review of the plan, and ensure that it is reflected in relevant job descriptions or duty statements.
- Ensure adequate training of key personnel who are responsible for this task.
- Invite key external contractors to participate in drills.
- Identify deficiencies captured through the monitoring and review process, and ensure that action plans are developed and implemented. These should be captured and reflected in existing continuous improvement quality management systems.
- Ensure that the standard review processes (reporting on currency and robustness of the Evacuation Plan) are reported to relevant organisational committees and key personnel.
Remember, this risk management
review should be updated at least annually, and be formally accepted and signed-off
by the business and senior management team, as part of the ongoing strategic
plan.