S 6.117 Tests and emergency drills
Initiation responsibility: Emergency Officer, Top Management
Implementation responsibility: Emergency Officer
In order to examine the effectiveness of safeguards in the area of business continuity management, it is necessary to conduct regular tests and emergency drills. These are intended to check the validity, manageability, and understandability of the business continuity handbook. The most important objectives are to detect any inconsistencies in the business continuity plans or shortcomings in the planning and implementation of emergency measures, and to practise effective and smooth procedures in case of an emergency. Typical drills include:
- functional tests (on power generators, air conditioning systems, and central servers, for example),
- fire drills,
- issuing alarms and performing escalation,
- crisis team drills,
- command post drills,
- recovery of individual resources or business processes after a failure,
- evacuation of an office building and relocation to an alternative location, and
- simulation of the failure of a computer centre and initial operation of the backup computer centre.
Drills can be conducted in the form of "armchair" plan reviews, simulations, or realistic emergency drills.
The planning, conception, execution, and assessment of tests and drills require financial and personnel resources. The resources must be provided by the organisation's management. Roles must be defined and employees appointed to these roles. The employees playing a role in the planning, conception, or execution of tests and drills must receive training for their tasks.
Tests and drills must be planned. This is the only way to deploy financial and personnel resources effectively and efficiently when examining all of the emergency measures established within the specified scope. Tests and drills must be conducted regularly and in response to specific situations, for example after large-scale changes in the field of business continuity management. For this reason, it is recommended to create a multi-year plan to guarantee that the entire scope of business continuity management is covered. The plan should contain different types of tests and drills in order to examine and test all business continuity plans, emergency measures, and the organisational structure of the emergency response. This long-term plan should state the types of tests planned, the goals of the tests, the long-term schedule, and a list of the necessary resources. An annual schedule should also be created based on the long-term plan, describing the schedule in more detail and stating exactly which drills will be conducted.
Both the long-term plan and the detailed plan must be signed and approved by the organisation's management.
A test or drill concept should be created for each test and each drill. This concept specifies details such as type, schedule, resources needed, participants, goals to be reached, and sequence of events. Experience has shown that tests and drills themselves can cause damage events as a side effect. For this reason, the detailed plan must be designed to minimise the risk of such damage events. Before conducting an emergency drill, written approval for the detailed plan must be obtained from the top management of the organisation.
The sequence of events in each test and drill is to be documented in a logbook in such a way that it is possible to assess the results. The assessment of a test or drill must be documented and should contain the results, feedback from the participants and the organisational units the drill was conducted for, and a comparison of the result to the specified goals of the drill. The results should also contain any shortcomings or gaps discovered as well as suggestions for their elimination.
To eliminate the shortcomings and gaps detected in the business continuity plan, it is necessary to define safeguards, appoint persons in charge of implementation, and set deadlines. Timely implementation must be monitored by the Emergency Officer.
Review questions:
- Is there a long-term plan guaranteeing that the essential plans and safeguards included in the scope of business continuity management are tested and practised?
- Does business continuity management have adequate resources for planning, designing, executing, and assessing the tests and drills?
- Does business continuity management conduct and document different types of tests and emergency drills with different goals regularly as well as in special situations?
- Are the business continuity plans and emergency measures reviewed in response to the shortcomings and vulnerabilities discovered during emergency drills, and is the implementation of the resulting changes monitored?