VII Exercises and Tests
The board and senior management should provide for appropriate exercises and tests to verify that business continuity procedures support business continuity objectives. Exercises and tests should be used to validate one or more aspects of the entity’s BCP.
Examiners should review for the following in exercise and testing plans:
- Provisions for exercises and tests occurring at appropriate intervals and when significant changes affect the entity’s operating environment.
- Comprehensive program objectives and plans of exercises and tests to validate the ability to restore critical business functions in a timely manner.
- An exercise and test process that provides assurance for the continuity and resilience of critical business functions, without compromising production environments.
- Authorities and control over exercises and tests.
- Exercise and test policies, expectations, and strategies that demonstrate the entity’s ability to utilize alternate facilities.
- Exercise and test objectives for resilience, system monitoring, and the recovery of business processes and critical system components.
- Exercise and test scenarios, including exercise and test assumptions, objectives, expectations, and assessment metrics.
- Types of exercises (e.g., full scale, limited scale, or tabletop) and tests.
- Exercises and tests related to interaction with third parties, industry-wide testing, and core and significant firms.
- Documentation of issues identified through exercises and tests, and action plans and target dates for resolution.
- Board expectations for overall business continuity capabilities, including guidelines to achieve defined business continuity objectives.
Exercises and testsFor purposes of this booklet, the term “exercise” represents both exercises and tests, unless the term “test” is specifically mentioned. help ensure that business continuity procedures support business continuity objectives. An exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures. There are many different types of exercises, depending on the intended goals and objectives. Exercises may include scenario-driven simulations of BCP elements. For example, exercises may include performing duties in a simulated environment (i.e., functional) or be discussion based (i.e., tabletop).
A test is a type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment. Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment (e.g., what happens as a result of removing power from a system or system component). Tests may focus on backup and recovery options of systems. The degree of testing can vary, from individual system components up to comprehensive tests of all system components that support business operations. Effectively, the distinction between the two is that exercises address people, processes, and systems whereas tests address specific aspects of a system.
VII.A Exercise and Test Program