VII.A Exercise and Test Program
Management should develop a comprehensive exercise and testing program including objectives, and plans to validate the entity’s ability to restore critical business functions. The entity’s risk profile should influence the frequency, objectives, and documentation of the overall exercise schedule. The entity’s consolidated exercise and test schedule should be reflective of exercise and test objectives and the overall exercise and test universe.Similar to an audit universe, an entity’s exercise and test universe is composed of an inventory of all business processes and system components that are compiled and maintained to identify areas for the exercise and test planning process.
Management should designate personnel with the authority to control the exercise or test and confirm milestones are met. Business line management should retain ownership and accountability for testing resilience of business operations, including applications and processes (both internal and external). While business line management should be responsible for testing its specific business processes and related interdependencies, managers should coordinate with personnel involved in the enterprise-wide business continuity process and support areas, such as IT and facilities management. Results should be reported to the board and senior management for inclusion in the enterprise-wide business continuity process.
Exercises and tests should occur either at appropriate intervals, when new risks are identified, or when significant changes affect the entity’s operating environment. Significant changes can render existing test plans obsolete, so BCP(s) should be retested soon after the change. A comprehensive program allows management to evaluate business interdependencies and improve continuity and resilience.
A key objective for management should be to develop a testing process that validates the effectiveness of the entity’s business continuity program, and identifies any deficiencies that may exist. Therefore, the exercise and test program should incorporate the following:
- A policy that includes strategies and expectations for exercise and test planning.
- Roles and responsibilities for implementation.
- Sufficient personnel to perform the exercise or test, provide oversight, and document the results.
- Precautions to safeguard production data, such as performing a backup before performing a test in a test environment, or testing during non-peak hours.
- Provisions for emergency stops (i.e., management’s authority to stop an exercise if a real-life event occurs) and concluding exercises and tests.
- Verification of continuity and resilience process assumptions and the ability to process a sufficient volume of work during adverse operating conditions.
- Activities commensurate with the importance of the business process, as well as to critical financial markets.
- Result comparison against the BCP to identify gaps between the exercise or test process and recovery guidelines, with revisions incorporated where appropriate.
- Independent review of business continuity program and exercises and tests (internal and external).
VII Exercises and Tests
VII.B Exercise and Test Policy