VII.K Post-Exercise and Post-Test Actions
Management should document issues identified during exercises and tests and create action plans with target dates for resolving issues. Exercise and test results should be analyzed and compared with the objectives and success criteria in the exercise and test plans, and reported to appropriate levels of management. For those items not remediated, management should document decisions to accept risks identified during the exercises.
Additionally, management should test corrective actions implemented as a result of a failed recovery objective or to address major issues encountered. Management may choose to retest during or before the next regularly scheduled exercise depending on an issue’s severity. Business line management should update the BCP based on test results and adjust the BCM process, including the exercise and testing program. Finally, management should submit regular reports to the board on the exercise and testing activities and whether the BCP meets the entity’s recovery and resilience objectives.
Exercise and test results may include the following documentation:
- Dates and locations.
- An executive summary comparing objectives and results.
- Material deviations from the plans, including whether intended participation was achieved.
- Problems identified and lessons learned.
- Assignment of responsibility for timely resolution of issues identified.
Management should periodically analyze results and issues to determine whether problems can be traced to a common source, such as inadequate change control procedures. Fixing the root cause of the problem may help resolve many underlying issues.