Principles of the Business Continuity Testing Program
Risk monitoring and testing is the final step in the cyclical business continuity planning process. Risk monitoring and testing ensures that the institution's business continuity planning process remains viable through the:
- Incorporation of the BIA and risk assessment into the BCP and testing program;
- Development of an enterprise-wide testing program;
- Assignment of roles and responsibilities for implementation of the testing program;
- Completion of annual, or more frequent, tests of the BCP;
- Evaluation of the testing program and the test results by senior management and the board;
- Assessment of the testing program and test results by an independent party; and
- Revision of the BCP and testing program based upon changes in business operations, audit and examination recommendations, and test results.
Risk monitoring and testing is necessary to ensure that the business continuity planning process remains viable through the incorporation of the BIA and risk assessment into an enterprise-wide BCP and testing program. The testing program has become a key focus of banking supervisors in light of recent catastrophic events, and has received heightened attention within the financial services industry because such a program can be used to validate the viability of the BCP. As such, there are various principles that financial institutions should follow when developing a testing program.
The following principles should be addressed in the business continuity testing program of all institutions, regardless of whether they rely on service providers or process their work internally:
- Roles and responsibilities for implementation and evaluation of the testing program should be specifically defined;
- The BIA and risk assessment should serve as the foundation of the testing program, as well as the BCP that it validates;
- The breadth and depth of testing activities should be commensurate with the importance of the business process to the institution, as well as to critical financial markets;
- Enterprise-wide testing should be conducted at least annually, or more frequently, depending on changes in the operating environment;
- Testing should be viewed as a continuously evolving cycle, and institutions should work towards a more comprehensive and integrated program that incorporates the testing of various interdependencies;
- Institutions should demonstrate, through testing, that their business continuity arrangements have the ability to sustain the business until permanent operations are reestablished;
- The testing program should be reviewed by an independent party; and
- Test results should be compared against the BCP to identify any gaps between the testing program and business continuity guidelines, with notable revisions incorporated into the testing program or the BCP, as deemed necessary.
Note on integrated testing: Integrated testing includes testing with internal and external parties and the supporting systems, processes, and resources. A discussion of interdependencies can be found in Appendix E: "Interdependencies." Related testing guidance is included in Appendix H: "Testing Program - Governance and Attributes."
A key challenge for management is to develop a testing program that provides a high degree of assurance for the continuity of critical business processes, including supporting infrastructure, systems, and applications, without compromising production environments. Therefore, a robust testing program should incorporate roles and responsibilities; a testing policy that includes testing strategies and test planning; the execution, evaluation, independent assessment, and reporting of test results; and updates to the BCP and testing program.
Risk Monitoring and Testing
Roles and Responsibilities