How often should you test or ‘exercise’ your business continuity plan? How long is a piece of string? The answer to both questions is of course – it depends. It depends on the nature of your business, the rate of change in your activity and your industry sector and whether or not you’ve had to put your business continuity plan into action in the recent past. It’s interesting to see different recommendations come to light: “once a year”; “once every six months”; “once every three years”, and so on. Yet for many companies, there’s an even more basic question to be answered.
That question is: “Have we ever tested our business continuity plan?” Two factors contribute to organisations not testing and therefore not being properly prepared if business disruption strikes. The first is the assumption that making a business continuity plan is enough, that it doesn’t have to be tested. The second is a shortage of staff available to run the tests. However if at least the necessity to test is recognised, even if resources are scarce, you can still make some amends. The more parts of your plan you test, the better prepared you’ll be, because the more you can reduce the chances of a disaster happening that would really sink you.
Less general than for overall business continuity plans, Symantec Corp. runs surveys annually to find out how often people test their IT disaster recovery plans. The statistics give an indication of how often a business continuity plan is tested. About a third of the respondents to the survey don’t test their IT DR plans more than once a year. Right or wrong? If they’ve determined that once a year is sufficient, then they’re right. If they haven’t investigated, then they’re wrong – not necessarily because they should test more often, but for not checking up on what they really need.