Business Continuity Testing starts with the risks

All business continuity analysis should be risk based, and risk prioritised to deal with the important business risks first. This means that any risks to your business need to be identified, examined and dealt with. There are 4 options for dealing with each risk:

1. Reduce the risk. Reducing the risk falls into 2 categories - reducing the likelihood of the problem occurring and reducing the impact of the problem if it does happen. A simple example is that by having a fire alarm you are reducing the likelihood of a fire spreading unseen and by installing a sprinkler system you are reducing the impact of fire.

Reducing the risk is often referred to as mitigation. For example, data backups are a form of mitigation. They reduce the impact if a problem occurs which affects the primary data source. Any mitigating actions require testing to provide assurance they work when required.

2. Transfer the risk. This is an interesting option which may be seen as a get-out, but which is a perfectly valid thing to do. By transferring a risk it becomes someone else's problem and you therefore have the risk covered. We are not talking about blaming someone else, or even transferring the risk to someone else in the company.

For example, there could be a risk that office space will not be available in the case of a disaster in the main location. Therefore the risk can be transferred to a third party company which organises office space for disaster recovery and keeps offices available for companies who need such a recovery service.

3. Accept the risk. By accepting the risk of a potential problem you are at least aware of its existence and can plan for it happening. If it is a risk that would have no impact for an acceptable period of time it should still be noted but you may decide to take no action until it occurs.

Almost by definition, accepting a risk is also reducing the impact of the risk as you are aware of the potential problem and can write it into your business continuity plan.

4. Ignore the risk. This option should never be selected. There is never a reason for ignoring a risk once it has been identified. A risk can be accepted (acknowledged) but must never be ignored.

Once the actions for each risk have been identified, then anything put in place to help cope with a risk needs testing. However, many companies either test nothing at all or try testing every facet of a business continuity plan. Both methods are doomed to failure. The answer is to adopt a risk based testing approach from two perspectives: the business continuity plan is fit for purpose and it will work when invoked.

A health check (testing the plan is fit for purpose) needs to be performed by someone other than the authors of the business continuity plan. Ideally it's performed by an independent third party that specialises in testing business continuity plans, but it could be a disinterested party from another part of the company. Independence is essential here for an objective assessment.

Testing that the plan will work when invoked must be viewed in a business context, and the elements of the plan prioritised so that the risks with the most business impact and likelihood are tested first. This approach and the techniques to perform business continuity testing in a cost effective manner are the subject of other articles.

Copyright Acutest UK 2005

About the author:

A Streeb is an experienced practitioner of business continuity testing at Acutest, an independent consultancy specialising in business continuity assurance and software testing services. For more information on this topic visit http://www.acutest.co.uk or send an email to enquires@acutest.co.uk