Book A Demo Today

Why do organisations fail to test their BC Plans?

Published on April 05, 2019

Testing and maintenance of Business Continuity Plans is one way of managing operational risk.

The goal of testing and exercising is to reduce risks by identifying gaps in plans and taking corrective actions to increase plan's maturity.

So where does it all fall through?

32% of organisations with a BCP have never tested it (CMI, 2013). Is this down to overconfidence, or could the issues lie within resource and knowledge limitations?

1. Assumptions

Firstly, where time, effort and money has already been spent in the creation of a plan, there could be an assumption that the plan is correct, and will always be correct - so why bother to test it?

These assumptions can lead to ineffective plans.

Exercising will highlight assumptions such as whether all staff listed in the plan are available and able to complete their duty as required, if access is prohibited in required areas and for longer than anticipated, and if all IT systems and applications will be restored within expected timeframes and access to data be as expected.

It is these knock-on effects that have to be addressed in exercising, by coming up with solutions and going on to further exercise these.

For example, carrying out regular checks of the company call tree allows a company to evaluate the response rate of staff members and verify telephone numbers – communication is of ultimate importance during an incident, and as we know all too well contact details can change at any time.

Regular testing and exercising will show if the BC Plans will work as expected during a real incident.

A tested plan is a more mature plan and can handle changes to circumstance or organization. The crisis management team should then be able to use the plan effectively during an incident, and the individuals listed in the plan will be better equipped to respond in respect to their assigned duties.

2. Prioritization

Secondly, where resources are sparse and time and personnel are vital, testing as a priority can get pushed down the list. Lack of commitment, budgets, complacency and buy-in can lead to any scheduled testing getting shelved. These will put the BC Plans at risk.

Experience shows that plans which are untested have a greater likelihood of failure, resulting in lost revenue, damage to reputation and impeded customer fulfilment.

As vital as testing is to the success of BCM, it is important however not to put the business at risk through the process of testing. As this activity can be time and resource heavy, it can be a complex process which is costly to an organisation of any size.

Taking people out their jobs at critical time periods, highlighted in your BIA, can be expensive and unnecessary. Good testing should have focus and planning to avoid this and be appropriate to your business.

3. Compliance

Another way in which a lack of exercise and testing can negatively affect a business is the relationship these activities have with compliancy.

In order to fulfil the requirements outlined within the official ISO standard for Business Continuity, ISO 22301, exercising and testing must be conducted at regular intervals by an organisation, who must then evaluate and record the findings of these events in order to continually improve and update its BCMS.

The standard is focused around the 'Plan-do-check-act' management model, and in this case testing and exercise would fall into the ‘check’ step within the model, which is defined by ISO as to ‘monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement’.

The standard states that ‘the organisation shall exercise and test its business continuity procedures to ensure that they are consistent with its business continuity objectives.'

An organisation therefore must conduct these activities regularly should they wish to certify, or even align with these standards as they certainly will not be successful in doing so if not.


  • What can be done to help?

Communicating the overall risk and benefits that can come from an effective exercise and testing programme should be key to aid buy-in, support and uptake. Time and resources spent on testing is crucial to the success of BCM.

Making sure departmental awareness training is up-to-date can be vital in lieu of testing and make testing more worthwhile.

If an incident does occur and those listed in the plan have been trained and had their roles communicated effectively, then there is a greater chance of executing the plan successfully.

  • Is IT and all software up to date?

If you can’t afford to do multiple tests due to time, personnel and resource restraints, you certainly don’t want to waste time falling at a hurdle which you already know is due to fixed or upgraded.

Good testing should be focused and varied. It should be able to provide you with confidence and validation that the BC and crisis management plans & strategies are feasible and that all team members and staff are familiar with and understand their roles in the BC process.

A main outcome of any testing should be to identify the organisations BCM maturity level. You should be more prepared for internal risk within your building of operation, with rehearsal of availability and relocation of staff, but also external risks such as extreme weather.