PP6 | Validation Flashcards

1
Q

Validation - Introduction

A

Validation is the Professional Practice within the business continuity management lifecycle that confirms that the business continuity programme meets the objectives set in the Business Continuity Policy and that the plans and procedures in place are effective.

The purpose of Validation is to ensure that the business continuity solutions and response structure reflect the size, complexity, and type of organisation, and that the plans are current, accurate, effective, and complete.

There should be a process in place to continually improve the overall level of organisational resilience.

Validation is achieved through a combination of the following three activities:

Exercising - Maintenance - Review

2
Q

Developing an Exercise Programme - About

A

An organisation’s continuity capability cannot be considered reliable or effective until it has been exercised.

No matter how well designed a business continuity solution or business continuity plan appears to be, realistic exercises should be used to help identify issues and validate assumptions that may require attention.

The goal of exercising is the continuous improvement of business continuity management capabilities and readiness by ensuring that lessons learned are integrated into prevention, mitigation, planning, training, and future exercising activities.

3
Q

Developing an Exercise Programme - General Principles

A

Exercising aims to achieve various outcomes, including:

Evaluating the organisation’s capability to undertake continuity activities and achieve the expected RTOs.

Validating the business continuity solutions and the assumptions on which they are based.

Verifying that the documented procedures in the business continuity plan are relevant, complete, and current.

Verifying the adequacy and practicality of resources that support the continuity solutions.

Identifying areas for improvement or missing information.

Validating competency and building confidence in personnel with relevant roles and responsibilities.

Developing teamwork.

Raising awareness of business continuity throughout the organisation as described in Embedding Business Continuity.

Exercising is not a one-time activity. It should be scheduled and programmed into a series of events and activities that allow the organisation to gradually improve capability over time.

An exercise programme should ensure the desired level of capability by:

Rehearsing all plans.

Verifying all business continuity solutions.

Verifying all information contained in plans.

Exercising all relevant personnel (including alternates).

4
Q

Developing an Exercise Programme - Process

A

The following should be considered in the exercising process:

Define the exercise programme goals, objectives, and scope.

Review past exercises (plans, resources, and activities) to identify areas excluded from previous exercises.

Discuss with top management any perceived areas of weakness and exercising priorities.

Review and assess current risks and threats.

Decide on the types of exercise to be undertaken.

Determine a budget for the exercise programme.

Check the availability of required personnel, facilities, and other resources.

Create an exercise schedule that includes validating the business continuity arrangements of relevant interested parties.

Submit to top management for approval.

Identify any training requirements for exercise participants or planners, and integrate them into the exercise programme.

5
Q

Developing an Exercise Programme - Outcomes

A

The outcomes of developing an exercise programme are as follows:

A complete exercise programme which defines:

The objectives to be achieved.

The methods required to achieve the objectives.

Defined resource requirements (including budget).

Proposed timing, and training requirements.

Improved organisational resilience, with a demonstrable capability to respond to, and recover from, an incident or crisis over time.

6
Q

Developing an Exercise - General Principles

A

Every exercise within the exercise programme needs to be carefully planned to justify the use of resources required when developing and delivering it.

The exercise development process should be approached like a project, using the appropriate planning steps and controls associated with good practice in project management.

7
Q

Developing an Exercise - Process

A

Although a range of different exercises are undertaken in the Validation stage of the business continuity management lifecycle, the following process can be applied for any individual exercise:

Agree the scope, aims, objectives and expected outcomes of the exercise.

Identify the exercise planning team and team roles.

Plan and design the exercise, including setting a budget and time frame as well as conducting a risk assessment to identify the risks of impact on business-as-usual tasks, where appropriate.

Conduct the exercise.

Assess and report the outcome and lessons learned, including a debrief of the participants immediately after the exercise.

Follow up to address any issues raised by the exercise and take corrective action(s) as required.

8
Q

Developing an Exercise - Outcomes

A

The outcomes of the exercise development and delivery process are:

An exercise plan or brief which outlines the objectives, scope, roles and responsibilities, and approach of how the exercise should be conducted.

Exercise delivery materials and resources required to conduct the exercise.

One or more completed exercises.

A post-exercise report, with recommendations for corrective actions.

The outcomes that exercises should seek to achieve include:

Confirmation that personnel are familiar with their roles, responsibilities, and authority in response to an incident.

Validation of the technical, logistical, and administrative aspects of the business continuity plan.

Validation of suitability of the continuity infrastructure (command centres, work areas, technology, and telecommunications resources).

Confirmation of the availability of personnel and processes for relocation.

Enhanced awareness of business continuity, crisis management, and emergency response procedures.

An increased awareness of the significance of business continuity.

Ideas for further exercises and scenarios relevant to the organisation.

9
Q

Maintenance - About

A

Maintenance of the business continuity programme keeps the organisation’s business continuity arrangements up to date.

This ensures that the organisation remains ready to respond to, and manage the impacts from, incidents effectively, despite periodic organisational change.

10
Q

Maintenance - General Principles

A

To be effective, maintenance activities should be embedded within the organisation’s business-as-usual processes rather than being a separate activity that may be overlooked.

Most of the maintenance required will be the result of internal organisational changes.

The most effective way of achieving this is to incorporate maintenance activities into the organisation’s Change Management process.

However, this is not always possible as many organisations do not have such a process. If a change management process exists within an organisation, a time frame should be agreed to implement any changes in the business continuity programme.

Requirements for maintenance activities can be identified using the following:

Lessons learned through exercising.

Changes to the organisation’s structure, products and services, infrastructure, processes, or activities.

Changes to the environment in which the organisation operates.

A review or audit.

A real incident, where lessons learned can be incorporated.

Changes or updates in the business continuity management lifecycle, such as the BIA or continuity solutions.

11
Q

Maintenance - Process

A

Responsibility for undertaking the planned maintenance process should be given to an individual or team who should:

Review what has changed since the last update.

Analyse the impacts of any changes.

Agree the changes to be made to specific elements of the business continuity programme.

Make the agreed changes as required.

Identify and advise interested parties of any changes that have an impact on them.

Assess additional requirements for training, awareness, and communications based on the changes.

Provide training, awareness, and communications as required.

If plans and documents have changed, distribute the new versions as appropriate.

Identify the date for undertaking the next planned maintenance, and schedule the maintenance.

The impact of any changes should be analysed by:

Reviewing and challenging any assumptions that have been made.

Determining whether any time objectives have changed, for example, MTPDs or RTOs.

Determining the adequacy and availability of external services that might be required, such as asset restoration, recovery sites and subcontracts.

Reviewing the business continuity arrangements of key suppliers.

12
Q

Maintenance - Outcomes

A

The outcomes of maintenance of the business continuity programme include:

A documented, planned maintenance schedule.

Regular progress reports.

Effective and up-to-date policies and procedures.

Up-to-date documentation.

Distribution to appropriate interested parties.

13
Q

Review - About

A

The purpose of a review is to evaluate the business continuity policy and programme for continuing suitability, adequacy, and effectiveness.

14
Q

Review - General Principles

A

There are six basic types of review:

Audit - Self Assessment - Quality Assurance (QA) - Performance Appraisal - Supplier Performance - Management Review

15
Q

Review - Outcomes

A

The outcomes of the review should be options for improving the organisation’s level of resilience.

16
Q

Audit - General Principles

A

Auditing is designed to verify that the business continuity process has been followed correctly, not that the solutions adopted are necessarily correct.

The purpose of a business continuity management audit is to analyse an organisation’s existing business continuity programme and verify it against predefined standards and criteria to deliver a structured audit report.

Audits should be conducted at planned intervals to confirm that the organisation is conforming with its own business continuity policy or the organisation’s audit and governance policies where relevant.

17
Q

Audit - Process

A

The audit process should include:

Developing an audit plan.

Defining the audit scope.

Defining the audit approach.

Reviewing information gathered by the audit activities.

Compiling and summarising interview notes, questionnaires and other information.

Identifying gaps in the content and level of information gathered, then conducting follow-up interviews as appropriate.

Obtaining and comparing relevant documentation relating to the business continuity programme.

Referring to secondary sources, for example standards, regulations, and legislation, to validate preliminary findings.

Finalising a draft audit report that reflects both the interests of the audit sponsor and the measurements set by external sources, for example, regulatory, legal, and industry standards.

Presenting the draft audit report for discussion and approval with key interested parties, incorporating recommendations as well as audited responses where differences of opinion persist.

Finalising an agreed remedial action plan including time frames to implement the agreed recommendations of the audit report. This should also form a key element of the business continuity programme.

Finalising a monitoring process to ensure that the audit action plan is implemented within the agreed time frame.

18
Q

Audit - Outcomes

A

The outcomes of a business continuity management audit include:

An independent business continuity management audit report.

A remedial action plan that is agreed and approved by top management.

The outcome of an unfavourable performance rating should be:

Acceptance of the plans by management as ‘inadequate’.

The initiation of a review conducted by a business continuity professional to assist the team in improving their position.

19
Q

Self-Assessment - General Principles

A

The purpose of self-assessment is for an organisation to review its implementation of the business continuity programme with a view to creating an action plan for improvements.

Self-assessment can be carried out between audits to identify progress against audit recommendations.

Self-assessment should also be carried out during and immediately after an initial implementation of the business continuity programme.

20
Q

Self-Assessment - Process

A

The self-assessment process should include:

Identifying objectives or measures for the business continuity programme against which performance can be assessed.

Reviewing performance against these selected objectives or measures.

Identifying trends in performance.

Highlighting areas for improvement.

Developing action plans to improve these areas.

Producing a self-assessment report.

21
Q

Self-Assessment - Outcomes

A

The outcomes of self-assessment include:

An action plan for improvements.

An improvement in the business continuity programme.

An improvement in the organisation’s level of resilience.

22
Q

Quality Assurance (QA) - General Principles

A

Quality Assurance is the process of determining whether the outputs from the business continuity programme meet the organisation’s requirements and expectations, which may or may not have been formally defined.

For organisations that are certified against international or national standards, this should be a formal and documented process.

For other organisations, this should be an informal review against expectations and intentions as expressed in the business continuity policy.

23
Q

Quality Assurance (QA) - Process

A

Quality Assurance can be undertaken as a continual process on all outputs, or through periodic sampling.

The process involves:

Identifying requirements or expectations.

Comparing the output to the requirements or expectations.

Identifying any shortfall in requirements or expectations.

Acting to remedy any shortfall.

24
Q

Quality Assurance (QA) - Outcomes

A

The outcome of Quality Assurance should be:

An improvement in the way the outputs from the business continuity programme meet the organisation’s requirements and expectations.

25
Q

Performance Appraisal - General Principles

A

Roles and responsibilities for the business continuity programme should have been defined as part of business continuity policy.

Performance appraisals should be used to check how well those roles and responsibilities are being undertaken.

26
Q

Performance Appraisal - Process

A

The performance appraisal process can be undertaken as part of a regular personnel appraisal process, or to review an individual’s performance of their responsibilities in the business continuity programme specifically.

The process involves:

Confirming the individual’s role and responsibilities in the business continuity programme.

Defining appropriate measures for the role, for example, objectives, measurement targets and standards.

Defining success factors.

Incorporating measures in annual appraisals.

Evaluating and reviewing performance against measures.

Producing performance scores.

Providing a remedial action plan to remedy any shortfall in performance.

27
Q

Performance Appraisal - Outcomes

A

The outcome of a performance appraisal should be an improvement in the way in which an individual tasked with a role in the business continuity programme:

Carries out their role.

Undertakes their responsibilities.

Meets their objectives.

28
Q

Supplier Performance - General Principles

A

The review process of the business continuity programme of any supplier on which the organisation depends should be similar to the process employed for reviewing the organisation’s own programme.

29
Q

Supplier Performance - Process

A

The process for reviewing key suppliers’ business continuity programmes and reviewing suppliers of recovery services should be defined in their contracts.

The business continuity programmes of key suppliers should be reviewed as if the suppliers were part of the organisation itself.

This mirrors the way in which the business continuity arrangements of any internal department, location, or outsourced service provider that provides products and services would be reviewed.

30
Q

Supplier Performance - Outcomes

A

The outcomes of reviewing supplier performance include:

A performance rating against SLAs.

An understanding of the supplier’s business continuity programme.

An action plan for improving supplier performance.

Increased readiness and assurance of prioritised supplier activities.

31
Q

Management Review - General Principles

A

A management review provides opportunities for top management to understand the performance of the business continuity programme.

The programme should be aligned to organisational objectives, and its adequacy to address governance and the overall approach to managing risk should be understood.

32
Q

Management Review - Outcomes

A

The outcomes of the management review include:

An action plan for improvements.

Continual improvement of the business continuity programme.

An enhancement of the organisation’s level of resilience.