On Wednesday, November 14th, the Federal Financial Institutions Examination Council (FFIEC) released an updated version of the Business Continuity Management Booklet. One of the changes relates to business continuity and disaster recovery exercises and tests. In the new booklet, the FFIEC redefines the testing methods and draws a clearer line between a BCP exercise and a BCP test.

What is a BCP Exercise?

According to the new booklet, "an exercise is a task or activity involving people and processes that is designed to validate one or more aspects of the BCP or related procedures" (p. 37). Each exercise can look different depending on its scope, goals, and objectives. Some exercises can be discussion only (e.g., a tabletop discussion) while others can be comprehensive (e.g., a full-scale exercise).

What is a BCP Test?

The new booklet defines a test as a "type of exercise intended to verify the quality, performance, or reliability of system resilience in an operational environment" (p. 37). Tests typically focus on a system or set of systems. An example of a test might be verifying that a backup on a server is functional or verifying that recovery time objectives (RTOs) are acceptable for a system. The big difference, according to the booklet, is that "exercises address people, processes, and systems whereas tests address specific aspects of a system" (p. 38).

How are the testing methods different in the new booklet?

Examples of testing methods from the older 2015 Business Continuity Planning Booklet included (p. 18):

  • Tabletop Exercise/Structured Walk-Through Test. "[The tabletop exercise/structured walk-through test's] primary objective is to ensure that critical personnel from all areas are familiar with the BCP and that the plan accurately reflects the financial institution's ability to recover from a disaster."
  • Walk-Through Drill/Simulation Test. "A walk-through drill/simulation test is somewhat more involved than a tabletop exercise/structured walk-through test because the participants choose a specific event scenario and apply the BCP to it."
  • Functional Drill/Parallel Test. "Functional drill/parallel testing is the first type of test that involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the BCP."
  • Full-Interruption/Full-Scale Test. "In a full-scale test, a real-life emergency is simulated as closely as possible."

The new testing methods introduced in the 2019 Business Continuity Management Booklet map closely to those of its predecessor; however, they are renamed and differ slightly (pp. 42-44).

  • Full-Scale Exercise. "A full-scale exercise simulates full use of available resources (personnel and systems) prompting a full recovery of business processes."
  • Limited-Scale Exercise. "A limited-scale exercise is a simulation involving applicable resources (personnel and systems) to recover targeted business processes."
  • Tabletop Exercise. "A tabletop exercise (sometimes referred to as a walk-through) is a discussion during which personnel review their BCP-defined roles and discuss their responses during an adverse event simulation."
  • Tests. "Management uses tests to verify the quantifiable performance and reliability of system resilience."

What does this mean for me?

The new FFIEC guidance highlights the "people and processes" aspects of your organization's BCP. This is a shift in focus from the 2015 BCP booklet in which testing guidance more heavily emphasized testing IT systems and system components. This change can be seen in the definitions of the testing methods. Personnel are specifically included in all four of the "exercise" definitions whereas the definition of "tests" is only concerned with validating system resilience.

What hasn't changed is that BCP exercises and tests are used to validate one or more aspects of an enterprise-wide BCP. Financial institutions should incorporate a variety of exercises and tests into their overall BCP test program to ensure the institution can restore operations and recover from business interruptions. While the test program will differ based on each institution's size and complexity, strong test plans include strategies to evaluate all aspects of the institution's BCP, including people and processes as well as IT systems.

Resources

For more information about the updated booklet, visit: