Page 563 - ITGC_Audit Guides

GTAG —  BCM Requirements





A. Types of Exercises

Exercise Type: Desk Check or Plan Audit

Description: This is the least invasive type of exercise/test generally still considered a test. A desk check normally involves only the plan owner and perhaps a disinterested third party. The goal of this type of effort is simply to ensure that content inside the plan is not outdated (e.g., contact information) and that the general thrust of the plan is still relevant. It normally includes a simple page-by-page reading and updating of the plan itself.

Objectives:
   • Ensure team members are accurate.
   • Ensure internal and external contact numbers are current.

Exercise Type: Orientation or Plan Walkthrough

Description: Especially after a BC or CM plan has been recently adopted or significantly enhanced, it is helpful to walk through the document informally with those expected to implement it. The effort would include a team meeting facilitated by a designated team leader. Normally, this type of low-intensity event does not constitute a “test” in terms of an organization’s BCM policy requirement.

Objectives:
   • Ensure team members understand their new/updated roles.
   • Ensure team members understand basic plan content and format.

Exercise Type: Tabletop Exercise (Boardroom Style Exercise)

Description: In many cases, it is helpful to bring the entire BC/CM team together for a session to work collaboratively through a realistic scenario to identify challenges and build rapport in solving them together. Generally, these exercises last two to four hours and are facilitated either by the BC/CM manager or an independent third party. The effort concludes with a formal exercise critique detailing whether pre-established exercise objectives were met and outlining gaps uncovered in the event with a remediation timeline as well as next steps to be performed.

Objectives:
   • Help team members understand the importance of their roles and responsibilities.
   • See the benefit of solving continuity/crisis challenges as a team.
   • Identify specific planning/training gaps across functional areas.

Exercise Type: Communication Testing

Description: Communication is a key component of a BCM process. In fact, failure to communicate accurately to key stakeholders is a frequent cause of failed crisis responses. These tests vary widely depending on the scope of communications planning and level of automation used in the crisis communications process. Companies that have deployed a mass notification tool realize a double benefit from their exercise: evaluating the tool’s performance and exposing participants to how the notification will be received. Normally, this type of event involves actually contacting business partners and employees, not simply reviewing contact list information.

Objectives:
   • Validate the contact information of key stakeholders.
   • Train participants in how to use mass notification and any role they have in the response.
   • Properly configure mass notification tools.
   • Identify communication gaps/bottlenecks where timely communication could falter in an event.










